AWS Prerequisites
Please have a look at the following prerequisites for creating images on AWS.
A default VPC must be available in the account where you want to create the customized image.
The user whose credentials you specify for the connection needs IAM permissions; attach at least the policy below. Replace _ACCOUNT_ID_, _REGION_, _ROLE_NAME_ (the role and instance profile the build instance is launched with) and _VPC_ID_ (the default VPC) with your own values before attaching it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NonResourceBasedReadOnlyPermissions",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeImages",
        "ec2:DescribeVolumes",
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "NonResourceBasedWritePermissions",
      "Action": [
        "ec2:CopyImage",
        "ec2:CreateImage",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteKeyPair",
        "ec2:DeleteSnapshot",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:RegisterImage"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "IAMPassroleToInstance",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::_ACCOUNT_ID_:role/_ROLE_NAME_"
    },
    {
      "Sid": "AllowInstanceActions",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
        }
      }
    },
    {
      "Sid": "EC2RunInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"
        }
      }
    },
    {
      "Sid": "EC2LimitSize",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": [
            "*.nano",
            "*.small",
            "*.micro"
          ]
        }
      }
    },
    {
      "Sid": "EC2RunInstancesSubnet",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
        }
      }
    },
    {
      "Sid": "RemainingRunInstancePermissions",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:volume/*",
        "arn:aws:ec2:_REGION_::image/*",
        "arn:aws:ec2:_REGION_::snapshot/*",
        "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:network-interface/*",
        "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:key-pair/*",
        "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:security-group/*"
      ]
    },
    {
      "Sid": "EC2VpcNonresourceSpecificActions",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"
        }
      }
    }
  ]
}
A few points to keep in mind when adapting this policy. The iam:PassRole statement together with the ec2:InstanceProfile conditions pins every launch, stop and terminate to instances that carry the build role; do not widen the PassRole resource to a wildcard, and if you want to tighten it further add an "iam:PassedToService": "ec2.amazonaws.com" condition so the role can only be passed to EC2. The subnet ARN is intentionally granted only in the statement that carries the ec2:Vpc condition; listing subnet/* again in the unconditioned RemainingRunInstancePermissions statement would allow launches in any VPC and make the restriction ineffective. The EC2LimitSize statement is an explicit Deny that caps the build instance to nano, micro and small types; ec2:InstanceType is a single-valued condition key, so it is matched with a plain StringNotLike rather than a ForAnyValue set operator. The Describe* actions do not support resource-level conditions, which is why they are granted in the first statement with Resource "*".
You can read more about necessary permissions here.
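Two mistakes are easy to make with a template like this and hard to spot by eye: leaving a placeholder unfilled, and granting a resource both with and without its condition, which silently cancels the condition. The following script is an added example, not code from the original page or from XOAP. It renders the placeholders and lints the resulting policy for four such mistakes. The account ID, region, role name and VPC ID used in it are made-up values, and the embedded policy is a constructed, shortened copy of the template above in which subnet/* has been deliberately repeated without the ec2:Vpc condition so that the lint has something to catch.

```python
"""Pre-flight lint for the AWS image-builder policy template.

Added example: renders the _ACCOUNT_ID_ / _REGION_ / _ROLE_NAME_ / _VPC_ID_
placeholders, then checks the policy for mistakes that IAM will not warn about.
"""
import json
import re

# Constructed, shortened copy of the page's template (only the statements the
# checks look at). In real use pass the full policy text to render() instead.
SAMPLE_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMPassroleToInstance", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::_ACCOUNT_ID_:role/_ROLE_NAME_"},
        {"Sid": "EC2RunInstances", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
         "Condition": {"StringEquals": {
             "ec2:InstanceProfile": "arn:aws:iam::_ACCOUNT_ID_:instance-profile/_ROLE_NAME_"}}},
        {"Sid": "EC2LimitSize", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ["*.nano", "*.small", "*.micro"]}}},
        {"Sid": "EC2RunInstancesSubnet", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*",
         "Condition": {"StringEquals": {
             "ec2:Vpc": "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:vpc/_VPC_ID_"}}},
        # Deliberate mistake for the demo: subnet/* repeated without the
        # ec2:Vpc condition, which cancels the VPC restriction above.
        {"Sid": "RemainingRunInstancePermissions", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": ["arn:aws:ec2:_REGION_:_ACCOUNT_ID_:volume/*",
                      "arn:aws:ec2:_REGION_::image/*",
                      "arn:aws:ec2:_REGION_:_ACCOUNT_ID_:subnet/*"]},
    ],
})

PLACEHOLDER = re.compile(r"_[A-Z][A-Z_]*_")


def unfilled_placeholders(text: str) -> list:
    """Placeholders such as _REGION_ still present in `text`, sorted."""
    return sorted(set(PLACEHOLDER.findall(text)))


def render(template: str, **values: str) -> dict:
    """Substitute ACCOUNT_ID=..., REGION=... into the template and parse it.

    A leftover placeholder produces an ARN that never matches a real resource
    (or is rejected by IAM), so refuse to return such a policy.
    """
    for key, value in values.items():
        template = template.replace(f"_{key}_", value)
    left = unfilled_placeholders(template)
    if left:
        raise ValueError(f"unfilled placeholders: {left}")
    return json.loads(template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statements(policy: dict, action: str, effect: str = "Allow"):
    """Statements with the given Effect whose Action covers `action` (wildcards honoured)."""
    for st in policy["Statement"]:
        if st.get("Effect") != effect:
            continue
        patterns = [re.escape(a).replace(r"\*", ".*") for a in _as_list(st.get("Action", []))]
        if any(re.fullmatch(p, action, re.IGNORECASE) for p in patterns):
            yield st


def unconditioned_resources(policy: dict, action: str) -> set:
    """Resource types (e.g. 'subnet') on which `action` is allowed with no Condition."""
    found = set()
    for st in statements(policy, action):
        if not st.get("Condition"):
            for arn in _as_list(st["Resource"]):
                found.add(arn.rsplit(":", 1)[-1].split("/")[0])  # 'subnet/*' -> 'subnet'
    return found


def lint(policy: dict) -> list:
    """Findings as readable strings; an empty list means the checks pass."""
    findings = []
    # 1. iam:PassRole must be pinned to the build role; a wildcard would let the
    #    connection user launch an instance carrying any role in the account.
    for st in statements(policy, "iam:PassRole"):
        if any(r == "*" or r.endswith("/*") for r in _as_list(st["Resource"])):
            findings.append(f"{st.get('Sid')}: iam:PassRole is not pinned to a single role")
    # 2. instance/* and subnet/* may only be granted under their conditions
    #    (ec2:InstanceProfile, ec2:Vpc); an extra unconditioned grant wins.
    loose = unconditioned_resources(policy, "ec2:RunInstances") & {"*", "instance", "subnet"}
    for rtype in sorted(loose):
        findings.append(f"ec2:RunInstances on resource '{rtype}' is allowed without a Condition")
    # 3. The explicit Deny that caps ec2:InstanceType must still be present.
    if not any("ec2:InstanceType" in json.dumps(st.get("Condition", {}))
               for st in statements(policy, "ec2:RunInstances", effect="Deny")):
        findings.append("no Deny statement limits ec2:InstanceType for ec2:RunInstances")
    # 4. ec2:InstanceType is single-valued; ForAnyValue/ForAllValues do not belong on it.
    for st in policy["Statement"]:
        for op, keys in st.get("Condition", {}).items():
            if op.startswith(("ForAnyValue:", "ForAllValues:")) and "ec2:InstanceType" in keys:
                findings.append(f"{st.get('Sid')}: set operator {op} on single-valued ec2:InstanceType")
    return findings


if __name__ == "__main__":
    # Made-up values; substitute your own account, region, role and VPC.
    policy = render(SAMPLE_TEMPLATE, ACCOUNT_ID="123456789012", REGION="eu-central-1",
                    ROLE_NAME="image-builder", VPC_ID="vpc-0123456789abcdef0")
    for finding in lint(policy):
        print("FINDING:", finding)
```

Run it against the full template by reading the policy file into render() instead of SAMPLE_TEMPLATE; the checks are structural, so they work before the policy exists in IAM and can be kept in the pipeline that updates it.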
Azure Prerequisites
Please have a look at the following prerequisites for creating images on Azure.
Create a service principal with the Contributor role on your Azure subscription using the Azure CLI.
Source: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli
Command Format
az ad sp create-for-rbac --name [ServicePrincipalName] --role Contributor --scopes /subscriptions/[SubscriptionId] --years 1
Command Example
az ad sp create-for-rbac --name xoap-image-principal --role Contributor --scopes /subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --years 1
Command Output
{
  "appId": "[ClientId (Guid)]",
  "displayName": "xoap-image-principal",
  "name": "http://xoap-image-principal",
  "password": "[Password/ClientSecret]",
  "tenant": "[TenantId (Guid)]"
}
From that output you can create the connection for your subscription with the following values:
SubscriptionId: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TenantId (tenant): [Guid]
ClientId (appId): [Guid]
ClientSecret (password): [Text]
The password is shown only in this output and cannot be retrieved later, so copy it straight into the connection or a secret store and do not commit it anywhere. It expires after the period given with --years (one year in the example above); after that the connection stops working until you issue a new secret with az ad sp credential reset and update the connection. Contributor on the whole subscription is more than image building needs: if your builds live in a single resource group, scope the assignment to it instead, e.g. --scopes /subscriptions/[SubscriptionId]/resourceGroups/[ResourceGroupName].