Different winrm accounts for AWS and Azure?

I’m currently learning Packer and Terraform. Something I noticed was that Azure and AWS appear to utilize two different WinRM accounts. AWS utilizes Administrator and Azure utilizes an account called packer. Is that by design? This seems to cause an issue when I try to use elevated credentials for a provisioner in a multiple builder script. You can only specify one account for the elevation. And from what I have been researching, there doesn’t appear to be a way to create a conditional provisioner based on the way JSON works.

So how do people get around this? Is there a better way to handle it? A big benefit of Packer, from what I can see, is incorporating multiple builders in the same script. But how do you do this with Windows templates?

Hi @mkozlowski

I’m not sure about the credentials part of your question, but I wanted to answer the “conditional provisioners” part. There are statements to define which provisioners run on named builders: except and only. Do these satisfy your needs?

For the builders, it should be possible, going from the documentation, to specify exactly which account is using the cloud. For AWS for example, you can specify an assume role, or specific account. Doesn’t this cover your need, or am I misunderstanding something?


Hi Bruce, I hadn’t come across the “except and only” options prior. I’ll have to take a look at these and see if they will work for what we are trying to do. It sounds like they would, based on what I had just read. Though it’s interesting this provisioners section was only specified in the template category and not the other provisioners category that is listed under Builders, etc. That’s probably why I hadn’t found it. I have been spending the bulk of my time reading through the other categories (the Builders and Provisioners). I’ll give this a try and follow up.

For the ability to assume a role… this may work, but I was looking more for a way to specify my own service account on the templates. Maybe one I could use across the board… I had tried specifying one in my custom_data_file/user_data_file. Even though it’s insecure specifying the password in plain text, it didn’t seem to take or use the credentials I had specified. Does Azure also have this feature to assume a role? If so, this might be another option.

I’ll give the “except and only” a shot, this may work for my needs. Thank you for the help and clarification.


Just following up, the “except and only” option worked for our needs. I just specified one provisioner script to run under AWS and one under Azure (same script but different credentials). This allows me to specify a different elevated user account for each. Not sure how to mark this thread as answered or solved?

Thanks for the response Bruce! This was a big help.


So glad you found what you were looking for :tada:
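
The approach that resolved this thread, as an added example that is not from the posters: a legacy JSON template in which the same script runs once per builder via `only`, each copy with its own `elevated_user`. The builder names, the script and user-data paths, and the uppercase placeholder values are assumptions; `{{.WinRMPassword}}` is Packer's template variable for the WinRM password it uses to connect to the build instance.

```json
{
  "_comment": "Added example. Builder names, file paths and UPPERCASE placeholders are assumptions.",
  "variables": {
    "client_id": "{{env `ARM_CLIENT_ID`}}",
    "client_secret": "{{env `ARM_CLIENT_SECRET`}}",
    "tenant_id": "{{env `ARM_TENANT_ID`}}",
    "subscription_id": "{{env `ARM_SUBSCRIPTION_ID`}}"
  },
  "sensitive-variables": ["client_secret"],
  "builders": [
    {
      "name": "aws",
      "type": "amazon-ebs",
      "region": "REGION",
      "source_ami": "SOURCE_AMI_ID",
      "instance_type": "t3.medium",
      "ami_name": "win-base-{{timestamp}}",
      "user_data_file": "./bootstrap_win.txt",
      "communicator": "winrm",
      "winrm_username": "Administrator"
    },
    {
      "name": "azure",
      "type": "azure-arm",
      "client_id": "{{user `client_id`}}",
      "client_secret": "{{user `client_secret`}}",
      "tenant_id": "{{user `tenant_id`}}",
      "subscription_id": "{{user `subscription_id`}}",
      "managed_image_resource_group_name": "RESOURCE_GROUP",
      "managed_image_name": "win-base",
      "os_type": "Windows",
      "image_publisher": "MicrosoftWindowsServer",
      "image_offer": "WindowsServer",
      "image_sku": "2019-Datacenter",
      "location": "LOCATION",
      "vm_size": "Standard_D2_v2",
      "communicator": "winrm",
      "winrm_use_ssl": true,
      "winrm_insecure": true,
      "winrm_timeout": "5m",
      "winrm_username": "packer"
    }
  ],
  "provisioners": [
    { "type": "powershell", "script": "./setup.ps1", "only": ["aws"],
      "elevated_user": "Administrator", "elevated_password": "{{.WinRMPassword}}" },
    { "type": "powershell", "script": "./setup.ps1", "only": ["azure"],
      "elevated_user": "packer", "elevated_password": "{{.WinRMPassword}}" }
  ]
}
```

Using `{{.WinRMPassword}}` for both copies keeps the elevation password out of the template and out of any user-data file, so only the account name differs between the two provisioners.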