Tagging resources on creation, as a security feature / issue

As best I can tell, when resources are created with the AWS EBS AMI builder, the AWS resources (i.e. everything from the keypair to the AMI image itself) are created first, and then tagged.

I’d like to understand why that is. When I dove into the code, it looked like a lot of it could actually tag the resources on creation. But the tags are not being passed into the code that creates the resources. They are tagged after-the-fact.

This is an issue for security because whatever node / service account / pod that is running Packer will need to be able to have broad AWS permissions on any resource, including terminating arbitrary instances. You can’t try to restrict the permissions with tags, because the tags are applied after-the-fact, so you have to be able to tag *.

If I’m mistaken, or if there’s an optional flag I missed, I’d love to be corrected.

Adding to @baguasquirrel’s thoughts:

Using tags would allow IAM policies that only allow Packer to copy, delete, etc. EC2 instances that it created. This is a well-documented AWS security practice: Controlling access to AWS resources using tags - AWS Identity and Access Management

As it is done today, Packer cannot safely be used inside an account with any other EC2 resources, since the Packer credentials could be used to access those resources.

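As an added illustration that is not part of the thread, this is the shape of IAM policy the reply has in mind: it assumes a tag key `CreatedBy` with value `packer` that Packer would have to supply in the RunInstances call itself, and it scopes termination to instances carrying that tag via `aws:ResourceTag` while restricting `ec2:CreateTags` to the creation call via `ec2:CreateAction`. With the current create-then-tag order, the first statement would reject the untagged RunInstances request and the last statement would never match, which is exactly why the policy cannot be tightened today.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyWhenTaggedAtCreation",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/CreatedBy": "packer" }
      }
    },
    {
      "Sid": "SupportingResourcesForLaunch",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*::image/*"
      ]
    },
    {
      "Sid": "TagOnlyDuringCreation",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    },
    {
      "Sid": "TerminateOnlyOwnInstances",
      "Effect": "Allow",
      "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/CreatedBy": "packer" }
      }
    }
  ]
}
```

Other resources the builder creates (the temporary key pair, security group, snapshots and the AMI) would need the same `aws:RequestTag` / `aws:ResourceTag` treatment, which is only possible once each of them is tagged in its own create call.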