Amazon Elastic Compute Cloud
User Guide for Linux Instances

Setting Up the AMI Tools

You can use the AMI tools to create and manage instance store-backed Linux AMIs. To use the tools, you must install them on your Linux instance. The AMI tools are available as both an RPM and as a .zip file for Linux distributions that don't support RPM.

To set up the AMI tools using the RPM

  1. Install Ruby using the package manager for your Linux distribution, such as yum. For example:

    [ec2-user ~]$ sudo yum install -y ruby
  2. Download the RPM file using a tool such as wget or curl. For example:

    [ec2-user ~]$ sudo wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.noarch.rpm
  3. Install the RPM using the following command.

    [ec2-user ~]$ sudo yum install ec2-ami-tools.noarch.rpm
  4. Verify your AMI tools installation using the ec2-ami-tools-version command.

    [ec2-user ~]$ ec2-ami-tools-version

    Note

    If you receive a load error such as "cannot load such file -- ec2/amitools/version (LoadError)", complete the next step to add the location of your AMI tools installation to your RUBYLIB path.

  5. (Optional) If you received an error in the previous step, add the location of your AMI tools installation to your RUBYLIB path.

    1. Run the following command to determine the paths to add.

      [ec2-user ~]$ rpm -qil ec2-ami-tools | grep ec2/amitools/version
      /usr/lib/ruby/site_ruby/ec2/amitools/version.rb
      /usr/lib64/ruby/site_ruby/ec2/amitools/version.rb

      In the above example, the missing file from the previous load error is located at /usr/lib/ruby/site_ruby and /usr/lib64/ruby/site_ruby.

    2. Add the locations from the previous step to your RUBYLIB path.

      [ec2-user ~]$ export RUBYLIB=$RUBYLIB:/usr/lib/ruby/site_ruby:/usr/lib64/ruby/site_ruby
    3. Verify your AMI tools installation using the ec2-ami-tools-version command.

      [ec2-user ~]$ ec2-ami-tools-version

To set up the AMI tools using the .zip file

  1. Install Ruby and unzip using the package manager for your Linux distribution, such as apt-get. For example:

    [ec2-user ~]$ sudo apt-get update -y && sudo apt-get install -y ruby unzip
  2. Download the .zip file using a tool such as wget or curl. For example:

    [ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
  3. Unzip the files into a suitable installation directory, such as /usr/local/ec2.

    [ec2-user ~]$ sudo mkdir -p /usr/local/ec2
    [ec2-user ~]$ sudo unzip ec2-ami-tools.zip -d /usr/local/ec2

    Notice that the .zip file contains a folder ec2-ami-tools-x.x.x, where x.x.x is the version number of the tools (for example, ec2-ami-tools-1.5.7).

  4. Set the EC2_AMITOOL_HOME environment variable to the installation directory for the tools. For example:

    [ec2-user ~]$ export EC2_AMITOOL_HOME=/usr/local/ec2/ec2-ami-tools-x.x.x
  5. Add the tools to your PATH environment variable. For example:

    [ec2-user ~]$ export PATH=$EC2_AMITOOL_HOME/bin:$PATH
  6. You can verify your AMI tools installation using the ec2-ami-tools-version command.

    [ec2-user ~]$ ec2-ami-tools-version

Managing Signing Certificates

Certain commands in the AMI tools require a signing certificate (also known as an X.509 certificate). You must create the certificate and then upload it to AWS. For example, you can use a third-party tool such as OpenSSL to create the certificate.

To create a signing certificate

  1. Install and configure OpenSSL.

  2. Create a private key using the openssl genrsa command and save the output to a .pem file. We recommend that you create a 2048- or 4096-bit RSA key.

    openssl genrsa 2048 > private-key.pem
  3. Generate a certificate using the openssl req command.

    openssl req -new -x509 -nodes -sha256 -days 365 -key private-key.pem -outform PEM -out certificate.pem
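
A pre-upload check for the key and certificate created in the steps above, added here as an example (not part of the AWS guide): it creates the key with owner-only permissions, then confirms that the certificate matches the key and is not close to expiry. The function names, the -subj value and the 30-day threshold are assumptions; the openssl options follow the steps above.

```shell
#!/bin/sh
# Added example, not from the AWS guide. Function names, the -subj value and
# the 30-day threshold are assumptions; the openssl options follow the steps above.

# Create the RSA key under umask 077 so the new file is mode 600.
make_key() {  # usage: make_key <key.pem> [bits]
    ( umask 077 && openssl genrsa "${2:-2048}" 2>/dev/null > "$1" )
}

# Self-signed certificate as in step 3; -subj only avoids the interactive prompts.
make_cert() {  # usage: make_cert <key.pem> <cert.pem> [days]
    openssl req -new -x509 -nodes -sha256 -days "${3:-365}" \
        -key "$1" -outform PEM -out "$2" -subj "/CN=ami-tools-signing-example"
}

# Succeeds only if the certificate carries the public key derived from the key file.
cert_matches_key() {  # usage: cert_matches_key <key.pem> <cert.pem>
    cmk_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cmk_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$cmk_key" = "$cmk_cert" ]
}

# Succeeds if the certificate is still valid <days> from now.
cert_valid_for() {  # usage: cert_valid_for <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Octal permission bits of a file (GNU stat, as on Linux instances).
key_mode() { stat -c '%a' "$1"; }

# Run all three checks before uploading certificate.pem.
preflight() {  # usage: preflight <key.pem> <cert.pem>
    [ "$(key_mode "$1")" = "600" ] || { echo "key is not mode 600" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    cert_valid_for "$2" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
}
```

Run `preflight private-key.pem certificate.pem` after step 3; a non-zero exit status means the pair should be regenerated rather than uploaded.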

To upload the certificate to AWS, use the upload-signing-certificate command.

aws iam upload-signing-certificate --user-name user-name --certificate-body file://path/to/certificate.pem

To list the certificates for a user, use the list-signing-certificates command:

aws iam list-signing-certificates --user-name user-name

To disable or re-enable a signing certificate for a user, use the update-signing-certificate command. The following command disables the certificate:

aws iam update-signing-certificate --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE --status Inactive --user-name user-name

To delete a certificate, use the delete-signing-certificate command:

aws iam delete-signing-certificate --user-name user-name --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE