
I am attempting to copy an EC2 image for the purpose of encrypting it.

The command line I issue is:

$ aws ec2 copy-image --name encrypted-kafka-201707121432 \
  --source-region ap-southeast-2 --encrypted --source-image-id ami-2a617249 \
  --region ap-southeast-2 

This leads to the following error being emitted:

An error occurred (InvalidRequest) when calling the CopyImage operation:
  Images with EC2 BillingProduct codes cannot be copied to another AWS account.

I have looked around and I understand that this error is typically seen when copying Windows AMIs (e.g. here) and it is similar to this issue on SO (here).

However, this image is not from the Marketplace, and it is not a Windows AMI, and it does not have any ProductCodes in it:

$ aws ec2 describe-images --image-ids ami-2a617249 --region ap-southeast-2 \
    --query 'Images[].ProductCodes'
[]

Compare this to another one that does:

$ aws ec2 describe-images --image-ids ami-00280263 --region ap-southeast-2 \
    --query 'Images[].ProductCodes'
[
  {
    "ProductCodeType": "marketplace",
    "ProductCodeId": "dsli9z1o9amfv5g2hsmdj1pph"
  }
]

The image was baked using Packer.

I am out of ideas. Why is this happening - am I doing something wrong, or is this undocumented behaviour?

Alex Harvey
  • Was the instance generated from an AMI of the Marketplace instance, or is it in any way associated with a Marketplace instance? See also https://serverfault.com/questions/775946/aws-encrypted-ebs-boot-volumes-for-windows-instances and http://blog.open-tribute.org/2017/04/18/ami-copy-failed-billingproduct/ – John Rotenstein Jul 12 '17 at 10:23
  • To the best of my knowledge, i.e. unless I have been misled, no. I guess to rule this out I would need to fully do all upstream AMI bakes myself, or is there a way of testing? – Alex Harvey Jul 12 '17 at 10:53
  • Turns out the answer is "yes" after all. Full explanation below. – Alex Harvey Jul 14 '17 at 12:52

1 Answer


It turns out that a descendant of this AMI did come from the Amazon Marketplace.

A simplified version of the baking pipeline is:

Account A:

Marketplace AMI (ami-xxxxxxxx) -> packer build (ami-yyyyyyyy) -> share to Account B

Account B:

I then issued:

aws ec2 copy-image --name encrypted-copy --source-region ap-southeast-2 \
  --encrypted --source-image-id ami-yyyyyyyy

And received:

An error occurred (InvalidRequest) when calling the CopyImage operation:
  Images with EC2 BillingProduct codes cannot be copied to another AWS account.

From account B I could check the owner, namely the Account that shared it with me:

$ aws ec2 describe-images --image-ids ami-yyyyyyyy --region ap-southeast-2 \
    --query 'Images[0].OwnerId'

This returned the 16-digit account ID of Account A.

At this point it is helpful to understand that baking an AMI using Packer causes the product codes to be apparently lost. However, those product codes remain, and Amazon support can see them. It requires a call to Amazon support to confirm this part.

To work around this, I now maintain a script, encrypt_ami, in Python or Bash (AWS CLI) that can be used.

Alex Harvey
  • So you share the image, spin it up, and create your copy from the running instance, rather than being able to just make a copy of the image. – Len Jaffe Oct 22 '18 at 21:02
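The question checks ProductCodes and the answer checks OwnerId by hand before discovering that a shared, Packer-baked image can still carry a hidden BillingProduct. The following is an added example, not code from the question, the answer, or the encrypt_ami script mentioned above: a pre-flight check that inspects the same describe-images fields (ProductCodes, OwnerId, Platform) through injected clients, so it runs offline here against constructed responses. The sample image records, account IDs and the FakeEC2/FakeSTS stand-ins are constructed for this example; with real credentials you would pass boto3.client("ec2", region_name=...) and boto3.client("sts") instead.

```python
"""Pre-flight check before `copy-image --encrypted` (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class CopyPreflight:
    image_id: str
    owner_id: str
    caller_account: str
    product_codes: List[Dict[str, str]]
    platform: str
    blockers: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.blockers


def preflight_copy_image(ec2: Any, sts: Any, image_id: str) -> CopyPreflight:
    """Collect the attributes that decide whether an encrypted copy can succeed."""
    images = ec2.describe_images(ImageIds=[image_id]).get("Images", [])
    if not images:
        raise ValueError(f"{image_id} not found or not shared with this account")
    img = images[0]
    caller = sts.get_caller_identity()["Account"]
    check = CopyPreflight(image_id, img["OwnerId"], caller,
                          img.get("ProductCodes", []), img.get("Platform", "linux"))
    # Visible Marketplace product codes: copy-image refuses these outright.
    if check.product_codes:
        ids = ", ".join(pc["ProductCodeId"] for pc in check.product_codes)
        check.blockers.append(f"image carries product codes ({ids})")
    # Windows AMIs carry an EC2 billing product even with an empty ProductCodes list.
    if check.platform.lower() == "windows":
        check.blockers.append("Windows platform implies an EC2 BillingProduct code")
    # Shared from another account: as the answer found, an empty ProductCodes list is
    # not proof that no billing product is attached, and only AWS support can see it.
    if check.owner_id != caller:
        check.blockers.append(
            f"image is owned by {check.owner_id}, not the caller {caller}; a hidden "
            "BillingProduct inherited from a Marketplace ancestor would not be visible")
    return check


def copy_image_if_safe(ec2: Any, sts: Any, image_id: str, name: str, region: str) -> str:
    """Run the pre-flight check, then issue the encrypted copy; raise with the reasons otherwise."""
    check = preflight_copy_image(ec2, sts, image_id)
    if not check.ok:
        raise RuntimeError("refusing to copy " + image_id + ": " + "; ".join(check.blockers))
    resp = ec2.copy_image(Name=name, SourceImageId=image_id, SourceRegion=region, Encrypted=True)
    return resp["ImageId"]


# --- constructed stand-ins so the check runs offline (not real AWS data) ---------------
class FakeEC2:
    def __init__(self, images: List[Dict[str, Any]]):
        self._images = {i["ImageId"]: i for i in images}

    def describe_images(self, ImageIds: List[str]) -> Dict[str, Any]:
        return {"Images": [self._images[i] for i in ImageIds if i in self._images]}

    def copy_image(self, **kwargs: Any) -> Dict[str, str]:
        return {"ImageId": "ami-copy-of-" + kwargs["SourceImageId"]}


class FakeSTS:
    def __init__(self, account: str):
        self._account = account

    def get_caller_identity(self) -> Dict[str, str]:
        return {"Account": self._account}


CALLER_ACCOUNT = "222222222222"  # constructed: "Account B" from the answer
SAMPLE_IMAGES = [
    # constructed: Packer-baked image shared from Account A, no visible product codes
    {"ImageId": "ami-2a617249", "OwnerId": "111111111111", "ProductCodes": []},
    # constructed owner, but the product code is the one quoted in the question
    {"ImageId": "ami-00280263", "OwnerId": "999999999999",
     "ProductCodes": [{"ProductCodeType": "marketplace", "ProductCodeId": "dsli9z1o9amfv5g2hsmdj1pph"}]},
    # constructed: an image baked in the caller's own account
    {"ImageId": "ami-0aaaaaaaaaaaaaaaa", "OwnerId": CALLER_ACCOUNT, "ProductCodes": []},
]


def run_samples() -> Dict[str, List[str]]:
    """Pre-flight every sample image; returns image id -> list of blockers."""
    ec2, sts = FakeEC2(SAMPLE_IMAGES), FakeSTS(CALLER_ACCOUNT)
    return {i["ImageId"]: preflight_copy_image(ec2, sts, i["ImageId"]).blockers for i in SAMPLE_IMAGES}


def demo_copy(image_id: str) -> str:
    """Attempt the guarded copy against the constructed clients; returns the new id or the refusal."""
    ec2, sts = FakeEC2(SAMPLE_IMAGES), FakeSTS(CALLER_ACCOUNT)
    try:
        return copy_image_if_safe(ec2, sts, image_id, "encrypted-copy", "ap-southeast-2")
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    for image, reasons in run_samples().items():
        print(image, "OK" if not reasons else reasons)
```

The owner check is the one the thread turned out to need: a shared image with an empty ProductCodes list passes the naive check but still fails at copy time, so the script treats "owned by someone else" as a reason to rebuild the image in your own account (or, per the last comment, copy from a running instance) before spending time on the copy call.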