How to script AWS AppStream 2.0 ImageBuilder

AppStream (2.0) is a fully managed non-persistent desktop and application service for remotely accessing your work.

The ImageBuilder forms the first stage in the creation and definition of an image that can be used to stream.

You can use the AWS CLI to initiate the creation of an image in ImageBuilder:

aws appstream create-image-builder \
  --name <name> \
  --image-name <image_name> \
  --instance-type <instance_type> \
  --vpc-config SubnetIds=<subnet_ids>,SecurityGroupIds=<security_group_ids> \
  --iam-role-arn <iam_role_arn> \
  --enable-default-internet-access

Swap out the above items with your own values:

<name> = "org-image-name"
<image_name> = "AppStream-WinServer2019-10-08-2021"
<instance_type> = stream.standard.small
<subnet_ids> = subnet-xxxxxxxxxxxx1234
<security_group_ids> = sg-xxxxxxxxxxxx1234
<iam_role_arn> = arn:aws:iam::xxxxxxxx1234:role/SomeRoleName

How to create the role

For the permissions, attach policies for the services this instance will call out to. This could include AmazonS3FullAccess, AmazonFSxFullAccess and AmazonAppStreamServiceAccess as an example.

Additionally, it is important to make sure the role's trust relationship names appstream.amazonaws.com as the trusted service. A trust policy would look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
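
An added example (not part of the original post): a Python check that a role's trust policy lets only appstream.amazonaws.com assume it, and that flags the *FullAccess managed policies named above as candidates for scoping down. The sample policies are constructed for illustration and the function names are this example's own.

```python
import json

EXPECTED_SERVICE = "appstream.amazonaws.com"  # trusted service named on the page

# Constructed samples: the page's trust policy, and a loosened variant.
PAGE_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "appstream.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}"""
LOOSE_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": {"Service": ["appstream.amazonaws.com", "ec2.amazonaws.com"],
                "AWS": "*"}, "Action": ["sts:AssumeRole"]}}"""

def _as_list(value):
    """IAM JSON accepts either a single string or a list in these positions."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_trust_policy(policy_json):
    """Return findings; an empty list means only AppStream may assume the role."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings, trusted = [], False
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"statement {i}: principal {principal!r} is not scoped")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if (kind, value) != ("Service", EXPECTED_SERVICE):
                    findings.append(f"statement {i}: extra principal {kind}={value}")
                # Exact match only: wildcard actions are not counted as valid trust.
                elif "sts:AssumeRole" in _as_list(stmt.get("Action")):
                    trusted = True
    if not trusted:
        findings.append(f"{EXPECTED_SERVICE} cannot call sts:AssumeRole")
    return findings

def broad_managed_policies(policy_names):
    """Flag attached managed policies that grant a whole service (*FullAccess)."""
    return [name for name in policy_names if name.endswith("FullAccess")]

if __name__ == "__main__":
    for label, doc in (("page", PAGE_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY)):
        print(label, audit_trust_policy(doc) or "OK")
    print(broad_managed_policies(
        ["AmazonS3FullAccess", "AmazonFSxFullAccess", "AmazonAppStreamServiceAccess"]))
```

The trust policy JSON for an existing role can be fed to audit_trust_policy() after exporting it with `aws iam get-role`.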

How to Join an Active Directory Domain on Creation

If you would like to join an Active Directory Domain on creation, then you will also need to pass the --domain-join-info flag to the create-image-builder command above.

This can be done as follows:

aws appstream create-image-builder \
  --name <name> \
  --image-name <image_name> \
  --instance-type <instance_type> \
  --vpc-config SubnetIds=<subnet_ids>,SecurityGroupIds=<security_group_ids> \
  --iam-role-arn <iam_role_arn> \
  --domain-join-info '{"DirectoryName": "<directory>","OrganizationalUnitDistinguishedName": "<OU>"}' \
  --enable-default-internet-access

The <directory> and <OU> need to be created and configured in the DirectoryConfig section of AppStream.

An example value of the above could be:

--domain-join-info '{"DirectoryName": "your.cloud","OrganizationalUnitDistinguishedName": "OU=Computers,OU=yourcloud,DC=your,DC=cloud"}'

Andrew