How to Script AWS AppStream 2.0 ImageBuilder


Amazon AppStream 2.0 is a fully managed, non-persistent desktop and application streaming service: users connect to applications running on AWS-hosted instances instead of installing them locally.

An image builder is the first stage in defining an image. It is an instance you connect to, install and configure your applications on, and then snapshot into the image that your fleets stream from.

You can use the AWS CLI to initiate the creation of an image in ImageBuilder:

aws appstream create-image-builder \
  --name <name> \
  --image-name <image_name> \
  --instance-type <instance_type> \
  --vpc-config SubnetIds=<subnet_ids>,SecurityGroupIds=<security_group_ids> \
  --iam-role-arn <iam_role_arn> \
  --enable-default-internet-access

Replace the placeholders with your own values, for example:

<name> = "org-image-name"
<image_name> = "AppStream-WinServer2019-10-08-2021" (the AWS base image to start from; list the available ones with aws appstream describe-images --type PUBLIC)
<instance_type> = stream.standard.small
<subnet_ids> = subnet-xxxxxxxxxxxx1234
<security_group_ids> = sg-xxxxxxxxxxxx1234
<iam_role_arn> = arn:aws:iam::xxxxxxxx1234:role/SomeRoleName

--enable-default-internet-access gives the builder a public address so it can reach the internet directly. If the subnet already egresses through a NAT gateway, omit the flag so the builder does not get a public address it does not need.

How to create the role

For the permissions, attach policies covering the services the builder will call out to while you install and configure software. AmazonS3FullAccess, AmazonFSxFullAccess and AmazonAppStreamServiceAccess are the usual starting point, but the two *FullAccess policies grant every action on every bucket and file system in the account. Prefer a customer-managed policy scoped to the specific buckets or file systems the build actually reads from, and remove anything the finished image will not need.

It is also essential that the role's trust relationship allows the AppStream service principal, appstream.amazonaws.com, to assume it; a role without this trust cannot be used as --iam-role-arn. The trust policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "appstream.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

How to Join an Active Directory Domain on Creation

If you would like the image builder to join an Active Directory domain when it is created, pass the --domain-join-info option to the create-image-builder command above.

This can be done as follows:

aws appstream create-image-builder \
  --name <name> \
  --image-name <image_name> \
  --instance-type <instance_type> \
  --vpc-config SubnetIds=<subnet_ids>,SecurityGroupIds=<security_group_ids> \
  --iam-role-arn <iam_role_arn> \
  --domain-join-info '{"DirectoryName": "<directory>","OrganizationalUnitDistinguishedName": "<OU>"}' \
  --enable-default-internet-access

The <directory> must already exist as a Directory Config in AppStream (Directory Configs in the console, or aws appstream create-directory-config), including the service account credentials AppStream uses to perform the join, and <OU> must be one of the organizational unit distinguished names registered on that config. The builder's subnets also need network access to the domain controllers for DNS, Kerberos and LDAP, so check the security group and route tables before creating the builder.

An example value of the above could be:

--domain-join-info '{"DirectoryName": "your.cloud","OrganizationalUnitDistinguishedName": "OU=Computers,OU=yourcloud,DC=your,DC=cloud"}'
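The three steps above (the create-image-builder command, the role and its trust policy, and the optional domain join) can be scripted as one reviewable dry run. The script below is an added example written for this page, not code from the original article or from AWS. It validates the identifier shapes before any API call, writes the trust policy, and prints the aws commands rather than executing them, so it can be run and checked offline; pipe its output into sh to actually execute it. Every name, account ID, subnet, security group, policy ARN and directory value in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example for the AppStream 2.0 ImageBuilder procedure on this page.
# Prints the aws commands instead of running them; pipe into sh to execute.
# All IDs, names and ARNs are constructed placeholders: replace them.
set -eu

# --- input checks: catch a malformed ID locally before the API rejects it ---
valid_subnet_id()     { printf '%s' "$1" | grep -Eq '^subnet-[0-9a-f]{8}([0-9a-f]{9})?$'; }
valid_sg_id()         { printf '%s' "$1" | grep -Eq '^sg-[0-9a-f]{8}([0-9a-f]{9})?$'; }
valid_role_arn()      { printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'; }
valid_instance_type() { printf '%s' "$1" | grep -Eq '^stream\.[a-z0-9-]+\.[a-z0-9]+$'; }
valid_ou_dn()         { printf '%s' "$1" | grep -Eq '^OU=[^,]+(,(OU|DC)=[^,]+)*$'; }

# Trust policy that lets the AppStream service principal assume the role.
trust_policy_json() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "appstream.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Print the IAM commands that create the role and attach the given policy ARNs.
# Usage: build_create_role <role_name> <trust_policy_file> <policy_arn>...
build_create_role() {
  role_name=$1; policy_file=$2; shift 2
  printf 'aws iam create-role --role-name %s --assume-role-policy-document file://%s\n' \
    "$role_name" "$policy_file"
  for policy_arn in "$@"; do
    printf 'aws iam attach-role-policy --role-name %s --policy-arn %s\n' "$role_name" "$policy_arn"
  done
}

# JSON value for --domain-join-info, in the shape shown in the article.
domain_join_arg() {
  printf '{"DirectoryName": "%s","OrganizationalUnitDistinguishedName": "%s"}' "$1" "$2"
}

# Print the create-image-builder command for the given values.
# Usage: build_create_image_builder <name> <image_name> <instance_type> <subnet_id>
#        <sg_id> <role_arn> [<directory_name> <ou_dn>]
# --enable-default-internet-access is only added when ENABLE_DEFAULT_INTERNET=1,
# so a builder in a NAT-routed subnet gets no public address by default.
build_create_image_builder() {
  ib_name=$1; ib_image=$2; ib_type=$3; ib_subnet=$4; ib_sg=$5; ib_role=$6
  ib_dir=${7:-}; ib_ou=${8:-}
  valid_instance_type "$ib_type" || { echo "bad instance type: $ib_type" >&2; return 1; }
  valid_subnet_id "$ib_subnet"   || { echo "bad subnet id: $ib_subnet" >&2; return 1; }
  valid_sg_id "$ib_sg"           || { echo "bad security group id: $ib_sg" >&2; return 1; }
  valid_role_arn "$ib_role"      || { echo "bad role arn: $ib_role" >&2; return 1; }
  cmd="aws appstream create-image-builder --name $ib_name --image-name $ib_image"
  cmd="$cmd --instance-type $ib_type"
  cmd="$cmd --vpc-config SubnetIds=$ib_subnet,SecurityGroupIds=$ib_sg"
  cmd="$cmd --iam-role-arn $ib_role"
  if [ -n "$ib_dir" ]; then
    valid_ou_dn "$ib_ou" || { echo "bad OU distinguished name: $ib_ou" >&2; return 1; }
    cmd="$cmd --domain-join-info '$(domain_join_arg "$ib_dir" "$ib_ou")'"
  fi
  if [ "${ENABLE_DEFAULT_INTERNET:-0}" = 1 ]; then
    cmd="$cmd --enable-default-internet-access"
  fi
  printf '%s\n' "$cmd"
}

main() {
  workdir=$(mktemp -d)
  trust_policy_json > "$workdir/trust-policy.json"
  role_name=AppStreamImageBuilderRole                    # constructed
  role_arn="arn:aws:iam::123456789012:role/$role_name"   # constructed account id
  # Placeholder policy: a customer-managed policy scoped to the build's buckets,
  # rather than a *FullAccess managed policy.
  build_create_role "$role_name" "$workdir/trust-policy.json" \
    "arn:aws:iam::123456789012:policy/AppStreamBuildArtifactsRead"
  build_create_image_builder org-image-name AppStream-WinServer2019-10-08-2021 \
    stream.standard.small subnet-0123456789abcdef0 sg-0123456789abcdef0 "$role_arn" \
    your.cloud "OU=Computers,OU=yourcloud,DC=your,DC=cloud"
  # After creation, poll the builder state and connect only once it is RUNNING.
  echo "aws appstream describe-image-builders --names org-image-name --query 'ImageBuilders[0].State' --output text"
}
main "$@"
```

The checks are deliberately strict about identifier shape (8 or 17 hex characters for subnet and security group IDs, a 12-digit account ID in the role ARN, an OU= prefix on the distinguished name) because these are the values most often pasted incorrectly from a console, and a typo there costs a failed builder rather than an immediate error.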