Problem
When using GCP Marketplace images as source images to create custom images with Packer, it is convenient to reference them by image family through the source_image_family configuration option, so that Packer builds from the latest image version in that family. However, this can fail because the GCP service account used by Packer has not been granted the compute.images.getFromFamily permission on the GCP project that hosts the source image family. For example, the source image family hosted by CIS (Center for Internet Security) in GCP is not granted public access.
Cause
The Packer code contains source_image_family and source_image_project_id:
source "googlecompute" "example" {
  project_id = var.project_id
  zone = var.zone
  source_image_family = "cis-red-hat-enterprise-linux-9-level-2"
  source_image_project_id = ["mpi-cis-public"]
  ...
}
Error message when running packer build .:
Error getting source image for instance creation: Could not find image, cis-red-hat-enterprise-linux-9-level-2, in projects, [mpi-cis-public]: 1 error(s) occurred:
* googleapi: Error 403: Required 'compute.images.getFromFamily' permission for 'projects/mpi-cis-public', forbidden
Solution
To verify whether a GCP Marketplace image belongs to an image family before adding source_image_family and source_image_project_id to the Packer source block, users can retrieve the image details via the GCP Console, the gcloud command, or the GCP API. This screenshot shows the details of a CIS-hardened image:
The image link is projects/mpi-cis-public/global/images/cis-red-hat-enterprise-linux-9-level-2-v2-0-0-4 (retrieved by clicking the Equivalent REST button). The Family field appears neither in the GCP Console nor in the REST API output, which indicates that the image family of this Marketplace GCE image either has not been created or is not publicly accessible.
Users will need to update the Packer code by removing source_image_family and using the source_image option instead to reference the source image:
source "googlecompute" "example" {
  project_id = var.project_id
  zone = var.zone
  // source_image_family = "cis-red-hat-enterprise-linux-9-level-2"
  source_image_project_id = ["mpi-cis-public"]
  source_image = "cis-red-hat-enterprise-linux-9-level-2-v2-0-0-6"
  ...
}
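One way to script the gcloud check described above before running packer build, as an added example that is not part of the original article. The function names and the GCLOUD override variable are hypothetical, and it assumes gcloud reports the same permission name in its error text as the API message shown earlier.

```shell
#!/bin/sh
# Added example: preflight check to run before `packer build`.
# GCLOUD is a hypothetical override so the CLI can be stubbed; defaults to gcloud.

# family_status PROJECT FAMILY
# Prints one of:
#   resolvable:<image-name>  the family can be read, source_image_family will work
#   forbidden                caller lacks compute.images.getFromFamily on PROJECT
#   error                    any other failure (typo, network, authentication)
family_status() {
    fs_project=$1
    fs_family=$2
    if fs_out=$("${GCLOUD:-gcloud}" compute images describe-from-family "$fs_family" \
            --project "$fs_project" --format='value(name)' 2>&1); then
        echo "resolvable:$fs_out"
    else
        case $fs_out in
            *compute.images.getFromFamily*) echo "forbidden" ;;
            *) echo "error" ;;
        esac
    fi
}

# image_family PROJECT IMAGE
# Prints the family recorded on one specific image, or "none" when the
# Family field is absent (the case described for the CIS image above).
image_family() {
    if_out=$("${GCLOUD:-gcloud}" compute images describe "$2" \
        --project "$1" --format='value(family)' 2>/dev/null) || { echo "error"; return 1; }
    echo "${if_out:-none}"
}

# packer_source_setting PROJECT FAMILY IMAGE
# Prints the line to use in the Packer source block: the family when it is
# readable, otherwise the pinned image name.
packer_source_setting() {
    case $(family_status "$1" "$2") in
        resolvable:*) echo "source_image_family = \"$2\"" ;;
        forbidden)    echo "source_image = \"$3\"" ;;
        *)            echo "unresolved"; return 1 ;;
    esac
}
```

Run it with the same service account credentials that Packer uses, since the permission result depends on the caller's identity.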