Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Title: Importing OpenBSD Raw Image to Create AMI - Service Role and Permissions Issue

0

I am trying to import an OpenBSD raw image (gzipped) from an S3 bucket to create an Amazon Machine Image (AMI) in AWS. I have followed the steps to create a VM import service role named "vmimport" and granted the necessary permissions. However, when I run the aws ec2 import-snapshot command using AWS CLI, I am encountering the following error:

An error occurred (InvalidParameter) when calling the ImportSnapshot operation: The service role vmimport provided does not exist or does not have sufficient permissions

I have double-checked the "vmimport" role, S3 bucket permissions, and the JSON input to the aws ec2 import-snapshot command, but I still cannot resolve the issue. I have also tried running the command as both the root user and an IAM user ("adming") with the necessary permissions.

Can you please help me identify the cause of the error and suggest a solution to successfully import the OpenBSD raw image and create an AMI?

Thank you!

Tópicos
Migração e modernizaçãoSegurança, identidade e conformidadeGestão e governança
Tags
Migração e modernizaçãoSegurança, identidade e conformidadeAWS Identity and Access ManagementInterface da linha de comando da AWSPolíticas do IAM
Idioma
English
rePost-User-2968909
feita há um ano438 visualizações
1 Resposta
1
Resposta aceita

This can occur when the VM Import Service role is missing or has insufficient privileges as described in the following document.
https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-troubleshooting.html#import-image-errors

Verify that the trusted entities are as follows.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": { "Service": "vmie.amazonaws.com" },
         "Action": "sts:AssumeRole",
         "Condition": {
            "StringEquals":{
               "sts:Externalid": "vmimport"
            }
         }
      }
   ]
}

Also check that the service role has the necessary permissions set as follows.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource": [
            "S3 ARN"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetObject"
         ],
         "Resource": [
            "S3 ARN/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource": "*"
      }
   ]
}
profile picture
ESPECIALISTA
Riku_Kobayashi
respondido há um ano

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante