Title: Importing OpenBSD Raw Image to Create AMI - Service Role and Permissions Issue

I am trying to import an OpenBSD raw image (gzipped) from an S3 bucket to create an Amazon Machine Image (AMI) in AWS. I have followed the steps to create a VM import service role named "vmimport" and granted the necessary permissions. However, when I run the aws ec2 import-snapshot command using AWS CLI, I am encountering the following error:

An error occurred (InvalidParameter) when calling the ImportSnapshot operation: The service role vmimport provided does not exist or does not have sufficient permissions

I have double-checked the "vmimport" role, S3 bucket permissions, and the JSON input to the aws ec2 import-snapshot command, but I still cannot resolve the issue. I have also tried running the command as both the root user and an IAM user ("adming") with the necessary permissions.

Can you please help me identify the cause of the error and suggest a solution to successfully import the OpenBSD raw image and create an AMI?

Thank you!

1 Answer
Accepted Answer

This can occur when the VM Import Service role is missing or has insufficient privileges as described in the following document.
https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-troubleshooting.html#import-image-errors

Verify that the trusted entities are as follows.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Principal": { "Service": "vmie.amazonaws.com" },
         "Action": "sts:AssumeRole",
         "Condition": {
            "StringEquals":{
               "sts:Externalid": "vmimport"
            }
         }
      }
   ]
}

Also check that the service role has the necessary permissions set as follows.

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource": [
            "S3 ARN"
         ]
      },
      {
         "Effect": "Allow",
         "Action": [
            "s3:GetObject"
         ],
         "Resource": [
            "S3 ARN/*"
         ]
      },
      {
         "Effect": "Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource": "*"
      }
   ]
}
EXPERT
answered a year ago
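
To compare a role against the two policies in the answer above, the following check is an added example (not part of the original answer and not AWS code): it takes the role's trust and permissions documents as Python dicts and lists what differs. The bucket name, the function names and the sample policies are constructed for illustration, and matching is simplified to Allow statements only.

```python
import fnmatch

# Required actions per resource scope, taken from the answer's permissions policy.
REQUIRED = {  # ec2:DescribeSnapshots stands in for the answer's "ec2:Describe*" (assumption)
    "bucket": ["s3:ListBucket", "s3:GetBucketLocation"],
    "objects": ["s3:GetObject"],
    "any": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
            "ec2:RegisterImage", "ec2:DescribeSnapshots"],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust(trust):
    """Return differences between a trust policy and the one in the answer."""
    for st in as_list(trust.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or "vmie.amazonaws.com" not in services
                or "sts:AssumeRole" not in as_list(st.get("Action", []))):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive ("sts:Externalid" == "sts:ExternalId").
        ext = [v for k, v in cond.items() if k.lower() == "sts:externalid"]
        return [] if ext and "vmimport" in as_list(ext[0]) else ["sts:ExternalId condition is not 'vmimport'"]
    return ["no Allow statement for vmie.amazonaws.com with sts:AssumeRole"]

def allows(st, action, resource):
    """Simplified match: Allow statements only; ignores Deny, NotAction, Condition."""
    return (st.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(st.get("Resource", []))))

def check_permissions(policy, bucket_arn):
    """Return required actions the policy does not allow on the needed resource."""
    targets = {"bucket": bucket_arn, "objects": bucket_arn + "/*", "any": "*"}
    return [f"{action} on {targets[scope]}"
            for scope, actions in REQUIRED.items() for action in actions
            if not any(allows(st, action, targets[scope]) for st in as_list(policy.get("Statement", [])))]

BUCKET = "arn:aws:s3:::example-import-bucket"  # constructed; object statement below lacks "/*"
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"],
     "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                   "ec2:RegisterImage", "ec2:Describe*"], "Resource": "*"}]}
```

On the constructed sample, the trust policy matches and the only gap reported is `s3:GetObject` on the bucket's objects, because the statement names the bucket ARN instead of the `S3 ARN/*` form the answer shows.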
