Update the trust relationship of the vmimport role to trust vmimport.amazonaws.com.
I tried this and got an error: "Invalid principal in policy: "SERVICE":"vmimport.amazonaws.com""
It took me a while but I found this document. The correct principal is "vmie.amazonaws.com"
https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html
Based on the information you've provided, it appears that there might be a few issues with your setup that are causing the "InvalidParameter: The service role provided does not exist or does not have sufficient permissions" error. Let's address these points:
- Role Name: The error message mentions "service role admin", but the correct role name should be "vmimport". Make sure you're using the correct role name when importing the image.
- Trust Relationship: Your trust relationship for the vmimport role is incorrect. It should trust the vmimport.amazonaws.com service, not ec2.amazonaws.com. Update your trust relationship to:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "vmimport.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }

- IAM Role Policy: Your IAM role policy looks mostly correct, but you might want to expand the S3 bucket permissions. Instead of limiting it to "import-to-ec2-*", consider using "*" to allow access to all S3 buckets, or specify the exact bucket you're using for the import.
- KMS Permissions: If you're using SSE-KMS encryption for your S3 bucket, you need to add KMS permissions to your role. Add the following to your role policy:

  {
    "Effect": "Allow",
    "Action": [ "kms:Decrypt" ],
    "Resource": "*"
  }

- User Permissions: While you have attached several policies to your user account, ensure that you have the necessary permissions to pass the role to the VM Import/Export service. You might need to add the "iam:PassRole" permission to your user.
To resolve this error:
- Update the trust relationship of the vmimport role to trust vmimport.amazonaws.com.
- Verify the role name you're using in the import command is exactly "vmimport".
- Expand the S3 bucket permissions in the role policy if necessary.
- Add KMS permissions if you're using SSE-KMS encryption.
- Ensure your user has the iam:PassRole permission.
After making these changes, try the import process again. If you still encounter issues, double-check that the vmimport role exists in the same AWS region where you're performing the import.
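The checklist in this answer (trust relationship, role name, S3 scoping, KMS) can be run offline before you call IAM. The following is an added example, not code from this thread or from AWS: a small Python linter for the vmimport role's trust policy and inline policy. The service principal it expects is vmie.amazonaws.com, with the sts:ExternalId=vmimport condition, as on the AWS required-permissions page the commenter linked above (the answer's vmimport.amazonaws.com principal is one of the values it flags, since IAM rejects it at create-role time). The policies, bucket names and object key below are constructed sample input; the check for S3 coverage shows why a policy scoped to import-to-ec2-* fails for a bucket with any other name.

```python
# Added example (not from the thread or from AWS): offline linter for the
# vmimport role's trust policy and inline policy. Expected principal,
# ExternalId condition and action list follow
# https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html
# All policies, bucket names and keys below are constructed sample input.
from fnmatch import fnmatchcase

VMIE_PRINCIPAL = "vmie.amazonaws.com"                           # what the docs specify
KNOWN_WRONG = {"vmimport.amazonaws.com", "ec2.amazonaws.com"}   # both tried in this thread


def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allows(stmt, action, resource=None):
    """True if this Allow statement grants `action` (and, if given, covers `resource`).
    IAM's * and ? wildcards map directly onto fnmatch patterns."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if resource is None:
        return True
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def lint_trust_policy(policy):
    """Findings for the role's trust relationship; an empty list means it looks right."""
    findings, trusted = [], set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        trusted.update(services)
        if VMIE_PRINCIPAL in services:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not any(k.lower() == "sts:externalid" for k in cond):   # condition keys are case-insensitive
                findings.append("missing StringEquals sts:ExternalId=vmimport condition (the docs include it)")
    if VMIE_PRINCIPAL not in trusted:
        wrong = ", ".join(sorted(trusted & KNOWN_WRONG))
        hint = f"; {wrong} is not the VM Import service principal" if wrong else ""
        findings.append(f"no statement lets {VMIE_PRINCIPAL} assume the role{hint}")
    return findings


def lint_role_policy(policy, import_bucket, sse_kms=False):
    """Findings for the role's permissions against the bucket actually used for the import."""
    findings = []
    stmts = policy.get("Statement", [])
    # Bucket-level actions are checked against the bucket ARN, GetObject against an object ARN.
    s3_checks = {
        "s3:GetBucketLocation": f"arn:aws:s3:::{import_bucket}",
        "s3:ListBucket": f"arn:aws:s3:::{import_bucket}",
        "s3:GetObject": f"arn:aws:s3:::{import_bucket}/disk.vmdk",   # constructed object key
    }
    for action, resource in s3_checks.items():
        if not any(_allows(s, action, resource) for s in stmts):
            findings.append(f"{action} is not allowed on {resource}")
    for action in ("ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage"):
        if not any(_allows(s, action) for s in stmts):
            findings.append(f"{action} is not allowed")
    if sse_kms and not any(_allows(s, "kms:Decrypt") for s in stmts):
        findings.append("bucket uses SSE-KMS but the role cannot kms:Decrypt")
    return findings


# Constructed samples: the trust policy from the answer above (which IAM rejects)
# next to the docs' version, and a role policy scoped to the import-to-ec2-* prefix.
ANSWER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "vmimport.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
DOCS_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": VMIE_PRINCIPAL},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
SCOPED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::import-to-ec2-*", "arn:aws:s3:::import-to-ec2-*/*"]},
    {"Effect": "Allow",
     "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                "ec2:RegisterImage", "ec2:Describe*"],
     "Resource": "*"}]}

if __name__ == "__main__":
    print("answer's trust policy:", lint_trust_policy(ANSWER_TRUST))
    print("docs' trust policy:   ", lint_trust_policy(DOCS_TRUST))
    print("scoped policy, matching bucket:", lint_role_policy(SCOPED_ROLE_POLICY, "import-to-ec2-vm1"))
    print("scoped policy, other bucket:   ", lint_role_policy(SCOPED_ROLE_POLICY, "my-vm-images", sse_kms=True))
```

Run it against the JSON you are about to pass to create-role and put-role-policy; the bucket argument is the one you name in the import-image disk container, which is the part the "import-to-ec2-" prefix scoping silently misses. The role name itself is not linted here because the error text in the question already shows it: the import must reference a role called exactly vmimport.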
Sources
Troubleshooting VM Import/Export - VM Import/Export
Import your VM as an image - VM Import/Export
Use ImportImage with an AWS SDK or CLI - AWS SDK Code Examples