
Help with EC2 Image Import – "InvalidParameter: The service role provided does not exist or does not have sufficient permissions" error

0

Hello, I'm trying to import a Windows image to EC2 using the ImportImage feature, but I keep encountering the following error:

InvalidParameter: The service role admin provided does not exist or does not have sufficient permissions.

Context:

I’ve created the required IAM role for VM Import/Export, but the error persists despite following the standard documentation. Here are the details:

  1. IAM Role Policy for vmimport Role (as per AWS documentation):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::import-to-ec2-*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Trust Relationship for vmimport:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  3. Policies attached to the user account:

    • AdministratorAccess
    • AmazonEC2FullAccess
    • AmazonS3FullAccess
    • AWSImportExportFullAccess
    • VMImportExportRoleForAWSConnector

Steps I’ve Taken:

  1. I ensured that the vmimport role is correctly created and has the necessary policies (vmimport, S3 permissions, EC2 permissions).
  2. Double-checked that the trust relationship allows EC2 to assume the role.
  3. Verified the bucket permissions and ensured the region aligns with EC2 and S3.

Despite all this, the error persists. It seems related to role or permission configuration, but I can't pinpoint the issue.

Questions:

  1. Is there anything specific I’m missing or doing wrong in configuring the vmimport role or the permissions?
  2. Are there any additional steps I need to take to resolve this error?

Any guidance would be greatly appreciated. Thanks in advance!

asked 2 months ago, 90 views
2 Answers
0

Update the trust relationship of the vmimport role to trust vmimport.amazonaws.com.

I tried this and get an error: "Invalid principal in policy: "SERVICE":"vmimport.amazonaws.com""

It took me a while but I found this document. The correct principal is "vmie.amazonaws.com"

https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html

AWS
answered 9 days ago
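
An added example, not part of either answer: an offline check of a `vmimport` trust policy document for the principal named above. The function names are hypothetical, and the `sts:Externalid` condition with value `vmimport` is an assumption taken from the linked AWS guide, not from this thread.

```python
EXPECTED_SERVICE = "vmie.amazonaws.com"  # principal named in the answer above
EXPECTED_EXTERNAL_ID = "vmimport"        # assumption: value from the linked AWS guide

def as_list(value):
    """IAM accepts either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def check_vmimport_trust(policy):
    """Return a list of findings; an empty list means the trust policy passes."""
    findings, usable = [], False
    for stmt in as_list(policy.get("Statement")):
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EXPECTED_SERVICE not in services:
            findings.append(f"statement trusts {services or principal!r}, not {EXPECTED_SERVICE}")
            continue
        usable = True
        # Condition key names are not case-sensitive (the guide writes sts:Externalid).
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid"))
        if ext != [EXPECTED_EXTERNAL_ID]:
            findings.append("missing sts:ExternalId == 'vmimport' condition (confused-deputy guard)")
    if not usable:
        findings.append(f"no Allow statement lets {EXPECTED_SERVICE} call sts:AssumeRole")
    return findings

def make_trust(service, condition=None):
    """Build a one-statement trust policy (constructed sample input)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": service}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

ASKER_TRUST = make_trust("ec2.amazonaws.com")  # trust relationship as posted in the question
FIXED_TRUST = make_trust(EXPECTED_SERVICE,
                         {"StringEquals": {"sts:Externalid": EXPECTED_EXTERNAL_ID}})

if __name__ == "__main__":
    for name, doc in (("asker", ASKER_TRUST), ("fixed", FIXED_TRUST)):
        print(name, check_vmimport_trust(doc) or "OK")
```

The same function can be run on the live document returned by `aws iam get-role --role-name vmimport --query Role.AssumeRolePolicyDocument`.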
-1

Based on the information you've provided, it appears that there might be a few issues with your setup that are causing the "InvalidParameter: The service role provided does not exist or does not have sufficient permissions" error. Let's address these points:

  1. Role Name: The error message mentions "service role admin", but the correct role name should be "vmimport". Make sure you're using the correct role name when importing the image.

  2. Trust Relationship: Your trust relationship for the vmimport role is incorrect. It should trust the vmimport.amazonaws.com service, not ec2.amazonaws.com. Update your trust relationship to:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "vmimport.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  3. IAM Role Policy: Your IAM role policy looks mostly correct, but you might want to expand the S3 bucket permissions. Instead of limiting it to "import-to-ec2-*", consider using "*" to allow access to all S3 buckets, or specify the exact bucket you're using for the import.

  4. KMS Permissions: If you're using SSE-KMS encryption for your S3 bucket, you need to add KMS permissions to your role. Add the following to your role policy:

    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*"
    }

  5. User Permissions: While you have attached several policies to your user account, ensure that you have the necessary permissions to pass the role to the VM Import/Export service. You might need to add the "iam:PassRole" permission to your user.

To resolve this error:

  1. Update the trust relationship of the vmimport role to trust vmimport.amazonaws.com.
  2. Verify the role name you're using in the import command is exactly "vmimport".
  3. Expand the S3 bucket permissions in the role policy if necessary.
  4. Add KMS permissions if you're using SSE-KMS encryption.
  5. Ensure your user has the iam:PassRole permission.

After making these changes, try the import process again. If you still encounter issues, double-check that the vmimport role exists in the same AWS region where you're performing the import.
Sources
Troubleshooting VM Import/Export - VM Import/Export
Import your VM as an image - VM Import/Export
Use ImportImage with an AWS SDK or CLI - AWS SDK Code Examples

answered 2 months ago
EXPERT
reviewed 2 months ago
