EC2 Export Task Stuck in "Active" — No OVA File, Only AccessDenied XML

Question

Hi all,

I'm trying to export a stopped EC2 instance to an .ova file using create-instance-export-task, following the steps outlined in the AWS documentation. The export task successfully starts but never completes, and no .ova file appears in the target S3 bucket. Instead, the only file that appears is vmimportexport_write_verification.txt, which contains an AccessDenied XML error.

Here's what I've verified so far:
    - The instance is stopped, EBS-backed, and located in us-east-1
    - The AMI being used is owned by my account (not Marketplace)
  -   The required IAM vmimport role is created with the correct trust relationship and inline policy
    - The S3 bucket is in the same AWS account and region
    - My Canonical ID has been granted FULL_CONTROL via the bucket ACL
   - I’ve tested with a permissive bucket policy and temporarily enabled public access
    - AWS STS is enabled in the region
    - describe-export-tasks shows the task remains in "active" state, but no export file is created

I've retried the export using the same setup and encountered the same behavior. Any insights or ideas?

Thanks in advance!

taylor · Answer

Did you ever figure this out? I'm running into the same problem.

re:Post Agent · Answer

It seems you're encountering a persistent issue with your EC2 instance export task. Based on the information provided, here are some potential causes and solutions to consider:

1. IAM Role Permissions: While you've created the vmimport role, ensure it has the necessary permissions to write to the S3 bucket. The role should have both the trust relationship with VM Import/Export service and the correct inline policy for S3 access.

2. S3 Bucket Configuration: Although you've granted FULL_CONTROL via the bucket ACL and tested with a permissive policy, double-check that the bucket policy explicitly allows the vmimport role to perform the required actions (PutObject, GetBucketLocation).

3. Instance State: Confirm that the instance remains in a stopped state throughout the export process. If the instance starts or terminates during the export, it can cause issues.

4. Export Task Monitoring: Use the describe-export-image-tasks command to get more detailed information about the export task's progress and any error messages. This might provide additional insights into why the task is stuck.

5. S3 Bucket Versioning: If versioning is enabled on your S3 bucket, ensure that the vmimport role has permissions to read and write object versions.

6. VPC Endpoints: If your VPC uses VPC endpoints for S3, make sure they are correctly configured to allow the export traffic.

7. Service Quotas: Verify that you haven't exceeded any service quotas related to concurrent export tasks or S3 operations.

8. AWS Support: If the issue persists after verifying all these points, it may be worth contacting AWS Support for further assistance, as there could be an underlying service issue.

Remember to monitor the export task closely using the describe-export-image-tasks command, which can provide more detailed status updates and potential error messages. This can help pinpoint the exact stage where the export is failing.  
**Sources**  
[Start an instance export task - VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/export-instance.html)  
[Monitor an export image task - VM Import/Export](https://docs.aws.amazon.com/vm-import/latest/userguide/monitor-image-export.html)  
[I'm trying to run an export image task for hours with no results. | AWS re:Post](https://repost.aws/questions/QULG6HQBiZT_qTwf0__SUTKQ/i-m-trying-to-run-an-export-image-task-for-hours-with-no-results)

EC2 Export Task Stuck in "Active" — No OVA File, Only AccessDenied XML

Relevant content