Before we start, there are some prerequisites that need to be done.
1. Download and install the AWS CLI tool from the AWS website.
(Don't forget to set your AWSCLI_HOME.)
2. Next we need the "VM Import Service Role": VM Import uses a role in your AWS account to perform certain operations. The role must be created with the name "vmimport" and the following trust policy. Create a file named "trust-policy.json" with the following content:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vmimport"
        }
      }
    }
  ]
}
Then use this command to create the service role:
> aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
3. Then create a file named "role-policy.json" to use as the permissions policy for this service role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<disk-image-file-bucket>"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::<disk-image-file-bucket>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifySnapshotAttribute",
        "ec2:CopySnapshot",
        "ec2:RegisterImage",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
Replace <disk-image-file-bucket> with the name of the Amazon S3 bucket where the disk image files are stored, then run this command to attach the policy to the role created above:
> aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
4. If you're logged on as an IAM user, you'll need the following permissions in your IAM policy to import or export a VM:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::mys3bucket", "arn:aws:s3:::mys3bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    }
  ]
}
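As an added example that is not part of the original post, here is a small Python pre-flight script for steps 2 and 3. It embeds the trust policy and the role policy from above as constructed strings, fills in the bucket name, and checks both documents before any `aws iam create-role` or `put-role-policy` command is run: a trust policy without a Principal (the cause of the "AssumeRole policy must contain principals" error quoted in the comments below), a missing sts:ExternalId condition, a role policy that still carries the literal <disk-image-file-bucket> placeholder, and an S3 statement that reaches beyond the import bucket. The bucket name `my-vmimport-bucket` and all function names are assumptions of this example.

```python
"""Pre-flight checks for the vmimport trust and permissions policies.

Added example, not code from the original post. Run it with the bucket name
as the only argument; it writes trust-policy.json and role-policy.json into
the current directory only when every check passes.
"""
import json
import re
from typing import Dict, List

# Trust policy from step 2, embedded here as a constructed string.
TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "",
    "Effect": "Allow",
    "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "vmimport"}}
  }]
}"""

# Role policy from step 3, still carrying the bucket placeholder.
ROLE_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::<disk-image-file-bucket>"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::<disk-image-file-bucket>/*"]},
    {"Effect": "Allow",
     "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                "ec2:RegisterImage", "ec2:Describe*"],
     "Resource": "*"}
  ]
}"""

PLACEHOLDER = "<disk-image-file-bucket>"
PLACEHOLDER_RE = re.compile(r"<[^<>\s]+>")      # any "<name>" token left behind
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")  # S3 naming rules


def render_role_policy(bucket: str) -> str:
    """Substitute the import bucket into the role policy template."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    return ROLE_POLICY_TEMPLATE.replace(PLACEHOLDER, bucket)


def check_trust_policy(doc: Dict) -> List[str]:
    """Return the problems found in the trust policy (empty list = OK)."""
    problems: List[str] = []
    statements = doc.get("Statement", [])
    if not statements:
        return ["trust policy has no Statement"]
    for stmt in statements:
        principal = stmt.get("Principal")
        if not principal:
            # The exact case behind the MalformedPolicyDocument error.
            problems.append("statement has no Principal; IAM rejects it with "
                            "'AssumeRole policy must contain principals'")
            continue
        if principal.get("Service") != "vmie.amazonaws.com":
            problems.append(f"Principal must be the VM Import service, got {principal!r}")
        if stmt.get("Action") != "sts:AssumeRole":
            problems.append(f"Action must be sts:AssumeRole, got {stmt.get('Action')!r}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id != "vmimport":
            # The external ID is the confused-deputy guard VM Import relies on.
            problems.append("missing Condition StringEquals sts:ExternalId = 'vmimport'")
    return problems


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_role_policy(doc: Dict, bucket: str) -> List[str]:
    """Return the problems found in the permissions policy (empty list = OK)."""
    problems: List[str] = []
    for token in sorted(set(PLACEHOLDER_RE.findall(json.dumps(doc)))):
        problems.append(f"placeholder {token} was never replaced")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in doc.get("Statement", []):
        if not any(a.startswith("s3:") for a in _as_list(stmt.get("Action", []))):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed:
                # The service role should only be able to read the import bucket.
                problems.append(f"S3 statement reaches outside {bucket}: {resource}")
    return problems


def preflight(bucket: str) -> Dict[str, List[str]]:
    """Run both checks; an empty dict means the files are safe to hand to the CLI."""
    findings: Dict[str, List[str]] = {}
    trust_problems = check_trust_policy(json.loads(TRUST_POLICY))
    if trust_problems:
        findings["trust-policy.json"] = trust_problems
    role_problems = check_role_policy(json.loads(render_role_policy(bucket)), bucket)
    if role_problems:
        findings["role-policy.json"] = role_problems
    return findings


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "my-vmimport-bucket"  # constructed sample
    result = preflight(name)
    for fname, probs in result.items():
        for p in probs:
            print(f"{fname}: {p}")
    if result:
        sys.exit(1)
    with open("trust-policy.json", "w") as fh:
        fh.write(TRUST_POLICY)
    with open("role-policy.json", "w") as fh:
        fh.write(render_role_policy(name))
    print("policy files written; now run the two aws iam commands above")
```

If the script exits non-zero, fix the reported document before calling `aws iam create-role`; a failed CreateRole leaves nothing behind, but a `put-role-policy` with an unreplaced placeholder silently creates a role that cannot read your bucket, which shows up later as an import task stuck in error.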
Now we're ready to import our OVA files using AWS CLI tool. Let's continue on part 2...
Hi, Thanks for this amazing post. I was wondering if you could help with this error while creating the role:
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: AssumeRole policy must contain principals.
Not sure if you've already got the answer yet, but the file name must be exactly 'trust-policy.json' for the trust relationship to work.
Thank you ... I tried several people and your post is the only one that worked.
Thanks for the post,
Can I drag and drop my OVM file directly to S3 and import from there?
Please explain the process. This is for lab setup
Hi, could you specify which permissions I have to set to the user for the cli? I get the error: An error occurred (AccessDenied) when calling the CreateRole operation: User: arn:aws:iam::80**********:user/Ac***** is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::80**********:role/vmimport
I couldn't understand when step 4 is applicable.
Thank you.