Create and Associate AWS roles

Importing a VM into AWS requires:

  • The use of the designated role, vmimport.
  • Specific permissions (read, list, etc.) on the S3 bucket, granted to the vmimport role.
  • Assignment of the vmimport role to the vmimport command, so that the command can read the bucket and create an import job within AWS.
Note

There is no AWS Console equivalent to the command line vmimport command.
Please refer to the command line tab for vmimport.

  1. Open a terminal window.
  2. Create the required vmimport IAM identity role to import images
    1. Create a JSON file representing the trust policy for the vmimport IAM identity role, as follows:

      {
          "Version": "2012-10-17",
          "Statement": [{
              "Effect": "Allow",
              "Principal": { "Service": "vmie.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                  "StringEquals": { "sts:Externalid": "vmimport" }
              }
          }]
      }

      trust-policy.json

    2. In a terminal window, create the IAM identity role with the aws iam create-role command, passing the new trust policy, as shown:

      aws iam create-role --role-name vmimport --assume-role-policy-document "file://~/Downloads/trust-policy.json"

      This should return a result similar to:

      {
          "Role": {
              "AssumeRolePolicyDocument": { . . . },
              ...
              "Arn": "arn:aws:iam::809227661992:role/vmimport"
          }
      }

  3. Create a role policy to associate the new IAM identity with the previously created bucket:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }, {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }, {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        }]
    }

    role-policy.json

    Replace every occurrence of BUCKET_NAME with the name of the previously created bucket.

  4. Attach the policy to the vmimport role as an inline role policy, granting it the rights to access the S3 bucket and perform the EC2 operations, using the aws iam put-role-policy command. For example:

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://~/Downloads/role-policy.json"

    Note the aws iam put-role-policy command does not return any value on success.
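The following Python script is an added example, not part of this page or of the AWS tooling. It renders the two policy documents from the steps above for a bucket name of your choosing, writes them to trust-policy.json and role-policy.json, and first runs the checks a reviewer would want before handing the files to aws iam create-role and aws iam put-role-policy: the trust policy must name only vmie.amazonaws.com and must carry the sts:ExternalId condition (the guard against another account's import job assuming your role), and the role policy must have no BUCKET_NAME placeholder left in, no S3 statement scoped to "*", and no wildcard actions. The bucket name and output directory are illustrative; the page uses a single bucket for both S3 statements, and so does this script.

```python
"""Render and sanity-check the VM Import trust policy and role policy.

Added example (not from the original page): generates the two policy
documents for a chosen bucket name and checks them before they are passed
to `aws iam create-role` / `aws iam put-role-policy`.
"""
import json
from pathlib import Path

VMIE_SERVICE = "vmie.amazonaws.com"   # the only principal that may assume the role
EXTERNAL_ID = "vmimport"              # ExternalId the import service must present
PLACEHOLDERS = ("BUCKET_NAME", "BUCKET-NAME")  # must not survive into the real policy


def trust_policy() -> dict:
    """Trust policy from the page: only vmie.amazonaws.com, and only with the ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": VMIE_SERVICE},
            "Action": "sts:AssumeRole",
            # IAM condition key names are case-insensitive, so the page's
            # spelling "sts:Externalid" is equivalent to "sts:ExternalId".
            "Condition": {"StringEquals": {"sts:Externalid": EXTERNAL_ID}},
        }],
    }


def role_policy(bucket: str) -> dict:
    """Role policy from the page with BUCKET_NAME substituted by `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    s3_scope = [bucket_arn, f"{bucket_arn}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
             "Resource": list(s3_scope)},
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                        "s3:PutObject", "s3:GetBucketAcl"],
             "Resource": list(s3_scope)},
            {"Effect": "Allow",
             "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict) -> list:
    """Return the problems found; an empty list means the trust policy is as intended."""
    problems = []
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            problems.append("any principal may assume the role")
        service = principal.get("Service") if isinstance(principal, dict) else None
        if service != VMIE_SERVICE:
            problems.append(f"principal is not {VMIE_SERVICE}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if external_id != EXTERNAL_ID:
            problems.append("missing sts:ExternalId condition (confused-deputy guard)")
    return problems


def check_role_policy(doc: dict) -> list:
    """Return the problems found: leftover placeholders, unscoped S3 access, wildcard actions."""
    problems = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if any(tag in res for tag in PLACEHOLDERS):
                problems.append(f"placeholder left in resource {res}")
        if any(a.startswith("s3:") for a in actions) and "*" in resources:
            problems.append("S3 statement is not scoped to a bucket")
        if any(a in ("*", "s3:*", "ec2:*") for a in actions):
            problems.append("wildcard action granted")
    return problems


def write_policies(bucket: str, outdir: Path) -> list:
    """Write trust-policy.json and role-policy.json once the checks pass; return the paths."""
    trust, role = trust_policy(), role_policy(bucket)
    problems = check_trust_policy(trust) + check_role_policy(role)
    if problems:
        raise ValueError("; ".join(problems))
    outdir.mkdir(parents=True, exist_ok=True)
    paths = [outdir / "trust-policy.json", outdir / "role-policy.json"]
    paths[0].write_text(json.dumps(trust, indent=4) + "\n")
    paths[1].write_text(json.dumps(role, indent=4) + "\n")
    return paths


if __name__ == "__main__":
    import tempfile
    for path in write_policies("example-vm-import-bucket", Path(tempfile.mkdtemp())):
        print(path)  # feed these to the aws iam create-role / put-role-policy commands above
```

Run it, then point the file:// arguments of the aws iam create-role and aws iam put-role-policy commands at the two printed paths. The ExternalId check matters most: without that condition, any account that can persuade the import service to act on its behalf could have it assume your vmimport role, which is exactly the confused-deputy case the condition exists to prevent.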

See Also

  • For more information on roles required to run the VM import command see IAM Required Permissions in the Amazon Web Services documentation.