Create and associate AWS roles

The following are required to import a virtual machine (VM) into AWS:

  • The designated IAM role, vmimport.
  • Specific permissions on the S3 bucket, granted to the vmimport role (for example, read, list, and so on).
  • The vmimport role assigned to the vmimport command, so that the command can read the bucket and create an import job within AWS.

There's no AWS console equivalent to the vmimport command. See the Command Line tab for vmimport.

  1. Open a terminal window.
  2. Create the required vmimport IAM identity role to import images:
    1. Create a JSON file, which represents the trust policy for the vmimport IAM identity role:

      trust-policy.json

      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Principal": { "Service": "vmie.amazonaws.com" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": { "sts:Externalid": "vmimport" }
          }
        }]
      }
    2. Create the IAM identity role using the trust policy:

      aws iam create-role --role-name vmimport --assume-role-policy-document "file://~/Downloads/trust-policy.json"
  3. Create a role policy to associate the new IAM identity with the previously created bucket. In the following example, replace every occurrence of BUCKET_NAME with the name of the bucket:

    role-policy.json

    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": [
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::BUCKET_NAME",
          "arn:aws:s3:::BUCKET_NAME/*"
        ]
      }, {
        "Effect": "Allow",
        "Action": [
          "s3:GetBucketLocation",
          "s3:GetObject",
          "s3:ListBucket",
          "s3:PutObject",
          "s3:GetBucketAcl"
        ],
        "Resource": [
          "arn:aws:s3:::BUCKET_NAME",
          "arn:aws:s3:::BUCKET_NAME/*"
        ]
      }, {
        "Effect": "Allow",
        "Action": [
          "ec2:ModifySnapshotAttribute",
          "ec2:CopySnapshot",
          "ec2:RegisterImage",
          "ec2:Describe*"
        ],
        "Resource": "*"
      }]
    }
  4. Grant an inline role policy to the vmimport identity, including the rights to access the S3 bucket and perform EC2 operations. The following command doesn't return a value on success:

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://~/Downloads/role-policy.json"
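The steps above hand-edit two JSON files and feed them to the AWS CLI; the two easy mistakes are leaving a BUCKET_NAME placeholder behind and loosening the trust policy (dropping the sts:Externalid condition or widening the principal). The following script is an added example, not part of this page or of any AWS tooling: it generates both policy documents from a bucket name, checks them against the shape the page describes (service principal vmie.amazonaws.com only, ExternalId required, S3 grants scoped to the one bucket), writes them out, and returns the two aws iam commands from steps 2 and 4 ready to run. The bucket name, output directory and the function names are assumptions for illustration.

```python
"""Build and sanity-check the vmimport trust and role policies before applying them."""
import json
import re
from pathlib import Path

# Assumed values: the service principal and external ID are the ones the page's
# trust-policy.json uses; ROLE_NAME matches the page's role and policy name.
VMIE_SERVICE = "vmie.amazonaws.com"
ROLE_NAME = "vmimport"
PLACEHOLDER = re.compile(r"BUCKET[-_]NAME")


def trust_policy(external_id: str = ROLE_NAME) -> dict:
    """Trust policy: only the VM Import/Export service may assume the role,
    and only when it presents the expected ExternalId (as on the page)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": VMIE_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:Externalid": external_id}},
        }],
    }


def role_policy(bucket: str) -> dict:
    """Inline role policy with the same three statements as the page's
    role-policy.json, scoped to one import bucket."""
    if not bucket or PLACEHOLDER.search(bucket):
        raise ValueError("replace the BUCKET_NAME placeholder with a real bucket name")
    bucket_arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
             "Resource": bucket_arns},
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                        "s3:PutObject", "s3:GetBucketAcl"],
             "Resource": bucket_arns},
            {"Effect": "Allow",
             "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc: dict, external_id: str = ROLE_NAME) -> list:
    """Return findings; an empty list means the trust policy is as tight as the page's."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # "*" or an AWS account/user principal would let something other than
        # the import service assume the role.
        if not isinstance(principal, dict) or principal.get("AWS"):
            findings.append("trust policy allows a non-service principal to assume the role")
            continue
        if _as_list(principal.get("Service", [])) != [VMIE_SERVICE]:
            findings.append(f"trust policy principal is not exactly {VMIE_SERVICE}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:Externalid") != external_id:
            findings.append("trust policy is missing the sts:Externalid condition")
    return findings


def check_role_policy(doc: dict, bucket: str) -> list:
    """Return findings: leftover placeholders, or S3 grants reaching beyond the bucket."""
    findings = []
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    if PLACEHOLDER.search(json.dumps(doc)):
        findings.append("role policy still contains a BUCKET_NAME placeholder")
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(a.startswith("s3:") for a in actions):
            continue  # the ec2 statement legitimately uses Resource "*"
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"S3 statement grants access outside the import bucket: {res}")
    return findings


def write_policies(bucket: str, out_dir: str) -> list:
    """Write both JSON files and return the page's two aws CLI commands, ready to run."""
    trust, role = trust_policy(), role_policy(bucket)
    problems = check_trust_policy(trust) + check_role_policy(role, bucket)
    if problems:
        raise ValueError("; ".join(problems))
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "trust-policy.json").write_text(json.dumps(trust, indent=2))
    (out / "role-policy.json").write_text(json.dumps(role, indent=2))
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--assume-role-policy-document file://{out / 'trust-policy.json'}",
        f"aws iam put-role-policy --role-name {ROLE_NAME} --policy-name {ROLE_NAME} "
        f"--policy-document file://{out / 'role-policy.json'}",
    ]


if __name__ == "__main__":
    # Constructed sample bucket name and output directory.
    for cmd in write_policies("my-vm-import-bucket", "./vmimport-policies"):
        print(cmd)
```

The check functions are also useful after the fact: run check_trust_policy on the output of aws iam get-role to confirm nobody has since widened the trust relationship, since a vmimport role that any principal can assume is a role with read access to the image bucket.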

Related topics

See IAM Required Permissions for more information on the roles required to run the VM import command.