Create and associate AWS roles

The following are required to import a virtual machine (VM) into AWS:

  • The designated role, vmimport.
  • Specific permissions on the S3 bucket, granted to the vmimport role (for example, read, list, and so on).
  • The vmimport role assigned to the vmimport command, so that the command can read the bucket and create an import job within AWS.
  1. Open a terminal window.
  2. Create the required vmimport IAM identity role to import images:
    1. Create a JSON file, which represents the trust policy for the vmimport IAM identity role:
      {
          "Version": "2012-10-17",
          "Statement": [ {
              "Effect": "Allow",
              "Principal": { "Service": "vmie.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                  "StringEquals": { "sts:Externalid": "vmimport" }
              }
          } ]
      }
    2. Create the IAM identity role using the trust policy:
      aws iam create-role --role-name vmimport --assume-role-policy-document "file://~/Downloads/trust-policy.json"
  3. Create a role policy to associate the new IAM identity with the previously created bucket. In the following example, replace BUCKET_NAME with the name of the bucket:
    {
        "Version": "2012-10-17",
        "Statement": [ {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }, {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetBucketAcl"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }, {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        } ]
    }
  4. Grant an inline role policy to the vmimport identity, including the rights to access the S3 bucket and perform the EC2 operations. The following command doesn't return a value on success:

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://~/Downloads/role-policy.json"
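As an added example (not part of the original procedure), the following Python script generates both policy documents for a given bucket name and checks them against the least-privilege shape this procedure expects: the trust policy must name vmie.amazonaws.com and carry the ExternalId condition, and every S3 statement must be scoped to the named bucket. It merges the two S3 statements above, which target the same bucket, into one, and writes files with the same names the aws iam commands consume; the check function and its finding messages are this example's own.

```python
"""Generate and sanity-check the two policy documents for the vmimport role."""
import json
import sys
VMIE_SERVICE = "vmie.amazonaws.com"     # the only principal allowed to assume the role
S3_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
              "s3:PutObject", "s3:GetBucketAcl"]
EC2_ACTIONS = ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
               "ec2:RegisterImage", "ec2:Describe*"]

def trust_policy(external_id="vmimport"):
    """Trust policy: only the VM import service may assume the role, and only with the expected ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": VMIE_SERVICE}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": external_id}}}]}

def role_policy(bucket):
    """Inline role policy: S3 rights on one bucket (the page's two S3 statements merged) plus the EC2 calls the import job needs."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": S3_ACTIONS, "Resource": arns},
        {"Effect": "Allow", "Action": EC2_ACTIONS, "Resource": "*"}]}

def policy_findings(trust, role, bucket):
    """Return least-privilege violations; an empty list means the pair matches what the procedure expects."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    findings = []
    for st in trust["Statement"]:
        if st.get("Principal", {}).get("Service") != VMIE_SERVICE:
            findings.append("trust: principal is not " + VMIE_SERVICE)
        cond = st.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" for k in cond):  # condition keys are case-insensitive
            findings.append("trust: missing sts:ExternalId condition")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in role["Statement"]:
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        if any(a.startswith("s3:") for a in actions) and not set(resources) <= allowed:
            findings.append(f"role: S3 actions reach beyond {bucket}: {resources}")
        if any(a == "*" or a.startswith("iam:") for a in actions):
            findings.append(f"role: overly broad actions {actions}")
    return findings

if __name__ == "__main__":
    # python vmimport_policies.py BUCKET_NAME -> writes trust-policy.json and role-policy.json for the aws iam commands
    bucket = sys.argv[1] if len(sys.argv) > 1 else "BUCKET_NAME"
    trust, role = trust_policy(), role_policy(bucket)
    if problems := policy_findings(trust, role, bucket):
        sys.exit("policy check failed: " + "; ".join(problems))
    for fname, doc in (("trust-policy.json", trust), ("role-policy.json", role)):
        with open(fname, "w") as fh:
            json.dump(doc, fh, indent=2)
```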