
Creating a vmimport role

Before you perform any VM conversion operations to create AWS instances, you must enable the VM Import Service role (vmimport) on the Amazon Web Services account and associate that role with the user account that is used to perform conversion operations.

Procedure

  1. To create the service role, create a file named trust-policy.json with the following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "vmie.amazonaws.com" },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals":{
              "sts:Externalid": "vmimport"
            }
          }
        }
      ]
    }

  2. Save the file anywhere on your computer and note the location of the file.
  3. From the AWS command line, use the create-role command to create a role named vmimport and to give VM import and VM export operations access to the role. Specify the full path to the location of the trust-policy.json file, and add file:// before the path (for example, file://C:\trust-policy.json as shown in the following command):

    aws iam create-role --role-name vmimport --assume-role-policy-document file://C:\trust-policy.json

    Note: Provide the access key and secret key for the account where the vmimport role is created. Ensure that the user has permission to create the role.

    If you receive an error stating that "This policy contains invalid Json," verify that the path to the JSON file is provided correctly.

  4. Create a file named role-policy.json with the following policy.

    Note:

    • Replication schedules that were created prior to Service Pack 15 use the buckets that were specified in the replication configuration. When you create the vmimport role, substitute the names of those buckets in place of <bucket_name_1>, <bucket_name_2>, or <bucket_name_3> in the following example. You do not need to include those lines for new operations in Service Pack 15 or more recent service packs.
    • If you created a vmimport role prior to Service Pack 15, update the vmimport role to include permissions for gx-restore- buckets as shown in the following example. If those lines are not included, conversion and live sync replication jobs fail after you upgrade to Service Pack 15.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::gx-restore-*",
            "arn:aws:s3:::gx-restore-*/*",
            "arn:aws:s3:::<bucket_name_1>",
            "arn:aws:s3:::<bucket_name_1>/*",
            "arn:aws:s3:::<bucket_name_2>",
            "arn:aws:s3:::<bucket_name_2>/*",
            "arn:aws:s3:::<bucket_name_3>",
            "arn:aws:s3:::<bucket_name_3>/*"
          ]
        },
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "ec2:CopySnapshot",
            "ec2:Describe*",
            "ec2:ModifySnapshotAttribute",
            "ec2:RegisterImage"
          ],
          "Resource": "*"
        }
      ]
    }

  5. From the AWS command line, use the put-role-policy command to attach the policy to the vmimport role. Specify the full path to the location of the role-policy.json file.

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://C:\role-policy.json

    Note: Provide the access key and secret key for the account where the vmimport role is created. Ensure that the user has permission to create the role.
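The following added example (not part of the original procedure or of the product) checks both JSON files before you run the create-role and put-role-policy commands: it confirms that the trust policy is limited to vmie.amazonaws.com with the vmimport external ID, and that the role policy has no unreplaced <bucket_name_N> placeholders and includes the gx-restore- resources. The function names, the REQUIRED constant and the sample policies are constructed for illustration.

```python
import json
import re

# gx-restore- bucket ARNs that the page requires for Service Pack 15 and later.
REQUIRED = ("arn:aws:s3:::gx-restore-*", "arn:aws:s3:::gx-restore-*/*")

# Constructed sample: a placeholder left in place, gx-restore-*/* missing.
SAMPLE_ROLE_POLICY = """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
   "Resource": ["arn:aws:s3:::gx-restore-*",
                "arn:aws:s3:::<bucket_name_1>",
                "arn:aws:s3:::<bucket_name_1>/*"]}]}
"""
# Constructed sample: trust policy that lost its external ID condition.
SAMPLE_TRUST_POLICY = """
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}
"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(text):
    """Findings for trust-policy.json; an empty list means it matches step 1."""
    findings = []
    for stmt in _as_list(json.loads(text)["Statement"]):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else [principal]
        if services != ["vmie.amazonaws.com"]:
            findings.append(f"unexpected principal: {services}")
        # IAM condition key names are case-insensitive, so compare lower-cased.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if {k.lower(): v for k, v in equals.items()}.get("sts:externalid") != "vmimport":
            findings.append("missing sts:ExternalId == vmimport condition")
    return findings

def check_role_policy(text):
    """Findings for role-policy.json; an empty list means it is ready for step 5."""
    resources = [r for s in _as_list(json.loads(text)["Statement"])
                 for r in _as_list(s.get("Resource", []))]
    findings = [f"placeholder not replaced: {r}" for r in resources if re.search(r"<[^>]+>", r)]
    return findings + [f"missing resource: {r}" for r in REQUIRED if r not in resources]

if __name__ == "__main__":
    for finding in check_trust_policy(SAMPLE_TRUST_POLICY) + check_role_policy(SAMPLE_ROLE_POLICY):
        print(finding)
```

To check your own files, pass their contents to the two functions; a file that is not valid JSON raises an error from json.loads before any check runs.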

Last modified: 5/17/2019 7:26:14 PM