> Documentation > End User Access > Command Center > Virtualization and Cloud > Configuration for Virtualization > Hypervisors > Adding a Hypervisor > Amazon > Amazon Web Services User Permissions for VM Conversion

Creating a vmimport role

Before you perform any VM conversion operations to create AWS instances, you must enable the VM Import Service role (vmimport) on the Amazon Web Services account and associate that role to the user account that is used to perform conversion operations.

Procedure

  1. To create the service role, create a file named trust-policy.json with the following policy:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com" 
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals":{
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}

  2. Save the file anywhere on your computer and note the location of the file.

  3. From the AWS command line, use the create-role command to create a role named vmimport and to give VM import and VM export operations access to the role. Specify the full path to the location of the trust-policy.json file, and add file:// before the path (for example, file://C:\trust-policy.json as shown in the following command):

    aws iam create-role --role-name vmimport --assume-role-policy-document file://C:\trust-policy.json

    Note

    Provide the access key and secret key for the account where the vmimport role is created. Ensure that the user has permission to create the role.

    If you receive an error stating that "This policy contains invalid Json," verify that the path to the JSON file is provided correctly.

  4. Create a file named role-policy.json with the following policy.

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::gx-restore-*",
        "arn:aws:s3:::gx-restore-*/*",
        "arn:aws:s3:::<bucket_name_1>",
        "arn:aws:s3:::<bucket_name_1>/*",
        "arn:aws:s3:::<bucket_name_2>",
        "arn:aws:s3:::<bucket_name_2>/*",
        "arn:aws:s3:::<bucket_name_3>",
        "arn:aws:s3:::<bucket_name_3>/*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:CopySnapshot",
        "ec2:Describe*",
        "ec2:ModifySnapshotAttribute",
        "ec2:RegisterImage"
      ],
      "Resource": "*"
    }
  ]
}

  5. From the AWS command line, use the put-role-policy command to attach the policy to the vmimport role. Specify the full path to the location of the role-policy.json file.

    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://C:\role-policy.json

    Note

    Provide the access key and secret key for the account where the vmimport role is created. Ensure that the user has permission to create the role.

Loading...