vmimport role does not have the required permissions

Challenge

A Cloud Site fails to launch with an error message indicating that a service role lacks permissions, similar to the screenshot below:



Cause

Even though the vmimport role is supposed to be created automatically by the CloudFormation template provided with the product, some of its permissions might not have been assigned correctly and must be added manually. The role has two parts that both need to be right: a trust policy that lets the VM Import/Export service (vmie.amazonaws.com) assume it, and a permissions policy that grants read access to the S3 bucket holding the disk images and the EC2 snapshot/image actions.

Solution

Here are the steps for adding the necessary permissions to the vmimport role. If the role already exists and only its permissions policy needs to be fixed, go directly to Step 3.

To create the service role:


Step 1.   Create a file named trust-policy.json with the following policy:


  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Principal": { "Service": "vmie.amazonaws.com" },
              "Action": "sts:AssumeRole",
              "Condition": {
                  "StringEquals": {
                      "sts:Externalid": "vmimport"
                  }
              }
          }
      ]
  }


The file can be saved anywhere on the computer. Take note of the location of the file as it will be needed in the next step. 

Step 2. Use the create-role command to create a role named vmimport whose trust policy allows VM Import/Export to assume it. Ensure that the full path to the trust-policy.json file is specified and that it is prefixed with file://, as in the following example:

  aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

If you encounter an error stating that "This policy contains invalid Json," double-check that the path to the JSON file is correct and that the file contains the complete policy, including the outer braces. If the command reports that the role already exists, the CloudFormation template created it for you; continue with Step 3.

Step 3. Create a file named role-policy.json with the following policy, replacing disk-image-file-bucket (both occurrences) with the name of the bucket where the disk images are stored. The S3 statement is deliberately scoped to that one bucket; the EC2 actions use "*" because snapshot registration and copy operate on resources that do not exist yet.

  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetBucketLocation",
                  "s3:GetObject",
                  "s3:ListBucket"
              ],
              "Resource": [
                  "arn:aws:s3:::disk-image-file-bucket",
                  "arn:aws:s3:::disk-image-file-bucket/*"
              ]
          },
          {
              "Effect": "Allow",
              "Action": [
                  "ec2:ModifySnapshotAttribute",
                  "ec2:CopySnapshot",
                  "ec2:RegisterImage",
                  "ec2:Describe*"
              ],
              "Resource": "*"
          }
      ]
  }


Step 4. Use the following put-role-policy command to attach the policy as an inline policy of the role created above. Ensure that the full path to the role-policy.json file is specified and prefixed with file://:

  aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

As a result, you should have a service role with all the permissions necessary to launch a Cloud Site in your target AWS environment. If the launch still fails with the same error, confirm that the bucket name in role-policy.json matches the bucket the disk images were uploaded to, and that the trust policy still names vmie.amazonaws.com with the external ID vmimport.
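The four steps above, together with a check of what is actually stored in IAM, as an added Python example. This is not Hystax's tooling and not part of the CloudFormation template the article mentions; it assumes the AWS CLI is installed and configured for the target account, that the bucket name is supplied by the caller, and that the role's permissions live in inline policies (attached managed policies are not inspected). The audit goes slightly beyond the article: it merges every inline policy on the role, so a permissions policy the template stored under a different name is still found.

```python
"""Create or audit the vmimport service role used by AWS VM Import/Export.

Added example (not Hystax's own code). Assumes the AWS CLI is on PATH with
credentials for the target account; bucket name is an argument.
"""
import fnmatch
import json
import subprocess
import sys

ROLE_NAME = "vmimport"
EXTERNAL_ID = "vmimport"
IMPORT_SERVICE = "vmie.amazonaws.com"


def trust_policy() -> dict:
    """Trust policy from the article: only the VM Import/Export service may
    assume the role, and only when it presents ExternalId 'vmimport'."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": IMPORT_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": EXTERNAL_ID}},
    }]}


def required_grants(bucket: str) -> list:
    """(action, resource) pairs the article's role-policy.json grants."""
    arn = f"arn:aws:s3:::{bucket}"
    return [("s3:GetBucketLocation", arn), ("s3:ListBucket", arn),
            ("s3:GetObject", arn + "/*"), ("ec2:ModifySnapshotAttribute", "*"),
            ("ec2:CopySnapshot", "*"), ("ec2:RegisterImage", "*"), ("ec2:Describe*", "*")]


def role_policy(bucket: str) -> dict:
    """Permissions policy from the article, S3 access scoped to one bucket."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
         "Resource": [arn, arn + "/*"]},
        {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                       "ec2:RegisterImage", "ec2:Describe*"],
         "Resource": "*"}]}


def _as_list(value):
    # IAM allows Action, Resource and Principal.Service as a string or a list.
    return value if isinstance(value, list) else [value]


def _allows(doc: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers (action, resource); IAM wildcards
    such as 'ec2:Describe*' or '*' are matched with fnmatch. Explicit Deny,
    NotAction and NotResource are ignored, so True is necessary, not sufficient."""
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource", []))):
            return True
    return False


def missing_grants(doc: dict, bucket: str) -> list:
    """Grants from required_grants() that the policy document does not allow."""
    return [g for g in required_grants(bucket) if not _allows(doc, *g)]


def trust_policy_ok(doc: dict) -> bool:
    """Does the role trust vmie.amazonaws.com with ExternalId 'vmimport'?
    IAM condition keys are case-insensitive, hence the lower()."""
    for st in _as_list(doc.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or IMPORT_SERVICE not in services:
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") == EXTERNAL_ID:
            return True
    return False


def aws(*args: str) -> dict:
    """Run one AWS CLI command and return its parsed JSON output ({} if empty)."""
    proc = subprocess.run(["aws", *args, "--output", "json"], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def audit_role(bucket: str) -> list:
    """Problems found in IAM; an empty list means the role matches the article."""
    problems = []
    role = aws("iam", "get-role", "--role-name", ROLE_NAME)["Role"]
    if not trust_policy_ok(role["AssumeRolePolicyDocument"]):
        problems.append("trust policy does not allow vmie.amazonaws.com with ExternalId vmimport")
    merged = {"Statement": []}  # merge all inline policies, whatever their names
    for name in aws("iam", "list-role-policies", "--role-name", ROLE_NAME)["PolicyNames"]:
        doc = aws("iam", "get-role-policy", "--role-name", ROLE_NAME, "--policy-name", name)
        merged["Statement"].extend(_as_list(doc["PolicyDocument"].get("Statement", [])))
    problems.extend(f"missing {a} on {r}" for a, r in missing_grants(merged, bucket))
    return problems


def ensure_role(bucket: str) -> list:
    """Steps 2 and 4 of the article (policies passed inline instead of file://), then audit."""
    try:
        aws("iam", "create-role", "--role-name", ROLE_NAME,
            "--assume-role-policy-document", json.dumps(trust_policy()))
    except RuntimeError as err:
        if "EntityAlreadyExists" not in str(err):  # role from the template: reuse it
            raise
    aws("iam", "put-role-policy", "--role-name", ROLE_NAME, "--policy-name", ROLE_NAME,
        "--policy-document", json.dumps(role_policy(bucket)))
    return audit_role(bucket)


if __name__ == "__main__":
    target_bucket = sys.argv[1] if len(sys.argv) > 1 else "disk-image-file-bucket"
    for line in ensure_role(target_bucket) or ["vmimport role OK"]:
        print(line)
```

Run it as `python vmimport_role.py <bucket-name>` with the account's credentials in the environment; `audit_role` alone is safe to run first, since it only reads IAM. The audit treats a wildcard grant such as `ec2:*` as satisfying the EC2 requirements, which is fine for diagnosing this error but is not a least-privilege check.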

