vmimport role does not have the required permissions


Challenge

A Cloud Site fails to launch with an error message indicating that a service role lacks permissions, similar to the screenshot below:



Cause

Although the vmimport role is supposed to be created automatically by the CloudFormation template provided for AWS, some of its permissions may not have been assigned correctly and must be added manually.

Solution

Here are the steps for adding the necessary permissions to the vmimport role. If the role already exists and you only need to attach the correct policy, go directly to Step 3.

To create the service role:


Step 1. Create a file named trust-policy.json with the following policy:


    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "Service": "vmie.amazonaws.com" },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:Externalid": "vmimport"
                    }
                }
            }
        ]
    }


The file can be saved anywhere on the computer. Take note of the location of the file as it will be needed in the next step. 

Step 2. Use the create-role command to create a role named vmimport and give VM Import/Export access to it. Ensure that the full path to the location of the trust-policy.json file is specified and that you prefix file:// to it as in the following example: 

    aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

If you encounter an error stating that "This policy contains invalid Json," double-check that the path to the JSON file is provided correctly.

Step 3. Create a file named role-policy.json with the following policy, where disk-image-file-bucket is the bucket where the disk images are stored: 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::disk-image-file-bucket",
                    "arn:aws:s3:::disk-image-file-bucket/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:ModifySnapshotAttribute",
                    "ec2:CopySnapshot",
                    "ec2:RegisterImage",
                    "ec2:Describe*"
                ],
                "Resource": "*"
            }
        ]
    }


Step 4. Use the following put-role-policy command to attach the policy to the role created above. Ensure that the full path to the location of the role-policy.json file is specified and prefixed with file:// as before.


    aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

As a result, you should have a service role with all the necessary permissions to launch a Cloud Site in your target AWS environment.
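The following script is an added example and is not part of the original article or the product's own tooling. It builds the two policy documents from Steps 1 and 3, writes them as trust-policy.json and role-policy.json, returns the create-role and put-role-policy commands from Steps 2 and 4, and, more usefully when diagnosing this error, checks an existing policy document (for example the output of aws iam get-role-policy --role-name vmimport --policy-name vmimport) for any of the required actions that are missing and confirms the trust policy still carries the vmie.amazonaws.com principal and the sts:ExternalId condition. The bucket name is the article's placeholder; the sample "partial" policy in the main block is constructed here to show the check reporting gaps.

```python
"""Added example (not from the original article): build the vmimport trust and role
policies and check an existing policy document for the permissions the article requires."""
import fnmatch
import json
import os

# Assumption: the article's placeholder bucket name; replace with your bucket.
DISK_IMAGE_BUCKET = "disk-image-file-bucket"
EXTERNAL_ID = "vmimport"
VMIE_SERVICE = "vmie.amazonaws.com"

# Actions granted by the article's role-policy.json (Step 3).
REQUIRED_S3_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"]
REQUIRED_EC2_ACTIONS = ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"]
REQUIRED_ACTIONS = REQUIRED_S3_ACTIONS + REQUIRED_EC2_ACTIONS


def trust_policy(external_id=EXTERNAL_ID):
    """Step 1: only VM Import/Export may assume the role, and only with the external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": VMIE_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:Externalid": external_id}},
    }]}


def role_policy(bucket=DISK_IMAGE_BUCKET):
    """Step 3: S3 read access scoped to the image bucket plus the EC2 import actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": REQUIRED_S3_ACTIONS,
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": REQUIRED_EC2_ACTIONS, "Resource": "*"},
    ]}


def _as_list(value):
    # IAM allows a single string or a list in Action/Principal fields.
    return [value] if isinstance(value, str) else list(value or [])


def allowed_actions(policy):
    """Action patterns granted by the policy's Allow statements."""
    actions = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") == "Allow":
            actions.extend(_as_list(statement.get("Action")))
    return actions


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions not covered by any granted pattern. IAM action names are
    case-insensitive and support * and ? wildcards, so ec2:* covers ec2:RegisterImage."""
    granted = [a.lower() for a in allowed_actions(policy)]
    return [need for need in required
            if not any(fnmatch.fnmatchcase(need.lower(), pat) for pat in granted)]


def trust_policy_ok(policy, external_id=EXTERNAL_ID):
    """True if an Allow statement lets vmie.amazonaws.com call sts:AssumeRole under a
    StringEquals condition on the external ID (condition keys are case-insensitive)."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if VMIE_SERVICE not in services or "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        equals = statement.get("Condition", {}).get("StringEquals", {})
        if {k.lower(): v for k, v in equals.items()}.get("sts:externalid") == external_id:
            return True
    return False


def write_policy_files(directory="."):
    """Write the two JSON files (Steps 1 and 3) and return the CLI commands (Steps 2 and 4)."""
    paths = {}
    for name, doc in (("trust-policy.json", trust_policy()), ("role-policy.json", role_policy())):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            json.dump(doc, fh, indent=4)
        paths[name] = os.path.abspath(path)
    return [
        f"aws iam create-role --role-name vmimport "
        f"--assume-role-policy-document file://{paths['trust-policy.json']}",
        f"aws iam put-role-policy --role-name vmimport --policy-name vmimport "
        f"--policy-document file://{paths['role-policy.json']}",
    ]


if __name__ == "__main__":
    # Constructed sample of an incomplete policy, as might be returned by
    # `aws iam get-role-policy --role-name vmimport --policy-name vmimport`.
    partial = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:Describe*"], "Resource": "*"}]}
    print("missing from sample policy:", missing_actions(partial))
    for cmd in write_policy_files():
        print(cmd)
```

Run it in the directory where you want the two JSON files written; the printed commands carry absolute file:// paths, which avoids the "This policy contains invalid Json" error that a wrong relative path produces. To check a live role, save the PolicyDocument from get-role-policy and the AssumeRolePolicyDocument from get-role to files, load them with json.load, and pass them to missing_actions and trust_policy_ok.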