"vmimport" role does not have the required permissions
Challenge
A Cloud Site fails to launch with an error message indicating that a service role lacks permissions, similar to the screenshot below:
Cause
Even though the vmimport role is supposed to be created automatically by the CloudFormation template provided in AWS, some of its permissions might not have been assigned correctly and require manual action.
Solution
Here are the steps for adding the necessary permissions to the vmimport role. Go directly to Step 3 if the role has already been created and you only need to specify the exact policy.
To create the service role:
Step 1. Create a file named trust-policy.json with the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Service": "vmie.amazonaws.com" },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:Externalid": "vmimport"
                }
            }
        }
    ]
}
The file can be saved anywhere on the computer. Take note of its location, as it will be needed in the next step.
Step 2. Use the create-role command to create a role named vmimport and give VM Import/Export access to it. Ensure that the full path to the trust-policy.json file is specified and that it is prefixed with file://, as in the following example:
aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json
If you encounter an error stating that "This policy contains invalid Json," double-check that the path to the JSON file is provided correctly.
Step 3. Create a file named role-policy.json with the following policy, where disk-image-file-bucket is the bucket where the disk images are stored:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::disk-image-file-bucket",
                "arn:aws:s3:::disk-image-file-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifySnapshotAttribute",
                "ec2:CopySnapshot",
                "ec2:RegisterImage",
                "ec2:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
Step 4. Use the following put-role-policy command to attach the policy to the role created above. Ensure that the full path to the role-policy.json file is specified.
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json
As a result, you should have a service role with all the permissions necessary to launch a Cloud Site in your target AWS environment.
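The following script is an added example, not part of this article or of any AWS or vendor tooling. It checks locally whether a vmimport trust policy and role policy grant what Steps 1 to 4 above set up, so that an existing role can be diagnosed before re-running the commands: check_trust_policy confirms that vmie.amazonaws.com may assume the role with the vmimport external ID, and check_role_policy lists the required S3 and EC2 actions that are not allowed on the given bucket. The policy documents it builds are the two from this article; the object key example-disk.vmdk is a constructed placeholder, and only plain Allow statements are evaluated (explicit Deny, NotAction and NotResource are not modelled).

```python
"""Local checks for the vmimport role's trust and permission policies (added example)."""
import fnmatch
import json
import sys

VMIE_SERVICE = "vmie.amazonaws.com"
EXTERNAL_ID = "vmimport"


def required_actions(bucket):
    """Action -> resource it must be allowed on. The object key is a constructed
    placeholder: any key under the bucket stands in for the disk image."""
    return {
        "s3:GetBucketLocation": f"arn:aws:s3:::{bucket}",
        "s3:ListBucket": f"arn:aws:s3:::{bucket}",
        "s3:GetObject": f"arn:aws:s3:::{bucket}/example-disk.vmdk",
        "ec2:ModifySnapshotAttribute": "*",
        "ec2:CopySnapshot": "*",
        "ec2:RegisterImage": "*",
        "ec2:DescribeImages": "*",  # satisfied by the article's ec2:Describe* wildcard
    }


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """IAM-style wildcard match (* and ?), compared case-insensitively."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def build_trust_policy():
    """The trust-policy.json document from Step 1."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": VMIE_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:Externalid": EXTERNAL_ID}},
        }],
    }


def build_role_policy(bucket):
    """The role-policy.json document from Step 3 with the bucket name substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
            {"Effect": "Allow",
             "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                        "ec2:RegisterImage", "ec2:Describe*"],
             "Resource": "*"},
        ],
    }


def check_trust_policy(doc):
    """Return a list of problems; empty means VM Import can assume the role."""
    seen_vmie = False
    for stmt in _as_list(doc.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or VMIE_SERVICE not in services:
            continue
        if not _matches("sts:AssumeRole", _as_list(stmt.get("Action"))):
            continue
        seen_vmie = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive: "sts:Externalid" == "sts:ExternalId".
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext == EXTERNAL_ID:
            return []
    if seen_vmie:
        return [f"{VMIE_SERVICE} may assume the role but the sts:ExternalId condition is not {EXTERNAL_ID!r}"]
    return [f"no Allow statement lets {VMIE_SERVICE} call sts:AssumeRole"]


def check_role_policy(doc, bucket):
    """Return the required (action, resource) pairs the policy does not allow."""
    allows = [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]
    missing = []
    for action, resource in required_actions(bucket).items():
        granted = any(_matches(action, _as_list(s.get("Action")))
                      and _matches(resource, _as_list(s.get("Resource")))
                      for s in allows)
        if not granted:
            missing.append((action, resource))
    return missing


if __name__ == "__main__":
    # Usage: python check_vmimport.py <bucket> < policy.json
    # policy.json may be the raw document or the output of
    # `aws iam get-role-policy --role-name vmimport --policy-name vmimport`.
    data = json.load(sys.stdin)
    doc = data.get("PolicyDocument", data)
    for action, resource in check_role_policy(doc, sys.argv[1]):
        print(f"missing: {action} on {resource}")
```

To check a deployed role, pipe the output of aws iam get-role-policy into the script with the disk-image bucket name as the argument; the trust policy can be checked the same way from the AssumeRolePolicyDocument field returned by aws iam get-role --role-name vmimport. An empty result means the role already matches Steps 1 to 4, and the launch failure lies elsewhere.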