Issue
When running the AWS (Amazon Web Services) import-image task:
aws ec2 import-image --description "My OVA" --disk-containers file://c:\TEMP\containers.json
An error occurred (InvalidParameter) when calling the ImportImage operation: User does not have access to the S3 object.(mys3bucket/vms/myOVA.ova)
I followed all of the instructions in this AWS document on importing a VM (including Steps 1, 2, and 3). Specifically, I set up a vmimport role and the recommended policies for the role. What am I doing wrong?
Solution
I finally figured this out. The problem was that my IAM user, which contains the vmimport role, did not have access to my S3 bucket. Once I granted my IAM user access to my S3 bucket (by setting a bucket policy in S3), the import-image command kicked off the process successfully.
To set the bucket policy in S3, right-click on your bucket (i.e. the top level bucket name in S3), then click "Properties". Then from the right-hand menu that gets displayed, open "Permissions", and click "Add bucket policy". A small window will come up where you can put in JSON for a policy. Here is the one that worked for me:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1476979061000",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::MY-AWS-account-ID:user/myIAMuserID"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::mys3bucket",
                "arn:aws:s3:::mys3bucket/*"
            ]
        }
    ]
}
You'll need to replace "MY-AWS-account-ID" with your AWS Account ID, and "myIAMuserID" with your IAM user ID that contains the vmimport role. This document talks about how to get your AWS Account ID. And this document talks more about granting permissions in S3.
Answered By - Justin Answer Checked By - Katrina (WPSolving Volunteer)
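The policy in the answer grants "s3:*", which also lets the principal delete objects and rewrite the bucket policy. The following is an added example, not part of the original answer: it detects wildcard Allow statements in a bucket policy and rewrites them into read-only statements. The action lists are an assumption (the S3 read actions from the vmimport role policy in AWS's VM Import documentation, assuming the import only has to read the OVA), and the function names are hypothetical.

```python
import json

# Constructed copy of the bucket policy from the answer (placeholders unchanged).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1476979061000",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::MY-AWS-account-ID:user/myIAMuserID"},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::mys3bucket", "arn:aws:s3:::mys3bucket/*"],
    }],
}

# Assumption: the import only needs to read the OVA from the bucket.
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket"]
OBJECT_ACTIONS = ["s3:GetObject"]

def as_list(value):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_wildcard_allow(stmt):
    """True for an Allow statement whose Action is '*' or 's3:*'."""
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    return stmt.get("Effect") == "Allow" and any(a in ("*", "s3:*") for a in actions)

def narrow(policy):
    """Return a new policy with each wildcard Allow split into read-only statements."""
    out = {"Version": policy["Version"], "Statement": []}
    for stmt in as_list(policy["Statement"]):
        if not is_wildcard_allow(stmt):
            out["Statement"].append(stmt)
            continue
        resources = as_list(stmt["Resource"])
        # Object ARNs carry a key path after the bucket name; bucket ARNs do not.
        objects = [r for r in resources if "/" in r]
        buckets = [r for r in resources if "/" not in r]
        # Keep Effect, Principal and any Condition exactly as written.
        base = {k: v for k, v in stmt.items() if k not in ("Sid", "Action", "Resource")}
        sid = stmt.get("Sid", "")
        if buckets:
            out["Statement"].append(
                {**base, "Sid": sid + "Bucket", "Action": BUCKET_ACTIONS, "Resource": buckets})
        if objects:
            out["Statement"].append(
                {**base, "Sid": sid + "Object", "Action": OBJECT_ACTIONS, "Resource": objects})
    return out

if __name__ == "__main__":
    print(json.dumps(narrow(BROAD_POLICY), indent=2))
```

Running the script prints the narrowed policy as JSON, which can be pasted into the same bucket policy editor after replacing the placeholders.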