Hello,
I am trying to import an image uploaded to the "centos-sigs-ami-images" bucket by running the following command:
aws ec2 import-snapshot \
    --region us-east-2 \
    --description "CentOS Automotive SIG Developer Snapshot (x86_64)" \
    --disk-container "{\
        \"Description\": \"CentOS Automotive SIG Developer Raw Image (x86_64)\",\
        \"Format\": \"raw\",\
        \"UserBucket\": {\
            \"S3Bucket\": \"centos-sigs-ami-images\",\
            \"S3Key\": \"autosd9-developer-regular-x86_64.img\"\
        }\
    }"
Which leads to the following error message:
An error occurred (InvalidParameter) when calling the ImportSnapshot operation: User: arn:aws:sts::****:assumed-role/vmimport/vm_import_image-***** is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::centos-sigs-ami-images/autosd9-developer-regular-x86_64.img" because no identity-based policy allows the s3:GetObject action
I had a look at the attached policies for centos stream and yours and they have the same permissions. But I don't understand the assumed-role/vmimport/vm_import_image as it's maybe something set at the Fedora level (it's their account).
@nirik: does that ring a bell at your side?
We ran into something similar with @jcline when we were setting up cloud-image-importer...
Look at the permissions/iam for the fedimg-upload user?
That is an EC2 policy to allow some things, but more importantly attaching the "VMImportExportRoleForAWSConnector" policy.
I tried adding the stuff from https://docs.aws.amazon.com/vm-import/latest/userguide/required-permissions.html and @lrossett is trying a new upload.
Looks like that worked? Can you confirm it's working now?
Yes, it worked, the ticket can be closed.
Metadata Update from @lrossett: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
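Added example, not part of the ticket or of any project's code: an offline check of whether a role's identity-based policy covers the S3 access the import needs, which is the gap the `s3:GetObject` error above reports. It assumes the three S3 actions that the linked required-permissions page lists for the service role; the policy documents are constructed samples, and the evaluator is a simplified model (Allow/Deny with wildcards only; Condition, NotAction, NotResource and bucket policies are not evaluated).

```python
import re

BUCKET = "centos-sigs-ami-images"                     # from the ticket
OBJECT_KEY = "autosd9-developer-regular-x86_64.img"   # from the ticket

def s3_policy(*resources):
    """Build a constructed one-statement role policy (sample data, not the real one)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
        "Resource": list(resources)}]}

# Constructed samples: wrong bucket, bucket ARN without "/*", and the corrected form.
POLICY_OTHER_BUCKET = s3_policy("arn:aws:s3:::example-other-bucket",
                                "arn:aws:s3:::example-other-bucket/*")
POLICY_BUCKET_ONLY = s3_policy(f"arn:aws:s3:::{BUCKET}")
POLICY_FIXED = s3_policy(f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """True if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource are not modelled here
        # Action names are case-insensitive, resource ARNs are not.
        hit = (any(_wild(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
               and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt.get("Effect") == "Deny":
            return False  # explicit Deny always wins
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def missing_s3_access(policy, bucket, key):
    """List the S3 actions the import needs that the policy does not grant."""
    needed = [("s3:GetBucketLocation", f"arn:aws:s3:::{bucket}"),
              ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
              ("s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")]
    return [action for action, arn in needed if not is_allowed(policy, action, arn)]

if __name__ == "__main__":
    for name in ("POLICY_OTHER_BUCKET", "POLICY_BUCKET_ONLY", "POLICY_FIXED"):
        print(name, missing_s3_access(globals()[name], BUCKET, OBJECT_KEY))
```

The bucket-only sample shows why a policy can name the right bucket and still produce the `s3:GetObject` denial: object-level actions match the `bucket/*` ARN, not the bucket ARN.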