AWS InvalidParameter when calling the ImportImage operation

Question

I have .ova VM's stored on my S3 bucket, I am trying to create AMI from these OVA. I was going through this video to Import a VM as an Image Using VM Import/Export to Amazon EC2.

I have created an EC2 Instance which I will use to trigger the necessary CLI commands for Importing. I have created an IAM Role and attached it to the EC2 Instance.

Please refer to the details of the Role:

Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vmie.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Inline Policy for Access to S3 and EC2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:ListAccessPoints",
                "ec2:RegisterImage",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:ListMultiRegionAccessPoints",
                "s3:ListStorageLensConfigurations",
                "ec2:Describe*",
                "s3:GetAccountPublicAccessBlock",
                "ec2:ModifySnapshotAttribute",
                "s3:ListAllMyBuckets",
                "s3:PutAccessPointPublicAccessBlock",
                "s3:CreateJob",
                "ec2:ImportImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::vms"
        },
        {
            "Sid": "AllowStsDecode",
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*"
        }
    ]
}

Inline Policy for KMS Decrypt

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

Also, I have attached the AWSImportExportFullAccess managed policy to the Role.

I am using the following command to Import the VM to AMI:

aws ec2 import-image --description "MY_VM_Image" --disk-containers "file://configuration.json"

Here are the contents of configuration.json

[{
                "Description": "Image",
                "Format": "ova",
                "UserBucket": {
                        "S3Bucket": "vm",
                        "S3Key": "xzt.ova"
                }

        }

]

But I am facing the following error:

An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport provided does not exist or does not have sufficient permissions

I tried to have a look at the Troubleshooting document. It states the following

This error can also occur if the user calling ImportImage has Decrypt permission but the vmimport role does not.

So, I have also disabled the default encryption at S3.

Still no luck. What else permissions are needed to run the command successfully.

Answer 1

I was facing the same issue and it turned out to be an issue with the clock not being in sync with the NTP servers (it was around 6 minutes off). As soon as the time was synced, the aws ec2 import-image worked as expected.

Here is a link for the importance of Time Synchronization in Kerberos:

https://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/time-sync.html#:~:text=If%20you%20allow%20your%20clocks,errors%20and%20refuse%20to%20function.