Converting and Importing a VirtualBox VM into an AWS EC2 AMI


Sometimes we need to release our local virtual machines (VMs) into the cloud. Here's how.

First we need to add some configuration to the local VM to prepare it for its release into the wild.

(The technologies we are predominantly using here are Oracle VirtualBox and Amazon Web Services.)

Go ahead and fire up your VM in VirtualBox and run the following inside it:

sudo yum install -y epel-release
sudo yum install -y cloud-init cloud-utils-growpart

If you want to change the default user, edit this file:

/etc/cloud/cloud.cfg

Once that is completed, shut the VM down and export it as an OVA file.

In this example we are releasing our VM into Amazon, so we need to upload the OVA to an available S3 bucket in your AWS account.

Next we need to do some configuration in AWS.

VM Import Service Role

AWS VM Import requires a role to perform certain operations in your account, such as downloading disk images from an Amazon S3 bucket. You must create a role named vmimport with a trust relationship policy document that allows VM Import to assume the role, and you must attach an IAM policy to the role.

To create the service role

Create a file named trust-policy.json with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:Externalid": "vmimport"
        }
      }
    }
  ]
}

You can save the file anywhere on your computer. Take note of the location of the file, because you’ll specify the file in the next step.

Use the create-role command to create a role named vmimport and give VM Import/Export access to it. Ensure that you specify the full path to the location of the trust-policy.json file, and that you prefix file:// to it:

aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

Note

If you encounter an error stating that “This policy contains invalid Json,” double-check that the path to the JSON file is provided correctly.

To create the role-policy:

Create a file named role-policy.json with the following policy, where aria-images is the bucket where the disk images are stored (replace it with the name of your own bucket):

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket"
         ],
         "Resource":[
            "arn:aws:s3:::aria-images",
            "arn:aws:s3:::aria-images/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource":"*"
      }
   ]
}

Use the following put-role-policy command to attach the policy to the role created above. Ensure that you specify the full path to the location of the role-policy.json file.

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

Importing the OVA from S3

Now we can import the OVA image from its S3 location with the following command:

aws ec2 import-image --description "Centos7 OVA" --disk-containers "file://containers.json"

The following is an example of a containers.json file:

[
  {
    "Description": "AriaNetworkNavigatorCV_v1.1.2",
    "Format": "ova",
    "UserBucket": {
      "S3Bucket": "aria-images",
      "S3Key": "AriaNetworkNavigatorCV_v1.1.2.ova"
    }
  }
]

Check the status of the import:

aws ec2 describe-import-image-tasks --import-task-ids import-ami-[printed with previous step]

Once you have successfully completed the above steps, your new AMI can be launched from the AMI section of the EC2 console in your AWS account.

If you are having trouble finding your AMI, double-check the status of the import with the previous command and also check the region you uploaded to, as images are region-specific.
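
The three JSON files above have to agree with each other: the vmimport role should be assumable only by VM Import with the external ID condition, and its S3 permissions must cover the bucket and key named in containers.json. The following offline check is an added example, not part of the original post; the function names are hypothetical, the inputs are constructed copies of the files above, and it evaluates Allow statements only.

```python
from fnmatch import fnmatchcase

def as_list(v):  # IAM accepts a single string or a list for Action and Resource
    return v if isinstance(v, list) else [v]

def check_trust(trust):
    """Flag AssumeRole statements with the wrong principal or no ExternalId condition."""
    problems, found = [], False
    for st in as_list(trust.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        found = True
        svc = "vmie.amazonaws.com"
        if st.get("Principal") not in ({"Service": svc}, {"Service": [svc]}):
            problems.append(f"AssumeRole principal is {st.get('Principal')!r}, expected only {svc}")
        # Condition key names are case-insensitive in IAM, so normalise before the lookup.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") != "vmimport":
            problems.append("AssumeRole lacks the sts:ExternalId == vmimport condition")
    return problems if found else ["no Allow statement for sts:AssumeRole"]

def allowed(role, action, resource):
    """True if an Allow statement matches (approximation: Deny and conditions are ignored)."""
    for st in as_list(role.get("Statement", [])):
        acts = [a.lower() for a in as_list(st.get("Action", []))]  # action names ignore case
        res = as_list(st.get("Resource", []))
        if (st.get("Effect") == "Allow" and any(fnmatchcase(action.lower(), a) for a in acts)
                and any(fnmatchcase(resource, r) for r in res)):
            return True
    return False

def check_role(role, containers):
    """List the S3 permissions the role is missing for each disk container."""
    problems = []
    for c in containers:
        bucket, key = c["UserBucket"]["S3Bucket"], c["UserBucket"]["S3Key"]
        needs = [("s3:GetBucketLocation", f"arn:aws:s3:::{bucket}"),
                 ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
                 ("s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")]
        problems += [f"{a} not allowed on {r}" for a, r in needs if not allowed(role, a, r)]
    return problems

# Constructed inputs mirroring trust-policy.json, role-policy.json and containers.json above.
TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"Service": "vmie.amazonaws.com"},
    "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}
ROLE = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::aria-images", "arn:aws:s3:::aria-images/*"]}]}
CONTAINERS = [{"UserBucket": {"S3Bucket": "aria-images", "S3Key": "AriaNetworkNavigatorCV_v1.1.2.ova"}}]
print(check_trust(TRUST) + check_role(ROLE, CONTAINERS))  # an empty list means the files agree
```

To check your own files, pass the results of json.load on trust-policy.json, role-policy.json and containers.json to the same two functions before running import-image.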
