The Service Role vmimport does not Exist or does not Have Sufficient Permissions for the Service to Continue

Situation

An image-based or VM restore plan that targets the Amazon EC2 platform fails with the following error message: The service role vmimport does not exist or does not have sufficient permissions for the service to continue

Cause

The vmimport IAM service role that AWS VM Import uses is missing, or the role (or the IAM user running the restore) lacks the permissions required to import the image-based or VM backup as an EC2 instance.

Solution

If you encounter the vmimport IAM role error during the EC2 restore of an image-based backup, work through the following troubleshooting steps in order:

Check Your Permissions

To restore an image-based backup to an EC2 instance, make sure that the following permissions are granted to the AWS IAM user whose credentials the Management Console uses (AWS Management Console -> IAM -> Users -> User name -> Permissions). Note that bucket-level actions (such as s3:ListBucket) are evaluated against the bucket ARN, while object-level actions (such as s3:GetObject and s3:PutObject) are evaluated against the object ARN, so the S3 statement below lists both:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ImportInstance",
                "ec2:ImportImage",
                "ec2:ImportVolume",
                "ec2:CancelImportTask",
                "ec2:DescribeConversionTasks",
                "ec2:DescribeImportImageTasks",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:RequestSpotInstances",
                "ec2:MonitorInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:CreateTags",
                "ec2:DescribeInstances",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeKeyPairs",
                "iam:ListRoles",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::{your bucket name}",
                "arn:aws:s3:::{your bucket name}/*"
            ],
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "sts:GetFederationToken",
            "Resource": "*",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Action": "ses:*",
            "Resource": "*",
            "Condition": {}
        }
    ]
}

Replace the "{your bucket name}" placeholder in both ARNs with the name of the S3 bucket that contains the image-level backup.

If you have MBS Management Console administrator privileges, also ensure that your S3 (AWS) storage account was added using the IAM role authentication type, not the legacy access/secret key pair of the root user.

To do this:

  1. Open the Management Console.
  2. In the Storage menu, select Storage Accounts.
  3. Find the required account, then click the Gear button.
  4. Click Change credentials.

Set Up the vmimport IAM Role Again

If all necessary IAM user permissions are in place but the issue persists, set up the vmimport IAM role again.

  1. Open the AWS Management Console.
  2. Sign in with an IAM user that is allowed to create roles and policies (using the account's root credentials for this is not recommended).
  3. In the Security, Identity & Compliance category, select IAM.
  4. Select Roles, then click Create role.
  5. Select the type of trusted entity (AWS service), then select the service for the role (EC2). This only sets the wizard's default trust relationship; it is replaced with the VM Import service principal in step 13.
  6. Click Next: Review.
  7. Specify the name for the role (vmimport), then review the role's summary and click Create Role.

Make sure that the role's name is exactly that: vmimport

  8. Click on the created role to edit its policies.
  9. In the Permissions tab, click Add Inline Policy.
  10. Switch to the JSON policy editor, then insert the following policy:
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket",
            "s3:GetBucketLocation"
         ],
         "Resource":[
            "arn:aws:s3:::{your bucket name}"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetObject"
         ],
         "Resource":[
            "arn:aws:s3:::{your bucket name}/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:ModifySnapshotAttribute",
            "ec2:CopySnapshot",
            "ec2:RegisterImage",
            "ec2:Describe*"
         ],
         "Resource":"*"
      }
   ]
}

Make sure that you replace the "{your bucket name}" placeholder in both "arn:aws:s3:::{your bucket name}" and "arn:aws:s3:::{your bucket name}/*" with the name of the S3 bucket that contains the image-level backup. The first ARN covers the bucket-level actions (s3:ListBucket, s3:GetBucketLocation); the second covers the objects inside the bucket (s3:GetObject).

  11. Review the created policy, specify the policy name, then click Create Policy.
  12. Open the Trust Relationships tab, then click Edit Trust Relationships.
  13. In the Policy Document editor, replace the existing document with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "vmie.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "vmimport"
        }
      }
    }
  ]
}
  14. Click Update Trust Policy.

Until step 14 is completed the role trusts ec2.amazonaws.com (the wizard's default for the EC2 service), not the VM Import service principal vmie.amazonaws.com, so the service cannot assume it and the restore keeps failing with the error above.
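The role documents above and the user policy under Check Your Permissions are easy to get subtly wrong: a placeholder left in an ARN, a trust relationship still pointing at ec2.amazonaws.com from the wizard's EC2 choice, a missing sts:ExternalId, or an S3 statement scoped to the bucket ARN only. The following Python script is an added example (not MSP360 or AWS code): it builds the role's trust and permission policies for a bucket name and audits an existing role's documents against them with a simplified offline IAM evaluator. The bucket name example-backup-bucket and the probe resource ARNs are constructed for the example; the missing_grants helper can be pointed at any policy document, including the IAM user policy from the Check Your Permissions section.

```python
"""Build the vmimport role documents for a bucket and audit an existing role
against them.  Added example for this article, not MSP360 or AWS code; stdlib
only, runs offline on policy documents you paste in (for example the output of
`aws iam get-role` and `aws iam get-role-policy`)."""
import fnmatch
import re

ROLE_NAME = "vmimport"                 # VM Import looks the role up by this exact name
VMIE_PRINCIPAL = "vmie.amazonaws.com"  # the VM Import/Export service principal
EXTERNAL_ID = "vmimport"               # sts:ExternalId presented when the service assumes the role
# Conservative bucket-name pattern; it rejects the "{your bucket name}" placeholder.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_vmimport_policies(bucket):
    """Return (trust_policy, permission_policy) for `bucket`, matching the article's documents."""
    if not BUCKET_NAME_RE.match(bucket):
        raise ValueError(f"{bucket!r} is not a valid bucket name; replace the placeholder first")
    trust = {"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow",
        "Principal": {"Service": VMIE_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
    perms = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},          # bucket-level actions
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},        # object-level actions
        {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
                                       "ec2:RegisterImage", "ec2:Describe*"],
         "Resource": "*"}]}
    return trust, perms


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants.  Actions match case-insensitively with IAM wildcards; statement Conditions
    and NotAction/NotResource are not modelled (the article's documents use neither)."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action", [])))
            res_ok = any(fnmatch.fnmatchcase(resource, p)
                         for p in _as_list(stmt.get("Resource", [])))
            if act_ok and res_ok:
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def missing_grants(policies, required):
    """Return the (action, resource) pairs from `required` that `policies` do not allow.
    Probe bucket/* resources with a concrete object key: a statement scoped to the
    bucket ARN alone never grants object-level actions such as s3:GetObject."""
    return [(a, r) for a, r in required if not _allows(policies, a, r)]


def audit_vmimport_role(role_name, trust_policy, permission_policies, bucket):
    """Return a list of findings; an empty list means the role looks as VM Import expects."""
    findings = []
    if role_name != ROLE_NAME:
        findings.append(f"role is named {role_name!r}; VM Import requires exactly {ROLE_NAME!r}")

    trusted = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or VMIE_PRINCIPAL not in services
                or "sts:AssumeRole" not in _as_list(stmt.get("Action", []))):
            continue
        trusted = True
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != EXTERNAL_ID:
            findings.append(f"trust statement for {VMIE_PRINCIPAL} has sts:ExternalId {ext!r}, "
                            f"expected {EXTERNAL_ID!r}")
    if not trusted:
        findings.append(f"no trust statement lets {VMIE_PRINCIPAL} assume the role (the console "
                        "wizard's EC2 choice trusts ec2.amazonaws.com until you edit it)")

    # Probe every required action with a concrete resource so wildcard scoping is exercised.
    _, expected = build_vmimport_policies(bucket)
    required = []
    for stmt in expected["Statement"]:
        for action in stmt["Action"]:
            for resource in _as_list(stmt["Resource"]):
                if resource == "*":  # constructed snapshot ARN stands in for "any EC2 resource"
                    resource = "arn:aws:ec2:us-east-1::snapshot/snap-0123456789abcdef0"
                required.append((action, resource.replace("/*", "/backups/disk.vhdx")))
    findings += [f"{a} on {r} is not allowed" for a, r in missing_grants(permission_policies, required)]
    return findings


if __name__ == "__main__":
    trust, perms = build_vmimport_policies("example-backup-bucket")  # constructed bucket name
    print(audit_vmimport_role(ROLE_NAME, trust, [perms], "example-backup-bucket"))  # []
```

To audit a live role, paste the AssumeRolePolicyDocument from `aws iam get-role --role-name vmimport` and the PolicyDocument from `aws iam get-role-policy --role-name vmimport --policy-name <name>` into the audit call. The evaluator ignores Conditions and NotAction, so an empty finding list is a necessary check rather than proof; `aws iam simulate-principal-policy` remains the authoritative test of what a principal can actually do.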

Add S3 Storage Account to the Management Console with a New IAM User

If the issue persists after the measures described above and you have MBS Management Console administrator privileges, add your S3 (AWS) storage account to the MBS Management Console again from scratch using a new IAM user.

To do this:

  1. Open the AWS Management Console.
  2. Create a new IAM user with the following minimum set of required permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PutRolePolicy",
                "iam:CreateRole",
                "iam:GetRole",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*",
            "Condition": {}
        }
    ]
}

These permissions let the Management Console create the vmimport role and attach its inline policy. The three iam: actions support resource-level permissions, so if your account policy requires it you can restrict them to the role ARN (arn:aws:iam::<account-id>:role/vmimport) instead of "*"; s3:ListAllMyBuckets must stay on "*".

  3. Open the MBS Management Console.
  4. Specify the new IAM user's credentials. To learn how to do this, refer to the Storage Accounts chapter of the MBS help documentation.

Note that the IAM role authentication type for S3 accounts is recommended.

  5. Follow the Add Cloud Storage Wizard steps to finish adding the storage account. The new storage account must contain all necessary roles, permissions, and policies related to the assigned IAM user.

Reference Materials

If you have any questions after reading this article, consider these materials for further reading: