CODEWITHSUNDEEP
amazon-web-servicesamazon-s3amazon-ec2
abex.co
abex.co

Reputation: 41

AWS EC2 import-image: ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden

I have an S3 bucket which contains my ova file. The file name does not contain space, etc. The S3 bucket is in my default region. I have created the role and trusting policy as described in https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#import-image-prereqs

Command used:

I call the following command to start the import:

aws ec2 import-image --description "IBM QRadar CE 733" --license-type BYOL --disk-containers file://containers.json

{
    "Description": "IBM QRadar CE 733",
    "ImportTaskId": "import-ami-xxxxxxxxxxxx",
    "LicenseType": "BYOL",
    "Progress": "1",
    "SnapshotDetails": [
        {
            "Description": "QRadarCE733",
            "DiskImageSize": 0.0,
            "Format": "OVA",
            "UserBucket": {
                "S3Bucket": "ibmqradarce733",
                "S3Key": "QRadarCE733GA_v1_0.ova"
            }
        }
    ],
    "Status": "active",
    "StatusMessage": "pending"
}

container.json contains:

[{
    "Description": "QRadarCE733",
    "Format": "OVA",
    "UserBucket": {
        "S3Bucket": "ibmqradarce733",
        "S3Key": "QRadarCE733GA_v1_0.ova"
    }
}]

Progress check

Please note: I have added xxx to the ImportTaskId. Already after a few seconds in the "Validation"-Phase I receive the error:

ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]

Here is the full response: (Please note: I have added xxx to the ImportTaskId)

aws ec2 describe-import-image-tasks --import-task-ids import-ami-0a09ee6b0e35d8ca0
{
    "ImportImageTasks": [
        {
            "Description": "IBM QRadar CE 733",
            "ImportTaskId": "import-ami-xxxxxxxxxxxxx",
            "LicenseType": "BYOL",
            "SnapshotDetails": [],
            "Status": "deleting",
            "StatusMessage": "ClientError: Disk validation failed [We do not have access to the given resource. Reason 403 Forbidden]",
            "Tags": []
        }
    ]
}

Upvotes: 3

Views: 15470

Answers (2)

Yesvanth
Yesvanth

Reputation: 1

give full public access for Bucket & file (object)

Upvotes: 0

riccosmith
riccosmith

Reputation: 76

Make sure the vmimport policy attached to vmimport role allows access to the S3 bucket containing your .ova files.

If you copied the policy from the documentation verbatim, you will need to edit it to explicitly grant access to your S3 buckets.

This section:

"Resource": [
            "arn:aws:s3:::disk-image-file-bucket",
            "arn:aws:s3:::disk-image-file-bucket/*"
         ]

Should become:

"Resource": [
            "arn:aws:s3:::ibmqradarce733",
            "arn:aws:s3:::ibmqradarce733/*"
         ]

Upvotes: 6

Related Questions