Importing images from AWS

If you have Amazon Machine Images (AMI) or a virtual disk image (such as VMDK and VHD) stored in an S3 bucket on Amazon Web Services (AWS), you can use the gcloud command-line tool to import these images into Google Cloud.

Alternatively, you can import an image by following the instructions for Manually importing virtual disks.

For a full list of import options, see Choosing an import method.

Before you begin

Import from AWS overview

The process to import an image from AWS to Compute Engine is as follows:

  1. From your AWS account, create an IAM user that has the required permissions to perform the export.

  2. From your AWS account, set and view the configuration settings.

  3. From your AWS account, by using the IAM user created in the previous step, generate temporary credentials that can be used by the gcloud command-line tool.

  4. In Google Cloud, import the image using the gcloud command-line tool. The gcloud command-line tool completes the following steps:

    • Imports the image from AWS to Compute Engine.
    • Adds the image to the list of available images in your specified project on Compute Engine.

Limitations and restrictions

Creating AWS IAM user

It might not be best practice to generate credentials using your AWS root user account. For security reasons, Google recommends that you create one or more IAM users and provide them with the minimum permissions required to export an AMI or virtual disk from AWS.

The minimum permissions required for the IAM user depend on the type of image (AMI or virtual disk image) that you want to export from AWS.

Creating an AWS IAM user for AMI export

To create this user, see create an IAM user in your AWS account.

This user must have the following required permissions and service role:

Creating an AWS IAM user for virtual disk image export

To create this user, see create an IAM user in your AWS account.

The minimum permissions required by this user are outlined in the following JSON IAM policy. Replace IMAGE_FILE_PATH with the path to the image file you want to import.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::IMAGE_FILE_PATH"]
    }
  ]
}

Setting and viewing the configuration settings

After you create the IAM user, you need to set and configure your environment.

To set and view your configuration setting, run the following command:

aws configure

For more information about this command, see Set and view configuration settings.

Generating temporary credentials

After you create and configure the IAM user, you need to create a temporary credential that can be used by the gcloud compute images import command.

This user credential consists of the following:

  • An access key ID: aws-access-key-id
  • A secret access key: aws-secret-access-key
  • A session token: aws-session-token

This temporary AWS IAM user credential must be generated from an IAM user. The selected IAM user must have all the required permissions.

To generate the temporary credentials, use the AWS command-line tool or generate the credentials programmatically. To install the AWS command-line tool, see Installing the AWS CLI version 2.

For example, the following command generates a credential that expires in 3600 seconds. Make sure that you specify enough time to import your image into Google Cloud.

aws sts get-session-token --duration-seconds 3600

For more information on generating temporary credentials, see Using Temporary Credentials With AWS Resources.
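A preflight check for the temporary credential described above, as an added example that is not part of the original page: it parses the JSON that aws sts get-session-token prints and returns the three credential flags for gcloud compute images import. The function name, the 30-minute minimum lifetime and the sample values are assumptions; the prefix check relies on AWS issuing temporary access key IDs that start with ASIA.

```python
import json
from datetime import datetime, timedelta, timezone

def gcloud_aws_flags(sts_json, now, needed=timedelta(minutes=30)):
    """Validate `aws sts get-session-token` output and return the gcloud credential flags."""
    creds = json.loads(sts_json)["Credentials"]
    key_id = creds["AccessKeyId"]
    # Temporary (STS) access key IDs start with ASIA; AKIA marks a long-term key.
    if not key_id.startswith("ASIA"):
        raise ValueError("access key ID is not a temporary STS credential")
    if not creds.get("SessionToken"):
        raise ValueError("session token missing")
    # Older CLI versions print a trailing Z instead of +00:00.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires - now < needed:  # 'needed' is an assumed import duration
        raise ValueError("credential expires before the import can finish")
    return [
        f"--aws-access-key-id={key_id}",
        f"--aws-secret-access-key={creds['SecretAccessKey']}",
        f"--aws-session-token={creds['SessionToken']}",
    ]

# Constructed sample in the shape the AWS CLI prints; none of these values is real.
SAMPLE = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructed-secret-access-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2024-01-01T13:00:00+00:00"}})

if __name__ == "__main__":
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    for flag in gcloud_aws_flags(SAMPLE, start):
        print(flag)
```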

Importing images into Compute Engine

After you have created an AWS IAM user and generated the temporary user credentials, you can now import your image to Compute Engine.

Importing an AMI from AWS

  1. Set up an AWS S3 bucket. This bucket is used as a temporary storage location from which the gcloud command-line tool can export the AMI. The gcloud command-line tool deletes the AMI from this bucket as soon as the import to Compute Engine completes successfully.

    This bucket must be in the same region as the AMI.

  2. Import the AMI. To import an AMI from AWS, use the gcloud beta compute images import command:

    gcloud beta compute images import IMAGE_NAME \
        --aws-region=AWS_REGION \
        --aws-access-key-id=AWS_ACCESS_KEY_ID \
        --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
        --aws-session-token=AWS_SESSION_TOKEN \
        --aws-ami-id=AWS_AMI_ID \
        --aws-ami-export-location=AWS_AMI_EXPORT_LOCATION \
        --os=OS
    

    Replace the following:

    • IMAGE_NAME: name of the AMI image to create.
    • AWS_REGION: AWS region of the image that you want to import.
    • AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
    • AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
    • AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
    • AWS_AMI_ID: AWS AMI ID of the image to import.
    • AWS_AMI_EXPORT_LOCATION: AWS S3 bucket location where you want to export the image from. This bucket must be in the same region as the AMI.
    • OS: operating system of the disk image being imported.

    Example

    For example, to import an AMI image that has the ID ami-04d75016789164863 from your S3 bucket ami-test-bucket and name it my-ami-test-image, your command might resemble the following:

    gcloud beta compute images import my-ami-test-image \
        --aws-region=us-east-2 \
        --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
        --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
        --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
        --aws-ami-id=ami-04d75016789164863 \
        --aws-ami-export-location=s3://ami-test-bucket \
        --os=ubuntu-1804
    

Importing a virtual disk image from AWS

To import a virtual disk image from AWS, use the gcloud beta compute images import command:

gcloud beta compute images import IMAGE_NAME \
    --aws-region=AWS_REGION \
    --aws-access-key-id=AWS_ACCESS_KEY_ID \
    --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
    --aws-session-token=AWS_SESSION_TOKEN \
    --aws-source-ami-file-path=DISK_IMAGE_FILE_PATH \
    --os=OS

Replace the following:

  • IMAGE_NAME: name of the disk image to create.
  • AWS_REGION: AWS region of the image that you want to import.
  • AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
  • AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
  • AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
  • DISK_IMAGE_FILE_PATH: S3 resource path of the virtual disk image file that you want to import.
  • OS: operating system of the disk image being imported.

Example

For example, to import an ubuntu1804.vmdk virtual disk from your S3 bucket image-test-bucket and name it my-test-image, your command might resemble the following:

gcloud beta compute images import my-test-image \
    --aws-region=us-east-2 \
    --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
    --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
    --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
    --aws-source-ami-file-path=s3://image-test-bucket/ubuntu1804.vmdk \
    --os=ubuntu-1804

What's next