Import images from AWS


If you have Amazon Machine Images (AMI) or a virtual disk image (VMDK or VHD) stored in an S3 bucket on Amazon Web Services (AWS), you can use the Google Cloud CLI to import these images into Google Cloud.

Alternatively, you can import an image by following the instructions for Manually importing boot disks.

For a full list of import options, see Choose a migration path.

Before you begin

  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.
    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

Overview of importing images from AWS

The process to import an image from AWS to Compute Engine is as follows:

  1. From your AWS account, create an IAM user that has the required permissions to perform the export.

  2. From your AWS account, set and view the configuration settings.

  3. From your AWS account, by using the IAM user created in the previous step, generate temporary credentials that can be used by the Google Cloud CLI.

  4. In Google Cloud, import the image using the Google Cloud CLI. The Google Cloud CLI completes the following steps:

    • Imports the image from AWS to Compute Engine.
    • Adds the image to the list of available images in your specified project on Compute Engine.

Limitations and restrictions

Create an AWS IAM user

Generating credentials with your AWS root user account might not be a best practice. For security reasons, Google recommends that you create one or more IAM users and provide them with the minimum permissions required to export an AMI or virtual disk from AWS.

The minimum permissions required for the IAM user depend on the type of image (AMI or virtual disk image) that you want to export from AWS.

Create an AWS IAM user for AMI export

To create this user, see create an IAM user in your AWS account.

This user must have the following required permissions and service role:

Create an AWS IAM user for virtual disk image export

To create this user, see create an IAM user in your AWS account.

The minimum permissions required by this user are outlined in the following JSON IAM policy. Replace IMAGE_FILE_PATH with the path to the image file you want to import.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::IMAGE_FILE_PATH"]
    }
  ]
}

Set up and view the configuration settings

After you create the IAM user, you need to set and configure your environment.

To set up and view your configuration settings, run the following command:

aws configure

For more information about this command, see Set and view configuration settings.

Generate temporary credentials

After you create and configure the IAM user, you need to create a temporary credential that can be used by the gcloud compute images import command.

This user credential consists of the following:

  • An access key ID: aws-access-key-id
  • A secret access key: aws-secret-access-key
  • A session token: aws-session-token

This temporary AWS IAM user credential must be generated from an IAM user. The selected IAM user must have all the required permissions.

To generate the temporary credentials, use the AWS command-line tool or generate the credentials programmatically. To install the AWS command-line tool, see Installing the AWS CLI version 2.

For example, the following command generates a credential that expires in 3600 seconds. Make sure that you specify enough time to import your image into Google Cloud.

aws sts get-session-token --duration-seconds 3600

For more information on generating temporary credentials, see Using Temporary Credentials With AWS Resources.

Import images into Compute Engine

After you have created an AWS IAM user and generated the temporary user credentials, you can now import your image to Compute Engine.

Import an AMI from AWS

  1. Set up an AWS S3 bucket. This bucket is used as a temporary storage location from which the Google Cloud CLI can export the AMI. The Google Cloud CLI deletes the AMI from this bucket as soon as the import to Compute Engine completes successfully.

    This bucket must be in the same region as the AMI.

  2. Import the AMI. To import an AMI from AWS, use the gcloud compute images import command:

    gcloud compute images import IMAGE_NAME \
        --aws-region=AWS_REGION \
        --aws-access-key-id=AWS_ACCESS_KEY_ID \
        --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
        --aws-session-token=AWS_SESSION_TOKEN \
        --aws-ami-id=AWS_AMI_ID \
        --aws-ami-export-location=AWS_AMI_EXPORT_LOCATION \
        --os=OS
    

    Replace the following:

    • IMAGE_NAME: name of the AMI image to create.
    • AWS_REGION: AWS region of the image that you want to import.
    • AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
    • AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
    • AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
    • AWS_AMI_ID: AWS AMI ID of the image to import.
    • AWS_AMI_EXPORT_LOCATION: AWS S3 bucket location where you want to export the image from. This bucket must be in the same region as the AMI.
    • OS: operating system of the disk image being imported.

    Example

    For example, to import an AMI image that has the ID ami-04d75016789164863 from your S3 bucket ami-test-bucket and to name it my-ami-test-image, your command might resemble the following:

    gcloud compute images import my-ami-test-image \
        --aws-region=us-east-2 \
        --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
        --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
        --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
        --aws-ami-id=ami-04d75016789164863 \
        --aws-ami-export-location=s3://ami-test-bucket \
        --os=ubuntu-1804
    

Import a virtual disk image from AWS

To import a virtual disk image from AWS, use the gcloud compute images import command:

gcloud compute images import IMAGE_NAME \
    --aws-region=AWS_REGION \
    --aws-access-key-id=AWS_ACCESS_KEY_ID \
    --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
    --aws-session-token=AWS_SESSION_TOKEN \
    --aws-source-ami-file-path=DISK_IMAGE_FILE_PATH \
    --os=OS

Replace the following:

  • IMAGE_NAME: name of the disk image to create.
  • AWS_REGION: AWS region of the image that you want to import.
  • AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
  • AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
  • AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
  • DISK_IMAGE_FILE_PATH: S3 resource path of the virtual disk image file that you want to import.
  • OS: operating system of the disk image being imported.

Example

For example, to import an ubuntu1804.vmdk virtual disk from your S3 bucket image-test-bucket and to name it my-test-image, your command might resemble the following:

gcloud compute images import my-test-image \
    --aws-region=us-east-2 \
    --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
    --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
    --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
    --aws-source-ami-file-path=s3://image-test-bucket/ubuntu1804.vmdk \
    --os=ubuntu-1804
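
The steps above, from generating the temporary credential to the virtual disk import, chained into one script as an added example (not code from the original page). It covers only the virtual disk path; is_temp_key_id, run_import, import_disk_from_aws and DRY_RUN are hypothetical names, and the key check relies on the AWS convention that STS access key IDs begin with ASIA while long-term IAM user keys begin with AKIA.

```shell
#!/bin/sh
# Added example, not Google's or AWS's code. The function names and the
# DRY_RUN variable are made up for this sketch.

# True only for a temporary (STS) access key ID: these start with "ASIA",
# while long-term IAM user keys start with "AKIA".
is_temp_key_id() {
  case "$1" in ASIA?*) return 0 ;; *) return 1 ;; esac
}

# Args: IMAGE_NAME AWS_REGION S3_PATH OS KEY_ID SECRET TOKEN
# Checks the inputs, then runs the import. With DRY_RUN=1 it only prints the
# command, one argument per line, with the secret and token masked.
run_import() {
  [ "$#" -eq 7 ] || { echo "run_import: expected 7 arguments" >&2; return 2; }
  is_temp_key_id "$5" || { echo "run_import: not a temporary key ID" >&2; return 3; }
  case "$3" in
    s3://?*/?*) ;;
    *) echo "run_import: S3_PATH must be s3://BUCKET/OBJECT" >&2; return 4 ;;
  esac
  secret=$6 token=$7
  if [ "${DRY_RUN:-0}" = 1 ]; then secret='<masked>' token='<masked>'; fi
  set -- gcloud compute images import "$1" "--aws-region=$2" \
    "--aws-access-key-id=$5" "--aws-secret-access-key=$secret" \
    "--aws-session-token=$token" "--aws-source-ami-file-path=$3" "--os=$4"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Args: IMAGE_NAME AWS_REGION S3_PATH OS [DURATION_SECONDS]
# Requests a session token and hands it straight to run_import, so the
# credential is never pasted by hand or written to a file.
import_disk_from_aws() {
  image=$1 region=$2 s3_path=$3 os=$4
  # --query and --output are global AWS CLI options; the text output is
  # whitespace-separated and none of the three values contains whitespace.
  creds=$(aws sts get-session-token --duration-seconds "${5:-3600}" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  set -f; set -- $creds; set +f   # split into key ID, secret, token
  run_import "$image" "$region" "$s3_path" "$os" "$@"
}

# Usage: import_disk_from_aws my-test-image us-east-2 \
#          s3://image-test-bucket/ubuntu1804.vmdk ubuntu-1804 3600
```

Run it once with DRY_RUN=1 to confirm the arguments before starting a real import.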

What's next