If you have Amazon Machine Images (AMI) or a virtual disk image (VMDK or VHD) stored in a S3 bucket on Amazon Web Services (AWS), you can use the Google Cloud CLI to import these images into Google Cloud.
Alternatively, you can import an image by following the instructions for Manually importing boot disks.
For a full list of import options, see Choose a migration path.
Before you begin
- If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.
  - Install the Google Cloud CLI, then initialize it by running the following command:
    gcloud init
  - Set a default region and zone.
Overview of importing images from AWS
The process to import an image from AWS to Compute Engine is as follows:
From your AWS account, create an IAM user that has the required permissions to perform the export.
- For AMI images, see Creating an AWS IAM user for AMI export.
- For virtual disk images, see Creating an AWS IAM user for virtual disk image export.
From your AWS account, set and view the configuration settings.
From your AWS account, by using the IAM user created in the previous step, generate temporary credentials that can be used by the Google Cloud CLI.
In Google Cloud, import the image using the Google Cloud CLI. The Google Cloud CLI completes the following steps:
- Imports the image from AWS to Compute Engine.
- Adds the image to the list of available images in your specified project on Compute Engine.
Limitations and restrictions
- Review the export considerations documentation from AWS.
- Review the export limitations documentation from AWS.
- You cannot import Arm64 images by using the image import tool. To import Arm64 images, follow step-by-step instructions as described in Manually import boot disks.
Create an AWS IAM user
Generating credentials with your AWS root user account might not be a best practice. For security reasons, Google recommends that you create one or more IAM users and provide them with the minimum permissions required to export an AMI or virtual disk from AWS.
The minimum permissions required for the IAM user depend on the type of image (AMI or virtual disk image) that you want to export from AWS.
Create an AWS IAM user for AMI export
To create this user, see create an IAM user in your AWS account.
This user must have the following required permissions and service role:
Create an AWS IAM user for virtual disk image export
To create this user, see create an IAM user in your AWS account.
The minimum permissions required by this user are outlined in the following JSON IAM policy. Replace IMAGE_FILE_PATH with the path to the image file you want to import.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::IMAGE_FILE_PATH"]
    }
  ]
}
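A check for the least-privilege requirement above, as an added example that is not part of the original page: it audits a policy document and reports any grant beyond s3:GetObject on the one image object. The function names, the sample policies and the object ARN (built from this page's example bucket and file name) are assumptions made for illustration.

```python
import json

ALLOWED_ACTIONS = {"s3:getobject"}  # the page's policy grants only s3:GetObject

# Constructed sample input: the ARN uses this page's example bucket and file name.
IMAGE_ARN = "arn:aws:s3:::image-test-bucket/ubuntu1804.vmdk"
MINIMAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [IMAGE_ARN]}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::image-test-bucket/*"}]})

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit_export_policy(policy_text, expected_arn):
    """Return findings; an empty list means nothing beyond the minimum is granted."""
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {index}: grants by exclusion")
            continue
        for action in as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:  # action names are case-insensitive
                findings.append(f"statement {index}: unexpected action {action}")
        for resource in as_list(stmt.get("Resource", [])):
            if "*" in resource or "?" in resource:
                findings.append(f"statement {index}: wildcard resource {resource}")
            elif resource != expected_arn:
                findings.append(f"statement {index}: unexpected resource {resource}")
    return findings

if __name__ == "__main__":
    for name, text in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_export_policy(text, IMAGE_ARN) or "ok")
```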
Set up and view the configuration settings
After you create the IAM user, you need to set and configure your environment.
To set up and view your configuration settings, run the following command:
aws configure
For more information about this command, see Set and view configuration settings.
Generate temporary credentials
After you create and configure the IAM user, you need to create a temporary credential that can be used by the gcloud compute images import command.
This user credential consists of the following:
- An access key ID: aws-access-key-id
- A secret access key: aws-secret-access-key
- A session token: aws-session-token
This temporary AWS IAM user credential must be generated from an IAM user. The selected IAM user must have all the required permissions.
To generate the temporary credentials, use the AWS command-line tool or generate the credentials programmatically. To install the AWS command-line tool, see Installing the AWS CLI version 2.
For example, the following command generates a credential that expires in 3600 seconds. Make sure that you specify enough time to import your image into Google Cloud.
aws sts get-session-token --duration-seconds 3600
For more information on generating temporary credentials, see Using Temporary Credentials With AWS Resources.
Import images into Compute Engine
After you have created an AWS IAM user and generated the temporary user credentials, you can now import your image to Compute Engine.
Import an AMI from AWS
Set up an AWS S3 bucket. This bucket is used as a temporary storage location from which the Google Cloud CLI can export the AMI. The Google Cloud CLI deletes the AMI from this bucket as soon as the import to Compute Engine completes successfully.
This bucket must be in the same region as the AMI.
Import the AMI. To import an AMI from AWS, use the gcloud compute images import command:
gcloud compute images import IMAGE_NAME \
    --aws-region=AWS_REGION \
    --aws-access-key-id=AWS_ACCESS_KEY_ID \
    --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
    --aws-session-token=AWS_SESSION_TOKEN \
    --aws-ami-id=AWS_AMI_ID \
    --aws-ami-export-location=AWS_AMI_EXPORT_LOCATION \
    --os=OS
Replace the following:
- IMAGE_NAME: name of the AMI image to create.
- AWS_REGION: AWS region of the image that you want to import.
- AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
- AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
- AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
- AWS_AMI_ID: AWS AMI ID of the image to import.
- AWS_AMI_EXPORT_LOCATION: AWS S3 bucket location where you want to export the image from. This bucket must be in the same region as the AMI.
- OS: operating system of the disk image being imported.
Example
For example, to import an AMI image that has the ID ami-04d75016789164863 from your S3 bucket ami-test-bucket and to name it my-ami-test-image, your command might resemble the following:
gcloud compute images import my-ami-test-image \
    --aws-region=us-east-2 \
    --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
    --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
    --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
    --aws-ami-id=ami-04d75016789164863 \
    --aws-ami-export-location=s3://ami-test-bucket \
    --os=ubuntu-1804
Import a virtual disk image from AWS
To import a virtual disk image from AWS, use the gcloud compute images import command:
gcloud compute images import IMAGE_NAME \
    --aws-region=AWS_REGION \
    --aws-access-key-id=AWS_ACCESS_KEY_ID \
    --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
    --aws-session-token=AWS_SESSION_TOKEN \
    --aws-source-ami-file-path=DISK_IMAGE_FILE_PATH \
    --os=OS
Replace the following:
- IMAGE_NAME: name of the disk image to create.
- AWS_REGION: AWS region of the image that you want to import.
- AWS_ACCESS_KEY_ID: access key ID for a temporary AWS credential. This ID must be generated using the AWS Security Token Service.
- AWS_SECRET_ACCESS_KEY: secret access key for a temporary AWS credential. This key must be generated using the AWS Security Token Service.
- AWS_SESSION_TOKEN: session token for a temporary AWS credential. This session token must be generated using the AWS Security Token Service.
- DISK_IMAGE_FILE_PATH: S3 resource path of the virtual disk image file that you want to import.
- OS: operating system of the disk image being imported.
Example
For example, to import an ubuntu1804.vmdk virtual disk from your S3 bucket image-test-bucket and to name it my-test-image, your command might resemble the following:
gcloud compute images import my-test-image \
    --aws-region=us-east-2 \
    --aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
    --aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
    --aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
    --aws-source-ami-file-path=s3://image-test-bucket/ubuntu1804.vmdk \
    --os=ubuntu-1804
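The credential and import steps above, tied together as an added example that is not part of the original page: it parses the JSON that aws sts get-session-token prints, refuses a credential that would expire before the import finishes, and builds the virtual disk import arguments with a redacted copy for logging. The function names and the sample STS output are constructed for illustration; the flags are the ones shown on this page.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of `aws sts get-session-token` output (no real credential).
SAMPLE_STS_OUTPUT = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "constructed-secret-key",
    "SessionToken": "constructed-session-token",
    "Expiration": "2030-01-01T01:00:00Z"}})

def load_sts_credentials(sts_json, needed, now=None):
    """Parse the STS output and check the credential outlives the import."""
    creds = json.loads(sts_json)["Credentials"]
    # Accept a trailing "Z" as well as an explicit UTC offset.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires - now < needed:
        raise ValueError("temporary credential expires before the import can finish")
    return creds

def build_import_argv(image_name, region, source_path, os_name, creds):
    """Argument list for the virtual disk import, suitable for subprocess.run."""
    if not source_path.startswith("s3://"):
        raise ValueError("source path must be an s3:// resource path")
    return [
        "gcloud", "compute", "images", "import", image_name,
        f"--aws-region={region}",
        f"--aws-access-key-id={creds['AccessKeyId']}",
        f"--aws-secret-access-key={creds['SecretAccessKey']}",
        f"--aws-session-token={creds['SessionToken']}",
        f"--aws-source-ami-file-path={source_path}",
        f"--os={os_name}",
    ]

def redact(argv):
    """Copy of argv that is safe to log: secret values are replaced."""
    secret_flags = ("--aws-secret-access-key=", "--aws-session-token=")
    return [a.split("=", 1)[0] + "=REDACTED" if a.startswith(secret_flags) else a
            for a in argv]

if __name__ == "__main__":
    start = datetime(2030, 1, 1, tzinfo=timezone.utc)  # constructed clock
    creds = load_sts_credentials(SAMPLE_STS_OUTPUT, timedelta(minutes=30), now=start)
    print(" ".join(redact(build_import_argv(
        "my-test-image", "us-east-2",
        "s3://image-test-bucket/ubuntu1804.vmdk", "ubuntu-1804", creds))))
```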
What's next
- Create a new VM instance that uses your bootable image.
- Share your image across projects.