
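I have .ova VMs stored in my S3 bucket, and I am trying to create AMIs from these OVAs. I am following a video on using VM Import/Export to import a VM as an image into Amazon EC2.

I created an EC2 instance that I will use to run the CLI commands required for the import. I created an IAM role and attached it to the EC2 instance.

Here are the details of the role:

Trust policy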

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "vmie.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Inline policy for S3 and EC2 access

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:CopySnapshot",
                "s3:ListAccessPointsForObjectLambda",
                "s3:GetAccessPoint",
                "s3:PutAccountPublicAccessBlock",
                "s3:ListAccessPoints",
                "ec2:RegisterImage",
                "s3:ListJobs",
                "s3:PutStorageLensConfiguration",
                "s3:ListMultiRegionAccessPoints",
                "s3:ListStorageLensConfigurations",
                "ec2:Describe*",
                "s3:GetAccountPublicAccessBlock",
                "ec2:ModifySnapshotAttribute",
                "s3:ListAllMyBuckets",
                "s3:PutAccessPointPublicAccessBlock",
                "s3:CreateJob",
                "ec2:ImportImage"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::vms"
        },
        {
            "Sid": "AllowStsDecode",
            "Effect": "Allow",
            "Action": "sts:DecodeAuthorizationMessage",
            "Resource": "*"
        }
    ]
}

Inline policy for KMS decryption

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

In addition, I have attached the AWSImportExportFullAccess managed policy to the role.

I am using the following command to import the VM as an AMI:

aws ec2 import-image --description "MY_VM_Image" --disk-containers "file://configuration.json"

Here is the content of configuration.json:

[
    {
        "Description": "Image",
        "Format": "ova",
        "UserBucket": {
            "S3Bucket": "vm",
            "S3Key": "xzt.ova"
        }
    }
]

But I am facing the following error:

An error occurred (InvalidParameter) when calling the ImportImage operation: The service role vmimport provided does not exist or does not have sufficient permissions

I tried looking at the troubleshooting documentation. It states the following:

This error can also occur if the user calling ImportImage has Decrypt permission but the vmimport role does not.

So I also disabled default encryption for S3.

Still no luck. What other permissions are required to run the command successfully?

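An added example, not part of the original question: a static check of the trust policy, the S3/EC2 inline policy and configuration.json shown above against what the import service role needs. The required-action list is an assumption based on the VM Import/Export service-role documentation, and the role name passed in is assumed because the question does not give it.

```python
from fnmatch import fnmatchcase

# Documents copied from the question; the first Allow statement is abridged to
# the actions this check looks at. The KMS and managed policies are not evaluated.
TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"Service": "vmie.amazonaws.com"}}]}
INLINE = {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*",
                "ec2:ModifySnapshotAttribute", "ec2:ImportImage", "s3:ListAllMyBuckets"]},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::vms"}]}
DISKS = [{"Format": "ova", "UserBucket": {"S3Bucket": "vm", "S3Key": "xzt.ova"}}]

def as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement matches action and resource ('*' wildcards).
    Simplified: Deny, NotAction, NotResource and Condition are ignored."""
    for st in as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts, ress = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
        if (any(fnmatchcase(action.lower(), a.lower()) for a in acts)
                and any(fnmatchcase(resource, r) for r in ress)):
            return True
    return False

def trusts_vmie(trust):
    return any(st.get("Effect") == "Allow"
               and "sts:AssumeRole" in as_list(st.get("Action", []))
               and "vmie.amazonaws.com" in as_list(st.get("Principal", {}).get("Service", []))
               for st in as_list(trust["Statement"]))

def check_import_role(role_name, trust, policies, disks):
    """Return a list of findings; an empty list means the static checks pass."""
    findings = []
    if role_name != "vmimport":
        findings.append(f"role {role_name!r}: import-image uses 'vmimport' unless --role-name is passed")
    if not trusts_vmie(trust):
        findings.append("trust policy does not let vmie.amazonaws.com assume the role")
    needed = [(f"ec2:{a}", "*") for a in
              ("CopySnapshot", "RegisterImage", "DescribeImages", "ModifySnapshotAttribute")]
    for d in disks:
        bucket = "arn:aws:s3:::" + d["UserBucket"]["S3Bucket"]
        needed += [("s3:GetBucketLocation", bucket), ("s3:ListBucket", bucket),
                   ("s3:GetObject", f"{bucket}/{d['UserBucket']['S3Key']}")]
    for action, res in needed:
        if not any(allows(p, action, res) for p in policies):
            findings.append(f"no Allow for {action} on {res}")
    return findings
```

Calling check_import_role("vmimport", TRUST, [INLINE], DISKS) returns three S3 findings, because the policy's only bucket-scoped resource is arn:aws:s3:::vms while configuration.json names bucket vm, and no statement covers an object ARN of the form arn:aws:s3:::vm/*.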