If you have Amazon Machine Images (AMI) or a virtual disk image (VMDK or VHD) stored in an S3 bucket on Amazon Web Services (AWS), you can use the Google Cloud CLI to import these images into Google Cloud.
Alternatively, you can import an image by following the instructions for Manually importing boot disks.
For a full list of import options, see Choose a migration path.
Before you begin
- If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.
  - Install the Google Cloud CLI, then initialize it by running the following command:
    gcloud init
  - Set a default region and zone.
Overview of importing images from AWS
The process to import an image from AWS to Compute Engine is as follows:
1. From your AWS account, create an IAM user that has the required permissions to perform the export.
2. From your AWS account, set and view the configuration settings.
3. From your AWS account, by using the IAM user created in the previous step, generate temporary credentials that can be used by the Google Cloud CLI.
4. In Google Cloud, import the image using the Google Cloud CLI.
The Google Cloud CLI completes the following steps:
- Imports the image from AWS to Compute Engine.
- Adds the image to the list of available images in your specified project on Compute Engine.
Limitations and restrictions
Create an AWS IAM user
Generating credentials with your AWS root user account might not be a best practice. For security reasons, Google recommends that you create one or more IAM users and provide them with the minimum permissions required to export an AMI or virtual disk from AWS.
The minimum permissions required for the IAM user depend on the type of
image (AMI or virtual disk image) that you want to export from AWS.
Create an AWS IAM user for AMI export
To create this user, see Create an IAM user in your AWS account.
This user must have the following required permissions and service role:
Create an AWS IAM user for virtual disk image export
To create this user, see Create an IAM user in your AWS account.
The minimum permissions required by this user are outlined in the following JSON IAM policy. Replace IMAGE_FILE_PATH with the path to the image file you want to import.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": ["arn:aws:s3:::IMAGE_FILE_PATH"]
    }
  ]
}
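To keep the policy scoped to the one file being imported, the Resource can be derived from the same s3:// URL that is later passed to the import command. The following is an added example, not part of the original page; the function names are hypothetical and it assumes IMAGE_FILE_PATH has the form BUCKET/KEY.

```shell
#!/bin/sh
# Added example, not from the original page.

# s3_url_to_arn S3_URL: print the ARN of the single object named by s3://BUCKET/KEY.
# Assumption: IMAGE_FILE_PATH in the policy is BUCKET/KEY.
s3_url_to_arn() {
  case "$1" in
    s3://?*/?*) ;;
    *) echo "expected s3://BUCKET/KEY" >&2; return 1 ;;
  esac
  obj_path=${1#s3://}
  case "$obj_path" in
    *[*?]*)    echo "wildcard would grant more than one object" >&2; return 2 ;;
    */)        echo "path ends in /, so it names a prefix, not a file" >&2; return 3 ;;
    *\"*|*\\*) echo "path needs JSON escaping; refusing to render" >&2; return 4 ;;
  esac
  printf 'arn:aws:s3:::%s\n' "$obj_path"
}

# render_policy S3_URL: print the page's minimum policy for that one object.
render_policy() {
  arn=$(s3_url_to_arn "$1") || return $?
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["$arn"]
    }
  ]
}
EOF
}

# Policy for the disk image used in the page's import example.
render_policy s3://image-test-bucket/ubuntu1804.vmdk
```
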
Set up and view the configuration settings
After you create the IAM user, you need to set and configure your environment.
To set up and view your configuration settings, run the following command:
aws configure
For more information about this command, see Set and view configuration settings.
Generate temporary credentials
After you create and configure the IAM user, you need to create a temporary credential that can be used by the gcloud compute images import command.
This user credential consists of the following:
- An access key ID: aws-access-key-id
- A secret access key: aws-secret-access-key
- A session token: aws-session-token
This temporary AWS IAM user credential must be generated from an IAM user. The
selected IAM user must have all the required permissions.
To generate the temporary credentials, you can use the AWS command-line tool or generate the credentials programmatically. To install the AWS command-line tool, see Installing the AWS CLI version 2.
For example, the following command generates a credential that expires in 3600 seconds. Make sure that you specify enough time to import your image into Google Cloud.
aws sts get-session-token --duration-seconds 3600
For more information on generating temporary credentials, see Using Temporary Credentials With AWS Resources.
Import images into Compute Engine
After you have created an AWS IAM user and generated the temporary user credentials, you can now import your image to Compute Engine.
Import an AMI from AWS
1. Set up an AWS S3 bucket.
   This bucket is used as a temporary storage location from which the Google Cloud CLI can export the AMI. The Google Cloud CLI deletes the AMI from this bucket as soon as the import to Compute Engine completes successfully.
   This bucket must be in the same region as the AMI.
2. Import the AMI. To import an AMI from AWS, use the gcloud compute images import command:
   gcloud compute images import IMAGE_NAME \
   --aws-region=AWS_REGION \
   --aws-access-key-id=AWS_ACCESS_KEY_ID \
   --aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
   --aws-session-token=AWS_SESSION_TOKEN \
   --aws-ami-id=AWS_AMI_ID \
   --aws-ami-export-location=AWS_AMI_EXPORT_LOCATION \
   --os=OS
Replace the following:
Example
For example, to import an AMI image that has the ID ami-04d75016789164863 from your S3 bucket ami-test-bucket and to name it my-ami-test-image, your command might resemble the following:
gcloud compute images import my-ami-test-image \
--aws-region=us-east-2 \
--aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
--aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
--aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
--aws-ami-id=ami-04d75016789164863 \
--aws-ami-export-location=s3://ami-test-bucket \
--os=ubuntu-1804
Import a virtual disk image from AWS
To import a virtual disk image from AWS, use the gcloud compute images import command:
gcloud compute images import IMAGE_NAME \
--aws-region=AWS_REGION \
--aws-access-key-id=AWS_ACCESS_KEY_ID \
--aws-secret-access-key=AWS_SECRET_ACCESS_KEY \
--aws-session-token=AWS_SESSION_TOKEN \
--aws-source-ami-file-path=DISK_IMAGE_FILE_PATH \
--os=OS
Replace the following:
Example
For example, to import an ubuntu1804.vmdk virtual disk from your S3 bucket image-test-bucket and to name it my-test-image, your command might resemble the following:
gcloud compute images import my-test-image \
--aws-region=us-east-2 \
--aws-access-key-id=ASIAXS3ZFH4O3WWGMMH5 \
--aws-secret-access-key=aW/uxvQD68A+hv3m5oQ4zFfaKiS+za+X/kRlBvx0 \
--aws-session-token=IQoJb3JpZ2luX2VjEEQaCWPIEwL7Qi76PyEIfFyj88...== \
--aws-source-ami-file-path=s3://image-test-bucket/ubuntu1804.vmdk \
--os=ubuntu-1804
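The credential and import steps above can be chained so that the three values are never pasted by hand and a long-term key is never passed by mistake. The following is an added example, not part of the original page: the function names are hypothetical, the credential line is constructed, and it relies on the AWS CLI's --query and --output text options and on temporary STS access key IDs starting with ASIA (long-term IAM user keys start with AKIA). It covers both the AMI and the virtual disk variants of the command.

```shell
#!/bin/sh
# Added example, not from the original page; the dry run below works offline.
TAB=$(printf '\t')

# Constructed stand-in for the single output line of:
#   aws sts get-session-token --duration-seconds 3600 --output text \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
SAMPLE_CREDS="ASIACONSTRUCTED00000${TAB}constructed-secret-access-key${TAB}constructed-session-token"

# check_temp_creds LINE: split a tab-separated credential line into CRED_KEY,
# CRED_SECRET and CRED_TOKEN; return 0 only for a complete temporary set.
# Temporary STS access key IDs start with ASIA, long-term IAM user keys with AKIA.
check_temp_creds() {
  IFS="$TAB" read -r CRED_KEY CRED_SECRET CRED_TOKEN <<EOF
$1
EOF
  if [ -z "$CRED_KEY" ] || [ -z "$CRED_SECRET" ] || [ -z "$CRED_TOKEN" ]; then
    echo "incomplete credential set" >&2; return 2
  fi
  case "$CRED_KEY" in
    ASIA*) return 0 ;;
    AKIA*) echo "long-term access key, not a temporary credential" >&2; return 3 ;;
    *)     echo "unrecognized access key ID prefix" >&2; return 4 ;;
  esac
}

# print_args: dry-run runner (hypothetical helper) that prints one argument per line.
print_args() { printf '%s\n' "$@"; }

# aws_import RUNNER IMAGE_NAME AWS_REGION OS CREDS_LINE SOURCE_FLAG...
# RUNNER is gcloud for a real import, or print_args to inspect the call.
# SOURCE_FLAG is --aws-source-ami-file-path=... for a disk file, or
# --aws-ami-id=... and --aws-ami-export-location=... for an AMI.
aws_import() {
  [ "$#" -ge 6 ] || { echo "usage: aws_import RUNNER NAME REGION OS CREDS SOURCE_FLAG..." >&2; return 1; }
  check_temp_creds "$5" || return $?
  runner=$1 name=$2 region=$3 os=$4
  shift 5
  "$runner" compute images import "$name" "--aws-region=$region" \
    "--aws-access-key-id=$CRED_KEY" "--aws-secret-access-key=$CRED_SECRET" \
    "--aws-session-token=$CRED_TOKEN" "$@" "--os=$os"
}

# Dry run on the constructed sample, using the page's disk-image example values.
aws_import print_args my-test-image us-east-2 ubuntu-1804 "$SAMPLE_CREDS" \
  --aws-source-ami-file-path=s3://image-test-bucket/ubuntu1804.vmdk
```

For a real import, capture the output of the aws command shown in the comment into a variable and pass gcloud as the runner. The secrets then stay out of your shell history, but they are still visible in the process argument list while gcloud runs.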
What's next