When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

0

In the CDK code, I created a custom KMSKey, and then configured the Image Recipe of EC2 Image Builder to use the KMSKey as the encryption key of EBS. After successfully creating the AMI, I used the AMI to launch the instance, and it consistently failed to start. The error is as follows: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state.

KMSKey's state is enabled, otherwise the AMI would not have been generated successfully, so I don't understand why it still reports an incorrect state.

I looked up the answer on the Internet and saw a post saying that it was a permission issue, and then I associated a role with the EC2 instance with an inline policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

But the startup failed with the same error.

Does anyone know why?

tong_K
asked 2 months ago, 2321 views
1 Answer
1
Accepted answer

Hello.

Does your KMS key policy allow access from your AWS account?
Is there a policy in place to use KMS keys for the IAM user trying to launch EC2?
https://github.com/hashicorp/packer/issues/12683#issuecomment-1889831463

How about using the following KMS key policy?

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::AWS Account ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:DescribeKey",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey",
              "kms:GenerateDataKeyWithoutPlaintext"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
EXPERT
answered 2 months ago
  • Thank you. The permissions associated with KMS for the AWS user I use are like this: "kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource".

  • You may want to check the event from CloudTrail's event history as described in the documentation below. This will allow you to check which IAM policies are missing for IAM users. You probably need to add "kms:CreateGrant" to the IAM user's IAM policy. https://repost.aws/knowledge-center/kms-iam-ec2-permission

  • Thank you, issue solved.
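The accepted answer's key policy and the follow-up comment about kms:CreateGrant both turn on the same rule: KMS evaluates the key policy first, and an identity policy on the EC2 role or the launching user only counts when the key policy delegates to IAM through an Allow for the account's root principal. The script below is an added example, not code from the question, the answer or any AWS tool. It models that decision offline for the six actions the answer's two role statements cover (ReEncrypt* expanded), and runs it against constructed policies: the answer's key policy, a root-only key policy paired with the question's kms:* inline policy and with the commenter's key-admin user permissions, and a key policy that names a different role. The account id, role name, key ARN and the simplifications (no grants, no cross-account access, no NotAction, only the Bool condition operator) are assumptions of the example.

```python
"""Offline model of how KMS authorises a principal for an encrypted-EBS launch.
The key policy is consulted first: the principal is allowed when the key policy
names it directly, or when the key policy delegates to IAM (an Allow for
arn:aws:iam::ACCOUNT:root) and an identity policy on the principal allows the
action. Grants, cross-account access, NotAction and condition operators other
than Bool are out of scope for this example."""
import fnmatch
from typing import Any, Dict, List, Optional

# Assumed required set: the two role statements from the accepted answer,
# with kms:ReEncrypt* expanded into its two concrete actions.
REQUIRED_ACTIONS = [
    "kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant",
]
# EC2 creates the grant on the caller's behalf; this is the context the
# answer's kms:GrantIsForAWSResource condition is evaluated against.
GRANT_CONTEXT = {"kms:GrantIsForAWSResource": "true"}
Policy = Dict[str, Any]

def _as_list(value: Any) -> List[Any]:
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(pattern: str, candidate: str) -> bool:
    # IAM action and resource matching is case-insensitive with * wildcards.
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())

def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        if operator != "Bool":          # unsupported operator: fail closed
            return False
        for key, expected in pairs.items():
            if str(context.get(key, "")).lower() != str(expected).lower():
                return False
    return True

def _statement_matches(stmt: Policy, action: str, resource: str,
                       principal_arn: Optional[str], context: Dict[str, str]) -> bool:
    if not any(_matches(a, action) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))):
        return False
    if principal_arn is not None:       # key policies name a Principal, identity policies do not
        principal = stmt.get("Principal")
        names = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        if "*" not in names and principal_arn not in names:
            return False
    return _condition_holds(stmt.get("Condition", {}), context)

def _policy_allows(policy: Policy, action: str, resource: str,
                   principal_arn: Optional[str], context: Dict[str, str]) -> bool:
    """True when an Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if _statement_matches(stmt, action, resource, principal_arn, context):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def is_allowed(key_policy: Policy, identity_policy: Policy,
               principal_arn: str, key_arn: str, action: str) -> bool:
    context = GRANT_CONTEXT if action == "kms:CreateGrant" else {}
    if _policy_allows(key_policy, action, key_arn, principal_arn, context):
        return True                     # key policy grants the principal directly
    root_arn = "arn:aws:iam::" + principal_arn.split(":")[4] + ":root"
    if _policy_allows(key_policy, action, key_arn, root_arn, context):
        return _policy_allows(identity_policy, action, key_arn, None, context)
    return False                        # no delegation: an identity policy alone cannot help

def missing_actions(key_policy: Policy, identity_policy: Policy,
                    principal_arn: str, key_arn: str) -> List[str]:
    return [a for a in REQUIRED_ACTIONS
            if not is_allowed(key_policy, identity_policy, principal_arn, key_arn, a)]

# --- constructed sample data: placeholder account, role and key ids ---
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/EC2ImageRole"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
_ROOT = {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"}
_USE = {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Resource": "*",
        "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]}
_GRANT = {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Resource": "*",
          "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
          "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
KEY_POLICY_ANSWER = {"Version": "2012-10-17", "Statement": [_ROOT, _USE, _GRANT]}
KEY_POLICY_ROOT_ONLY = {"Version": "2012-10-17", "Statement": [_ROOT]}
KEY_POLICY_OTHER_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/OtherRole"},
     "Action": "kms:*", "Resource": "*"}]}
IDENTITY_KMS_STAR = {"Version": "2012-10-17", "Statement": [      # the question's inline policy
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
IDENTITY_KEY_ADMIN = {"Version": "2012-10-17", "Statement": [     # the commenter's user permissions
    {"Effect": "Allow", "Resource": "*", "Action": ["kms:CreateAlias", "kms:CreateKey",
     "kms:DescribeKey", "kms:ListAliases", "kms:TagResource"]}]}

if __name__ == "__main__":
    scenarios = [("answer key policy, no identity policy", KEY_POLICY_ANSWER, {}),
                 ("root-only key policy + kms:* identity policy", KEY_POLICY_ROOT_ONLY, IDENTITY_KMS_STAR),
                 ("root-only key policy + key-admin user", KEY_POLICY_ROOT_ONLY, IDENTITY_KEY_ADMIN),
                 ("key policy naming another role + kms:*", KEY_POLICY_OTHER_ROLE, IDENTITY_KMS_STAR)]
    for name, kp, ip in scenarios:
        print(f"{name}: missing {missing_actions(kp, ip, ROLE_ARN, KEY_ARN) or 'nothing'}")
```

The last two scenarios are the ones worth reading in the output: with a key policy that only delegates to IAM, the key-admin user's permissions leave every launch-time action except kms:DescribeKey missing, which is the gap the CloudTrail check in the comment surfaces, and with a key policy that never names the role or the account root, even kms:* in an identity policy yields nothing, which is why adding a broad inline policy to the instance role cannot fix the launch on its own.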
