- Le plus récent
- Le plus de votes
- La plupart des commentaires
The most possible reason for this behavior is you might have Default KMS key in your "us-east-1" for EBS and have a custom key for other regions.
This Error corresponds to KMS and the worst part is CloudTrail is not showing these Access Deny's for CreateGrant, however it shows when it's success.
To resolve make sure you know which KMS key is set for EBS default Encryption and Apply Key Grant to Service Role(AWSServiceRoleForAWSCloud9) has Create grant permissions and you can only apply this from CLI as AWSServiceRoleForAWSCloud9 is a Service role.
CLI Command:
aws kms create-grant --region <region-id> --key-id <ebs-default-encryption-key-arn> --grantee-principal arn:aws:iam::<account-id>:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9 --operations "Encrypt" "Decrypt" "ReEncryptFrom" "ReEncryptTo" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "DescribeKey" "CreateGrant"
Then you should be able to create environment with out issues.
Reference: https://docs.aws.amazon.com/cloud9/latest/user-guide/move-environment.html#encrypting-volumes https://docs.aws.amazon.com/kms/latest/developerguide/using-service-linked-roles.html
Contenus pertinents
- demandé il y a un an
- demandé il y a 7 mois
- demandé il y a 2 ans
- demandé il y a 4 mois
- AWS OFFICIELA mis à jour il y a 3 ans
- AWS OFFICIELA mis à jour il y a 9 mois
- AWS OFFICIELA mis à jour il y a 2 ans
Sydney (ap-southeast-2)