Receiving InvalidRequest when calling the CreateRestoreImageTask operation


Hi all,

aws --version
aws-cli/1.22.34 Python/3.10.12 Linux/5.19.0-1025-aws botocore/1.23.34

I stored an AMI to S3 using:

aws ec2 create-store-image-task --image-id ami-111 --bucket bucket-test --region us-east-2 --output table

I was able to see that the image was created on S3 using aws ec2 describe-store-image-tasks.

Then, I tried to restore the image using:

aws ec2 create-restore-image-task --object-key ami-111.bin --bucket bucket-test --name "Restored AMI"

and I receive an error like this:

An error occurred (InvalidRequest) when calling the CreateRestoreImageTask operation: Invalid parameters for a dependent service: com.amazonaws.services.kms.model.NotFoundException: Key 'arn:aws:kms:us-east-2:999:key/07e4d1e6-a9ef-4306-af44-58c0c385aaa4' does not exist (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: 64894327-f244-4733-b539-66062fe89b2e; Proxy: null) (Service: AmazonEBS; Status Code: 400; Error Code: ValidationException; Request ID: 7147243a-fadb-4f2a-8c61-54499baefaba; Proxy: null)

I am not able to find that key from KMS in any of the regions, let alone us-east-2. The aws cli account I am using has admin access. Can someone point out what I might be doing wrong and what I must do to restore an AMI from S3?

2 Answers

Accepted answer

I bought AWS Developer Support and asked them this question. They asked me to go to EC2 and then look at Data protection and security. Sure enough, the default encryption key was the one that showed up in the error message. Once I changed the default encryption key to a valid encryption key, create-restore-image-task began working well. If anyone comes across this same issue, I hope this post will help them.

ras001
answered 6 months ago
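The check the accepted answer describes, scripted with the AWS CLI as an added example (not code from the thread): read the EBS default KMS key for a region, confirm that KMS can resolve it, and if not, reset the region to the AWS-managed aws/ebs key. The CLI commands are real; the region defaults to us-east-2 as in the question, and the script name in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check the EBS default KMS key that
# create-restore-image-task uses. Needs ec2:GetEbsDefaultKmsKeyId,
# kms:DescribeKey and, for the reset, ec2:ResetEbsDefaultKmsKeyId.
set -u

# Key ID, ARN or alias that EBS encrypts with by default in a region.
ebs_default_key() {
  aws ec2 get-ebs-default-kms-key-id --region "$1" --query KmsKeyId --output text
}

# KMS key state (Enabled, Disabled, PendingDeletion, ...) or NOT_FOUND when KMS
# cannot resolve the key in that region (the NotFoundException in the question).
key_state() {
  local state
  state=$(aws kms describe-key --region "$1" --key-id "$2" \
          --query KeyMetadata.KeyState --output text 2>/dev/null) \
    || { echo NOT_FOUND; return 0; }
  echo "$state"
}

# Prints "OK <key>" (exit 0) or "BROKEN <key> <state>" (exit 1).
check_region() {
  local region=$1 key state
  key=$(ebs_default_key "$region") || { echo "ERROR reading default key in $region"; return 2; }
  state=$(key_state "$region" "$key")
  if [ "$state" = Enabled ]; then
    echo "OK $key"
    return 0
  fi
  echo "BROKEN $key $state"
  return 1
}

# Put the region back on the AWS-managed aws/ebs key (the console change the
# accepted answer describes); prints the key now in effect.
reset_default_key() {
  aws ec2 reset-ebs-default-kms-key-id --region "$1" --query KmsKeyId --output text
}

# Usage: ./ebs-default-key-check.sh us-east-2 [--reset]
if [ $# -gt 0 ]; then
  region=$1
  if ! check_region "$region" && [ "${2:-}" = --reset ]; then
    reset_default_key "$region"
  fi
fi
```

Run it with the region from the error message; a BROKEN verdict with NOT_FOUND is exactly the situation in the question, and the --reset flag applies the same fix as changing the default key in the console.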

Hello. Ensure that the KMS key is accessible and its policy allows usage by the necessary IAM entities.

Regards, Andrii

EXPERT
answered 7 months ago
Hi Andrii, I cannot find the KMS key referenced in the error message in any region. I am looking for the key from the web management console. Is there a spot where keys are stored but not visible through the web management console?

Also, the aws cli creds are that of an administrator (policy AdministratorAccess). Shouldn't administrator already have the right access? Additionally, I have also set an inline policy specifically for the ARN in the error message:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:GenerateDataKey",
                    "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:ReEncrypt*",
                    "kms:CreateGrant",
                    "ec2:CreateTags",
                    "kms:DescribeKey"
                ],
                "Resource": "arn:aws:kms:us-east-2:999:key/07e4d1e6-a9ef-4306-af44-58c0c385aaa4",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": true
                    }
                }
            }
        ]
    }
