Why does the new Amazon EBS volume that I create from an encrypted snapshot not exist?
I used the AWS Command Line Interface (AWS CLI) create-volume command to create an Amazon Elastic Block Store (Amazon EBS) volume from an encrypted snapshot. The command successfully completes and returns a volume ID. When I try to attach the volume to an instance, I can't find the volume.
When you create an Amazon EBS volume from a snapshot, two operations run:
Amazon EBS initiates the volume creation. This returns a volume ID and sets the volume state to creating, as shown in the API or AWS CLI output. This means that the CreateVolume request was valid and was registered successfully.
An asynchronous call initiates to validate the AWS Key Management Service (AWS KMS) key that's used to encrypt and decrypt the volume that you create.
If the AWS KMS validation succeeds, then the volume state is set to available, and the EBS volume becomes accessible. If the specified AWS KMS key ID, alias, or ARN isn't valid, then the action still appears to complete. However, the volume creation eventually fails without returning any error.
You might notice the problem only when you attach or access the EBS volume. Though the CreateVolume API returns a volume ID, the EBS volume doesn't exist, and the AWS CloudTrail logs don't show any errors.
Example of issue
This example shows the CreateVolume API in use with an AWS KMS key alias that isn't valid. The CreateVolume API succeeds, returns a volume ID, and sets the volume state to creating. Because the alias for the AWS KMS key isn't valid, the asynchronous AWS KMS key validation fails. This causes the whole operation to fail. When you check the AWS CloudTrail logs for the CreateVolume event, no errors are found because the CreateVolume operation itself succeeded.
When you run describe-volume-status, you find that the volume doesn't exist:
$ aws ec2 describe-volume-status --volume-ids vol-043fe27d0ccf74b36
An error occurred (InvalidVolume.NotFound) when calling the DescribeVolumeStatus operation: The volume 'vol-043fe27d0ccf74b36' does not exist.
Subscribe to the public CloudWatch createVolume events for more information on volume creation failures. In this example, the notification shows the createVolume CloudWatch event, and its result field shows that createVolume failed because of a keyId that isn't valid.
Note: If you create an EBS volume from an encrypted snapshot, then the volume creation can also fail for these reasons:
The AWS Identity and Access Management (IAM) user or role that creates the volume doesn't have sufficient permissions. The IAM user or role must have permissions to access the AWS KMS key that's used to encrypt the snapshot.
The AWS KMS key that's used to encrypt the snapshot is turned off, deleted, or isn't in the AWS Region.
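The silent failure described above is only detectable after the fact, by polling the volume until it is either available or gone. The following is an added example, not code from the AWS article: a boto3-style wait helper that treats an InvalidVolume.NotFound error after a successful CreateVolume as a failed AWS KMS validation. The describe_volumes stub, FakeClientError class and volume ID are constructed so the example runs offline; in real use pass ec2_client.describe_volumes.

```python
import time

class VolumeCreationFailed(Exception):
    """CreateVolume reported success but the volume never became usable."""

def wait_for_volume(describe_volumes, volume_id, max_polls=60, poll_s=5, sleep=time.sleep):
    """Poll until the volume is 'available'; raise if it silently vanishes.

    describe_volumes mirrors boto3's ec2.describe_volumes(VolumeIds=[...]).
    NotFound right after CreateVolume means the asynchronous AWS KMS key check
    failed: bad key ID/alias/ARN, disabled/deleted key, wrong Region, or the
    caller lacks permission on the key.
    """
    for _ in range(max_polls):
        try:
            resp = describe_volumes(VolumeIds=[volume_id])
        except Exception as exc:  # botocore.exceptions.ClientError in real use
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code == "InvalidVolume.NotFound":
                raise VolumeCreationFailed(
                    f"{volume_id} no longer exists: check the KMS key ID, alias or ARN, "
                    "the key's state and Region, and the caller's kms: permissions"
                ) from exc
            raise  # any other API error is unrelated to KMS validation
        state = resp["Volumes"][0]["State"]
        if state == "available":
            return state
        if state == "error":
            raise VolumeCreationFailed(f"{volume_id} entered state '{state}'")
        sleep(poll_s)
    raise TimeoutError(f"{volume_id} still not available after {max_polls} polls")

# --- constructed stand-ins so the example runs offline (no AWS calls) ---
class FakeClientError(Exception):
    """Shaped like botocore's ClientError: carries a .response dict."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

def fake_describe(outcomes):
    """Return a describe_volumes stub that replays the given states in order."""
    queue = list(outcomes)
    def describe(VolumeIds):
        outcome = queue.pop(0)
        if outcome == "NotFound":
            raise FakeClientError("InvalidVolume.NotFound")
        return {"Volumes": [{"VolumeId": VolumeIds[0], "State": outcome}]}
    return describe

def run_scenario(outcomes):
    """Drive wait_for_volume over a constructed sequence; no real sleeping."""
    try:  # vol-0123456789abcdef0 is a placeholder ID, not a real volume
        return wait_for_volume(fake_describe(outcomes), "vol-0123456789abcdef0", sleep=lambda _: None)
    except VolumeCreationFailed as exc:
        return f"failed: {exc}"

if __name__ == "__main__":
    print(run_scenario(["creating", "creating", "available"]))  # valid KMS key
    print(run_scenario(["creating", "NotFound"]))                # alias isn't valid
```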