When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

0

In the CDK code, I created a custom KMSKey and then configured the Image Recipe of EC2 Image Builder to use the KMSKey as the EBS encryption key. After successfully creating the AMI, I used the AMI to launch an instance, and it consistently failed to start; the error is as follows: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state.

The KMSKey's state is Enabled (otherwise the AMI would not have been generated successfully), so I don't understand why an incorrect state is still reported.

I looked up the answer on the Internet and saw a post saying that it was a permission issue, so I associated a role with the EC2 instance with an inline policy like this:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "kms:*",
			"Resource": "*"
		}
	]
}

But the startup failed with the same error.

Does anyone know why?

tong_K
Asked 2 months ago, 2322 views
1 answer
1
Accepted answer

Hello.

Does your KMS key policy allow access from your AWS account?
Is there a policy in place to use KMS keys for the IAM user trying to launch EC2?
https://github.com/hashicorp/packer/issues/12683#issuecomment-1889831463

How about using the following KMS key policy?

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::AWS Account ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:DescribeKey",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey",
              "kms:GenerateDataKeyWithoutPlaintext"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
Expert
Answered 2 months ago
  • Thank you. The permissions associated with KMS for the AWS user I use are like this: "kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource".

  • You may want to check the event from CloudTrail's event history as described in the documentation below. This will allow you to check which IAM policies are missing for IAM users. You probably need to add "kms:CreateGrant" to the IAM user's IAM policy. https://repost.aws/knowledge-center/kms-iam-ec2-permission

  • Thank you, issue solved.
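The two checks this thread converges on (is the principal actually allowed to use the key, and which KMS call does CloudTrail show as AccessDenied) can both be done offline against the policy documents. The following is an added example, not code from the original post or from AWS: plain Python with no AWS API calls. The account ID, role name, user name and key ARN are made up, and the CloudTrail records are constructed to resemble the AccessDenied events the knowledge-center link in the comments describes. The evaluator is a deliberately small model of IAM: Allow/Deny, action and resource wildcards, direct principal matches, the account-root delegation path ("Enable IAM User Permissions" in the key policy plus the caller's own IAM policy), and the Bool condition the key policy above uses; nothing else.

```python
"""Offline check of the KMS permissions behind Client.InvalidKMSKey.InvalidState
when launching from an AMI whose EBS snapshots are encrypted with a customer
managed key. Standard library only; no AWS calls. Example code, not AWS's."""
import fnmatch
from typing import Callable, Dict, List, Optional

# Actions to check: taken from the accepted answer's key policy (its ReEncrypt*
# narrowed to ReEncryptFrom) plus kms:CreateGrant, which EC2 calls on behalf of
# the principal that runs RunInstances, with kms:GrantIsForAWSResource=true.
REQUIRED_ACTIONS = (
    "kms:DescribeKey",
    "kms:Decrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:CreateGrant",
)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value: str) -> bool:
    # IAM matches Action/Resource case-insensitively with '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _names(stmt: dict, arn: str) -> bool:
    p = stmt.get("Principal", "*")
    return p == "*" or (isinstance(p, dict) and arn in _as_list(p.get("AWS", [])))


def _conditions_hold(stmt: dict, ctx: Dict[str, str]) -> bool:
    # Only the Bool operator is modelled; it is the one the key policy uses.
    for op, pairs in stmt.get("Condition", {}).items():
        if op != "Bool":
            return False  # unknown operator: treat as not satisfied
        for key, want in pairs.items():
            if ctx.get(key, "false").lower() != str(want).lower():
                return False
    return True


def _decide(statements, action, key_arn, ctx, principal_ok: Callable[[dict], bool]) -> str:
    """'deny', 'allow' or 'none' for one policy document; an explicit Deny wins."""
    result = "none"
    for stmt in statements:
        if not (principal_ok(stmt) and _matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", "*"), key_arn) and _conditions_hold(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        result = "allow"
    return result


def missing_key_actions(key_policy: dict, iam_policy: dict, principal_arn: str, key_arn: str,
                        actions=REQUIRED_ACTIONS, ctx: Optional[Dict[str, str]] = None) -> List[str]:
    """Actions the principal cannot perform on the key. A principal reaches a customer
    managed key either because the key policy names its ARN directly, or because the key
    policy allows the account root AND the principal's own IAM policy allows the action."""
    ctx = ctx if ctx is not None else {"kms:GrantIsForAWSResource": "true"}
    root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    missing = []
    for action in actions:
        direct = _decide(key_policy["Statement"], action, key_arn, ctx, lambda s: _names(s, principal_arn))
        via_root = _decide(key_policy["Statement"], action, key_arn, ctx, lambda s: _names(s, root))
        iam = _decide(iam_policy["Statement"], action, key_arn, ctx, lambda s: True)
        allowed = "deny" not in (direct, via_root, iam) and (
            direct == "allow" or (via_root == "allow" and iam == "allow"))
        if not allowed:
            missing.append(action)
    return missing


def denied_kms_actions(events: List[dict]) -> List[str]:
    """KMS calls CloudTrail recorded with errorCode AccessDenied, as 'kms:<eventName>',
    in order of first occurrence. Feed it LookupEvents output or an S3 export."""
    found: List[str] = []
    for ev in events:
        if ev.get("eventSource") == "kms.amazonaws.com" and ev.get("errorCode") == "AccessDenied":
            act = "kms:" + ev["eventName"]
            if act not in found:
                found.append(act)
    return found


# --- constructed sample data; account, role, user and key ARNs are hypothetical ---
ACCOUNT = "111122223333"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/ImageBuilderInstanceRole"   # named in the key policy
USER = f"arn:aws:iam::{ACCOUNT}:user/deployer"                   # calls RunInstances
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

KEY_POLICY = {  # the accepted answer's policy with its placeholders filled in
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Resource": "*",
         "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]},
        {"Effect": "Allow", "Principal": {"AWS": [ROLE]}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}
# The launching user's IAM policy as described in the comments: key administration only.
USER_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource"]}]}
USER_POLICY_AFTER = {"Version": "2012-10-17", "Statement": [USER_POLICY_BEFORE["Statement"][0],
    {"Effect": "Allow", "Resource": KEY, "Action": list(REQUIRED_ACTIONS)}]}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields used here
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws:iam::111122223333:user/deployer is not authorized to perform: kms:CreateGrant"},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey"},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    print("role named in key policy:", missing_key_actions(KEY_POLICY, NO_POLICY, ROLE, KEY))
    print("user, original IAM policy:", missing_key_actions(KEY_POLICY, USER_POLICY_BEFORE, USER, KEY))
    print("user, IAM policy extended:", missing_key_actions(KEY_POLICY, USER_POLICY_AFTER, USER, KEY))
    print("denied in CloudTrail:", denied_kms_actions(SAMPLE_EVENTS))
```

Running it reproduces the thread: the role named in the key policy is fully allowed, while the user with only the alias/key-management actions is blocked on everything except kms:DescribeKey (including kms:CreateGrant, the call CloudTrail flags), and extending that user's IAM policy clears the list. Passing `ctx={"kms:GrantIsForAWSResource": "false"}` shows the third statement's condition doing its job: a principal calling CreateGrant directly, rather than through an AWS service, is not allowed by that statement.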
