EC2 failed to start via Lambda, but can be started manually

0

I have some EC2 instances that are supposed to be started by Lambda, but the start failed. I tried to debug, and it seems the function has been triggered and the event had been sent to EC2, as I printed the response and got the following:

[{'StartingInstances': [ {'CurrentState': {'Code': 0, 'Name': 'pending'}, 'InstanceId': 'i-0478e86f6d365a7e3', 'PreviousState': {'Code': 80, 'Name': 'stopped'}}, {'CurrentState': {'Code': 0, 'Name': 'pending'}, 'InstanceId': 'i-0aec2a47f534be8b0', 'PreviousState': {'Code': 80, 'Name': 'stopped'}}], 'ResponseMetadata': {'RequestId': 'a15ff429-06ae-4214-b29a-982e7958e8e9', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'a15ff429-06ae-4214-b29a-982e7958e8e9', 'cache-control': 'no-cache, no-store', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-type': 'text/xml;charset=UTF-8', 'content-length': '916', 'date': 'Tue, 04 Jun 2024 05:39:06 GMT', 'server': 'AmazonEC2'}, 'RetryAttempts': 0} }]

I can also see in the console GUI that the EC2 instance's Launch Time has changed to the timestamp at which the function was triggered: Launch time: Tue Jun 04 2024 13:39:06 GMT+0800 (China Standard Time) (1 minute), but the Instance State stays "Stopped" instead of "Pending" as it does when I start it manually.

I'm sure this function worked a month ago. Any clue or idea what's wrong?

zcb
asked 16 days ago, 192 views
2 Answers
2
Accepted Answer

Hi,

You should check in CloudTrail to see the EC2 API calls made by your Lambda to start the EC2 instance and see if they succeed or fail.

Best,

Didier

answered 16 days ago
0

@Didier_Durand thank you very much! I checked CloudTrail as you suggested, and found there's an error in CreateGrant:

{ ... "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:sts::806782514604:assumed-role/a205925-lambda-start-instance-service-role/a205925-start-ec2-on-monday-morning is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-1:806782514604:key/8f702ef1-61cb-4ddc-a369-bb71c004955d because no identity-based policy allows the kms:CreateGrant action", }

This KMS key helped me recall that I replaced my EC2's non-encrypted EBS with a new encrypted EBS with this KMS id a month ago. After I added my Lambda IAM role to this KMS key policy, the EC2 instance can be started successfully.

Thanks again for your kind & timely help!

zcb
answered 16 days ago
  • Hi zcb, very happy that you found and fixed your problem! Thanks for accepting my answer. Didier
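The diagnosis from this thread, as an added example that is not part of the original posts: a Python check that correlates each StartInstances call in exported CloudTrail records with a KMS AccessDenied from the same principal shortly afterwards. The function name, the 60-second window and the sample records (placeholder account, role and key id) are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed CloudTrail records; account id, role names and key ids are placeholders.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-06-04T05:39:06Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StartInstances",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/example-fn"}},
 {"eventTime": "2024-06-04T05:39:07Z", "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/example-fn"},
  "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/example-role/example-fn is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID because no identity-based policy allows the kms:CreateGrant action"},
 {"eventTime": "2024-06-04T07:00:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/other-role/x"},
  "errorMessage": "User: x is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY because no policy allows it"}
]""")

DENIED = re.compile(r"not authorized to perform: (kms:\w+) on resource: (arn:aws:kms:\S+)")

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def kms_denials_after_start(events, window_seconds=60):
    """For each StartInstances call, report KMS AccessDenied events from the
    same principal inside the window: the signature of a start that returns
    'pending' and then falls back to 'stopped' on an encrypted volume."""
    findings = []
    for start in (e for e in events if e.get("eventName") == "StartInstances"):
        who = start.get("userIdentity", {}).get("arn")
        for e in events:
            if (e.get("eventSource") != "kms.amazonaws.com"
                    or e.get("errorCode") != "AccessDenied"
                    or e.get("userIdentity", {}).get("arn") != who):
                continue
            delta = _ts(e) - _ts(start)
            m = DENIED.search(e.get("errorMessage", ""))
            if m and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                findings.append({"principal": who, "action": m.group(1),
                                 "key_arn": m.group(2), "start_time": start["eventTime"]})
    return findings

if __name__ == "__main__":
    for finding in kms_denials_after_start(SAMPLE_EVENTS):
        print(finding)
```

When granting the missing permission, the role only needs `kms:CreateGrant` on that one key, and the `kms:GrantIsForAWSResource` condition key can restrict it to grants created by AWS services such as EC2 on the role's behalf.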
