Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

EC2 failed to start by lambda, while can be started manually

0

I have some EC2 instances to be started by Lambda but failed. I tried to debug and seems the function do have been triggered, and event had been sent to EC2, as I print the response and got it as below:

[{'StartingInstances': [ {'CurrentState': {'Code': 0, 'Name': 'pending'}, 'InstanceId': 'i-0478e86f6d365a7e3', 'PreviousState': {'Code': 80, 'Name': 'stopped'}}, {'CurrentState': {'Code': 0, 'Name': 'pending'}, 'InstanceId': 'i-0aec2a47f534be8b0', 'PreviousState': {'Code': 80, 'Name': 'stopped'}}], 'ResponseMetadata': {'RequestId': 'a15ff429-06ae-4214-b29a-982e7958e8e9', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'a15ff429-06ae-4214-b29a-982e7958e8e9', 'cache-control': 'no-cache, no-store', 'strict-transport-security': 'max-age=31536000; includeSubDomains', 'content-type': 'text/xml;charset=UTF-8', 'content-length': '916', 'date': 'Tue, 04 Jun 2024 05:39:06 GMT', 'server': 'AmazonEC2'}, 'RetryAttempts': 0} }]

and I can see from console GUI, the EC2 instance's Launch Time has changed to the timestamp the function is triggered: Launch time: Tue Jun 04 2024 13:39:06 GMT+0800 (China Standard Time) (1 minute) but the Instance State keep as "Stopped", instead of "Pending" as if I start it manually.

I'm sure this function do work month ago, any clue or idea what's wrong?

Topics
ServerlessCompute
Tags
AWS LambdaAmazon EC2
Language
English
asked a year ago418 views
2 Answers
2
Accepted Answer

Hi,

You should check in CloudTrail to see the EC2 API calls made by your Lambda to start the EC2 instance and see if they succeed or fail.

Best,

Didier

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
EXPERT
reviewed a year ago
0

@Didier_Durand thank you very much! I checked the CloudTrail as you guide, and found there's error in CreateGrant: { ... "errorCode": "AccessDenied", "errorMessage": "User: arn:aws:sts::806782514604:assumed-role/a205925-lambda-start-instance-service-role/a205925-start-ec2-on-monday-morning is not authorized to perform: kms:CreateGrant on resource: arn:aws:kms:us-east-1:806782514604:key/8f702ef1-61cb-4ddc-a369-bb71c004955d because no identity-based policy allows the kms:CreateGrant action", } and this kms key helped me to recall that I replaced my EC2's non-encrypted EBS with a new encrypted EBS with this KMS id month ago. after I added my lambda iam role into this KMS key policy, the EC2 instance can be started successfully.

thanks again for your kindly & timely help!

answered a year ago
  • Didier_Durand EXPERT
    a year ago

    Hi zcb, very happy that you found and fixed your problem! thanks for accepting my answer. Didier

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content