AutoScaling is the one launching the instances, not EKS. So you need to make sure that AutoScaling has access to the key:
https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-internal-solution
If the key is cross-account, you'll also need to make sure to make the create-grant call listed in the doc from the ASG account.
To confirm the correct key is in use, check CloudTrail for EventSource=kms.amazonaws.com around the time of the failures and see if there are any calls erroring out. These will likely have info on the specific key being used.
For the DryRun call, check the specific error message. If it's something like "Would have succeeded, but DryRun flag was set", then you can ignore it. That's a "good" error and is AutoScaling validating that you have permissions to launch the instances which the group is configured to use.
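The CloudTrail check described in this answer, as an added example that is not part of the original post: it groups failed `kms.amazonaws.com` calls by key so the key that actually needs the policy stands out, and skips the EC2 DryRun record. The records, account ID, role session and key IDs are constructed placeholders, and `failed_kms_calls` is a hypothetical helper name.

```python
from collections import defaultdict

ASG_ROLE = "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling"
EBS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-EBS-KEY-ID"
EKS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-EKS-KEY-ID"

# Constructed CloudTrail records; every identifier here is a placeholder.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T12:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKeyWithoutPlaintext", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ASG_ROLE},
     "resources": [{"ARN": EBS_KEY, "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-01-10T12:00:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateGrant", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ASG_ROLE},
     "requestParameters": {"keyId": EBS_KEY}},  # record without a "resources" list
    {"eventTime": "2024-01-10T11:59:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ASG_ROLE},
     "resources": [{"ARN": EKS_KEY, "type": "AWS::KMS::Key"}]},  # succeeded, no errorCode
    {"eventTime": "2024-01-10T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "errorCode": "Client.DryRunOperation",
     "userIdentity": {"arn": ASG_ROLE}},  # the "good" DryRun error, not a KMS call
]


def failed_kms_calls(records):
    """Return {key: {(principal_arn, event_name, error_code), ...}} for failed KMS calls."""
    by_key = defaultdict(set)
    for rec in records:
        # Only KMS events that carry an errorCode are of interest.
        if rec.get("eventSource") != "kms.amazonaws.com" or "errorCode" not in rec:
            continue
        keys = [r["ARN"] for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"]
        if not keys:
            # Fall back to the key named in the request itself.
            params = rec.get("requestParameters") or {}
            keys = [params.get("keyId", "<key not recorded>")]
        principal = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        for key in keys:
            by_key[key].add((principal, rec["eventName"], rec["errorCode"]))
    return dict(by_key)


if __name__ == "__main__":
    for key, calls in failed_kms_calls(SAMPLE_RECORDS).items():
        print(key)
        for principal, event, error in sorted(calls):
            print(f"  {error:<14} {event:<34} {principal}")
```

With real data, pass in the `Records` array from a CloudTrail log file covering the window of the failed launches.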
Hello Shadad!
Thank you for your time to answer my question!
I had already inserted the correct policy in the KMS key, but I saw now in CloudTrail that I was setting the policy on the wrong KMS key. CloudTrail gave the correct key that I had the problem with, so I put the policy on that key and I can now scale my node cluster.
Thank you for helping me! The tip about CloudTrail was the key to identifying the problem. In my case, there is a key for EKS and a key for EBS, and I needed to set the correct policy on the EBS key.
Thank you so much!
Glad that resolved your issue. And thank you for the feedback + confirmation :D