I got an update from AWS Support. There is a bug where if you use an encrypted snapshot to create an encrypted volume over 16384 GB, and specify the KMS key, you get that error. The UI specifies the KMS key even though it doesn't need to; a volume will be automatically encrypted with the same key as the one used by the snapshot. The workaround is to use the CLI to accomplish the same task until they fix the bug.
Thanks for the suggestions all.
To clarify, you can launch an R5b instance with an encrypted io2 volume greater than 16 TiB. However, the snapshot must be encrypted and the same key must be used while restoring the volume. If the snapshot is unencrypted, then you can make an encrypted copy to create the volume/launch the instance.
Right, I'm with you. Everything is encrypted with the same key. We're simply trying to replace an existing encrypted volume with a new one.
This is a restriction on io2bx.
You can’t launch an R5b instance with an encrypted io2 Block Express volume that has a size greater than 16 TiB.
You can refer here for more details.
Interesting. The full relevant quote:
You can’t launch an R5b instance with an encrypted io2 Block Express volume that has a size greater than 16 TiB or IOPS greater than 64,000 from an unencrypted AMI or a shared encrypted AMI. In this case, you must first create an encrypted AMI in your account and then use that AMI to launch the instance.
In our case the AMI and the snapshot are both encrypted and not shared. Note that I'm not trying to launch an instance here--I already have it.
Here's the use case. DB server with an encrypted io2 Block Express data volume at 17000 GB with 3000 IOPS. Key is ours and not shared.
- Stop instance
- Make snapshot of data volume
- Make new volume from that snapshot but 20000 GB instead of 17000 GB
- Swap data volumes on the instance
- Start instance
- Enjoy the bigger drive!
It's at the third step that things fail. But from what I can tell I'm not doing anything prohibited.
I can't respond to @Rodney Lester (how does this thing work?), but yes, I have full permissions on the key.
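The CLI workaround from the AWS Support update, applied to the resize steps listed above, as an added example that is not part of the original thread or AWS's own code. It assumes the workaround amounts to omitting `--kms-key-id` on `create-volume`; the function names are hypothetical and every ID, device name and Availability Zone is supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: resize an encrypted io2 data volume through a snapshot.
set -eu

# Create the larger volume WITHOUT --kms-key-id. A volume restored from an
# encrypted snapshot is encrypted with the snapshot's key automatically.
create_volume_from_snapshot() {  # args: snapshot-id az size-gib iops
  aws ec2 create-volume --snapshot-id "$1" --availability-zone "$2" \
    --volume-type io2 --size "$3" --iops "$4" \
    --query VolumeId --output text
}

# Succeed only if the volume reports the same KMS key as the snapshot.
# The CLI prints "None" for a missing KmsKeyId (unencrypted resource).
verify_same_key() {  # args: snapshot-id volume-id
  local snap_key vol_key
  snap_key=$(aws ec2 describe-snapshots --snapshot-ids "$1" \
    --query 'Snapshots[0].KmsKeyId' --output text)
  vol_key=$(aws ec2 describe-volumes --volume-ids "$2" \
    --query 'Volumes[0].KmsKeyId' --output text)
  [ -n "$snap_key" ] && [ "$snap_key" != "None" ] && [ "$snap_key" = "$vol_key" ]
}

# The steps from the thread: stop, snapshot, create, swap, start.
resize_data_volume() {  # args: instance old-volume device az size-gib iops
  local instance="$1" old_vol="$2" device="$3" snap new_vol
  aws ec2 stop-instances --instance-ids "$instance" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance"
  snap=$(aws ec2 create-snapshot --volume-id "$old_vol" \
    --description "pre-resize snapshot" --query SnapshotId --output text)
  aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  new_vol=$(create_volume_from_snapshot "$snap" "$4" "$5" "$6")
  aws ec2 wait volume-available --volume-ids "$new_vol"
  # Check the key before touching the instance's attachments.
  verify_same_key "$snap" "$new_vol" || { echo "KMS key mismatch" >&2; return 1; }
  aws ec2 detach-volume --volume-id "$old_vol" >/dev/null
  aws ec2 wait volume-available --volume-ids "$old_vol"
  aws ec2 attach-volume --volume-id "$new_vol" --instance-id "$instance" \
    --device "$device" >/dev/null
  aws ec2 start-instances --instance-ids "$instance" >/dev/null
  echo "$new_vol"
}

# Runs only when given all six arguments (placeholder values shown):
#   ./resize.sh i-EXAMPLE vol-EXAMPLE /dev/sdf us-east-1a 20000 3000
if [ "$#" -eq 6 ]; then resize_data_volume "$@"; fi
```

For a multi-terabyte volume, `aws ec2 wait snapshot-completed` can time out before the snapshot finishes; rerun the wait until it succeeds before creating the new volume.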
Do your IAM credentials have permissions to use the KMS key?