creating io2 Block Express encrypted volumes from encrypted snapshots is broken

0

We're using a 17000GB io2 Block Express volume attached to an r5b.2xlarge instance in us-east-1 and us-east-2. We can create snapshots of the volume, no problem. However, we cannot create encrypted volumes from these snapshots due to the error "Cannot use encryption key ID when creating volume from encrypted snapshot." Using an encrypted snapshot smaller than 17000, I can create encrypted volumes in sizes up to 16384GB. As soon as I try 16385GB, I get that error. This is true in us-east-1 and us-east-2. Also, our io2 Block Express quota has been increased from 20TiB to 40TiB, so I don't think it's that. It's a customer managed KMS key that we've been using for years.

Anyone have any clues?

  • Does your IAM credentials have permissions to use the KMS key?

asked 3 years ago839 views
5 Answers
1
Accepted Answer

I got an update from AWS Support. There is a bug where if you use an encrypted snapshot to create an encrypted volume over 16384 GB, and specify the KMS key, you get that error. The UI specifies the KMS key even though it doesn't need to; a volume will be automatically encrypted with the same key as the one used by the snapshot. The workaround is to use the CLI to accomplish the same task until they fix the bug.

Thanks for the suggestions all.

answered 3 years ago
profile picture
EXPERT
reviewed 4 months ago
profile picture
EXPERT
reviewed 5 months ago
0

To clarify, you can launch a R5b instance with encrypted io2 volume greater than 16 TiB. However, the snapshot must be encrypted and the same key must be used while restoring the volume. If the snapshot is unencrypted, then you can make an encrypted copy to create volume/launch instance

AWS
answered 3 years ago
  • Right, I'm with you. Everything is encrypted with the same key. We're simply trying to replace an existing encrypted volume with a new one.

0

This is a restriction on io2bx

You can’t launch an R5b instance with an encrypted io2 Block Express volume that has a size greater than 16 TiB

You can refer here for more details

https://aws.amazon.com/blogs/aws/amazon-ebs-io2-block-express-volumes-with-amazon-ec2-r5b-instances-are-now-generally-available/

AWS
answered 3 years ago
0

Interesting. The full relevant quote:

You can’t launch an R5b instance with an encrypted io2 Block Express volume that has a size greater than 16 TiB or IOPS greater than 64,000 from an unencrypted AMI or a shared encrypted AMI. In this case, you must first create an encrypted AMI in your account and then use that AMI to launch the instance.

In our case the AMI and the snapshot are both encrypted and not shared. Note that I'm not trying to launch an instance here--I already have it.

Here's the use case. DB server with an encrypted io2 Block Express data volume at 17000 GB with 3000 IPS. Key is ours and not shared.

  • Stop instance
  • Make snapshot of data volume
  • Make new volume from that snapshot but 20000 GB instead of 17000 GB
  • Swap data volumes on the instance
  • Start instance
  • Enjoy the bigger drive!

It's at the third step that things fail. But from what I can tell I'm not doing anything prohibited.

answered 3 years ago
0

I can't respond to @Rodney Lester (how does this thing work?), but yes, I have full permissions on the key.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions