Receiving InvalidRequest when calling the CreateRestoreImageTask operation


Hi all,

aws --version
aws-cli/1.22.34 Python/3.10.12 Linux/5.19.0-1025-aws botocore/1.23.34

I stored an AMI to S3 using:

aws ec2 create-store-image-task --image-id ami-111 --bucket bucket-test --region us-east-2 --output table

I was able to see that the image was created on S3 using aws ec2 describe-store-image-tasks.

Then, I tried to restore the image using:

aws ec2 create-restore-image-task --object-key ami-111.bin --bucket bucket-test --name "Restored AMI"

and I receive an error like this:

An error occurred (InvalidRequest) when calling the CreateRestoreImageTask operation: Invalid parameters for a dependent service: com.amazonaws.services.kms.model.NotFoundException: Key 'arn:aws:kms:us-east-2:999:key/07e4d1e6-a9ef-4306-af44-58c0c385aaa4' does not exist (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: 64894327-f244-4733-b539-66062fe89b2e; Proxy: null) (Service: AmazonEBS; Status Code: 400; Error Code: ValidationException; Request ID: 7147243a-fadb-4f2a-8c61-54499baefaba; Proxy: null)

I am not able to find that key from KMS in any of the regions, let alone us-east-2. The aws cli account I am using has admin access. Can someone point out what I might be doing wrong and what I must do to restore an AMI from S3?

2 Answers
Accepted Answer

I bought AWS Developer Support and asked them this question. They asked me to go to EC2 and then look at Data protection and security. Sure enough, the default encryption key was the one that showed up in the error message. Once I changed the default encryption key to a valid encryption key, create-restore-image-task began working well. If anyone comes across this same issue, I hope this post will help them.

ras001
answered 5 months ago
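As an added example (not part of the original post and not AWS's own code), the check the accepted answer describes can be scripted with the CLI: read the region's default EBS encryption key, ask KMS in that region whether the key still exists, and repoint the setting when it does not. The default EBS encryption key is an account setting per region, which is why the stale ARN shows up in the error even though the key is gone. The script assumes a configured AWS CLI with permission for ec2:GetEbsDefaultKmsKeyId, ec2:ModifyEbsDefaultKmsKeyId, ec2:ResetEbsDefaultKmsKeyId and kms:DescribeKey; the function names and file name are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from AWS. Automates the check
# in the accepted answer: the default EBS encryption key is an account setting
# per region; if it points at a deleted KMS key, CreateRestoreImageTask fails
# with the KMS NotFoundException shown in the question. Assumes a configured
# AWS CLI (v1 or v2). Function names are assumptions of this example.

# Print the KMS key ARN the region currently uses for default EBS encryption.
get_default_ebs_kms_key() {
    aws ec2 get-ebs-default-kms-key-id --region "$1" \
        --query KmsKeyId --output text
}

# Succeed only if KMS in that region can describe the key. A deleted key, or a
# key that lives in another region, gives NotFoundException and a non-zero exit.
kms_key_exists() {
    aws kms describe-key --region "$1" --key-id "$2" >/dev/null 2>&1
}

# Print "ok <key>" (exit 0) or "missing <key>" (exit 1); exit 2 if the setting
# itself could not be read (no credentials, CLI missing, no permission).
check_default_ebs_key() {
    region=$1
    key=$(get_default_ebs_kms_key "$region") || return 2
    if kms_key_exists "$region" "$key"; then
        echo "ok $key"
        return 0
    fi
    echo "missing $key"
    return 1
}

# Repoint the default: with no second argument, reset to the AWS managed key
# (alias/aws/ebs); otherwise use the given key ID, ARN or alias. Prints the
# key that is now in effect.
fix_default_ebs_key() {
    region=$1
    new_key=$2
    if [ -z "$new_key" ]; then
        aws ec2 reset-ebs-default-kms-key-id --region "$region" \
            --query KmsKeyId --output text
    else
        aws ec2 modify-ebs-default-kms-key-id --region "$region" \
            --kms-key-id "$new_key" --query KmsKeyId --output text
    fi
}

main() {
    region=$1
    new_key=$2
    rc=0
    check_default_ebs_key "$region" || rc=$?
    case $rc in
        0) return 0 ;;
        1) echo "default EBS KMS key in $region no longer exists; repointing it" >&2 ;;
        *) echo "could not read the default EBS KMS key in $region" >&2; return 2 ;;
    esac
    fix_default_ebs_key "$region" "$new_key" >/dev/null || return 2
    check_default_ebs_key "$region"
}

# Runs only when a region is supplied, e.g.:  sh ebs_default_key.sh us-east-2
if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <region> [kms-key-id|arn|alias]" >&2
fi
```

Run it against the region named in the error's key ARN (us-east-2 here), not just the CLI's default region: the setting is regional, and the restore command in the question does not pass --region, so it is worth confirming which region the CLI resolved to. Resetting lands on the AWS managed key; pass a customer-managed key if the restored AMI's snapshots must be encrypted under a key you control, and give the key a policy that lets the EBS service and the calling principal use it, as the second answer notes.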

Hello. Ensure that the KMS key is accessible and its policy allows usage by the necessary IAM entities.

Regards, Andrii

EXPERT
answered 6 months ago
  • Hi Andrii, I cannot find the KMS key referenced in the error message in any region. I am looking for the key from the web management console. Is there a spot where keys are stored but not visible through the web management console?

    Also, the aws cli creds are that of an administrator (policy AdministratorAccess). Shouldn't administrator already have the right access? Additionally, I have also set inline policy specifically for the ARN in the error message:

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "VisualEditor0",
    			"Effect": "Allow",
    			"Action": [
    				"kms:Encrypt",
    				"kms:Decrypt",
    				"kms:GenerateDataKey",
    				"kms:GenerateDataKeyWithoutPlaintext",
    				"kms:ReEncrypt*",
    				"kms:CreateGrant",
    				"ec2:CreateTags",
    				"kms:DescribeKey"
    			],
    			"Resource": "arn:aws:kms:us-east-2:999:key/07e4d1e6-a9ef-4306-af44-58c0c385aaa4",
    			"Condition": {
    				"Bool": {
    					"kms:GrantIsForAWSResource": true
    				}
    			}
    		}
    	]
    }
    
