When I launch an instance with AMI, I get an error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

0

In the CDK code, I created a custom KMSKey, then configured the EC2 Image Builder Image Recipe to use the KMSKey as the EBS encryption key. After the AMI was created successfully, I used the AMI to launch an instance, but it consistently failed to start with the following error: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state.

The KMSKey's state is Enabled, otherwise the AMI would not have been generated successfully, so I don't understand why it still reports an incorrect state.

I looked up the answer on the Internet and saw a post saying that it was a permission issue, so I associated a role with the EC2 instance with an inline policy like this:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "kms:*",
			"Resource": "*"
		}
	]
}

But the startup failed with the same error.

Does anyone know why?

tong_K
Asked 2 months ago, viewed 1935 times
1 answer
1
Accepted answer

Hello.

Does your KMS key policy allow access from your AWS account?
Is there a policy in place to use KMS keys for the IAM user trying to launch EC2?
https://github.com/hashicorp/packer/issues/12683#issuecomment-1889831463

How about using the following KMS key policy?

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
      {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::AWS Account ID:root"
          },
          "Action": "kms:*",
          "Resource": "*"
      },
      {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:DescribeKey",
              "kms:Encrypt",
              "kms:Decrypt",
              "kms:ReEncrypt*",
              "kms:GenerateDataKey",
              "kms:GenerateDataKeyWithoutPlaintext"
          ],
          "Resource": "*"
      },
      {
          "Sid": "Allow attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::AWS Account ID:role/EC2 IAM Role"
              ]
          },
          "Action": [
              "kms:CreateGrant",
              "kms:ListGrants",
              "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
              "Bool": {
                  "kms:GrantIsForAWSResource": "true"
              }
          }
      }
  ]
}
Expert
Answered 2 months ago
  • Thank you. The permissions associated with KMS for the AWS user I use are like this: "kms:CreateAlias", "kms:CreateKey", "kms:DescribeKey", "kms:ListAliases", "kms:TagResource".

  • You may want to check the event from CloudTrail's event history as described in the documentation below. This will allow you to check which IAM policies are missing for IAM users. You probably need to add "kms:CreateGrant" to the IAM user's IAM policy. https://repost.aws/knowledge-center/kms-iam-ec2-permission

  • Thank you, issue solved.
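To check a key policy offline for the actions the accepted answer grants to the EC2 role, here is an added example (not code from the thread or from AWS); the account ID and role name in the sample policy are made up, and only the kms:GrantIsForAWSResource condition is evaluated:

```python
import fnmatch
# Actions EC2 needs on the KMS key behind the AMI's encrypted EBS snapshots: the set the
# accepted answer grants to the EC2 role. kms:CreateGrant was the one the asker lacked.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext",
                    "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:CreateGrant")
# The only condition settled offline for an EC2/EBS caller; any other key makes the statement unknown.
KNOWN_CONDITIONS = {"kms:GrantIsForAWSResource": "true"}
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(statement, principal_arn):
    """True if the statement names principal_arn (or '*') and its condition holds for EC2."""
    principal = statement.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if principal_arn not in aws and "*" not in aws:
        return False
    for operator, keys in statement.get("Condition", {}).items():
        for key, value in keys.items():
            if operator != "Bool" or KNOWN_CONDITIONS.get(key) != str(value).lower():
                return False  # unknown condition: conservatively treat as not satisfied
    return True

def _matched(statement, principal_arn):
    """Required actions covered by the statement's Action patterns (e.g. kms:ReEncrypt*)."""
    if not _statement_applies(statement, principal_arn):
        return set()
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return {a for a in REQUIRED_ACTIONS if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}

def missing_actions(policy, principal_arn):
    """Required actions the key policy does not allow principal_arn (an explicit Deny wins)."""
    # A root-principal statement only delegates to IAM identity policies; it is not a grant to the role.
    allowed, denied = set(), set()
    for statement in policy.get("Statement", []):
        target = allowed if statement.get("Effect") == "Allow" else denied
        target |= _matched(statement, principal_arn)
    return [a for a in REQUIRED_ACTIONS if a not in allowed - denied]

# Constructed sample: the accepted answer's key policy with a made-up account ID and role name.
ROLE = "arn:aws:iam::123456789012:role/ec2-image-role"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*", "Principal": {"AWS": [ROLE]},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"]},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [ROLE]}, "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}
```

Calling missing_actions(SAMPLE_POLICY, ROLE) returns an empty list; dropping the third statement returns ["kms:CreateGrant"], and a policy with only the root statement (the CDK default) reports every action as missing for the role.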
