2

I'm trying to create an EBS Volume with the AWS CDK that is encrypted by my own KMS key in C#, with this snippet:

using Amazon.CDK;            // CfnTag, ICfnTag
using Amazon.CDK.AWS.EC2;    // CfnVolume, CfnVolumeProps
using Amazon.CDK.AWS.KMS;    // EncryptionKey, EncryptionKeyProps

// Customer-managed KMS key that will encrypt the volume
var kmsProps = new EncryptionKeyProps
{
    Description = "Encryption key for Storage",
    EnableKeyRotation = true,
    Enabled = true,
    Retain = true
};

var kms = new EncryptionKey(stack, "kms-storage", kmsProps);

// Alias the volume refers to by name; KMS alias names must carry the "alias/" prefix
var kmsAlias = kms.AddAlias("alias/" + stack.StackName + "/storage");

// Encrypted 30 GiB gp2 volume in the AZ of privateSubnet1 (stack and privateSubnet1 are defined elsewhere)
var storageVolume = new CfnVolume(stack, "server-storage-encrypted", new CfnVolumeProps
{
    AvailabilityZone = privateSubnet1.AvailabilityZone,
    KmsKeyId = kmsAlias.AliasName,
    Size = 30,
    Encrypted = true,
    Tags = new ICfnTag[]
    {
        new CfnTag {Key = "Name", Value = "Server Storage"}
    },
    VolumeType = "gp2"
});

But the deploy command fails with a "Volume vol-0e88979f5568c16fa is still creating" error.

Any idea if I'm doing something wrong with the KMS policy etc.? I tried looking for it; the only thing I found was that auto scaling needed access to the key, nothing about EBS/EC2.

Erik Karlsson
  • 570
  • 1
  • 6
  • 17
  • When you say "deploy command fails" what exactly do you mean? I'm confused as you also linked AWS cloudformation, but this isn't CFN. Does the KMS key (and its alias) get created correctly? Have you tried separating the code, as in one snippet creates the key then, once you've verified that, you use its ARN to create the volume in a separate snippet? – Marakai Jun 15 '19 at 02:32
  • PS: apologies for the confusion re: CFN or not. I generally use Python and boto3, so wasn't immediately familiar with the C# (or Java SDKs). Still my advice holds: break things up and test each resource separately. – Marakai Jun 16 '19 at 03:24
  • Yeah, tested an unencrypted volume and it worked, and it works if I allow everything to everyone on the key policy. Dunno if it's a CFN or CDK error, but I assume it's something wrong in the CFN created. – Erik Karlsson Jun 17 '19 at 09:08
  • Have you tried creating it via a good old YAML/JSON template? Then maybe with Python? To lock down whether it's a C# SDK issue? – Marakai Jun 17 '19 at 09:40

1 Answer

0

I ran into this issue today. It turned out using an alias in KmsKeyId was causing the issue. The stack was created successfully after changing the alias to the actual key ID. Although the documentation says an alias can be used, it didn't work for me.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html

barryku
  • 2,496
  • 25
  • 16
  • Actually, alias works. My alias was misspelled, but the CF stack operation didn't report that. It just hung for a long time until it timed out. – barryku Jul 31 '21 at 03:31
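The thread ends with two practical lessons: a KmsKeyId alias that does not match the alias actually created makes the stack hang rather than fail, and "allow everything to everyone" on the key policy is not the fix for EBS not being able to use the key. The following is an added example, not code from the question, the answer or the AWS CDK: an offline pre-deploy check over a CloudFormation template (such as the JSON that `cdk synth` emits) that validates the form of every volume's KmsKeyId, cross-checks a literal alias name against the AWS::KMS::Alias resources in the same template, and flags a volume that does not declare DependsOn on its alias. It also builds a scoped key-policy statement that lets EBS use the key only on behalf of principals in one account; that statement follows the EBS pattern in AWS's default key policy as I understand it and is an assumption to verify against the KMS documentation for your setup. The sample templates, account ID and region are constructed.

```python
import re

# Accepted forms of AWS::EC2::Volume.KmsKeyId: key ID, key ARN, alias name or alias ARN.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
ALIAS_NAME_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
ALIAS_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:alias/[A-Za-z0-9/_-]+$")


def classify_kms_key_id(value):
    """Return which KmsKeyId form a literal string takes, or None if it matches none of them."""
    for kind, pattern in (("key-id", KEY_ID_RE), ("key-arn", KEY_ARN_RE),
                          ("alias-name", ALIAS_NAME_RE), ("alias-arn", ALIAS_ARN_RE)):
        if pattern.match(value):
            return kind
    return None


def lint_template(template):
    """Return (logical name, message) findings for AWS::EC2::Volume resources in a parsed template."""
    resources = template.get("Resources", {})
    # Logical name -> alias string for every KMS alias this template itself creates.
    aliases = {name: res["Properties"]["AliasName"]
               for name, res in resources.items() if res.get("Type") == "AWS::KMS::Alias"}
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::EC2::Volume":
            continue
        props = res.get("Properties", {})
        key = props.get("KmsKeyId")
        if key is None:
            continue  # no customer key named: default EBS key or unencrypted, nothing to cross-check
        if props.get("Encrypted") not in (True, "true"):
            findings.append((name, "KmsKeyId is set but Encrypted is not true"))
            continue
        if not isinstance(key, str):
            continue  # Ref/GetAtt intrinsic: CloudFormation resolves it and orders creation itself
        kind = classify_kms_key_id(key)
        if kind is None:
            findings.append((name, f"KmsKeyId {key!r} is not a key ID, key ARN, alias name or alias ARN"))
        elif kind == "alias-name":
            owners = [logical for logical, alias in aliases.items() if alias == key]
            if not owners:
                findings.append((name, f"alias {key!r} is not created by this template (misspelled?)"))
            else:
                depends = res.get("DependsOn", [])
                depends = [depends] if isinstance(depends, str) else depends
                if not any(owner in depends for owner in owners):
                    findings.append((name, f"no DependsOn on alias resource {owners[0]!r}; "
                                           "the volume may be created before the alias exists"))
    return findings


def ebs_key_policy_statement(account_id, region):
    """Key-policy statement scoped to EBS use through EC2 by principals of one account.
    Assumed to mirror the EBS statement of AWS's default key policy; it replaces a wildcard grant."""
    return {
        "Sid": "AllowEbsUseOfTheKeyViaEc2",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": account_id,
                                       "kms:ViaService": f"ec2.{region}.amazonaws.com"}},
    }


def sample_template(alias_in_volume, depends_on=None):
    """Constructed sample: one key with a root-admin statement plus the EBS statement, one alias, one volume."""
    volume = {"Type": "AWS::EC2::Volume",
              "Properties": {"AvailabilityZone": "eu-west-1a", "Size": 30, "VolumeType": "gp2",
                             "Encrypted": True, "KmsKeyId": alias_in_volume}}
    if depends_on:
        volume["DependsOn"] = depends_on
    root_admin = {"Sid": "EnableRootPermissions", "Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                  "Action": "kms:*", "Resource": "*"}
    return {"Resources": {
        "StorageKey": {"Type": "AWS::KMS::Key",
                       "Properties": {"EnableKeyRotation": True,
                                      "KeyPolicy": {"Version": "2012-10-17",
                                                    "Statement": [root_admin,
                                                                  ebs_key_policy_statement("123456789012",
                                                                                           "eu-west-1")]}}},
        "StorageKeyAlias": {"Type": "AWS::KMS::Alias",
                            "Properties": {"AliasName": "alias/demo/storage",
                                           "TargetKeyId": {"Ref": "StorageKey"}}},
        "ServerStorage": volume}}


if __name__ == "__main__":
    for label, tpl in (("correct", sample_template("alias/demo/storage", "StorageKeyAlias")),
                       ("misspelled alias", sample_template("alias/demo/storge", "StorageKeyAlias")),
                       ("missing DependsOn", sample_template("alias/demo/storage"))):
        print(label, "->", lint_template(tpl) or "no findings")
```

Run it against a real synthesized template by loading the JSON with `json.load` and passing the dict to `lint_template`; an alias spelled differently in the volume and in the alias resource surfaces as a finding here instead of as a CloudFormation timeout.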