
I want to use an AMI that is located in another account to create a spot instance with Terraform. The AMI is shared with my account, but the EBS volume inside it is created with a custom KMS key.

When I tried to use the AMI, it gave an error like below.

Instance launch failed because an EBS volume cannot be encrypted. If your launch specification includes an encrypted EBS volume, you must grant the AWSServiceRoleForEC2Spot service-linked role access to any custom KMS keys.

I gave access to AWSServiceRoleForEC2Spot in the KMS key policy, and even to AWSServiceRoleForEC2SpotFleet, but it still gives a bad-parameter error when I try to create the instance, and when I describe the spot instance request the error is the same. What am I doing wrong?

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-1",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
                    "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
                    "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
  • Did the other account also grant your account access to the KMS key? – luk2302 Nov 23 '22 at 11:54
  • Yes, I ran the command before creating the instance: aws kms create-grant \ --region $REGION \ --key-id arn:aws:kms:eu-central-1:xx:key/xx \ --grantee-principal arn:aws:iam::$ACCOUNT_ID:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot \ --operations "Decrypt" "Encrypt" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "CreateGrant" "DescribeKey" "ReEncryptFrom" "ReEncryptTo" – nevincansel Nov 23 '22 at 11:55
  • How is the Terraform script referencing the KMS key? If you are going to use a KMS key cross-account, you need to reference it by its ARN. – Erik Asplund Nov 23 '22 at 12:05
  • I added the KMS key by its ID; should I use the ARN? ebs_block_device { device_name = "/dev/sda1" encrypted = true kms_key_id = "xx" } } – nevincansel Nov 23 '22 at 12:49
  • It didn't work with the KMS ARN either. @ErikAsplund – nevincansel Nov 23 '22 at 13:53
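As an added example (not from the question, the commenters or AWS), a small Python evaluator for a KMS key policy document: it reports which of the actions a Spot launch needs are actually granted to a given principal ARN, which makes it easy to see whether the key-owning account's policy names the launching account's AWSServiceRoleForEC2Spot at all. The account ids, the required-action set and the sample policy are constructed assumptions; Conditions are not evaluated.

```python
import fnmatch
import json
# Constructed sample: the key policy from the question, with the "xx"
# placeholder replaced by a made-up key-owning account id.
KEY_ACCOUNT = "111122223333"
SPOT_SLR = "arn:aws:iam::{}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [SPOT_SLR.format(KEY_ACCOUNT)]},
         "Action": ["kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [SPOT_SLR.format(KEY_ACCOUNT)]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
})
# Assumed set of key actions a Spot launch from an encrypted AMI needs (taken
# from the operations listed in the question's own create-grant call).
SPOT_REQUIRED = {"kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom",
                 "kms:ReEncryptTo", "kms:DescribeKey", "kms:CreateGrant"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", {})
    entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    account = principal_arn.split(":")[4]
    # Account-root principals delegate to IAM in that account (assumed allowed here).
    return any(e in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for e in entries)

def allowed_actions(policy_json, principal_arn, candidate_actions):
    """Subset of candidate_actions the key policy grants to principal_arn.
    Handles action wildcards and Deny statements; Conditions are not evaluated."""
    allowed, denied = set(), set()
    for stmt in json.loads(policy_json)["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
        hit = {a for a in candidate_actions if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (denied if stmt.get("Effect") == "Deny" else allowed).update(hit)
    return allowed - denied

def missing_for_spot(policy_json, principal_arn):
    # Required Spot-launch actions the key policy does NOT grant to principal_arn.
    return SPOT_REQUIRED - allowed_actions(policy_json, principal_arn, SPOT_REQUIRED)
```

Running it against the sample shows the Spot role of the key-owning account gets everything it needs, while the same role in any other account gets nothing, because the policy simply does not name it.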

0 Answers