我正在尝试在 AWS 中配置自动扩展设置,其中节点启动模板包括加密根卷 (EBS)。我已根据以下要求在 Amazon KMS 中配置了服务关联角色和 CMK,并制定了 IAM 策略:文档。
但是,当 ASG 尝试创建实例时,出现了以下错误:
Launching a new EC2 instance: i-0123456789xxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch
这故障排除文档只是指向原始文档并表明 IAM 策略配置不正确 - 我正在努力找出错误所在。
服务关联角色在 ASG 上配置:ASG 上的 SLR并且 SLR 在 IAM 策略中具有用于加密卷的密钥的正确权限:
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms: Encrypt",
"kms: Decrypt",
"kms: ReEncrypt*",
"kms: GenerateDataKey*",
"kms: DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms: CreateGrant",
"kms: ListGrants",
"kms: RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
请注意,手动启动相同的 AMI,指定使用相同密钥加密的根卷,即可正常工作。这可能表明 SLR 存在问题?
或者,我是否需要创建一个根卷已加密的 AMI?
更新日期:2020/11/05:
原来是格式错误 - Actions 部分中每个冒号后面都有一个空格。删除该空格后问题已解决,现在一切正常。
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
答案1
原来是格式错误 - Actions 部分中每个冒号后面都有一个空格。删除该空格后问题已解决,现在一切正常。
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
答案2
我遇到了同样的问题,并通过将 Auto Scaling 的服务相关角色添加到密钥策略相关的关键(AWS 控制台 -> KMS -> 客户管理密钥 -> YOUR_KEY -> 密钥策略选项卡下的“编辑”) 如下:
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::READCTED:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
"arn:aws:iam::REDACTED:root"
]
},
"Action": "kms:*",
"Resource": "*"
}
]
}