
I am trying to configure an Auto Scaling setup in AWS where the node launch template includes an encrypted root volume (EBS). I have configured the service-linked role and the CMK in Amazon KMS according to the IAM policy documentation.
However, when the ASG tries to create an instance, I get the following error:
Launching a new EC2 instance: i-0123456789xxx. Status Reason: Instance became unhealthy while waiting for instance to be in InService state. Termination Reason: Client.InternalError: Client error on launch
The troubleshooting doc just points back to the original documentation and indicates that the IAM policy is configured incorrectly - but I am struggling to find out what is incorrect.
The service-linked role is set on the ASG, and the SLR has the correct permissions in the IAM policy for the key used to encrypt the volume:
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms: Encrypt",
    "kms: Decrypt",
    "kms: ReEncrypt*",
    "kms: GenerateDataKey*",
    "kms: DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms: CreateGrant",
    "kms: ListGrants",
    "kms: RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
Note that manually launching the same AMI, specifying that the root volume be encrypted with the same key, works. Does this suggest the SLR could be the problem?
Alternatively, do I need to create an AMI whose root volume is already encrypted?
Update 11/05/2020:
Turns out there was a formatting error - there was a space after each colon in the Action section. Removing it fixed it, and it now works as expected.
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
Answer 1
Turns out there was a formatting error - there was a space after each colon in the Action section. Removing it fixed it, and it now works as expected.
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::0123456789:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
  },
  "Action": [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "kms:GrantIsForAWSResource": "true"
    }
  }
}
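A small lint for the failure mode in the question's update and Answer 1, added here as an example rather than code from the original post: it flags Action strings that contain whitespace (which IAM matches to no API operation, so the statement silently grants nothing) and lists the KMS actions the Auto Scaling service-linked role still lacks. The sample policy and the 12-digit account id are constructed placeholders.

```python
import json, re

# Actions the Auto Scaling service-linked role needs on a CMK that encrypts
# EBS root volumes (the actions named in the question's key policy).
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
                    "kms:ListGrants", "kms:RevokeGrant"}
# A well-formed IAM action is "service:Name" with no whitespace; "kms: Encrypt"
# matches no API operation, so a statement listing it grants nothing.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

# Constructed sample: placeholder account id, actions malformed as in the question.
SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": SLR_ARN}, "Resource": "*",
     "Action": ["kms: Encrypt", "kms: Decrypt", "kms: ReEncrypt*",
                "kms: GenerateDataKey*", "kms: DescribeKey"]},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": SLR_ARN}, "Resource": "*",
     "Action": ["kms: CreateGrant", "kms: ListGrants", "kms: RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_key_policy(policy, role_arn):
    """Return findings: malformed Action strings, plus required actions that
    no Allow statement grants directly to role_arn."""
    findings, granted = [], set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        bad = [a for a in actions if not ACTION_RE.match(a)]
        findings += [f"{stmt.get('Sid', '?')}: malformed action {a!r}" for a in bad]
        principal = stmt.get("Principal", {})
        arns = (_as_list(principal.get("AWS", []))
                if isinstance(principal, dict) else [principal])
        if stmt.get("Effect") == "Allow" and role_arn in arns:
            granted.update(a for a in actions if a not in bad)
    if "kms:*" not in granted:  # a full "kms:*" grant covers everything
        findings += [f"{role_arn.rsplit('/', 1)[-1]} lacks {a}"
                     for a in sorted(REQUIRED_ACTIONS - granted)]
    return findings

def fix_actions(policy):
    """Return a copy with the stray whitespace removed from every Action."""
    fixed = json.loads(json.dumps(policy))  # deep copy; the policy is plain JSON
    for stmt in _as_list(fixed["Statement"]):
        stmt["Action"] = [a.replace(" ", "") for a in _as_list(stmt["Action"])]
    return fixed
```

Feed it the output of `aws kms get-key-policy --policy-name default` parsed with `json.loads` to check a real key the same way.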
Answer 2
I ran into the same problem and solved it by adding the Auto Scaling service-linked role to the key policy of the relevant key (AWS Console -> KMS -> Customer managed keys -> YOUR_KEY -> "Edit" under the Key policy tab) as follows:
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::REDACTED:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
          "arn:aws:iam::REDACTED:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}