I created a new ASG that launches instances from an AMI that was created and encrypted in another account (account id: 111). Any instance launched by the ASG crashes right away with the error Client.InternalError: Client error on launch. It seems that the instance has no permissions on the KMS key. I went over similar questions and checked the relevant documentation, but I haven't figured out the issue.
Here is the key policy in account id 111. I gave privileges to the relevant user from account id 222, which is where I created the ASG.
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::222:role/instances_profile"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Here is the relevant grant:
aws kms list-grants --key-id arn:aws:kms:us-east-1:111:key/84848484 --region us-east-1
{
  "Grants": [
    {
      "KeyId": "arn:aws:kms:us-east-1:111:key/84848484",
      "Name": "stage",
      "GranteePrincipal": "arn:aws:iam::222:role/instances_profile",
      "IssuingAccount": "arn:aws:iam::111:root",
      "Operations": [
        "Decrypt",
        "Encrypt",
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext",
        "ReEncryptFrom",
        "ReEncryptTo",
        "CreateGrant",
        "DescribeKey"
      ]
    }
  ]
}
The EC2 instance has the following policy:
{
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "arn:aws:kms:us-east-1:111:key/84848484"
}
Does anyone know what could be the issue?
2 Answers
The issue was resolved. I had to use the service-linked role and not the service role. I had to use:
arn:aws:iam::222:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
for the GranteePrincipal parameter.

The KMS key policy you've provided gives permissions to the root user in account 222. However, the EC2 instances created by the ASG likely aren't running with the permissions of the root user. Instead, they're probably running with the permissions of an EC2 instance profile, which is a role that's attached to the EC2 instances when they're launched.
To solve the issue, you would need to modify your KMS key policy to allow the EC2 instance profile used by the ASG in account 222 to use the KMS key. You would replace
"arn:aws:iam::222:root"
in the key policy with the ARN of the instance profile. Here's an example of what the modified key policy might look like:
Replace
"arn:aws:iam::222:role/your-instance-profile-role"
with the ARN of your instance profile. You can find this information in the IAM console in your AWS account. Please note that the permissions in the policy above are quite broad (
"kms:*"
and "Resource": "*"
) and may not follow the best security practices. It's generally recommended to restrict the permissions to the minimum necessary for your application to function properly.
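The accepted fix is that Auto Scaling launches instances under its service-linked role, so that role, not only the instance profile, needs a grant (or key-policy permission) on the cross-account key. The following is an added example, not code from the question or either answer. It builds a least-privilege key policy for account 111 that covers both account-222 principals, produces the create-grant parameters (the same fields boto3's kms.create_grant and aws kms create-grant take), and checks a list-grants result for the principal that is still missing. The account ids, key id and role names are the placeholders from the question and the accepted answer; the split into a root admin statement, a usage statement and a CreateGrant statement conditioned on kms:GrantIsForAWSResource is my own choice rather than anything the posters wrote. The script does not call AWS; apply the policy with aws kms put-key-policy and the grant with aws kms create-grant from account 111.

```python
"""Added example: cross-account KMS key policy and grant for an ASG launching
from an encrypted AMI. Identifiers are placeholders taken from the question."""

KEY_OWNER_ACCOUNT = "111"   # owns the KMS key and the encrypted AMI
ASG_ACCOUNT = "222"         # owns the Auto Scaling group
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_OWNER_ACCOUNT}:key/84848484"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ASG_ACCOUNT}:role/instances_profile"
# Service-linked role Auto Scaling uses when it launches instances (from the accepted answer)
ASG_SLR_ARN = (f"arn:aws:iam::{ASG_ACCOUNT}:role/aws-service-role/"
               "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")

# Operations in the question's grant: what a launch from an encrypted AMI needs
LAUNCH_OPERATIONS = [
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo", "CreateGrant", "DescribeKey",
]


def key_policy(cross_account_principals):
    """Key policy for account 111 (assumed structure, not the poster's):
    root keeps admin, account-222 principals get only usage rights, and
    CreateGrant is limited to grants made on behalf of AWS services."""
    usage_actions = ["kms:" + op for op in LAUNCH_OPERATIONS if op != "CreateGrant"]
    return {
        "Version": "2012-10-17",
        "Id": "key-default-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOfTheKeyFromAccount222",
                "Effect": "Allow",
                "Principal": {"AWS": list(cross_account_principals)},
                "Action": usage_actions,
                "Resource": "*",   # key policies always use "*" for the key itself
            },
            {
                "Sid": "AllowGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": list(cross_account_principals)},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def create_grant_request(grantee_principal, name):
    """Keyword arguments for kms.create_grant giving one principal the launch operations."""
    return {
        "KeyId": KEY_ARN,
        "GranteePrincipal": grantee_principal,
        "Operations": list(LAUNCH_OPERATIONS),
        "Name": name,
    }


def to_cli(request):
    """Render the request as the equivalent aws kms create-grant command."""
    return (f"aws kms create-grant --region us-east-1 --key-id {request['KeyId']} "
            f"--grantee-principal {request['GranteePrincipal']} --name {request['Name']} "
            "--operations " + " ".join(request["Operations"]))


def missing_launch_grants(list_grants_output,
                          required_principals=(INSTANCE_ROLE_ARN, ASG_SLR_ARN)):
    """Given parsed `aws kms list-grants` output, return the required principals
    that do not yet hold a grant on this key covering every launch operation."""
    covered = set()
    for grant in list_grants_output.get("Grants", []):
        if grant.get("KeyId") == KEY_ARN and \
                set(LAUNCH_OPERATIONS) <= set(grant.get("Operations", [])):
            covered.add(grant.get("GranteePrincipal"))
    return [p for p in required_principals if p not in covered]


# Constructed sample: the grants exactly as the question shows them
SAMPLE_LIST_GRANTS = {
    "Grants": [
        {
            "KeyId": KEY_ARN,
            "Name": "stage",
            "GranteePrincipal": INSTANCE_ROLE_ARN,
            "IssuingAccount": f"arn:aws:iam::{KEY_OWNER_ACCOUNT}:root",
            "Operations": list(LAUNCH_OPERATIONS),
        }
    ]
}

if __name__ == "__main__":
    import json
    print(json.dumps(key_policy([INSTANCE_ROLE_ARN, ASG_SLR_ARN]), indent=2))
    for principal in missing_launch_grants(SAMPLE_LIST_GRANTS):
        print(to_cli(create_grant_request(principal, "stage-asg")))
```

Run against the question's own list-grants output, the check reports only the Auto Scaling service-linked role as missing and prints the create-grant command for it, which is the change the accepted answer describes. Granting the instance profile alone is not enough because the launch itself is performed by Auto Scaling, not by the instance.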