背景
最近用一个terraform asg模块部署asg时一直报错
Error: Termination Reason: Client.InternalError: Client error on launch
搜索资料发现和KMS下面的asg 对应的policy有关系.
解决方法
在AWS界面找到KMS, 然后找到customer managed key导航栏, 最后找到对应AMI加密用的key修改其key policy即可, 需要在key policy中添加AWSServiceRoleForAutoScaling的policy.
如下, 注意需要把<AWS Account Number> 替换成自己的aws账号:
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
参考
Termination Reason: Client.InternalError: Client error on launch