I created a new ASG that creates instances using an AMI that was created and encrypted in another account (account id: 111). Any instance the ASG creates crashes right away with the error Client.InternalError: Client error on launch. It seems that the instance has no permissions to the KMS key. I went over similar questions and checked the relevant documentation, but I haven't figured out the issue.
Here is the key policy in account id 111. I gave privileges to the relevant role from account id 222, which is where I created the ASG.
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::222:role/instances_profile"
                ]
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}
Here is the relevant grant:
aws kms list-grants --key-id arn:aws:kms:us-east-1:111:key/84848484 --region us-east-1
{
    "Grants": [
        {
            "KeyId": "arn:aws:kms:us-east-1:111:key/84848484",
            "Name": "stage",
            "GranteePrincipal": "arn:aws:iam::222:role/instances_profile",
            "IssuingAccount": "arn:aws:iam::111:root",
            "Operations": [
                "Decrypt",
                "Encrypt",
                "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext",
                "ReEncryptFrom",
                "ReEncryptTo",
                "CreateGrant",
                "DescribeKey"
            ]
        }
    ]
}
The EC2 instance's role has the following policy statement:
{
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:us-east-1:111:key/84848484"
}
Does anyone know what could be the issue?
The issue was resolved. I had to use the service-linked role and not the service role. I had to use arn:aws:iam::222:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling for the GranteePrincipal parameter.
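As an added example (not code from the question or the answer), here is a small offline check that replays the diagnosis above: it parses constructed list-grants output built from the values in the question and reports which operations the Auto Scaling service-linked role still lacks on the key, before and after a grant for it is modelled. The account ids and key id are the question's placeholder values, and REQUIRED_OPS is my assumption that the service-linked role's grant needs the same operations as the existing grant.

```python
"""Offline check: do a KMS key's grants cover the principal that Auto Scaling
actually uses when launching from an encrypted AMI owned by another account?
Account ids, key id and grants are constructed to mirror the question."""
import json

# Constructed list-grants output: the only grant goes to the instance profile
# role in account 222, not to the Auto Scaling service-linked role.
GRANTS = json.loads("""{"Grants": [{
  "KeyId": "arn:aws:kms:us-east-1:111:key/84848484",
  "Name": "stage",
  "GranteePrincipal": "arn:aws:iam::222:role/instances_profile",
  "IssuingAccount": "arn:aws:iam::111:root",
  "Operations": ["Decrypt", "Encrypt", "GenerateDataKey",
                 "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom",
                 "ReEncryptTo", "CreateGrant", "DescribeKey"]}]}""")

# Assumption: the grant for the service-linked role needs the same operations
# the question's existing grant already carries.
REQUIRED_OPS = frozenset(GRANTS["Grants"][0]["Operations"])


def asg_service_linked_role(account_id):
    """ARN of the Auto Scaling service-linked role in the consuming account."""
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def missing_operations(grants, principal, required=REQUIRED_OPS):
    """Required operations that no grant to `principal` on this key covers."""
    covered = set()
    for grant in grants["Grants"]:
        if grant["GranteePrincipal"] == principal:
            covered.update(grant["Operations"])
    return sorted(required - covered)


def with_grant(grants, principal, operations=REQUIRED_OPS, name="asg-slr"):
    """Copy of `grants` plus a grant for `principal`: a local model of what
    `aws kms create-grant --grantee-principal <principal>` would add."""
    template = grants["Grants"][0]
    new_grant = {"KeyId": template["KeyId"], "Name": name,
                 "GranteePrincipal": principal,
                 "IssuingAccount": template["IssuingAccount"],
                 "Operations": sorted(operations)}
    return {"Grants": grants["Grants"] + [new_grant]}


if __name__ == "__main__":
    slr = asg_service_linked_role("222")
    print("SLR lacks before fix:", missing_operations(GRANTS, slr))
    print("SLR lacks after fix:", missing_operations(with_grant(GRANTS, slr), slr))
```

Run against real output by replacing GRANTS with the parsed result of aws kms list-grants for the key; an empty list for the service-linked role is the state the accepted fix reaches.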