错误:状态转换原因为 Server.InternalError;Client.InternalError:启动时出现客户端错误
使用启动模板启动实例时,它工作正常,但如果我将 ASG 与启动模板一起使用,则会在 ec2 实例上出现上述错误。
用于 ebs 的 Kms 密钥策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxx:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow administration of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
"arn:aws:iam::xxxxxxx:root",
"arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
"arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
]
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
"arn:aws:iam::xxxxxxx:root",
"arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
"arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@I+000"
]
},
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
"arn:aws:iam::xxxxxxx:root",
"arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
"arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
},
{
"Sid": "Allow use of the key for Cloudwatch Log Groups Encryption",
"Effect": "Allow",
"Principal": {
"Service": "logs.eu-west-1.amazonaws.com"
},
"Action": [
"kms:Encrypt*",
"kms:Decrypt*",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:Describe*"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-west-1:xxxxxxxx:log-group:*"
}
}
}
]
}
实例的输出:
{
"Reservations": [
{
"Instances": [
{
"Monitoring": {
"State": "pending"
},
"PublicDnsName": "",
"StateReason": {
"Message": "Client.InternalError: Client error on launch",
"Code": "Client.InternalError"
},
"State": {
"Code": 48,
"Name": "terminated"
},
"EbsOptimized": true,
"LaunchTime": "2021-11-08T11:38:29.000Z",
"ProductCodes": [],
"CpuOptions": {
"CoreCount": 8,
"ThreadsPerCore": 2
},
"StateTransitionReason": "Server.InternalError",
"InstanceId": "i-0a266c694eb414f70",
"EnaSupport": true,
"ImageId": "ami-0ed588d6f749dcf28",
"PrivateDnsName": "",
"SecurityGroups": [],
"ClientToken": "2c45f3fd-5ea9-acd3-d703-c39a55955c94",
"InstanceType": "m5.4xlarge",
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"NetworkInterfaces": [],
"Placement": {
"Tenancy": "default",
"GroupName": "",
"AvailabilityZone": "eu-west-1a"
},
"Hypervisor": "xen",
"BlockDeviceMappings": [],
"Architecture": "x86_64",
"RootDeviceType": "ebs",
"RootDeviceName": "/dev/sda1",
"VirtualizationType": "hvm",
"Tags": [
{
"Value": "False",
"Key": "AutoShutdown"
},
{
"Value": "False",
"Key": "AutoStart"
},
{
"Value": "AutoScalingGroup",
"Key": "aws:cloudformation:logical-id"
},
{
"Value": "lt-0014c04827c2647b7",
"Key": "aws:ec2launchtemplate:id"
},
{
"Value": "True",
"Key": "RunAtWeekends"
},
{
"Value": "arn:aws:cloudformation:eu-west-1:9887878787:stack/ppe-devops-ecs-06/d5763820-4087-11ec-933b-02d79c55316d",
"Key": "aws:cloudformation:stack-id"
},
{
"Value": "1",
"Key": "aws:ec2launchtemplate:version"
},
{
"Value": "True",
"Key": "KeepMe"
},
{
"Value": "True",
"Key": "SaveIfOrphaned"
},
{
"Value": "ppe-devops-ecs-06-asg",
"Key": "aws:autoscaling:groupName"
},
{
"Value": "ppe-devops-ecs-06",
"Key": "aws:cloudformation:stack-name"
}
],
"HibernationOptions": {
"Configured": false
},
"AmiLaunchIndex": 0
}
],
"ReservationId": "r-014c8f943e5ca3655",
"RequesterId": "178953610797",
"Groups": [],
"OwnerId": "9887878787"
}
]
}
KMS 密钥访问权限是问题所在,授予相应权限后已解决该问题。当附加了额外的加密卷时,也可能出现此错误。
嗨,我有同样的错误消息
Client.InternalError: Client error on launch
我尝试为 EBS 添加 KMS 密钥权限,但结果相同。
这是我的众多配置之一:
# Customer-managed KMS key used to encrypt/decrypt EBS volumes. KeyPolicy is the
# key's resource policy; in a key policy, Resource: '*' refers to this key only.
KmsKeyEbs:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "KMS Key to enctypt and decrypt EBS volumes."
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        # Key administration: account root plus the Auto Scaling service-linked
        # role. NOTE(review): 'kms:*' gives the service-linked role full
        # administrative control (including kms:ScheduleKeyDeletion); to launch
        # from CMK-encrypted volumes it typically needs only the key-usage
        # actions and kms:CreateGrant — consider naming it in the usage
        # statement below instead of here.
        - Sid: "Allow administration of the key"
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
          Action:
            - 'kms:*'
          Resource: '*'
        # Key usage. NOTE(review): Principal AWS: '*' lets any AWS principal,
        # including principals in other accounts, use this key and manage grants
        # on it as long as their own IAM policy allows the call. A least-
        # privilege policy lists the specific roles (as the JSON policy earlier
        # on this page does) and, for the grant actions, adds the
        # kms:GrantIsForAWSResource condition so grants can only be created on
        # behalf of AWS services such as EC2/Auto Scaling.
        - Sid: "Allow usage of the key"
          Effect: Allow
          Principal:
            AWS: '*'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:CreateGrant'
            - 'kms:RevokeGrant'
            - 'kms:List*'
            - 'kms:Describe*'
            - 'kms:Get*'
          Resource: '*'
编辑:
如果此解决方案不起作用,请检查您的 AMI 是否有更改。就我而言,AMI 经过一段时间后就被加密,而 AMI 提供商没有任何通知。
通常,当 KMS 密钥加密的 EBS 卷无法解密时,就会出现此问题。
KMS 密钥有两种类型:
如果提供的 KMS 密钥由 AWS 管理,则 ASG(Auto Scaling Group)将能够启动实例,但如果 KMS 密钥由客户管理,那么我们需要确保使用 KMS 密钥为 ASG 创建授权。
这无法从控制台实现,因此请参阅以下文章中的 AWS CLI 命令: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html
如果您使用 terraform,请使用本文: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant
还要检查密钥策略并确保其正确。