AWS ASG state transition reason Server.InternalError

Question (votes: 0, answers: 3)

Error: State transition reason: Server.InternalError; Client.InternalError: Client error on launch

Launching an instance directly from the launch template works fine, but when I use an ASG with the same launch template, the EC2 instance ends up with the error above.


KMS key policy used for EBS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@I+000"
                ]
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow use of the key for Cloudwatch Log Groups Encryption",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.eu-west-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-west-1:xxxxxxxx:log-group:*"
                }
            }
        }
    ]
}

Output for the instance:

 {
        "Reservations": [
            {
                "Instances": [
                    {
                        "Monitoring": {
                            "State": "pending"
                        },
                        "PublicDnsName": "",
                        "StateReason": {
                            "Message": "Client.InternalError: Client error on launch",
                            "Code": "Client.InternalError"
                        },
                        "State": {
                            "Code": 48,
                            "Name": "terminated"
                        },
                        "EbsOptimized": true,
                        "LaunchTime": "2021-11-08T11:38:29.000Z",
                        "ProductCodes": [],
                        "CpuOptions": {
                            "CoreCount": 8,
                            "ThreadsPerCore": 2
                        },
                        "StateTransitionReason": "Server.InternalError",
                        "InstanceId": "i-0a266c694eb414f70",
                        "EnaSupport": true,
                        "ImageId": "ami-0ed588d6f749dcf28",
                        "PrivateDnsName": "",
                        "SecurityGroups": [],
                        "ClientToken": "2c45f3fd-5ea9-acd3-d703-c39a55955c94",
                        "InstanceType": "m5.4xlarge",
                        "CapacityReservationSpecification": {
                            "CapacityReservationPreference": "open"
                        },
                        "NetworkInterfaces": [],
                        "Placement": {
                            "Tenancy": "default",
                            "GroupName": "",
                            "AvailabilityZone": "eu-west-1a"
                        },
                        "Hypervisor": "xen",
                        "BlockDeviceMappings": [],
                        "Architecture": "x86_64",
                        "RootDeviceType": "ebs",
                        "RootDeviceName": "/dev/sda1",
                        "VirtualizationType": "hvm",
                        "Tags": [
                            {
                                "Value": "False",
                                "Key": "AutoShutdown"
                            },
                            {
                                "Value": "False",
                                "Key": "AutoStart"
                            },
                            {
                                "Value": "AutoScalingGroup",
                                "Key": "aws:cloudformation:logical-id"
                            },
                            {
                                "Value": "lt-0014c04827c2647b7",
                                "Key": "aws:ec2launchtemplate:id"
                            },
                            {
                                "Value": "True",
                                "Key": "RunAtWeekends"
                            },
                            {
                                "Value": "arn:aws:cloudformation:eu-west-1:9887878787:stack/ppe-devops-ecs-06/d5763820-4087-11ec-933b-02d79c55316d",
                                "Key": "aws:cloudformation:stack-id"
                            },
                            {
                                "Value": "1",
                                "Key": "aws:ec2launchtemplate:version"
                            },
                            {
                                "Value": "True",
                                "Key": "KeepMe"
                            },
                            {
                                "Value": "True",
                                "Key": "SaveIfOrphaned"
                            },
                            {
                                "Value": "ppe-devops-ecs-06-asg",
                                "Key": "aws:autoscaling:groupName"
                            },
                            {
                                "Value": "ppe-devops-ecs-06",
                                "Key": "aws:cloudformation:stack-name"
                            }
                        ],
                        "HibernationOptions": {
                            "Configured": false
                        },
                        "AmiLaunchIndex": 0
                    }
                ],
                "ReservationId": "r-014c8f943e5ca3655",
                "RequesterId": "178953610797",
                "Groups": [],
                "OwnerId": "9887878787"
            }
        ]
    }
amazon-web-services amazon-ec2 aws-cloudformation aws-auto-scaling
3 answers

0 votes

KMS key access was the problem. Granting permission fixed it. This error can appear when additional encrypted volumes are attached.


0 votes

Hi, I have the same error message:

Client.InternalError: Client error on launch

I tried adding KMS key permissions for EBS, but got the same result. This is one of my many configurations:

KmsKeyEbs:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "KMS Key to encrypt and decrypt EBS volumes."
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Sid: "Allow administration of the key"
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              # Auto Scaling service-linked role, so the ASG can use the key
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
          Action:
            - 'kms:*'
          Resource: '*'
        - Sid: "Allow usage of the key"
          Effect: Allow
          Principal:
            # Wildcard principal: any AWS principal whose own IAM policy permits it can use this key
            AWS: '*'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:CreateGrant'
            - 'kms:RevokeGrant'
            - 'kms:List*'
            - 'kms:Describe*'
            - 'kms:Get*'
          Resource: '*'

Edit:

If this solution doesn't work, check whether your AMI has changed. In my case, the AMI became encrypted after some time, without any notice from the AMI provider.


0 votes

This problem usually occurs when an EBS volume encrypted with a KMS key cannot be decrypted.

There are 2 types of KMS keys:

  1. AWS managed.
  2. Customer managed.

If the KMS key provided is AWS managed, the ASG (Auto Scaling Group) will be able to launch instances, but if the KMS key is customer managed, then we need to make sure a grant is created for the ASG using the KMS key.

This cannot be done from the console, so refer to the AWS CLI commands in the following article: https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html

If you use Terraform, use this article: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant

Also check the key policy and make sure it is correct.
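The answers converge on one fix: the Auto Scaling service-linked role (AWSServiceRoleForAutoScaling) must be able to use the customer-managed key, either through the key policy or through a grant. The following Python script is an added example, not code from the question or any of the answers: it checks a key policy offline for that role, reports which required operations are missing, and builds (without running) the `aws kms create-grant` command that closes the gap. The list of required operations, the account ID and the two sample policies are assumptions constructed for the example; the policy evaluator is a deliberately conservative simplification of IAM evaluation, not the real engine.

```python
"""Offline check: can the Auto Scaling service-linked role use a KMS key
for encrypted EBS volumes, and which grant would close the gap?"""
import fnmatch

# Operations the service-linked role needs (assumption: modelled on the AWS
# Auto Scaling guidance for key policies used with encrypted volumes).
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
]
# The only actions whose request context carries kms:GrantIsForAWSResource.
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}


def asg_service_role_arn(account_id):
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    # Only a wildcard or the role's own ARN counts. The account root principal
    # just delegates to IAM policies, and the service-linked role's managed
    # policy carries no kms permissions, so root alone does not help it.
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", arn) for p in _as_list(principal.get("AWS", [])))


def _condition_allows(condition, action):
    # Conservative model: no Condition applies to every action;
    # kms:GrantIsForAWSResource is absent from non-grant requests, so that
    # condition fails for them; any other condition is treated as unsatisfied.
    if not condition:
        return True
    keys = {key for test in condition.values() for key in test}
    if keys == {"kms:GrantIsForAWSResource"}:
        return action in GRANT_ACTIONS
    return False


def allowed_actions(policy, principal_arn):
    """Required actions the key policy allows principal_arn (explicit Deny wins)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in REQUIRED_ACTIONS:
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if not _condition_allows(stmt.get("Condition"), action):
                continue
            (allowed if stmt["Effect"] == "Allow" else denied).add(action)
    return allowed - denied


def missing_actions(policy, account_id):
    have = allowed_actions(policy, asg_service_role_arn(account_id))
    return [a for a in REQUIRED_ACTIONS if a not in have]


def create_grant_command(key_arn, account_id):
    """Build (not run) the aws kms create-grant call for the service-linked role."""
    ops = " ".join(a.split(":")[1] for a in REQUIRED_ACTIONS)
    return (f"aws kms create-grant --key-id {key_arn} "
            f"--grantee-principal {asg_service_role_arn(account_id)} "
            f"--operations {ops}")


# Constructed sample shaped like the question's policy: admin roles are listed,
# the service-linked role is not, and the "use" statement is gated on
# kms:GrantIsForAWSResource, which Encrypt/Decrypt requests never carry.
ACCOUNT = "111122223333"  # placeholder account id
QUESTION_STYLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/core-CloudformationStackAdmin"]},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

# Same policy plus statements for the service-linked role.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": QUESTION_STYLE_POLICY["Statement"] + [
    {"Sid": "Allow Auto Scaling to use the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": asg_service_role_arn(ACCOUNT)},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow Auto Scaling to create grants for EC2", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": asg_service_role_arn(ACCOUNT)}, "Action": "kms:CreateGrant",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]}

if __name__ == "__main__":
    print("missing before fix:", missing_actions(QUESTION_STYLE_POLICY, ACCOUNT))
    print("missing after fix: ", missing_actions(FIXED_POLICY, ACCOUNT))
    print(create_grant_command(f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/EXAMPLE-KEY-ID", ACCOUNT))
```

Run against a real policy by loading the JSON from `aws kms get-key-policy` and passing it to `missing_actions` with your account ID. The conservative treatment of conditions is intentional: it reproduces the trap in the question's policy, where a `kms:GrantIsForAWSResource` condition on Encrypt/Decrypt statements silently never matches, and it flags any condition the script cannot reason about instead of assuming it passes.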
