Termination reason: Client.InternalError: Client error on launch

Var*_*dar 7 amazon-ec2 terraform terraform-provider-aws

Please help.

How do I make sure EC2 uses a custom KMS key? We deploy EC2 instances with Terraform, and every time an EC2 instance is launched in the Auto Scaling group it crashes with the following error. It looks like the EC2 instance cannot access the KMS key.

Error: Termination reason: Client.InternalError: Client error on launch

resource "aws_autoscaling_group" "autoscaling-group" {
  name                 = var.name
  availability_zones   = var.availability_zones
  min_size             = var.min_size
  desired_capacity     = var.desired_capacity
  max_size             = var.max_size
  health_check_type    = "EC2"
  launch_configuration = aws_launch_configuration.launch_configuration.name
  vpc_zone_identifier  = local.subnet_id
  termination_policies = ["OldestInstance"]
}

resource "aws_launch_configuration" "launch_configuration" {
  name                        = var.name
  image_id                    = var.ami
  instance_type               = var.instance_type
  iam_instance_profile        = var.iam_instance_profile_name
  security_groups             = [aws_security_group.security_group.id]
  associate_public_ip_address = true
}

resource "aws_autoscaling_policy" "autoscaling-policy" {
  name                      = var.name
  policy_type               = "TargetTrackingScaling"
  estimated_instance_warmup = "90"
  adjustment_type           = "ChangeInCapacity"
  autoscaling_group_name    = aws_autoscaling_group.autoscaling-group.name
}

Thanks

Var*_*dar 14

Thanks everyone for your support, I was able to solve it. The problem was with the KMS key grant for the EC2 Auto Scaling service; we used the following module and the problem was resolved.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_grant

resource "aws_kms_grant" "a" {
  name              = "my-grant"
  key_id            = aws_kms_key.a.key_id
  grantee_principal = aws_iam_role.a.arn
  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]

}
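The grant only works if its grantee is the principal that actually calls KMS during the launch, which for an Auto Scaling group is the service-linked role AWSServiceRoleForAutoScaling, not the instance's own role. The following is an added example (not the code from the answer above) that looks that role up and grants it the operations EC2 Auto Scaling needs on a customer-managed key; the key and grant names are assumptions, and it assumes the service-linked role already exists in the account (AWS creates it the first time an Auto Scaling group is created).

```hcl
# Added example, not part of the original answer. Names "ebs" and
# "autoscaling-ebs-grant" are assumptions for illustration.

resource "aws_kms_key" "ebs" {
  description             = "Customer-managed key for Auto Scaling EBS volumes"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Service-linked role that EC2 Auto Scaling uses when it launches
# instances with encrypted volumes. Its name and path are fixed by AWS.
data "aws_iam_role" "autoscaling" {
  name = "AWSServiceRoleForAutoScaling"
}

# Grant scoped to the service-linked role rather than to an instance role.
# Grants are an alternative to editing the key policy and are easier to
# manage per key when several services share one key.
resource "aws_kms_grant" "autoscaling" {
  name              = "autoscaling-ebs-grant"
  key_id            = aws_kms_key.ebs.key_id
  grantee_principal = data.aws_iam_role.autoscaling.arn
  operations = [
    "Encrypt",
    "Decrypt",
    "ReEncryptFrom",
    "ReEncryptTo",
    "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext",
    "DescribeKey",
    "CreateGrant",
  ]
}
```

After `terraform apply`, `aws kms list-grants --key-id <key id>` should show the grant with the service-linked role as GranteePrincipal; if the ASG still terminates instances with Client.InternalError, check that the AMI's snapshot is encrypted with this key and not with a key in another account.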


Yea*_*eev 6

The reason this happens is probably that the Auto Scaling group cannot attach the EBS volume to your EC2 instance. It looks like you chose to encrypt the EBS volume, but the KMS key policy of the customer managed key does not have the correct policy for the specific IAM role that Auto Scaling uses, namely AWSServiceRoleForAutoScaling. You need to add the following policy block to the key policy of the KMS key used to encrypt the EBS volumes:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
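Since the question is about Terraform, here is an added example (not from the answer above) of expressing those two statements as an aws_iam_policy_document and attaching it as the key policy, with the account number taken from aws_caller_identity instead of being hard-coded. One caveat worth building in: a key policy set through Terraform replaces the default policy entirely, so it must keep a statement that lets the account administrators manage the key, otherwise the key becomes unmanageable. The resource and statement names are assumptions.

```hcl
# Added example, not part of the original answer. Resource name "ebs"
# and the statement ids are assumptions for illustration.

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  # Service-linked role used by EC2 Auto Scaling; path and name are fixed by AWS.
  autoscaling_slr_arn = "arn:aws:iam::${local.account_id}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
}

data "aws_iam_policy_document" "ebs_key" {
  # Keep the account root able to administer the key. Without this statement
  # a custom key policy can lock everyone, including Terraform, out of the key.
  statement {
    sid       = "EnableKeyAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account_id}:root"]
    }
  }

  # Equivalent of "Allow use of the key" from the answer above.
  statement {
    sid    = "AllowUseOfTheKey"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.autoscaling_slr_arn]
    }
  }

  # Equivalent of "Allow attachment of persistent resources": lets Auto Scaling
  # create grants, but only on behalf of AWS resources (the EBS volumes).
  statement {
    sid       = "AllowAttachmentOfPersistentResources"
    effect    = "Allow"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.autoscaling_slr_arn]
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "ebs" {
  description         = "Customer-managed key for encrypted EBS volumes"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.ebs_key.json
}
```

The kms:GrantIsForAWSResource condition is what keeps the third statement narrow: it permits grants that an AWS service creates for a resource it manages, but not arbitrary grants to other principals.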