Using encrypted boot device with server-group module

natefaerber · May 20, 2018, 11:07pm

I’m using the server-group module from module-asg. I’m trying to use an AMI that I have encrypted with my master key created using the kms-master-key. I can’t launch an instance from the ASG that server-group creates due to: “Client.InternalError: Client error on launch”.

My research on this suggests I need to allow CreateGrant to a resource or role. I haven’t found the magic to make this work. Anyone know how to configure the proper permissions to allow me to boot an encrypt boot volume?

natefaerber · May 20, 2018, 11:25pm

SOLVED

It looks like all I needed was to add the service linked role to my list of cmk_user_iam_arns for the kms key.

arn:aws:iam::REPLACE_ME:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling

Topic		Replies	Views
Unable to decrypt secrets (infrastructure-live-acme) Gruntwork Customers kms , encryption	3	6858	May 1, 2018
Private TLS CA and cert: module-security vs terraform-aws-vault? Gruntwork Customers guidance	1	686	April 10, 2018
Redis on AWS - with encryption Gruntwork Customers redis , elasticache	4	1346	December 12, 2017
Comments on getting `infrastructure-live-acme` up and running Gruntwork Customers	2	742	May 21, 2018
Would be helpful to have a gruntsam example with custom authorization Gruntwork Customers guidance , gruntsam , lambda	1	765	May 31, 2018

Using encrypted boot device with server-group module

Related topics