Using encrypted boot device with server-group module

natefaerber · May 20, 2018, 11:07pm

I’m using the server-group module from module-asg. I’m trying to use an AMI that I have encrypted with my master key created using the kms-master-key. I can’t launch an instance from the ASG that server-group creates due to: “Client.InternalError: Client error on launch”.

My research on this suggests I need to allow CreateGrant to a resource or role. I haven’t found the magic to make this work. Anyone know how to configure the proper permissions to allow me to boot an encrypt boot volume?

natefaerber · May 20, 2018, 11:25pm

SOLVED

It looks like all I needed was to add the service linked role to my list of cmk_user_iam_arns for the kms key.

arn:aws:iam::REPLACE_ME:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling

Topic		Replies	Views
Private TLS CA and cert: module-security vs terraform-aws-vault? Gruntwork Customers guidance	1	655	April 10, 2018
Comments on getting `infrastructure-live-acme` up and running Gruntwork Customers	2	712	May 21, 2018
Would be helpful to have a gruntsam example with custom authorization Gruntwork Customers guidance , gruntsam , lambda	1	746	May 31, 2018
Is there a way to generate random encrypted secrets Gruntwork Customers encryption	3	2123	January 7, 2019
Relation with hashicorp, specifically for registry.terraform.io Gruntwork Customers	11	1173	December 14, 2017

Using encrypted boot device with server-group module

Related Topics