Using encrypted boot device with server-group module

I’m using the server-group module from module-asg. I’m trying to use an AMI that I have encrypted with my master key created using the kms-master-key. I can’t launch an instance from the ASG that server-group creates due to: “Client.InternalError: Client error on launch”.

My research on this suggests I need to allow CreateGrant to a resource or role. I haven’t found the magic to make this work. Anyone know how to configure the proper permissions to allow me to boot an encrypt boot volume?


It looks like all I needed was to add the service linked role to my list of cmk_user_iam_arns for the kms key.