Using encrypted boot device with server-group module


#1

I’m using the server-group module from module-asg. I’m trying to use an AMI that I have encrypted with my master key created using the kms-master-key. I can’t launch an instance from the ASG that server-group creates due to: “Client.InternalError: Client error on launch”.

My research on this suggests I need to allow CreateGrant to a resource or role. I haven’t found the magic to make this work. Anyone know how to configure the proper permissions to allow me to boot an encrypt boot volume?


#2

SOLVED

It looks like all I needed was to add the service linked role to my list of cmk_user_iam_arns for the kms key.

arn:aws:iam::REPLACE_ME:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling