aws-solutions / instance-scheduler-on-aws

A cross-account and cross-region solution that allows customers to automatically start and stop EC2 and RDS Instances

Home Page:https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/

Instance not starting up

easante817 opened this issue · comments

Saw that I needed to add the kms:CreateGrant permission to the Instance Scheduler role (-SchedulerRole-). I did, but the instance is still not starting up. I wonder if I did it right.

hi @easante817 The kms:CreateGrant permission is only required when scheduling instances that have encrypted EBS volumes using customer-managed KMS keys. In that scenario, you need to make sure that you grant the scheduling role permission to use the specific KMS key that is being used to encrypt your EBS volume.

If possible, I would recommend double-checking that you are able to schedule a test instance with the exact same region & scheduling tags that is not using encrypted EBS volumes (you can use a micro instance for this to keep it as cheap as possible, the scheduling logic should work the same).

If you continue having problems after confirming that the issue is not elsewhere in the configuration and double checking that the kms:CreateGrant permission applies to the specific KMS key you are using, please enable debug logging on the main control stack within CloudFormation and send me the logs around the specific region and time that the instance is not correctly scheduling.

I used the instructions from this link: http://www.1strategy.com/blog/2018/01/09/ec2-encrypted-ebs-and-iam-users/
in which I used the kms:CreateGrant statement below. Now my question is: I replaced the resource section ARN with the one from the CloudFormation ARN. Was that right? Which ARN should I be replacing it with, I guess, is my question, and am I even using the right kms:CreateGrant?
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "kms:CreateGrant"
                    ],
                    "Resource": [
                        "arn:aws:kms::<account #>:key/"
                    ],
                    "Condition": {
                        "Bool": {
                            "kms:GrantIsForAWSResource": true
                        }
                    }
                }
            ]
        }

Hi @easante817

The IAM role created by the solution should have the following permissions:

        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "arn:aws:kms:us-west-1:[ACCOUNT_ID]:key/[KMS_KEY_UUID]"
        }

and the KMS key policy (the key's resource policy) should include:

        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[ACCOUNT_ID]:role/[ROLE_NAME_CREATED_BY_INSTANCE_SCHEDULER_IN_THE_ACCOUNT]"
            },
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
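The two fragments above are the two halves of one authorization decision: the role's identity policy must allow kms:CreateGrant on the specific key ARN, and the key policy must either name the role directly or delegate to IAM through the usual account-root statement. The following is an added example, not code from the instance-scheduler-on-aws project or from either participant in the thread. It evaluates a role policy and a key policy offline against a role ARN and key ARN, flags the malformed key ARN shape from the issue (no region, no key id), and flags wildcard patterns inside a Principal, which IAM rejects. All account IDs, key IDs, role names and policies are constructed placeholders; the evaluation logic assumes the role and the key live in the same account, as in this thread (cross-account access would additionally need both sides to allow).

```python
"""Offline check of the two policy halves kms:CreateGrant needs for an encrypted-EBS
instance. Added example, not part of the instance-scheduler-on-aws project; every
ARN, ID and name below is a constructed placeholder."""
import fnmatch

ACCOUNT_ID = "123456789012"                                     # constructed
KEY_ARN = f"arn:aws:kms:us-west-1:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/instance-scheduler-SchedulerRole-1ABCDEF"
# The ARN shape posted in the issue: region and key id are both missing.
BROKEN_ARN = f"arn:aws:kms::{ACCOUNT_ID}:key/"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:CreateGrant", "Resource": KEY_ARN}]}

KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": ["kms:CreateGrant"], "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _stmts(policy):
    return _as_list(policy.get("Statement", []))


def arn_problems(arn):
    """Structural mistakes in a literal KMS key ARN; [] when it is well-formed."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "kms"]:
        return ["not of the form arn:aws:kms:<region>:<account-id>:key/<key-id>"]
    problems = []
    if not parts[3]:
        problems.append("region is empty")
    if not (parts[4].isdigit() and len(parts[4]) == 12):
        problems.append("account id is not a 12-digit number")
    if not parts[5].startswith("key/") or len(parts[5]) == len("key/"):
        problems.append("key id is missing after key/")
    return problems


def identity_decision(policy, action, resource):
    """Identity-policy result for one action on one resource: 'Deny' if any matching
    Deny statement exists, 'Allow' if a matching Allow exists, None for implicit deny.
    Uses IAM's '*' and '?' wildcards (fnmatch also treats [...] as a class, so feed
    it real ARNs, not [PLACEHOLDER] text)."""
    decision = None
    for st in _stmts(policy):
        hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))) and \
              any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
        if not hit:
            continue
        if st.get("Effect") == "Deny":
            return "Deny"
        if st.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def key_policy_grants(policy, action, role_arn, account_id):
    """'direct' if an Allow statement names the role, 'via-iam' if the key policy only
    delegates to the account root (then the identity policy decides), else None."""
    result = None
    root = f"arn:aws:iam::{account_id}:root"
    for st in _stmts(policy):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        cond = st.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if cond is not None and str(cond).lower() != "true":
            continue  # EC2 creates the grant on the role's behalf, so this key is true
        pr = st.get("Principal", {})
        if pr == "*":
            entries = ["*"]
        elif isinstance(pr, dict):
            entries = _as_list(pr.get("AWS", []))
        else:
            entries = []
        if role_arn in entries or "*" in entries:
            return "direct"
        if root in entries:
            result = "via-iam"
    return result


def principal_problems(policy):
    """Principal ARNs containing a wildcard: IAM rejects these (only a bare '*' is valid)."""
    bad = []
    for st in _stmts(policy):
        pr = st.get("Principal", {})
        if isinstance(pr, dict):
            bad += [p for p in _as_list(pr.get("AWS", [])) if "*" in p and p != "*"]
    return bad


def create_grant_ok(identity_policy, key_policy, role_arn, key_arn, account_id):
    """Same-account evaluation: an explicit identity Deny wins; a key-policy Allow naming
    the role is sufficient on its own; root delegation needs an identity Allow on the key."""
    dec = identity_decision(identity_policy, "kms:CreateGrant", key_arn)
    if dec == "Deny":
        return False
    how = key_policy_grants(key_policy, "kms:CreateGrant", role_arn, account_id)
    if how == "direct":
        return True
    return how == "via-iam" and dec == "Allow"


if __name__ == "__main__":
    print("issue ARN problems:", arn_problems(BROKEN_ARN))
    print("wildcard principals:", principal_problems(KEY_POLICY))
    print("CreateGrant allowed:", create_grant_ok(IDENTITY_POLICY, KEY_POLICY, ROLE_ARN, KEY_ARN, ACCOUNT_ID))
```

To use it against a real account, paste the output of `aws iam get-role-policy` (or the attached policy document) as IDENTITY_POLICY and `aws kms get-key-policy --policy-name default` as KEY_POLICY, and take the key ARN from the `KmsKeyId` of the instance's volumes, not from a CloudFormation stack ARN.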