hashicorp / packer

Packer is a tool for creating identical machine images for multiple platforms from a single source configuration.

Home Page: http://www.packer.io

Unable to create AMI because packer keeps exiting with KMS incorrect state

megablend opened this issue · comments

Hi Folks,

I need help understanding why packer fails while retrieving the KMS key state. The provided key actually is enabled but fails with this error when we build:

Instance state change details: Client.InternalError: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

Thanks for reaching out. In order for us to best help, could you provide the things requested in the issue template; including the simplest Packer configuration and scripts needed to reproduce the bug.

That said, this looks like an error coming directly from AWS that Packer may be outputting.

Have you tried to retrieve the key using the aws kms command with the same IAM or login being used by Packer?

Currently dealing with this as well.

==> amazon-ebs.linux: Error waiting for instance (i-0e19fe8f88662c2e9) to become ready: ResourceNotReady: failed waiting for successful resource state
==> amazon-ebs.linux: Instance state change details: Client.InternalError: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

vars.pkr.hcl

variable "encrypt_boot" {
  type    = bool
  default = true   # a bool default, not the string "true"
}

variable "kms_key_id" {
  type    = string
  default = "arn:aws:kms:us-east-1:123456789123:key/blah-blah-blah-blah"
}

source.pkr.hcl

source "amazon-ebs" "linux" {
  encrypt_boot  = var.encrypt_boot
  kms_key_id    = var.kms_key_id
  # (remaining source arguments not included in the report)
}

$ packer --version
1.9.4

I fixed it by adding full KMS access to the IAM role assigned to the instance that packer spins up. Initially I tried Read, Write only but failed with the same error; only full access to KMS fixed it.

I have the same issue; also, I just had the chance to grant more permissions to the EC2.

+1
I have the same issue, and it needs full kms:* on the key policy, else it gets the following error:
Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:EnableKey",
                "kms:ImportKeyMaterial",
                "kms:GenerateRandom",
                "kms:Verify",
                "kms:GenerateDataKeyPair",
                "kms:GetParametersForImport",
                "kms:SynchronizeMultiRegionKey",
                "kms:UpdatePrimaryRegion",
                "kms:ScheduleKeyDeletion",
                "kms:DescribeKey",
                "kms:Sign",
                "kms:EnableKeyRotation",
                "kms:GetKeyPolicy",
                "kms:GenerateDataKey*",
                "kms:CreateGrant"

These were my permissions; I tried to make my permissions more granular. I didn't want to give kms:*.
Might help someone else.

@dchittibala I was facing this issue as well. I believe you only need the following permissions in the KMS key's policy:

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"

The policy can then target the role that is running Packer. In our case, we have other EC2 machines executing Packer to create the AMIs.

Reference: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access
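The thread boils down to two pre-flight checks: is the key actually `Enabled` (the maintainer's suggestion to query it with `aws kms describe-key` under the same identity Packer uses), and does the key policy grant the Packer role the six actions the last comment lists. The following Python is an added example, not code from the issue or from the Packer project. It builds the minimal key-policy statement for a given role and checks an existing key policy plus a `describe-key` response for the two failure modes. The role ARN, the `Sid`, and both sample documents are constructed for the example; the check ignores `Deny` statements, `Condition` blocks and IAM identity policies, so it is a sanity check, not an authorization simulation.

```python
"""Pre-flight checks for an encrypt_boot Packer build against a KMS key."""
import fnmatch
import json

# Actions the last comment (and the linked AWS key-policy example) lists as
# sufficient in the *key policy* for EBS encryption with a customer-managed key.
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey",
    "kms:CreateGrant",
)


def packer_key_policy_statement(role_arn):
    """Key-policy statement granting only REQUIRED_ACTIONS to the Packer role."""
    return {
        "Sid": "AllowPackerEBSEncryption",  # assumed name, choose your own
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",  # in a key policy, "*" means this key only
    }


def _principals(stmt):
    """Normalize the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def missing_actions(key_policy, principal_arn):
    """Return the REQUIRED_ACTIONS that no Allow statement grants principal_arn.

    IAM action matching is case-insensitive and supports '*' wildcards, so
    'kms:*' or 'kms:ReEncrypt*' both satisfy 'kms:ReEncrypt*'.
    """
    granted = set()
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # simplification: Deny statements are not evaluated
        principals = _principals(stmt)
        if principal_arn not in principals and "*" not in principals:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        granted.update(a.lower() for a in actions)
    return [
        req for req in REQUIRED_ACTIONS
        if not any(fnmatch.fnmatchcase(req.lower(), pattern) for pattern in granted)
    ]


def diagnose(describe_key_response, key_policy, principal_arn):
    """Findings that would explain InvalidKMSKey.InvalidState; empty means OK."""
    findings = []
    state = describe_key_response["KeyMetadata"]["KeyState"]
    if state != "Enabled":
        findings.append(f"key state is {state}, not Enabled")
    missing = missing_actions(key_policy, principal_arn)
    if missing:
        findings.append("key policy does not grant " + ", ".join(missing))
    return findings


# --- constructed sample input (not real AWS data) ---------------------------
PACKER_ROLE = "arn:aws:iam::123456789123:role/packer-builder"
ACCOUNT_ROOT = "arn:aws:iam::123456789123:root"

# A key policy with the default root statement plus a too-narrow grant that
# mirrors the "Read, Write only" attempt reported in the thread.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "PackerTooNarrow", "Effect": "Allow",
         "Principal": {"AWS": PACKER_ROLE},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}
# Shape of a `describe-key` result, reduced to the field the check needs.
SAMPLE_DESCRIBE_KEY = {"KeyMetadata": {"KeyState": "Enabled"}}


def fixed_policy(key_policy, role_arn):
    """Copy of key_policy with the minimal Packer statement appended."""
    return {**key_policy,
            "Statement": key_policy["Statement"] + [packer_key_policy_statement(role_arn)]}


if __name__ == "__main__":
    print("findings before fix:", diagnose(SAMPLE_DESCRIBE_KEY, SAMPLE_KEY_POLICY, PACKER_ROLE))
    repaired = fixed_policy(SAMPLE_KEY_POLICY, PACKER_ROLE)
    print("findings after fix: ", diagnose(SAMPLE_DESCRIBE_KEY, repaired, PACKER_ROLE))
    print(json.dumps(packer_key_policy_statement(PACKER_ROLE), indent=2))
```

To run the checks against a real key, feed `diagnose` the output of `boto3.client("kms").describe_key(KeyId=...)` and the parsed `Policy` string from `get_key_policy(KeyId=..., PolicyName="default")`, called with the same credentials Packer uses; a `Disabled` or `PendingDeletion` state, or a missing `kms:CreateGrant` or `kms:GenerateDataKey*` for the build role, are the two conditions this thread found behind the error.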