packer-plugin-amazon

Documentation on KMS permissions is inaccurate

Open hc-github-team-packer opened this issue 3 years ago • 0 comments

This issue was originally opened by @sblask in https://github.com/hashicorp/packer/issues/11852 and has been migrated to this repository. The original issue description is below.


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Overview of the Issue

After moving infrastructure around (packer build in account A to share an AMI with encryption in account B using an encryption key in account C after previously having the build and the key in the same account) I suddenly got:

Error waiting for AMI (ami-XXX) in region (ap-southeast-2): Failed with ResourceNotReady error, which can have a variety of causes. For help troubleshooting, check our docs: https://www.packer.io/docs/builders/amazon.html#resourcenotready-error
original error: ResourceNotReady: failed waiting for successful resource state

The linked document says kms permissions on the key are required. So I double and triple checked the permissions on the key and it was all there. After some more testing I found that I need the kms permissions not just on the key but also on the role. I think there might be some magic going on when build and key are in the same account because that worked without permissions on the role, but if they are in separate accounts the role definitely needs permissions as well.

Note to other people with the same problem: I also ran into the issue that I need to provide an ARN and not just the alias if the key is in a different account than the build so AWS can find it. So: arn:aws:kms:ap-southeast-2:XXXXX:alias/foo/bar instead of alias/foo/bar. Kind of obvious when you think about it, but not if nothing works and you get an obscure error message.

hc-github-team-packer, Jul 29 '22 14:07
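The cross-account setup described in the issue (build in account A, AMI shared with account B, key in account C), written as a Packer HCL2 source as an added example; it is not part of the original issue or the plugin's documentation. The account IDs, base AMI and key alias `foo/bar` are placeholders, and the IAM role used for the build still needs the kms permissions on its own policy in addition to the key policy, exactly as the post reports.

```hcl
# Assumed placeholders: account C holds the KMS key, account B receives the AMI.
variable "key_account_id"   { type = string } # account C
variable "share_account_id" { type = string } # account B

locals {
  timestamp = formatdate("YYYYMMDDhhmmss", timestamp())
}

source "amazon-ebs" "encrypted_shared" {
  region        = "ap-southeast-2"
  instance_type = "t3.micro"
  ssh_username  = "ec2-user"
  source_ami    = "ami-PLACEHOLDER" # placeholder: base AMI for the build
  ami_name      = "encrypted-shared-${local.timestamp}"

  # Re-encrypt the final snapshot with the customer managed key in account C.
  # A cross-account key must be given as a full ARN: a bare "alias/foo/bar"
  # is resolved in the build account (A) and is not found there, which
  # surfaces only as the generic ResourceNotReady error quoted above.
  encrypt_boot = true
  kms_key_id   = "arn:aws:kms:ap-southeast-2:${var.key_account_id}:alias/foo/bar"

  # Share the encrypted AMI and its backing snapshot with account B. Account B
  # must also be allowed to use the key in account C's key policy, or it will
  # be unable to launch instances from the shared AMI.
  ami_users      = [var.share_account_id]
  snapshot_users = [var.share_account_id]
}

build {
  sources = ["source.amazon-ebs.encrypted_shared"]
}
```

Two things must hold for this to succeed: the key policy in account C must grant the build role in account A, and that role's own IAM policy must also allow the kms actions on the key ARN; granting only one of the two reproduces the failure the issue describes.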