I want to use an AMI that is located in another account to create a spot instance with Terraform. The AMI is shared with my account, but the EBS volume inside it is created with a custom KMS key.
When I tried to use the AMI, I got the error below.
Instance launch failed because an EBS volume cannot be encrypted. If your launch specification includes an encrypted EBS volume, you must grant the AWSServiceRoleForEC2Spot service-linked role access to any custom KMS keys.
I gave access to AWSServiceRoleForEC2Spot in the KMS key policy, and even to AWSServiceRoleForEC2SpotFleet, but it still gives a bad-parameter error when I try to create the instance, and when I describe the spot instance request the error is the same. What am I doing wrong?
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-1",
    "Statement": [
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
                    "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
                    "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
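An offline check of what the key policy above actually grants the spot service-linked role, as an added example (not the poster's code): it rebuilds the same two statements, expands the wildcard actions, and reports which of an assumed set of KMS actions a principal ARN receives and whether the grant is conditional. The REQUIRED list and the "xx" account id are assumptions; Deny statements and the principal's own IAM policies are not evaluated.

```python
import fnmatch

# Role ARNs as written in the question; "xx" stands in for the account id.
SPOT_ROLE = "arn:aws:iam::xx:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
FLEET_ROLE = "arn:aws:iam::xx:role/aws-service-role/spotfleet.amazonaws.com/AWSServiceRoleForEC2SpotFleet"

# The two Allow statements from the key policy in the question, built compactly.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [FLEET_ROLE, SPOT_ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": [FLEET_ROLE, SPOT_ROLE]},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}

# Assumed set of actions EC2 needs on the key to launch from an encrypted AMI.
REQUIRED = ["kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant",
            "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom"]


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, principal_arn, wanted):
    """Map each wanted action to True if every Allow granting it carries a Condition,
    False if at least one grant is unconditional; actions never granted are absent."""
    granted = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are deliberately not evaluated here
        prin = stmt.get("Principal", {})
        principals = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = _as_list(stmt["Action"])
        for action in wanted:
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                granted[action] = granted.get(action, True) and bool(stmt.get("Condition"))
    return granted


def missing_actions(policy, principal_arn, wanted=REQUIRED):
    """Wanted actions that no Allow statement grants the principal at all."""
    return sorted(a for a in wanted if a not in allowed_actions(policy, principal_arn, wanted))
```

For the policy as posted, missing_actions() returns an empty list for the spot role, so the key policy itself is not what withholds these actions from it.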