Problem:

If you copy an encrypted EBS snapshots between regions, you may encounter the following error in your Skeddly log:

E:6/24/2018 1:43:36 PM [16]: An error occurred copying the snapshot snap-01234567890123456. The snapshot state is 'error'.
I:6/24/2018 1:43:36 PM [16]: State message for snapshot snap-01234567890123456: Given key ID is not accessible

When an EBS snapshot is copied across regions, the snapshot must be decrypted by AWS using the original KMS key, then re-encrypted in the target region using the new KMS key.

This error may occur:

  1. When the IAM credentials used by Skeddly to access your AWS account does not have permissions to access the KMS key used to encrypt the source EBS snapshot, and/or
  2. AWS was not given permissions to access the KMS key.

Solution:

To resolve this issue, there are 2 possible options.

Option 1: Allow the IAM role/user used by Skeddly to access the KMS key

  1. Find the KMS key used to encrypt the source EBS snapshot in the IAM Management Console.
  2. Modify the "Key Policy" of the KMS key to allow the IAM role/user to "allow use of the key".

Once the user is allowed to "use" the KMS key, the EBS snapshot should copy correctly.

Option 2: Allow the IAM role/user used by Skeddly to execute kms:CreateGrant 

  1. In the IAM Management Console, find the IAM role/user used by Skeddly.
  2. Add a new "Inline Policy" to the user with the following JSON body:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateGrant",
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*"
        }
    ]
}


This policy will allow the user to grant permission to AWS to use the KMS key.

With this policy applied to the user, the EBS snapshot should copy correctly.

Did this answer your question?