Problem:
If you copy an encrypted EBS snapshot between regions, you may encounter the following error in your Skeddly log:
E:6/24/2018 1:43:36 PM [16]: An error occurred copying the snapshot snap-01234567890123456. The snapshot state is 'error'.
I:6/24/2018 1:43:36 PM [16]: State message for snapshot snap-01234567890123456: Given key ID is not accessible
When an EBS snapshot is copied across regions, the snapshot must be decrypted by AWS using the original KMS key, then re-encrypted in the target region using the new KMS key.
This error may occur:
- When the IAM credentials used by Skeddly to access your AWS account do not have permission to access the KMS key used to encrypt the source EBS snapshot, and/or
- When AWS was not given permission to access the KMS key.
Solution:
To resolve this issue, there are 2 possible options.
Option 1: Allow the IAM role/user used by Skeddly to access the KMS key
- Find the KMS key used to encrypt the source EBS snapshot in the IAM Management Console.
- Modify the "Key Policy" of the KMS key so that the IAM role/user is allowed to use the key ("allow use of the key").
Once the user is allowed to "use" the KMS key, the EBS snapshot should copy correctly.
Option 2: Allow the IAM role/user used by Skeddly to execute kms:CreateGrant
- In the IAM Management Console, find the IAM role/user used by Skeddly.
- Add a new "Inline Policy" to the user with the following JSON body:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCreateGrant",
                "Effect": "Allow",
                "Action": "kms:CreateGrant",
                "Resource": "*"
            }
        ]
    }
This policy will allow the user to grant permission to AWS to use the KMS key.
With this policy applied to the user, the EBS snapshot should copy correctly.
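The Option 2 policy allows kms:CreateGrant on every KMS key ("Resource": "*"). The following is an added example, not part of the original article or Skeddly's own code: it puts that policy beside a narrower variant and runs a small check that reports the difference. The key ARNs, account ID, regions and the names audit_create_grant, PAGE_POLICY and SCOPED_POLICY are constructed placeholders, and the kms:GrantIsForAWSResource condition assumes the grants are requested by an AWS service on the role/user's behalf.

```python
from fnmatch import fnmatchcase

# Option 2 policy exactly as given in the article.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowCreateGrant", "Effect": "Allow",
                   "Action": "kms:CreateGrant", "Resource": "*"}],
}

# Constructed tighter variant: placeholder ARNs for the source and target keys,
# and grants allowed only when an AWS service requests them for the principal.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCreateGrantForAwsServices",
        "Effect": "Allow",
        "Action": "kms:CreateGrant",
        "Resource": [
            "arn:aws:kms:us-east-1:111122223333:key/SOURCE-KEY-ID",
            "arn:aws:kms:us-west-2:111122223333:key/TARGET-KEY-ID",
        ],
        "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_create_grant(policy):
    """Return findings for Allow statements that permit kms:CreateGrant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("kms:creategrant", a) for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: CreateGrant allowed on every KMS key")
        # Only the simple {"Bool": {...}} condition form is recognised here.
        bools = {k.lower(): str(v).lower()
                 for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        if bools.get("kms:grantisforawsresource") != "true":
            findings.append(f"{sid}: grants not limited to AWS services")
    return findings

if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_create_grant(pol) or "no findings")
```

Before relying on the narrower variant, replace the placeholder ARNs with the keys actually involved in the copy and confirm that a test snapshot still copies.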