Problem:

If you try to copy an encrypted EBS snapshot between regions, you may encounter the following error in your Skeddly log:

E:9/9/2020 11:13:00 AM [15]: Error executing request: Given key ID is not accessible

When an EBS snapshot is copied across regions, the snapshot must be decrypted by AWS using the original KMS key, then re-encrypted in the target region using the new KMS key.

This error may occur:

  1. When the IAM credentials used by Skeddly to access your AWS account does not have permissions to access the KMS key used to encrypt the source EBS snapshot, and/or
  2. AWS was not given permissions to access the KMS key.

Solution:

To resolve this issue, there are 2 possible options.

Option 1: Allow the IAM role/user used by Skeddly to access the KMS key

  1. Find the KMS key used to encrypt the source EBS snapshot in the IAM Management Console.
  2. Modify the "Key Policy" of the KMS key to allow the IAM role/user to "allow use of the key". You do this by adding your IAM role/user to the "Key users" section.

Note: The same should be done with the KMS key used in the target region.

Once the user is allowed to "use" the KMS keys, the EBS snapshot should copy correctly.

Option 2: Allow the IAM role/user used by Skeddly to execute kms:CreateGrant

  1. In the IAM Management Console, find the IAM role/user used by Skeddly.
  2. Add a new "Inline Policy" to the user with the following JSON body:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateGrant",
"Effect": "Allow",
"Action": "kms:CreateGrant",
"Resource": "*"
}
]
}

This policy will allow the IAM role/user to grant permission to AWS to use the KMS key.

With this policy applied to the IAM role/user, the EBS snapshot should copy correctly.

Did this answer your question?