Problem:
 
You are using Skeddly to start an EC2 instance and your EC2 instance starts, but it then immediately stops.
 
However, using the AWS Management Console, you are able to start the same EC2 instance without problems.
 
Please Check:
 
On the AWS Management Console:
 
Check your EC2 instance's "State Transition Reason" and "State Transition Reason Message" values:

  1. Go to the EC2 Management Console

  2. Click "Instances" on the left navigation bar

  3. Find your EC2 instance in the list of instances and select it.

  4. In the details pane, find the following:


 
 State transition reason: Server.InternalError
 State transition reason message: Client.InternalError: Client error on launch
 
 Check if your root EBS volume is encypted using a KMS key:

  1. Go to the EC2 Management Console

  2. Click "Volumes" on the left navigation bar

  3. Find your root EBS volume in the list of volumes and select it.

  4. In the details pane, find the following:


 
Solution:

To resolve this issue, there are 2 possible options.

Option 1: Allow the IAM role/user used by Skeddly to access the KMS key

  1. Find the KMS key used to encrypt the EBS volume in the IAM Management Console.

  2. Modify the "Key Policy" of the KMS key to allow the IAM role/user to "allow use of the key". You do this by adding your IAM role/user to the "Key users" section.

Once the user is allowed to "use" the KMS keys, the EC2 instance should start correctly.

Option 2: Allow the IAM role/user used by Skeddly to execute kms:CreateGrant

  1. In the IAM Management Console, find the IAM role/user used by Skeddly.

  2. Add a new "Inline Policy" to the user with the following JSON body:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateGrant",
"Effect": "Allow",
"Action": "kms:CreateGrant",
"Resource": "*"
}
]
}

This policy will allow the IAM role/user to grant permission to AWS to use the KMS key.

With this policy applied to the IAM role/user, the EC2 instance should start correctly.

Did this answer your question?