Unable to pass Customer Managed Key about ec2cryptomatic-serverless HOT 11 CLOSED

Hello @sanjeevim,

You can specify a KMS alias as input of the state machine (alias/aws/KMS is only used as default value).
The error message you got here explained that the snapshot operation execution time exceeded the value of the Boto3's waiter.

Can you tell me please how many volumes that you tried to encrypt and, most important, the size of these volumes ?

Regards,

from ec2cryptomatic-serverless.

Hello Julien,

I have windows machine and there are two volumes are associated and their size is 30gb each.

My CM KMS input as “alias/test123”.
Is this the right input format for Cm KMS or something else?

Thanks,
Sanjeevi

from ec2cryptomatic-serverless.

Hello again,

This CMK alias seems to be good, I think you can use it.
I have pushed few seconds ago a beta version that support a higher wait time for snapshot operations (with a maximum limit at 15 minutes per snapshots operation).

If you want you can test this version by using this bellow link:

https://github.com/jbrt/ec2cryptomatic-serverless/tree/1.1.1-beta

Regards,
Julien

from ec2cryptomatic-serverless.

Thank you Julien.

I will pull the latest and revert back to you.

You are the best.

I have enhanced tags creation during copy snapshot and volume creation from encrypted snapshots as well.

Thanks.

from ec2cryptomatic-serverless.

You're welcome, fell free to create a pull request if you want.

Please note that this version of the code could may fail to encrypt very big volumes (if the encrypting time takes longer than 15 minutes, the lambda will exit). When I'll have more time I'll change the structure of the state machine by adding SQS queues for handling a longer execution time.

Regards

from ec2cryptomatic-serverless.

Yeah sure.

I’ll create a PR and will inform you to approve and merge.

from ec2cryptomatic-serverless.

Hello @sanjeevim,

Thank you for your PR request. I've merged it few second ago.
In the meanwhile, did you tried this beta version ? If yes, can you tell me if this version has solved your problem ?

Regards,
Julien

from ec2cryptomatic-serverless.

from ec2cryptomatic-serverless.

Hello Julien,

I hope you are doing well today!

The default "/aws/ebs/kms" is working without any issues but, while going with customer managed key I am getting the below error. Requesting you to share your inputs on this.

Getting error like unable to find the "KMS Key".

I have windows machine and the volumes size is 8gb.

User Input to the step function:
{
"region": "us-east-1",
"instance_id": ["i-xyz12456b13"],
"kms_key": "alias/DND-KEY-MINE",
"delete_source": true
}

Error:

Waiter SnapshotCompleted failed: The snapshot 'snap-0037439nfkdln' does not exist.: WaiterError Traceback (most recent call last): File "/var/task/ebs_encrypt_snapshot.py", line 20, in lambda_handler kms_key=kms_key).start()}} File "/opt/python/aws_library/ebs_encrypt_snapshot.py", line 51, in start self._wait_snapshot.wait(SnapshotIds=[snap_id['SnapshotId']]) File "/var/runtime/botocore/waiter.py", line 53, in wait Waiter.wait(self, **kwargs) File "/var/runtime/botocore/waiter.py", line 313, in wait last_response=response botocore.exceptions.WaiterError: Waiter SnapshotCompleted failed: The snapshot 'snap-0037439nfkdln' does not exist.
-- | --

from ec2cryptomatic-serverless.

Julien,

This is fixed. I found that KMS policy doesn't have enough privilege.

from ec2cryptomatic-serverless.

Hello @sanjeevim

I'm so sorry, I've missed your previous message so that's why I only respond now :(
So, everything is fine on your side ? If yes it's great !
If everything is fine for you I'll merge this version onto master. I just wait for your confirmation.

Have a nice day !

from ec2cryptomatic-serverless.