AWS ASG Error State transition reason Server.InternalError


【Title】: AWS ASG Error State transition reason Server.InternalError 【Posted】: 2021-12-21 04:34:32 【Question】:

Error:- State transition reason: Server.InternalError Client.InternalError: Client error on launch

When an instance is launched from the launch template alone it works fine, but if I use an ASG together with the launch template, the EC2 instance fails with this error.

KMS key policy used for EBS:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@I+000"
                ]
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
                    "arn:aws:iam::xxxxxxx:root",
                    "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
                    "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        },
        {
            "Sid": "Allow use of the key for Cloudwatch Log Groups Encryption",
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.eu-west-1.amazonaws.com"
            },
            "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Describe*"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-west-1:xxxxxxxx:log-group:*"
                }
            }
        }
    ]
}

Output for the instance:-

    {
        "Reservations": [
            {
                "Instances": [
                    {
                        "Monitoring": {
                            "State": "pending"
                        },
                        "PublicDnsName": "",
                        "StateReason": {
                            "Message": "Client.InternalError: Client error on launch",
                            "Code": "Client.InternalError"
                        },
                        "State": {
                            "Code": 48,
                            "Name": "terminated"
                        },
                        "EbsOptimized": true,
                        "LaunchTime": "2021-11-08T11:38:29.000Z",
                        "ProductCodes": [],
                        "CpuOptions": {
                            "CoreCount": 8,
                            "ThreadsPerCore": 2
                        },
                        "StateTransitionReason": "Server.InternalError",
                        "InstanceId": "i-0a266c694eb414f70",
                        "EnaSupport": true,
                        "ImageId": "ami-0ed588d6f749dcf28",
                        "PrivateDnsName": "",
                        "SecurityGroups": [],
                        "ClientToken": "2c45f3fd-5ea9-acd3-d703-c39a55955c94",
                        "InstanceType": "m5.4xlarge",
                        "CapacityReservationSpecification": {
                            "CapacityReservationPreference": "open"
                        },
                        "NetworkInterfaces": [],
                        "Placement": {
                            "Tenancy": "default",
                            "GroupName": "",
                            "AvailabilityZone": "eu-west-1a"
                        },
                        "Hypervisor": "xen",
                        "BlockDeviceMappings": [],
                        "Architecture": "x86_64",
                        "RootDeviceType": "ebs",
                        "RootDeviceName": "/dev/sda1",
                        "VirtualizationType": "hvm",
                        "Tags": [
                            {
                                "Value": "False",
                                "Key": "AutoShutdown"
                            },
                            {
                                "Value": "False",
                                "Key": "AutoStart"
                            },
                            {
                                "Value": "AutoScalingGroup",
                                "Key": "aws:cloudformation:logical-id"
                            },
                            {
                                "Value": "lt-0014c04827c2647b7",
                                "Key": "aws:ec2launchtemplate:id"
                            },
                            {
                                "Value": "True",
                                "Key": "RunAtWeekends"
                            },
                            {
                                "Value": "arn:aws:cloudformation:eu-west-1:9887878787:stack/ppe-devops-ecs-06/d5763820-4087-11ec-933b-02d79c55316d",
                                "Key": "aws:cloudformation:stack-id"
                            },
                            {
                                "Value": "1",
                                "Key": "aws:ec2launchtemplate:version"
                            },
                            {
                                "Value": "True",
                                "Key": "KeepMe"
                            },
                            {
                                "Value": "True",
                                "Key": "SaveIfOrphaned"
                            },
                            {
                                "Value": "ppe-devops-ecs-06-asg",
                                "Key": "aws:autoscaling:groupName"
                            },
                            {
                                "Value": "ppe-devops-ecs-06",
                                "Key": "aws:cloudformation:stack-name"
                            }
                        ],
                        "HibernationOptions": {
                            "Configured": false
                        },
                        "AmiLaunchIndex": 0
                    }
                ],
                "ReservationId": "r-014c8f943e5ca3655",
                "RequesterId": "178953610797",
                "Groups": [],
                "OwnerId": "9887878787"
            }
        ]
    }

【Question comments】:

Thanks in advance.

Do you have the instance ID and the AWS CLI? If so, run aws ec2 describe-instances --instance-id INSTANCEID and add the output to the question - this is most likely related to your EBS volumes.

Are you using KMS encryption for the instance's volumes?

Thanks Ermiya Eskandary. Thank you, Marcin. I have added the comments.

Any help on the above query?

【Answer 1】:

KMS key access was the problem. Granting the permission solved it. This can be the error when additional encrypted volumes are attached.

【Discussion】:

【Answer 2】:

Hi, I got the same error message Client.InternalError: Client error on launch. I tried adding permissions for EBS to the KMS key, but with the same result. Here is one of my many configurations:

KmsKeyEbs:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "KMS Key to encrypt and decrypt EBS volumes."
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Sid: "Allow administration of the key"
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
          Action:
            - 'kms:*'
          Resource: '*'
        - Sid: "Allow usage of the key"
          Effect: Allow
          Principal:
            AWS: '*'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:CreateGrant'
            - 'kms:RevokeGrant'
            - 'kms:List*'
            - 'kms:Describe*'
            - 'kms:Get*'
          Resource: '*'

Edit:

If this solution does not work, check whether your AMI has changed. In my case the AMI became encrypted after a while, without any notice from the AMI provider.

【Discussion】:

You are answering the question with another answer. Please avoid doing that.
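As an added example (not from the question or either answer), the following Python audits a KMS key policy for the access the Auto Scaling service-linked role needs on a customer-managed EBS key, and flags two patterns visible in the policies above: a Bool condition on kms:GrantIsForAWSResource in a statement that grants no grant operations, and the `AWS: '*'` principal in the second answer's configuration. The required action set follows the AWS Auto Scaling key-policy guidance (key usage plus CreateGrant); the account ID in any test input is a constructed placeholder.

```python
import json
from fnmatch import fnmatchcase

# Added example, not from the original post: audit a KMS key policy for the
# access the Auto Scaling service-linked role needs on a customer-managed EBS key.
SLR_PATH = "role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
GRANT_OPS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
# Key usage plus CreateGrant: what the role needs to launch with encrypted volumes.
REQUIRED = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
            "kms:DescribeKey", "kms:CreateGrant"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_ebs_key_policy(policy_json: str, account_id: str) -> list:
    """Return findings (strings) for an EBS key policy used by an Auto Scaling group."""
    slr_arn = f"arn:aws:iam::{account_id}:{SLR_PATH}"
    slr_allowed, findings = set(), []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = _as_list(st.get("Action", []))
        cond_keys = {k for op in st.get("Condition", {}).values() for k in op}
        grant_only_cond = cond_keys == {"kms:GrantIsForAWSResource"}
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' opens the key to any AWS principal")
        # kms:GrantIsForAWSResource is only present on CreateGrant/ListGrants/RevokeGrant
        # requests, so a Bool test on it in a statement without grant actions never matches.
        if "kms:GrantIsForAWSResource" in cond_keys and not any(
                fnmatchcase(g, a) for g in GRANT_OPS for a in actions):
            findings.append(f"{sid}: kms:GrantIsForAWSResource condition on non-grant actions never matches")
        if slr_arn not in principals and "*" not in principals:
            continue
        for req in REQUIRED:
            if not any(fnmatchcase(req, a) for a in actions):
                continue
            # Count unconditional grants, or grant actions conditioned only on GrantIsForAWSResource.
            if not cond_keys or (grant_only_cond and req in GRANT_OPS):
                slr_allowed.add(req)
    missing = sorted(REQUIRED - slr_allowed)
    if missing:
        findings.append("AWSServiceRoleForAutoScaling lacks: " + ", ".join(missing))
    return findings
```

An empty result means the service-linked role is named explicitly with key usage plus CreateGrant; for the second answer's configuration the only finding is the wildcard principal, which is far broader than the role needs.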
