AWS ASG Error State transition reason Server.InternalError
Posted 2021-12-21 04:34:32
Question:
Error: State transition reason: Server.InternalError; StateReason: Client.InternalError: Client error on launch
When an instance is launched directly from the launch template it works fine, but if I launch it through an ASG that uses the same launch template, the EC2 instance fails with this error.
KMS key policy used for EBS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@I+000"
        ]
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB@000"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow use of the key for Cloudwatch Log Groups Encryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.eu-west-1.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-west-1:xxxxxxxx:log-group:*"
        }
      }
    }
  ]
}
Output for the instance:
{
  "Reservations": [
    {
      "Instances": [
        {
          "Monitoring": {
            "State": "pending"
          },
          "PublicDnsName": "",
          "StateReason": {
            "Message": "Client.InternalError: Client error on launch",
            "Code": "Client.InternalError"
          },
          "State": {
            "Code": 48,
            "Name": "terminated"
          },
          "EbsOptimized": true,
          "LaunchTime": "2021-11-08T11:38:29.000Z",
          "ProductCodes": [],
          "CpuOptions": {
            "CoreCount": 8,
            "ThreadsPerCore": 2
          },
          "StateTransitionReason": "Server.InternalError",
          "InstanceId": "i-0a266c694eb414f70",
          "EnaSupport": true,
          "ImageId": "ami-0ed588d6f749dcf28",
          "PrivateDnsName": "",
          "SecurityGroups": [],
          "ClientToken": "2c45f3fd-5ea9-acd3-d703-c39a55955c94",
          "InstanceType": "m5.4xlarge",
          "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
          },
          "NetworkInterfaces": [],
          "Placement": {
            "Tenancy": "default",
            "GroupName": "",
            "AvailabilityZone": "eu-west-1a"
          },
          "Hypervisor": "xen",
          "BlockDeviceMappings": [],
          "Architecture": "x86_64",
          "RootDeviceType": "ebs",
          "RootDeviceName": "/dev/sda1",
          "VirtualizationType": "hvm",
          "Tags": [
            { "Value": "False", "Key": "AutoShutdown" },
            { "Value": "False", "Key": "AutoStart" },
            { "Value": "AutoScalingGroup", "Key": "aws:cloudformation:logical-id" },
            { "Value": "lt-0014c04827c2647b7", "Key": "aws:ec2launchtemplate:id" },
            { "Value": "True", "Key": "RunAtWeekends" },
            { "Value": "arn:aws:cloudformation:eu-west-1:9887878787:stack/ppe-devops-ecs-06/d5763820-4087-11ec-933b-02d79c55316d", "Key": "aws:cloudformation:stack-id" },
            { "Value": "1", "Key": "aws:ec2launchtemplate:version" },
            { "Value": "True", "Key": "KeepMe" },
            { "Value": "True", "Key": "SaveIfOrphaned" },
            { "Value": "ppe-devops-ecs-06-asg", "Key": "aws:autoscaling:groupName" },
            { "Value": "ppe-devops-ecs-06", "Key": "aws:cloudformation:stack-name" }
          ],
          "HibernationOptions": {
            "Configured": false
          },
          "AmiLaunchIndex": 0
        }
      ],
      "ReservationId": "r-014c8f943e5ca3655",
      "RequesterId": "178953610797",
      "Groups": [],
      "OwnerId": "9887878787"
    }
  ]
}
Comments:
Thanks in advance.
Do you have the instance ID and the AWS CLI? If so, please run `aws ec2 describe-instances --instance-id INSTANCEID` and add the output to the question - this is most likely related to your EBS volumes.
Are you using KMS encryption for the instance's volumes?
Thanks Ermiya Eskandary. Thank you Marcin. I have added the comments.
Any help on the above query?
Answer 1:
KMS key access was the problem. Granting the permission fixed it. This can be the error when an additional encrypted volume is attached.
Comments:
Answer 2:
Hi, I had the same error message `Client.InternalError: Client error on launch`.
I tried adding permissions on the KMS key for EBS, but got the same result.
This is one of my many configurations:
KmsKeyEbs:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "KMS Key to encrypt and decrypt EBS volumes."
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Sid: "Allow administration of the key"
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
          Action:
            - 'kms:*'
          Resource: '*'
        - Sid: "Allow usage of the key"
          Effect: Allow
          Principal:
            AWS: '*'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:CreateGrant'
            - 'kms:RevokeGrant'
            - 'kms:List*'
            - 'kms:Describe*'
            - 'kms:Get*'
          Resource: '*'
Edit:
If this solution does not work, check whether your AMI has changed. In my case the AMI became encrypted after a while, without any notice from the AMI provider.
Comments:
You are answering a question with another question. Please avoid doing that.
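What separates the failing key policy in the question from the working CloudFormation template in Answer 2 is the principal list: when an Auto Scaling group launches an instance, EC2 needs to use the EBS key on behalf of the Auto Scaling service-linked role (AWSServiceRoleForAutoScaling), so that role must be granted the key-usage actions and CreateGrant, and the question's policy names only root and a few admin roles. The script below is an added example, not code from the post or from AWS: it loads a KMS key policy document and reports which of the actions Auto Scaling needs for encrypted volumes a given principal is not allowed. The two sample policies and the account id are constructed; the required-action list follows the AWS documentation for Auto Scaling with encrypted volumes, and any condition other than `kms:GrantIsForAWSResource` is conservatively treated as not satisfied.

```python
"""Added example: check whether a KMS key policy lets a principal (here the
Auto Scaling service-linked role) perform the actions needed to launch
instances with encrypted EBS volumes. Sample policies are constructed."""
import fnmatch
import json

# Actions Auto Scaling needs on a customer managed key for encrypted volumes
# (documented list; the ReEncrypt* and GenerateDataKey* wildcards expanded).
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)
ASG_SLR_ARN = ("arn:aws:iam::{account}:role/aws-service-role/"
               "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """True if the statement names the ARN explicitly or uses the '*' principal."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS")))


def _action_matches(stmt, action):
    """IAM action names are case-insensitive and may carry '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action")))


def _condition_holds(stmt):
    """Only kms:GrantIsForAWSResource is judged statically: it is true when an AWS
    service (EC2, for Auto Scaling) creates the grant. Anything else is treated
    conservatively as not satisfied."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    if set(cond) == {"Bool"} and set(cond["Bool"]) == {"kms:GrantIsForAWSResource"}:
        return str(cond["Bool"]["kms:GrantIsForAWSResource"]).lower() == "true"
    return False


def missing_actions(policy_json, principal_arn, required=REQUIRED_ACTIONS):
    """Return the required actions this key policy does NOT allow the principal.
    A matching Deny wins over any Allow, as in IAM evaluation."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    missing = []
    for action in required:
        allowed = denied = False
        for stmt in statements:
            if not (_principal_matches(stmt, principal_arn) and _action_matches(stmt, action)):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow" and _condition_holds(stmt):
                allowed = True
        if denied or not allowed:
            missing.append(action)
    return missing


ACCOUNT = "111122223333"  # constructed placeholder, not a real account id
SLR = ASG_SLR_ARN.format(account=ACCOUNT)
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN = f"arn:aws:iam::{ACCOUNT}:role/core-CloudformationStackAdmin"

# Constructed, shaped like the question's policy: only root and an admin role
# are principals, so the Auto Scaling role never matches any statement.
POLICY_WITHOUT_SLR = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": [ADMIN]},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*"},
]})

# Constructed, shaped like the fix: the service-linked role gets key usage plus
# CreateGrant, the latter limited to grants created for AWS resources.
POLICY_WITH_SLR = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow Auto Scaling to use the key", "Effect": "Allow",
     "Principal": {"AWS": SLR}, "Resource": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
    {"Sid": "Allow Auto Scaling to create grants", "Effect": "Allow",
     "Principal": {"AWS": SLR}, "Action": "kms:CreateGrant", "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]})

if __name__ == "__main__":
    for name, doc in (("question-style policy", POLICY_WITHOUT_SLR),
                      ("policy naming the SLR", POLICY_WITH_SLR)):
        gaps = missing_actions(doc, SLR)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

To run it against a real key, fetch the policy with `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` and pass the resulting document to `missing_actions` together with the service-linked role ARN for your account. A non-empty result is the gap both answers point at; an empty result means the next thing to check is the AMI, as Answer 2's edit notes.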