Background
Recently, deploying an ASG with a Terraform ASG module kept failing with this error:
Error: Termination Reason: Client.InternalError: Client error on launch
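Searching turned up that it is related to the policy for the ASG under KMS.
Solution
In the AWS console, open KMS, go to "Customer managed keys" in the navigation pane, then find the key used to encrypt the AMI and edit its key policy. The key policy needs statements for AWSServiceRoleForAutoScaling.
As shown below; note that <AWS Account Number> must be replaced with your own AWS account number: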
{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<AWS Account Number>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
        ]
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}
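One way to check a key policy for these two statements before launching the ASG, as an added example that is not from the original post. It assumes the policy has been saved as JSON and loaded into a dict, uses a constructed account number (111122223333), and only inspects Allow statements that name the role directly; check_key_policy and SAMPLE_POLICY are hypothetical names.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account number
ROLE_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
               "kms:GenerateDataKey", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
# Constructed sample: the page's two statements wrapped in a policy document.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_role(stmt, role_arn):
    principal = stmt.get("Principal")
    return (isinstance(principal, dict)
            and role_arn in _as_list(principal.get("AWS", [])))

def _allows(stmt, action):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt.get("Action", [])))

def _grant_scoped(stmt):
    cond = stmt.get("Condition", {}).get("Bool", {})
    return str(cond.get("kms:GrantIsForAWSResource", "")).lower() == "true"

def check_key_policy(policy, role_arn=ROLE_ARN):
    """Return findings for the Auto Scaling role; an empty list means covered."""
    stmts = [s for s in _as_list(policy.get("Statement", []))
             if s.get("Effect") == "Allow" and _names_role(s, role_arn)]
    findings = [f"missing {a}" for a in USE_ACTIONS + GRANT_ACTIONS
                if not any(_allows(s, a) for s in stmts)]
    findings += [f"{a} allowed without kms:GrantIsForAWSResource"
                 for a in GRANT_ACTIONS
                 if any(_allows(s, a) and not _grant_scoped(s) for s in stmts)]
    return findings

if __name__ == "__main__":
    print(check_key_policy(SAMPLE_POLICY) or "ASG service-linked role covered")
```

The second kind of finding flags a grant statement that lost its kms:GrantIsForAWSResource condition, which would let the role create grants for any grantee rather than only for AWS services acting on its behalf.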
References
Termination Reason: Client.InternalError: Client error on launch