
Unable to create AMI because packer keeps exiting with KMS incorrect state #12683

Open
megablend opened this issue Nov 6, 2023 · 7 comments

Comments

@megablend

Hi Folks,

I need help understanding why packer fails while retrieving KMS key state. The provided key actually is enabled but fails with this error when we are build:

Instance state change details: Client.InternalError: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

@megablend megablend added the bug label Nov 6, 2023
@nywilken
Contributor

Thanks for reaching out. In order for us to best help, could you provide the things requested in the issue template, including the simplest Packer configuration and scripts needed to reproduce the bug?

That said, this looks like an error coming directly from AWS that Packer may be outputting.

Have you tried to retrieve the key using the aws kms command with the same IAM or login being used by Packer?

@jason-oc

jason-oc commented Nov 24, 2023

Currently dealing with this as well.

==> amazon-ebs.linux: Error waiting for instance (i-0e19fe8f88662c2e9) to become ready: ResourceNotReady: failed waiting for successful resource state
==> amazon-ebs.linux: Instance state change details: Client.InternalError: Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

vars.pkr.hcl

variable "encrypt_boot" {
  type    = bool
  default = true   # bool literal; the quoted "true" is a string Packer has to convert
}

variable "kms_key_id" {
  type    = string
  # customer-managed key used for the encrypted root volume (example ARN)
  default = "arn:aws:kms:us-east-1:123456789123:key/blah-blah-blah-blah"
}

source.pkr.hcl

source "amazon-ebs" "linux" {
  encrypt_boot  = var.encrypt_boot
  kms_key_id    = var.kms_key_id
  # rest of the source block was not included in the post
}

$ packer --version
1.9.4

@jason-oc

I fixed it by adding full KMS access to the IAM role assigned to the instance that Packer spins up. Initially I tried Read and Write only, but it failed with the same error; only full access to KMS fixed it.

@henrysachs

I have the same issue; also, I just had the chance to grant more permissions to the EC2.

@dchittibala

+1
I have the same issue, and it needs full kms:* on the key policy, else it gets the following error:
Client.InvalidKMSKey.InvalidState: The KMS key provided is in an incorrect state

@dchittibala

dchittibala commented Jan 16, 2024

                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:EnableKey",
                "kms:ImportKeyMaterial",
                "kms:GenerateRandom",
                "kms:Verify",
                "kms:GenerateDataKeyPair",
                "kms:GetParametersForImport",
                "kms:SynchronizeMultiRegionKey",
                "kms:UpdatePrimaryRegion",
                "kms:ScheduleKeyDeletion",
                "kms:DescribeKey",
                "kms:Sign",
                "kms:EnableKeyRotation",
                "kms:GetKeyPolicy",
                "kms:GenerateDataKey*",
                "kms:CreateGrant"

These were my permissions; I tried to granularize my permissions. I didn't want to give kms:*.
Might help someone else.

@PurplePros

PurplePros commented Jan 16, 2024

@dchittibala I was facing this issue as well. I believe you only need the following permissions in the KMS key's policy:

"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant"

The policy can then target the role that is running Packer. In our case, we have other EC2 machines executing Packer to create the AMIs.

Reference: https://docs.aws.amazon.com/autoscaling/ec2/userguide/key-policy-requirements-EBS-encryption.html#policy-example-cmk-access
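An added example, not from the thread or the Packer project: key-policy statements for the role that runs Packer with only the six actions listed above (the CreateGrant condition is the one the linked AWS doc uses), plus an offline check that reports which of those actions a given key policy fails to grant to that role, which is the first thing to verify when a build stops with Client.InvalidKMSKey.InvalidState. The role ARN and the partial policy are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Actions the thread settled on for the role that runs Packer with encrypt_boot.
REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant",
)

def packer_key_policy_statements(role_arn):
    """Allow statements for the Packer role: the usage actions, plus CreateGrant
    limited to grants made for AWS resources (the EC2/EBS case), the condition
    the linked AWS doc uses. No kms:*. role_arn is a caller-supplied placeholder."""
    return [
        {"Sid": "PackerRoleUseOfKey", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": list(REQUIRED_ACTIONS[:-1]), "Resource": "*"},
        {"Sid": "PackerRoleGrantsForAwsResources", "Effect": "Allow",
         "Principal": {"AWS": role_arn},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
    ]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, role_arn):
    if principal == "*":
        return True
    return isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS", []))

def missing_actions(key_policy, role_arn):
    """Required actions that no Allow statement grants directly to role_arn.
    Only explicit principals and action wildcards are evaluated; Deny
    statements, Conditions and access delegated through the account root
    are not, so a non-empty result is a sure gap, an empty one is not proof."""
    granted = []
    for st in key_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and _principal_matches(st.get("Principal"), role_arn):
            granted.extend(_as_list(st.get("Action", [])))
    return [a for a in REQUIRED_ACTIONS if not any(fnmatchcase(a, g) for g in granted)]

if __name__ == "__main__":
    role = "arn:aws:iam::123456789123:role/packer-build"  # placeholder ARN
    # Constructed policy granting only three of the six actions: the build would still fail.
    partial = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
               "Principal": {"AWS": role}, "Resource": "*",
               "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]}]}
    print("missing from partial policy:", missing_actions(partial, role))
    print(json.dumps({"Version": "2012-10-17", "Statement": packer_key_policy_statements(role)}, indent=2))
```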


6 participants