Friday, June 17, 2022

Client.InternalError: Client.InternalError: Client error on launch | by Teri Radichel | Bugs That Bite | Jun, 2022


Annoying error messages that don’t tell you what the problem is.

This is one of my most dreaded and annoying error messages.

Client.InternalError: Client.InternalError: Client error on launch

I know from past experience what it usually refers to, but the message is in no way helpful. Are you trying to be cryptic, AWS EC2 programmers? People will eventually figure it out via a Google search, but I’ve spent hours of my life on this error message over time when I forget what it was the last time, as I’m always jumping around on projects.

I’m guessing this has to do with the KMS key I passed in to encrypt the AMI. The role that’s running my Packer script doesn’t have access to the key to encrypt the Amazon Machine Image I’m trying to build encrypted.

It also occurs when you encrypt and try to share an AMI with another account and that account doesn’t have permissions.

Let’s check that hypothesis.

First of all I need to take a look at the key policy associated with the key and see who’s allowed to use it. I presume Packer would only need to encrypt on first run, but I build AMIs in stages. The next stage that uses my base AMI will also need to decrypt. I probably don’t need quite this many permissions, but I added the following to the end of my KMS key policy (fix the role name to match your own).

, {
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/xxxxx-role"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow attachment of persistent resources",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxx:role/xxxxx-role"
    },
    "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "kms:GrantIsForAWSResource": "true"
        }
    }
}

I should probably add an external ID to that role. Additionally, I need to check that the role that’s assigned to my EC2 instance has permissions to use KMS as well. I already know it does, so I’m good there.
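An offline way to run the key policy check described above, added here as an example and not taken from the original post: it reads a key policy document and reports, per KMS action, whether a given role is named in a matching statement. The function names, the list of actions checked, and the sample account ID and role name are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# Assumed list of KMS actions to verify; adjust to what your build needs.
NEEDED = ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
          "kms:ReEncryptFrom", "kms:CreateGrant"]

def as_list(value):
    """Policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value] if value else []

def names_role(principal, role_arn):
    """True if the Principal element is "*" or lists role_arn under "AWS"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and role_arn in as_list(principal.get("AWS"))

def check_key_policy(policy_json, role_arn, needed=NEEDED):
    """Map each action to 'allowed', 'conditional', 'denied' or 'missing'.
    Only the key policy is read: NotAction, NotPrincipal, account-root
    delegation and the role's own IAM policies are not evaluated."""
    result = {action: "missing" for action in needed}
    for stmt in as_list(json.loads(policy_json).get("Statement")):
        if not names_role(stmt.get("Principal"), role_arn):
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action"))]
        for action in needed:
            if not any(fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                result[action] = "denied"  # an explicit Deny always wins
            elif result[action] == "missing" or (
                    result[action] == "conditional" and not stmt.get("Condition")):
                result[action] = "conditional" if stmt.get("Condition") else "allowed"
    return result

# Constructed sample: the two statements from the post with placeholder ARNs.
ROLE = "arn:aws:iam::111122223333:role/example-packer-role"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": ROLE}, "Resource": "*",
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]})

if __name__ == "__main__":
    for action, verdict in check_key_policy(SAMPLE_POLICY, ROLE).items():
        print(f"{action:40} {verdict}")
```

To run it against a real key, pass in the document returned by aws kms get-key-policy --key-id <your-key-id> --policy-name default --output text instead of the sample.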

And…success. Finally, once again, we’re building AMIs with Packer. Some of the other errors in this blog took way too long to resolve as explained — and this is from someone who’s been programming since 1994 (not even counting programming as a kid back in 1980). If it’s hard for me to figure these things out, consider how a beginning programmer feels.

This also happens in the EC2 dashboard. An instance shuts down immediately with this cryptic error message. Imagine dealing with 11,000 developers asking you questions like I did at Capital One, and they all want to know why their instances won’t run. They all spend time googling or asking the cloud team questions when they try to do things they aren’t allowed to do. Tons of wasted time over my life because of this cryptic error message.

Fix: Make your error messages better so people can resolve issues in a timely manner!

Teri Radichel — Follow me @teriradichel on Twitter

© 2nd Sight Lab 2022
