From b98f6e0db841ee16b3896ca3995951bc0a88bd42 Mon Sep 17 00:00:00 2001 From: Megan Marsh Date: Wed, 6 Nov 2019 10:37:01 -0800 Subject: [PATCH] add kms policies to amazon docs --- website/source/docs/builders/amazon.html.md | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/website/source/docs/builders/amazon.html.md b/website/source/docs/builders/amazon.html.md index e29b0be0e..f70776790 100644 --- a/website/source/docs/builders/amazon.html.md +++ b/website/source/docs/builders/amazon.html.md @@ -233,6 +233,21 @@ IAM policies. } ``` +In cases where you are using a KMS key for encryption, your key will need the +following policies at a minimum: + +``` +{ + "Sid": "Allow use of the key", + "Effect": "Allow", + "Action": [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*" + ], + "Resource": "*" +} +``` + ### Checking that system time is current Amazon uses the current time as part of the [request signing @@ -264,3 +279,17 @@ Excepting tasks that we know can take an extremely long time, this defaults to `AWS_POLL_DELAY_SECONDS` - How many seconds to wait in between status update requests. Generally defaults to 2 or 5 seconds, depending on the task. + +### `ResourceNotReady: failed waiting for successful resource state` + +This error message can appear for several reasons, generally during image +copy/encryption. It is often the result of a KMS misconfiguration. Examples of +possible misconfigurations are: + +- You provided an invalid kms_key_id. +- The kms key you provided is a valid key, but not in the region you've said to + use it in. +- The kms key you provided is a valid key, but does not have all of the + necessary policy permissions for an image copy. (see above for the necessary + kms policies) +- You are using STS credentials that expired during a long-running call. \ No newline at end of file
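Review bot: In the first hunk (the new KMS policy block after "IAM policies."), the snippet is a bare statement rather than a complete policy document and has no "Principal" element, yet the text says the key itself "will need the following policies", which points at the KMS key policy; a key-policy statement without a Principal is rejected on save, and a reader cannot tell whether this belongs in the key policy or in the IAM policy of the principal running Packer. Suggest stating which document it goes in, adding the missing element (for a key-policy statement, a "Principal" naming the IAM role or user that performs the copy), and showing it inside a "Version"/"Statement" wrapper as the preceding example at line 233 presumably does. Two smaller points: the fence is untagged, so tag it ```json for consistent highlighting, and "Resource": "*" is conventional in a key policy (it means "this key") but is overly broad if the reader pastes it into an IAM policy, which is another reason to say explicitly where it applies.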
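Review bot: In the second hunk (the new `ResourceNotReady` troubleshooting section), option and service names are inconsistent with the rest of the page: `kms_key_id` should be in backticks like the `AWS_POLL_DELAY_SECONDS` reference just above it, and "kms" should be "KMS" in prose. The parenthetical "(see above for the necessary kms policies)" would be more useful as a link to the new policy section, since "above" is several subsections away. Also, the file now ends without a trailing newline ("\ No newline at end of file"); please restore it.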