Problem description
Whenever a DR restore is triggered, it updates the EBS volumes in the AWS console. If the EBS volumes have KMS encryption enabled, the Druva IAM role is unable to access them because of the KMS encryption.
Cause
Whenever a DR restore is triggered, the restore fails while updating the EBS volumes in the AWS console. If the EBS volumes have KMS encryption enabled, the Druva IAM role is unable to access them because it has no permissions on the KMS key that encrypts the volumes.
Traceback
[2021-04-30 13:01:54,992] [ERROR] EC2Client : Failed to create EBS volume for vol-type=gp2, size=50, avail_zone=us-west-2b, tag_spec=[{'ResourceType': 'volume', 'Tags': [{'Value': u'Phoenix_3479_880650429586_1098_us-west-2_871467_6000C297-9575-ed6f-82fe-9c4e92194af0_706', 'Key': 'Name'}]}]: error = Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.
[2021-04-30 13:01:54,992] [ERROR] Error <class 'botocore.exceptions.WaiterError'>:Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.. Traceback -Traceback (most recent call last):
File "roboClientLib/boto3/ec2client.py", line 104, in create_ebs_volume
File "botocore/waiter.py", line 53, in wait
File "botocore/waiter.py", line 313, in wait
WaiterError: Waiter VolumeAvailable failed: The volume 'vol-004751b5136334cb1' does not exist.
Resolution
In the IAM console, click Roles.
Search for DruvaIAMRolePL.
Click DruvaIAMRolePL, then open the attached policy.
Click Edit Policy.
In the Visual editor, click Additional Permissions.
Choose KMS as the service.
Under Actions, select the KMS actions listed below.
To apply the permission in all regions, select all resources.
To restrict it to a specific region, go to alias and select Add ARN.
After clicking Add ARN, a popup asks for the region and alias; fill these in and save the changes.
KMS now appears in the section above; click Preview policy.
The same permissions can be granted by editing the policy JSON and adding the statement below to the policy's Statement list.
{
    "Effect": "Allow",
    "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant"
    ],
    "Resource": [
        "arn:aws:kms:us-west-2:80629586:key/*"
    ]
}
Note: in the example statement above,
us-west-2: region of the encrypted volumes.
80629586: AWS account number. The key/* suffix covers every KMS key in that region and account.
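Before attaching the edited policy, it is worth checking that the statement actually grants every KMS action the restore needs on the key that encrypts the volumes. The check below is an added example, not Druva's code or an AWS API: it expands the wildcard actions from the statement above into the concrete KMS actions they cover and reports which ones a policy document fails to allow on a given key ARN. The policies and the key ARN are constructed samples with a placeholder account id.

```python
import fnmatch

# Concrete KMS actions that the wildcard list in the resolution expands to.
REQUIRED_KMS_ACTIONS = [
    "kms:DescribeKey", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:Decrypt",
    "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant",
]

# Constructed sample: the statement from this article with a placeholder account id.
KEY_ARN = "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                   "kms:ReEncrypt*", "kms:Decrypt", "kms:ListGrants",
                   "kms:CreateGrant", "kms:RevokeGrant"],
        "Resource": ["arn:aws:kms:us-west-2:123456789012:key/*"],
    }],
}
# Constructed sample of an incomplete edit: kms:CreateGrant was left out.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Resource": "arn:aws:kms:*:123456789012:key/*",
                  "Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt",
                             "kms:ReEncrypt*", "kms:Decrypt", "kms:ListGrants",
                             "kms:RevokeGrant"]},
}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def missing_kms_actions(policy, key_arn):
    """Return the required actions that no Allow statement grants on key_arn.
    Actions are matched case-insensitively with IAM-style '*' wildcards and
    resource ARNs with the same glob. Deny statements, NotAction and
    Condition blocks are not evaluated, so an empty result is necessary,
    not sufficient, for the restore to succeed."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in REQUIRED_KMS_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in REQUIRED_KMS_ACTIONS if a not in granted]
```

A key in a region the Resource ARN does not cover (for example a key in eu-west-1 against the us-west-2 statement) is reported as missing every action, which is the situation that produces the traceback above.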