
Introduction

The previous post discussed KMS keys, what they are used for, and how to use them with Elastigroup.

This works just fine, as everything is being done within the same AWS account.

What if the key and the instances live in different AWS accounts? Here is a short walkthrough.

Let’s start with a few assumptions:

  • You have created the key as described in our previous post.
  • Account actKey is the account that holds the KMS key.
  • Account actInst is the account that runs the instances.
  • The key and the instances must be in the same region.

Follow these steps:

    1. Create the KMS key in account actKey.
    2. In the key’s properties, add the actInst account number under External Accounts and save the changes.
    3. Switch to the policy view of the key, remove the kms:GrantIsForAWSResource condition from the statement that allows kms:CreateGrant, and save the changes. While that condition is present, actInst may only create grants on behalf of AWS services, and the Spotinst role granted in step 9 is not one. Removing it also means actInst can issue grants on this key to any principal it chooses, so keep the External Accounts list limited to accounts you trust.
    4. Note the key ARN (arn:aws:kms:<region>:<actKey account id>:key/<key id>). Every step performed in actInst refers to the key by this full ARN, because a bare key ID cannot be resolved from another account.
    5. In account actInst, create an IAM policy with the following JSON, replacing <KMS key-ARN> with the ARN from step 4:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "AllowUseOfTheKey",
                  "Effect": "Allow",
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:ReEncrypt*",
                      "kms:GenerateDataKey*",
                      "kms:DescribeKey"
                  ],
                  "Resource": [
                      "<KMS key-ARN>"
                  ]
              },
              {
                  "Sid": "AllowAttachmentOfPersistentResources",
                  "Effect": "Allow",
                  "Action": [
                      "kms:CreateGrant",
                      "kms:ListGrants",
                      "kms:RevokeGrant"
                  ],
                  "Resource": [
                      "<KMS key-ARN>"
                  ]
              }
          ]
      }

    6. The remaining steps are performed in account actInst with the AWS CLI. Note which IAM user your AWS CLI profile is configured with.
    7. Attach the policy from step 5 to that user.
    8. Copy the Spotinst role ARN (in the Spotinst console, click the person icon in the top right corner).
    9. Run the following command in a terminal (grant for the Spotinst role):
      aws kms create-grant --key-id <KMS key-ARN> --grantee-principal <Spotinst role ARN> --operations "Encrypt" "Decrypt" "RetireGrant" "DescribeKey" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "ReEncryptFrom" "ReEncryptTo" "CreateGrant" --name spotinst-grant

    10. In IAM in account actInst, find the AWSServiceRoleForEC2Spot service-linked role and copy its ARN. The EC2 Spot service assumes this role when it launches the instances, so it needs its own grant to use the key for the encrypted volumes.
    11. Run the following command in a terminal (grant for the Spot service-linked role):
      aws kms create-grant --key-id <KMS key-ARN> --grantee-principal <AWSServiceRoleForEC2Spot ARN> --operations "Encrypt" "Decrypt" "RetireGrant" "DescribeKey" "GenerateDataKey" "GenerateDataKeyWithoutPlaintext" "ReEncryptFrom" "ReEncryptTo" "CreateGrant" --name spot-grant
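The same procedure as one AWS CLI script, added here as an example; it is not from the original post and not Spotinst’s own tooling. It assumes two named CLI profiles, actKey and actInst (hypothetical names), an IAM user in actInst named by INST_USER, and that the key ARN from step 4 and the Spotinst role ARN from step 8 are supplied in KEY_ARN and SPOTINST_ROLE_ARN. The key policy it writes is what the console produces in steps 2 and 3: the actInst root principal is added, and the kms:GrantIsForAWSResource condition is absent from the CreateGrant statement. The policy-document and ARN helpers run offline; nothing touches AWS unless APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Profile names, user name and
# policy name below are assumptions; adjust them to your accounts.
set -eu

REGION="${REGION:-us-east-1}"
ACT_KEY_PROFILE="${ACT_KEY_PROFILE:-actKey}"
ACT_INST_PROFILE="${ACT_INST_PROFILE:-actInst}"
INST_USER="${INST_USER:-spotinst-cli}"

# Field N of an ARN: arn:partition:service:region:account:resource
arn_field()   { printf '%s' "$1" | cut -d: -f"$2"; }
arn_region()  { arn_field "$1" 4; }
arn_account() { arn_field "$1" 5; }

# Key policy for the key in actKey (steps 2 and 3). The last statement is the
# default "attachment of persistent resources" statement WITHOUT its
# kms:GrantIsForAWSResource condition, so actInst may grant the key to the
# Spotinst role. Merge with any administrator statements your key already has.
key_policy_doc() {
  act_key="$1"; act_inst="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "Enable IAM User Permissions", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${act_key}:root" },
      "Action": "kms:*", "Resource": "*" },
    { "Sid": "Allow use of the key", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${act_inst}:root" },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": "*" },
    { "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${act_inst}:root" },
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": "*" }
  ]
}
EOF
}

# IAM policy for the actInst CLI user (step 5), scoped to this one key ARN.
consumer_policy_doc() {
  key_arn="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowUseOfTheKey", "Effect": "Allow",
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey" ],
      "Resource": [ "${key_arn}" ] },
    { "Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
      "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ],
      "Resource": [ "${key_arn}" ] }
  ]
}
EOF
}

# Steps 9 and 11: one grant per principal, same operation list as the post.
grant_key() {
  aws --profile "$ACT_INST_PROFILE" --region "$REGION" kms create-grant \
    --key-id "$1" --grantee-principal "$2" --name "$3" \
    --operations Encrypt Decrypt RetireGrant DescribeKey GenerateDataKey \
      GenerateDataKeyWithoutPlaintext ReEncryptFrom ReEncryptTo CreateGrant
}

main() {
  : "${KEY_ARN:?ARN of the key created in actKey}"
  : "${SPOTINST_ROLE_ARN:?Spotinst role ARN from the Spotinst console}"
  act_key=$(arn_account "$KEY_ARN")
  act_inst=$(aws --profile "$ACT_INST_PROFILE" sts get-caller-identity --query Account --output text)
  [ "$(arn_region "$KEY_ARN")" = "$REGION" ] || { echo "key and instances must share a region" >&2; exit 1; }
  [ "$act_key" != "$act_inst" ] || { echo "key is not in another account" >&2; exit 1; }

  # Steps 2-3 (actKey): install the cross-account key policy.
  key_policy_doc "$act_key" "$act_inst" > key-policy.json
  aws --profile "$ACT_KEY_PROFILE" --region "$REGION" kms put-key-policy \
    --key-id "$KEY_ARN" --policy-name default --policy file://key-policy.json

  # Steps 5-7 (actInst): policy for the CLI user, attached to that user.
  consumer_policy_doc "$KEY_ARN" > consumer-policy.json
  policy_arn=$(aws --profile "$ACT_INST_PROFILE" iam create-policy \
    --policy-name elastigroup-cross-account-kms \
    --policy-document file://consumer-policy.json --query Policy.Arn --output text)
  aws --profile "$ACT_INST_PROFILE" iam attach-user-policy --user-name "$INST_USER" --policy-arn "$policy_arn"

  # Steps 8-11 (actInst): grants for the Spotinst role and the Spot service-linked role.
  spot_slr_arn=$(aws --profile "$ACT_INST_PROFILE" iam get-role \
    --role-name AWSServiceRoleForEC2Spot --query Role.Arn --output text)
  grant_key "$KEY_ARN" "$SPOTINST_ROLE_ARN" spotinst-grant
  grant_key "$KEY_ARN" "$spot_slr_arn" spot-grant

  # Check from actInst that both grants exist on the foreign key.
  aws --profile "$ACT_INST_PROFILE" --region "$REGION" kms list-grants --key-id "$KEY_ARN"
  echo "Use this ARN as kmsKeyId in the Elastigroup block device mapping: $KEY_ARN"
}

if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Run it as APPLY=1 KEY_ARN=... SPOTINST_ROLE_ARN=... ./cross-account-kms.sh once you have checked key-policy.json against your existing key policy; the region and account checks at the start of main enforce the two assumptions listed above before anything is changed.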


That’s it! You can now set the key ARN as kmsKeyId in the block device mapping (BDM) section of the Elastigroup configuration. Use the full ARN rather than the bare key ID, since the key lives in another account:

(https://api.spotinst.com/elastigroup-for-aws/concepts/compute-concepts/block-device-mapping/)

 "blockDeviceMappings": [
    {
      "deviceName": "/dev/sdf",
      "ebs": {
        "encrypted": true,
        "kmsKeyId": "<KMS key-ARN>",
        "volumeSize": 20
      }
    }
  ]