
Boto3: encryption of EBS IAM requirements

I am trying to create an EBS encrypted volume. If I keep encryption as False, it works as expected; when I turn it to True, a response with HTTP status 200 is returned and I get everything on my Python console, but in reality the volume doesn't get created.

I think I lack IAM policies. What could be the required policies, as I am not going to get IAM Full Access?

This is the response:

{u'AvailabilityZone': 'ap-south-1a', 'ResponseMetadata': {'RetryAttempts': 0, 'HTTPStatusCode': 200, 'RequestId': '1c51475f-592c-4d78-bc31-242132b820ae', 'HTTPHeaders': {'transfer-encoding': 'chunked', 'vary': 'Accept-Encoding', 'server': 'AmazonEC2', 'content-type': 'text/xml;charset=UTF-8', 'date': 'Fri, 28 Apr 2017 07:09:38 GMT'}}, u'Encrypted': True, u'VolumeType': 'standard', u'VolumeId': 'vol-0fbbd415077636557', u'State': 'creating', u'SnapshotId': '', u'CreateTime': datetime.datetime(2017, 4, 28, 7, 9, 38, 612000, tzinfo=tzutc()), u'Size': 1}

If Encrypted=False, it works fine.

You are most probably attempting to create an encrypted volume from an unencrypted snapshot.

The create_volume() documentation says:

Volumes that are created from encrypted snapshots are automatically encrypted. There is no way to create an encrypted volume from an unencrypted snapshot or vice versa.

Make sure the role or user with which you are making the create_volume() call has the following set of permissions:

"kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:ListGrants", "kms:RevokeGrant", "kms:Encrypt", "kms:DescribeKey"

Since you are trying to encrypt the volumes, you need to make sure your code is able to access the CMK that you intend to use.
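The two points the answers above make (the caller needs the listed kms:* permissions on the CMK, and an HTTP 200 from create_volume() only means the request was accepted, not that the volume ended up usable) can be turned into a small defensive helper. The following is an added example, not code posted by the questioner or by the answerers and not part of boto3 itself: build_kms_policy() emits an IAM policy with exactly the actions listed in the answer, scoped to one key ARN rather than "*", and create_encrypted_volume() calls create_volume(Encrypted=True, KmsKeyId=...) and then polls describe_volumes() until the volume leaves the 'creating' state, raising if it lands in 'error'. The FakeEc2 class is a constructed offline stand-in for a boto3 EC2 client so the block runs without AWS credentials; with a real client you would pass boto3.client("ec2") instead. The key ARN, key aliases and availability zone values are placeholders.

```python
import json
import time
from typing import Any, Callable, Dict

# KMS actions quoted in the answer above. Resource is scoped to a single key ARN
# (caller-supplied placeholder) instead of "*" to keep the grant at least privilege.
KMS_ACTIONS = [
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:ListGrants",
    "kms:RevokeGrant",
    "kms:Encrypt",
    "kms:DescribeKey",
]


def build_kms_policy(key_arn: str) -> Dict[str, Any]:
    """Return an IAM policy document granting the listed KMS actions on one CMK."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowEbsEncryptionWithCmk",
                "Effect": "Allow",
                "Action": list(KMS_ACTIONS),
                "Resource": key_arn,
            }
        ],
    }


def policy_json(key_arn: str) -> str:
    """Serialised form of build_kms_policy(), ready to paste into an IAM policy."""
    return json.dumps(build_kms_policy(key_arn), indent=2)


def create_encrypted_volume(ec2, availability_zone: str, size_gib: int, kms_key_id: str,
                            max_attempts: int = 30, poll_interval: float = 2.0,
                            sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Create an encrypted volume and wait until it is no longer 'creating'.

    `ec2` is a boto3 EC2 client or an object with the same create_volume /
    describe_volumes methods. A 200 response is returned while the volume is
    still in state 'creating'; if the caller cannot use the CMK it later moves
    to 'error', which is why we poll instead of trusting the first response.
    """
    resp = ec2.create_volume(AvailabilityZone=availability_zone, Size=size_gib,
                             Encrypted=True, KmsKeyId=kms_key_id)
    volume_id = resp["VolumeId"]
    vol = resp
    state = resp.get("State", "creating")
    for _ in range(max_attempts):
        if state != "creating":
            break
        sleep(poll_interval)
        vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
        state = vol["State"]
    if state != "available":
        raise RuntimeError(
            f"{volume_id} ended in state {state!r}; check that the caller has the "
            f"listed kms:* permissions on the CMK and that the key policy allows it")
    return {"VolumeId": volume_id, "State": state,
            "Encrypted": vol["Encrypted"], "KmsKeyId": vol.get("KmsKeyId")}


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (offline demo only).

    A volume is reported as 'creating' on its first describe call and then as
    'available', or as 'error' when the key id is not one the caller may use.
    """

    def __init__(self, usable_keys):
        self.usable_keys = set(usable_keys)
        self.volumes: Dict[str, Dict[str, Any]] = {}

    def create_volume(self, **kwargs):
        vid = "vol-%017x" % (len(self.volumes) + 1)  # constructed id
        final = "available" if kwargs["KmsKeyId"] in self.usable_keys else "error"
        self.volumes[vid] = {"pending": 1, "final": final, "kwargs": kwargs}
        return {"VolumeId": vid, "State": "creating", "Encrypted": kwargs["Encrypted"],
                "ResponseMetadata": {"HTTPStatusCode": 200}}

    def describe_volumes(self, VolumeIds):
        out = []
        for vid in VolumeIds:
            v = self.volumes[vid]
            if v["pending"] > 0:
                v["pending"] -= 1
                state = "creating"
            else:
                state = v["final"]
            out.append({"VolumeId": vid, "State": state,
                        "Encrypted": v["kwargs"]["Encrypted"],
                        "KmsKeyId": v["kwargs"]["KmsKeyId"]})
        return {"Volumes": out}


if __name__ == "__main__":
    print(policy_json("arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"))
    demo = FakeEc2(usable_keys=["alias/allowed-key"])
    print(create_encrypted_volume(demo, "ap-south-1a", 1, "alias/allowed-key", sleep=lambda _: None))
```

The IAM policy is only half of the access decision: the CMK's own key policy must also allow the principal (or delegate to IAM via the account root statement), which is the "able to access the CMK" condition the answer refers to. Polling describe_volumes() makes a silently failed creation visible as an exception rather than a 200 that later disappears.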
