Based on your description, it seems like you're encountering an issue where Atlassian Bamboo Elastic Agents, specifically when using an AMI with an EBS volume encrypted via a customer-managed AWS KMS key, fail to start properly. Here are some potential causes and troubleshooting steps to help resolve this issue:
- IAM Permissions:
  - Double-check that the IAM roles associated both with the Bamboo server and the Elastic Agents have the necessary permissions to use the KMS key. This includes not just kms:Decrypt, but also kms:Encrypt, kms:ReEncrypt*, kms:DescribeKey, and kms:GenerateDataKey*, as these are often required for operations involving encrypted volumes.
  - Ensure that the IAM roles are properly attached and that there are no policy conflicts or typos.
- KMS Key Policy:
  - Review the policy attached to your customer-managed KMS key. It needs to explicitly allow the IAM roles used by your Bamboo server and its Elastic Agents to interact with the key. This policy should include permissions for actions such as kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.
  - Make sure the key policy doesn't restrict the key usage to specific resources or conditions that are not being met when Bamboo attempts to launch the Elastic Agents.
- Networking and Access:
  - Verify that the network configuration (like VPC settings, subnets, security groups) where the Bamboo Elastic Agents are launched allows outbound connections to KMS endpoints. Sometimes, network restrictions can prevent instances from communicating with KMS.
  - Check if there are any VPC endpoint configurations required for accessing KMS securely within your VPC.
- AMI and EBS Snapshot Permissions:
  - Confirm that the AMI and any associated snapshots are accessible to the account where Bamboo is running. If the AMI or snapshots are shared from another account, ensure that the permissions are set correctly.
  - Verify that the encryption settings of the snapshots used to create the AMI align with what your IAM roles and KMS key policies allow.
- Logs and Monitoring:
  - Utilize CloudTrail logs to monitor and check for any denied requests or other anomalies that occur when Bamboo attempts to launch the Elastic Agents. This can provide clues as to what might be going wrong.
  - Review the system logs from the instances if they're accessible before termination. Sometimes the instance logs can provide a clue on failures related to filesystem mounting, EBS volume decryption errors, etc.
- Test with a Simplified Scenario:
  - Try to manually launch an EC2 instance using the same AMI and EBS encryption settings, under the same IAM role as Bamboo uses, to see if the issue replicates. This can help isolate whether the issue is with Bamboo or the AWS configuration.
These steps should help you identify the root cause of the issue and apply the appropriate fixes. If all configurations look correct, it might be a specific issue with how Bamboo handles KMS-encrypted EBS volumes, and Atlassian Support would be the next best resource.
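As an added example (not part of the answer above or of Bamboo itself), the script below checks a customer-managed KMS key policy for the actions that Amazon EBS documents as required when EC2 launches an instance from an AMI whose volumes are encrypted with that key: kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:GenerateDataKeyWithoutPlaintext and kms:ReEncrypt*. It shows a "before" key policy that only grants kms:Decrypt next to a corrected one that grants the full set, with kms:CreateGrant limited to grants created on behalf of an AWS service (the kms:GrantIsForAWSResource condition). The role ARN, account ID and both policy documents are constructed for the example; replace them with the output of `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` and the ARN of the principal Bamboo actually uses to call RunInstances.

```python
"""Check a KMS key policy for the permissions EBS needs at instance launch.

Added example, not code from the original post or from Atlassian. The
required-action list follows the AWS EBS encryption documentation for
customer-managed keys; the policies and ARNs below are constructed samples.
"""
import fnmatch

# Actions EC2/EBS need on the customer-managed key when launching from an
# AMI with encrypted volumes (per the AWS EBS encryption documentation).
EBS_REQUIRED_ACTIONS = (
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
)

# Assumed names for the example; not taken from the original post.
ACCOUNT_ID = "111122223333"
BAMBOO_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/BambooServerRole"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """True if the statement's Principal covers principal_arn.

    A grant to the account root delegates to IAM, so it only helps if the
    role's own IAM policy also allows the action (the first check in the
    answer above).
    """
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    return any(p in ("*", principal_arn, account_root) for p in aws_principals)


def _allowed_actions(policy, principal_arn):
    """Expand Allow statements for the principal into concrete required actions."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_matches(stmt, principal_arn):
            continue
        for pattern in _as_list(stmt.get("Action")):
            # Patterns such as kms:ReEncrypt* or kms:* expand via shell-style matching.
            allowed.update(a for a in EBS_REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return allowed


def missing_ebs_permissions(policy, principal_arn):
    """Return the required actions the key policy does not grant principal_arn."""
    return sorted(set(EBS_REQUIRED_ACTIONS) - _allowed_actions(policy, principal_arn))


# Constructed "before" policy: Decrypt alone is not enough for EC2 to attach
# the encrypted root volume, so the launch fails.
WEAK_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowDecryptOnly", "Effect": "Allow",
         "Principal": {"AWS": BAMBOO_ROLE},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Constructed corrected policy: the full EBS action set, with CreateGrant
# restricted to grants that an AWS service (here EC2) creates on the
# principal's behalf.
FIXED_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowBambooUseOfKey", "Effect": "Allow",
         "Principal": {"AWS": BAMBOO_ROLE},
         "Action": ["kms:Decrypt", "kms:DescribeKey",
                    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"],
         "Resource": "*"},
        {"Sid": "AllowEc2ToCreateGrants", "Effect": "Allow",
         "Principal": {"AWS": BAMBOO_ROLE},
         "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_KEY_POLICY), ("fixed", FIXED_KEY_POLICY)):
        print(f"{name}: missing {missing_ebs_permissions(policy, BAMBOO_ROLE)}")
```

The checker only reads Allow statements and ignores Deny statements and condition keys other than by reporting what is granted, so a clean result means the key policy is not the blocker; an AccessDenied on kms:CreateGrant or kms:GenerateDataKeyWithoutPlaintext in CloudTrail at launch time points at either the key policy or the role's IAM policy, which is exactly the pair the answer tells you to compare.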