AWS lamba start_instances gives pending response but console still shows stopped

amazon-ec2 amazon-lambda

I have a lambda function that I have setup to start an instance:

import boto3
ec2 = boto3.client('ec2')
response = ec2.start_instances(
    InstanceIds=['i-xxx']
)
print(response)

The response looks good, showing it going to pending from stopped:

START RequestId: 26c0cf5e-6d70-4701-b0bd-68276b06d30d Version: $LATEST
{
    "StartingInstances": [
        {
            "CurrentState": {"Code": 0, "Name": "pending"},
            "InstanceId": "i-xxxxxx",
            "PreviousState": {"Code": 80, "Name": "stopped"},
        }
    ],
    "ResponseMetadata": {
        "RequestId": "fdab5818-0536-457f-a19e-17fea60100f4",
        "HTTPStatusCode": 200,
        "HTTPHeaders": {
            "x-amzn-requestid": "fdab5818-0536-457f-a19e-17fea60100f4",
            "content-type": "text/xml;charset=UTF-8",
            "content-length": "579",
            "date": "Wed, 16 Dec 2020 18:38:57 GMT",
            "server": "AmazonEC2",
        },
        "RetryAttempts": 0,
    },
}
END RequestId: f2ed2be9-e2f2-4beb-a69b-4cddee35bef4
REPORT RequestId: f2ed2be9-e2f2-4beb-a69b-4cddee35bef4  Duration: 1381.48 ms    Billed Duration: 1382 ms    Memory Size: 256 MB Max Memory Used: 97 MB  Init Duration: 688.96 ms

However, when I look at the console, it still shows as stopped and never starts.

It doesnt seem like it failed to start:

                "StateReason": {
                    "Code": "Client.UserInitiatedShutdown",
                    "Message": "Client.UserInitiatedShutdown: User initiated shutdown",
                },

Execution Based Policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "xxxxxxx",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "xxxxxxFunction",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "xxxxxxxx"
        }
      }
    }
  ]
}

It seems like it didn't really try to start. I've used this code to start other instances. I'm wondering if it is a permissions issue, but there is no error. The lambda function execution role has EC2fullaccess.

Note, another datapoint. I have tried further code that uses ssm send command to send a command once its running (after manually starting). If I try that while it's running it succeeds.


Your EBS volume is encrypted using a KMS key, and the IAM role your Lambda function is using does not have permission to decrypt using that KMS key. In this case, the EC2 instance starts, but then immediately stops.

So there are two possible solutions.

Solution 1: Add your IAM role as a "user" of your KMS key. This requires you to edit the permission policy attached to your KMS key, and add your IAM role as a "user" of the key (to encrypt/decrypt).

Solution 2: Add kms:CreateGrant to your Lambda's IAM role. With this on your IAM role, AWS will allow the EC2 instance to start.

Related

Unable to delete primordial storage pool from Win 10 storage spaces
Running script as user with root permissions
Synthesize A records when only having AAAA [closed]
How do I get Bugzilla to authenticate with Active Directory LDAP?
Using Docker with firewalld
Large accumulation of log files under ~/.config/gcloud/logs
How to turn off SSL certificate verification for RedHat Kickstartfile downloading
Upgrade from SQL 2008 to SQL 2012: do we need to change connection string?
extract timestamp from p7s(signature file)
Exchange crashed, backups failed, only mail is on my mobile (andriod) device, is it possible to move that data to Exchange Online?
Restore Mailboxes from Exchange 2007
AAAA with no ANSWER section