Migration Fails with a KMS key Error
Reference Number: AA-00413 Views: 251 Created: 03-07-2017 09:19 Last Updated: 03-07-2017 10:28

Symptoms:

A server workload migration to your Amazon environment failed to complete successfully; the DynaCenter log indicates the following issue:

Failed to copy image with KMS key: Waiter ImageAvailable failed: Waiter encountered a terminal failure state

Applies To:

DynaCenter 6.7.0 and later

Background:

When you migrate a server workload to an Amazon environment using a customer master key (CMK) for EBS volume encryption, you must ensure that the IAM identity (the IAM user, the IAM user who is assuming an IAM role, or the IAM user who belongs to an IAM group) being used to run the migration operation from DynaCenter has permission to use the CMK.

More Information:

For more information about the AWS Key Management Service (KMS):

http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Resolution:

To ensure the IAM identity has permission to use a specified CMK for volume encryption:

1. On the AWS Management Console, navigate to Security, Identity & Compliance→IAM.

2. In the navigation pane on the left, click Encryption keys.


3. Use the Region filter to select the region where the key exists.


4. In the list of keys, click the Alias for the key you want to add an IAM identity to.

5. On the key page, locate the Key Users section, and then click Add.

6. In the list of users and roles, select the users and/or roles that can use this key, and then click Attach.

7. Retry the workload migration using the IAM identity that was attached to the CMK you are using for EBS encryption.
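
To confirm the result of steps 4 to 6 before retrying, the following added example (not DynaCenter or AWS code) checks a key policy document for the actions that the Key Users section grants to an identity. The account ID, role and user names, and the sample policy are constructed placeholders; the check is simplified and ignores Deny statements, conditions, and access delegated to IAM policies through the account principal.

```python
import json
from fnmatch import fnmatchcase

# Actions the console's Key Users section adds to a key policy (AWS default key policy).
KEY_USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
    "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_principal(statement, arn):
    """True if the statement's Principal lists this ARN (or a wildcard)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return principal == "*"
    aws = _as_list(principal.get("AWS", []))
    return arn in aws or "*" in aws

def missing_key_user_actions(policy_json, principal_arn):
    """Key-user actions that no Allow statement grants directly to principal_arn.
    Simplified: ignores Deny, Condition, and access delegated to IAM policies."""
    patterns = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") == "Allow" and _names_principal(stmt, principal_arn):
            patterns += [a.lower() for a in _as_list(stmt.get("Action", []))]
    return [a for a in KEY_USER_ACTIONS
            if not any(fnmatchcase(a.lower(), p) for p in patterns)]

# Constructed sample policy; account ID and identity names are placeholders.
MIGRATION_ROLE = "arn:aws:iam::111122223333:role/ExampleMigrationRole"
OTHER_USER = "arn:aws:iam::111122223333:user/example-user"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": [MIGRATION_ROLE, OTHER_USER]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": MIGRATION_ROLE},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
]})

if __name__ == "__main__":
    for arn in (MIGRATION_ROLE, OTHER_USER):
        print(arn, "missing:", missing_key_user_actions(SAMPLE_POLICY, arn) or "nothing")
```

The policy text to feed in can be copied from the key's policy view in the console or retrieved with `aws kms get-key-policy --key-id <key-id> --policy-name default`.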