Fixing “com.amazon.coral.service.InternalFailure” when using ACM

If you’re using the AWS ACM console to create a certificate, and at the final stage you get this annoying and useless com.amazon.coral.service.InternalFailure, I’ve got the solution for you.

You’re probably working in an AWS Organization with a Service Control Policy (SCP) or a restricted IAM user where you’ve been given the acm:* permissions thinking this is enough. Sadly not, the solution is you additionally need to add:

kms:CreateGrant

to your IAM or SCP policy in order to successfully create the certificate request. Given certificates need to be accessed by Key Management Service (kms) it makes sense that a new certificate needs the permission to create a grant for it.

That’s it, hope this saved you from fruitless googling!

About the Author

Pete
Pete is the person that owns this website. This is his face. His opinions are his own except when they're not, at which point you're forced to guess and your perception of what is truly real is diminished that little bit more.