An error occurred (KMSInvalidStateException) when calling the Decrypt operation: request was rejected because the key state is PendingDeletion
ID: aws/kms-key-deleted-or-disabled
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| KMS 2014-11-01 | active | — | — | — |
| AWS CLI 2.18.0 | active | — | — | — |
| AWS SDK for Python 1.34.0 | active | — | — | — |
Root cause
The KMS key referenced by the ciphertext is in the PendingDeletion state: ScheduleKeyDeletion has been called on it, and KMS refuses every cryptographic operation (Decrypt, Encrypt, GenerateDataKey and so on) on a key in that state with KMSInvalidStateException. The key stays in PendingDeletion for the waiting period chosen when deletion was scheduled (7 to 30 days); when that period expires the key and its key material are deleted, and any ciphertext encrypted under it becomes permanently unrecoverable.
Official documentation
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Solution
- If the key is in PendingDeletion and the waiting period has not expired, cancel the scheduled deletion (CancelKeyDeletion, aws kms cancel-key-deletion --key-id <key-id>). Check the DeletionDate reported by DescribeKey first to confirm the deadline has not passed. Cancelling moves the key to the Disabled state, so enable it again (EnableKey, aws kms enable-key --key-id <key-id>) before retrying Decrypt.
- If the key has already been deleted (the waiting period expired), the ciphertext cannot be recovered: restore from a backup that was encrypted under a different key, or use the last known plaintext if one is available. For critical data, schedule deletion with the longest waiting period (--pending-window-in-days 30, which is also the default; the minimum KMS allows is 7 days) so there is time to notice the scheduled deletion and cancel it.
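The following Python script is an added example (not code from this page or from AWS) that ties the two steps above together: it recognises the botocore error shape for KMSInvalidStateException, reads DescribeKey KeyMetadata (a constructed sample with a placeholder key ID is embedded), decides whether the key can still be rescued within the waiting period, emits the matching aws kms commands, and, when boto3 and credentials are present, performs CancelKeyDeletion followed by EnableKey. The function names, the sample metadata and the recover_key helper are assumptions of this example; the offline functions run without boto3 installed.

```python
"""Triage and recover from KMSInvalidStateException on Decrypt (added example)."""
import datetime as dt

try:
    import boto3                                  # optional: live path only
    from botocore.exceptions import ClientError
except ImportError:                               # offline demo runs without boto3
    boto3 = None
    ClientError = Exception

# Constructed sample of DescribeKey KeyMetadata for a key scheduled for deletion.
# The key ID is a placeholder, not a real key.
SAMPLE_PENDING = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "PendingDeletion",
    "DeletionDate": "2025-03-15T00:00:00+00:00",
    "PendingDeletionWindowInDays": 30,
}

# Range KMS accepts for ScheduleKeyDeletion's PendingWindowInDays.
MIN_PENDING_WINDOW_DAYS, MAX_PENDING_WINDOW_DAYS = 7, 30


def is_key_state_error(error_response):
    """True for the botocore error shape of a KMSInvalidStateException."""
    return error_response.get("Error", {}).get("Code") == "KMSInvalidStateException"


def _as_utc(value):
    """Accept a datetime (boto3) or ISO-8601 string (CLI JSON); return aware UTC."""
    if isinstance(value, str):
        value = dt.datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=dt.timezone.utc)
    return value.astimezone(dt.timezone.utc)


def triage(metadata, now=None):
    """Map KeyMetadata to the recovery action for a failing Decrypt."""
    now = _as_utc(now) if now is not None else dt.datetime.now(dt.timezone.utc)
    state = metadata.get("KeyState")
    if state == "Enabled":
        return {"action": "ok",
                "detail": "key is usable; Decrypt fails for another reason (policy, grant, wrong key)"}
    if state == "Disabled":
        return {"action": "enable_key", "detail": "key is disabled; EnableKey restores it"}
    if state == "PendingDeletion":
        remaining = _as_utc(metadata["DeletionDate"]) - now
        if remaining.total_seconds() > 0:
            return {"action": "cancel_key_deletion_then_enable",
                    "days_left": remaining.days,
                    "detail": "deletion still pending; cancel it, then enable the key"}
        return {"action": "key_gone",
                "detail": "waiting period expired; key material destroyed, restore from backup"}
    return {"action": "investigate", "detail": f"unexpected KeyState {state!r}"}


def recovery_commands(metadata, now=None):
    """AWS CLI commands matching triage(); empty when nothing can be done."""
    key_id = metadata.get("KeyId", "<key-id>")
    action = triage(metadata, now)["action"]
    if action == "cancel_key_deletion_then_enable":
        return [f"aws kms cancel-key-deletion --key-id {key_id}",   # state -> Disabled
                f"aws kms enable-key --key-id {key_id}"]            # state -> Enabled
    if action == "enable_key":
        return [f"aws kms enable-key --key-id {key_id}"]
    return []


def valid_pending_window(days):
    """True if a ScheduleKeyDeletion waiting period is within the KMS-accepted range."""
    return MIN_PENDING_WINDOW_DAYS <= days <= MAX_PENDING_WINDOW_DAYS


def recover_key(kms, key_id):
    """Live path (needs a boto3 KMS client): inspect the key and undo a pending deletion."""
    try:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except ClientError as err:
        if err.response["Error"]["Code"] == "NotFoundException":  # already deleted
            return {"action": "key_gone", "detail": "DescribeKey: NotFoundException"}
        raise
    plan = triage(meta)
    if plan["action"] == "cancel_key_deletion_then_enable":
        kms.cancel_key_deletion(KeyId=key_id)   # key state becomes Disabled
        kms.enable_key(KeyId=key_id)            # Decrypt can now be retried
    elif plan["action"] == "enable_key":
        kms.enable_key(KeyId=key_id)
    return plan


if __name__ == "__main__":
    # Offline demo on the constructed sample, evaluated two weeks before DeletionDate.
    print(triage(SAMPLE_PENDING, "2025-03-01T00:00:00+00:00"))
    print(recovery_commands(SAMPLE_PENDING, "2025-03-01T00:00:00+00:00"))
```

In production the caller would wrap kms.decrypt in a try/except, feed the ClientError's response to is_key_state_error, and only then call recover_key with the key ID from the ciphertext's metadata; the same triage function works on the JSON that aws kms describe-key prints, so it can also be used from a runbook.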
Ineffective attempts
Common but ineffective approaches:
- Recreate the KMS key with the same alias and try again. (95% fail) A new key has a different key ID and different key material; the alias only changes which key new requests resolve to, and data encrypted under the old key cannot be decrypted with the new one.
- Use the AWS managed key instead of a customer managed key. (80% fail) An AWS managed key can only be used by the AWS service it was created for, it does not hold the customer managed key's key material, and the existing ciphertext still references the old key ID, so Decrypt cannot be redirected to it.
- Force delete the key immediately and recreate it. (90% fail) KMS has no immediate delete: the shortest waiting period is 7 days, and once the period ends the key material is destroyed permanently, which makes decryption of existing data impossible rather than fixing it.