KMSInvalidStateException
aws
auth_error
ai_generated
true
An error occurred (KMSInvalidStateException) when calling the Encrypt operation: request was rejected because the key state is PendingDeletion.
ID: aws/kms-key-deletion-pending
Fix Rate: 95%
Confidence: 90%
Evidence: 1
First Seen: 2024-04-22
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| aws-kms-2024 | active | — | — | — |
| boto3-1.34.0 | active | — | — | — |
| aws-sdk-java-2.25.0 | active | — | — | — |
Root Cause
The KMS key is scheduled for deletion (key state `PendingDeletion`) and cannot be used for cryptographic operations until the scheduled deletion is canceled.
Official Documentation
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
Workarounds
- 95% success: Cancel the key deletion: `aws kms cancel-key-deletion --key-id 1234abcd-12ab-34cd-56ef-1234567890ab` and wait for the key state to return to 'Enabled'.
- 80% success: If the key is irrecoverable, create a new KMS key and re-encrypt all data using the new key with a data key re-encryption process.
Dead Ends
Common approaches that don't work:
- 70% fail: Re-creating a new key with the same alias but different ID breaks existing encrypted data; old data can't be decrypted.
- 100% fail: Waiting for the deletion to complete is irreversible; the key becomes permanently unusable.