KMS.DecryptionException
cloud
auth_error
ai_generated
true
KMS.DecryptionException: Unable to decrypt environment variable with KMS key
ID: cloud/aws-lambda-kms-decryption-failure
92% Fix Rate
90% Confidence
1 Evidence
2024-01-10 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda | active | — | — | — |
| AWS KMS | active | — | — | — |
| boto3 1.34.0 | active | — | — | — |
Root Cause
AWS Lambda function has encrypted environment variables using a KMS key, but the Lambda execution role lacks the `kms:Decrypt` permission for that specific key, or the key has been deleted or disabled.
Official Documentation
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
Workarounds
- 95% success: Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN. Example IAM policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/abc123-..."}]}`. Update the role via the AWS Console or CLI. An identity policy is only effective if the key policy lets IAM policies control access to the key (the default key policy does this through its `kms:*` grant to the account root); a customer-written key policy that omits that statement must name the execution role explicitly.
- 85% success: If the key is pending deletion, cancel the deletion within the waiting period (7 to 30 days, 30 by default) with `aws kms cancel-key-deletion --key-id <key-id>`; cancellation returns the key in the Disabled state, so follow with `aws kms enable-key --key-id <key-id>`. If the key is simply disabled, run only the `enable-key` command. Confirm the state first with `aws kms describe-key --key-id <key-id> --query KeyMetadata.KeyState --output text`, then retry the Lambda invocation. A key whose waiting period has already expired cannot be recovered; the environment variables must be re-entered and encrypted under a new key.
Dead Ends
Common approaches that don't work:
- 60% fail: Removing the KMS encryption from the environment variables. The error is about permission, not encryption itself; unencrypted env vars bypass the KMS check but expose secrets in plaintext in the Lambda console and logs.
- 20% fail: Granting the execution role broad KMS permissions such as `kms:*` on `Resource: "*"`. While this resolves the decryption issue, it violates least-privilege principles and could allow unintended KMS operations like key deletion.
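The following Python script is an added example, not code from the page, AWS, or boto3. It performs the two checks from the Workarounds above offline: it evaluates an execution-role policy document to see whether `kms:Decrypt` is granted on the key ARN and whether that grant is narrow (flagging the `kms:*` on `Resource: "*"` approach listed under Dead Ends), and it maps the `KeyState` reported by `aws kms describe-key` to the CLI commands that bring the key back, including the `enable-key` that must follow `cancel-key-deletion`. The key ARN and the policy documents are constructed for the example; the evaluator models only `Effect`, `Action` and `Resource` (no `NotAction`, `NotResource` or `Condition`) and does not evaluate the key policy.

```python
"""Offline triage for a Lambda KMS.DecryptionException (constructed example)."""
import fnmatch
import json

# Constructed key ARN for the samples below (not a real key).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, fold_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    if fold_case:  # IAM matches action names case-insensitively
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_decrypt(policy: dict, key_arn: str = KEY_ARN, action: str = "kms:Decrypt") -> dict:
    """Return {'verdict': 'allowed'|'denied'|'not_granted', 'broad': bool, 'sids': [...]}.

    A matching explicit Deny wins over any Allow, as in IAM. 'broad' is True
    when the matching Allow relies on a wildcard in its action or resource,
    i.e. the grant is wider than kms:Decrypt on this one key.
    """
    allows, denies, broad = [], [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        hit_actions = [a for a in _as_list(stmt.get("Action", [])) if _glob(a, action, True)]
        hit_resources = [r for r in _as_list(stmt.get("Resource", [])) if _glob(r, key_arn)]
        if not hit_actions or not hit_resources:
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") == "Deny":
            denies.append(sid)
        elif stmt.get("Effect") == "Allow":
            allows.append(sid)
            broad = broad or any("*" in p for p in hit_actions + hit_resources)
    if denies:
        return {"verdict": "denied", "broad": False, "sids": denies}
    if allows:
        return {"verdict": "allowed", "broad": broad, "sids": allows}
    return {"verdict": "not_granted", "broad": False, "sids": []}


def key_recovery_steps(key_metadata: dict) -> list:
    """Map KeyMetadata.KeyState (from `aws kms describe-key`) to recovery commands.

    CancelKeyDeletion returns the key in the Disabled state, so a key that is
    PendingDeletion needs enable-key afterwards as well.
    """
    state, key_id = key_metadata["KeyState"], key_metadata["KeyId"]
    if state == "Enabled":
        return []
    if state == "Disabled":
        return [f"aws kms enable-key --key-id {key_id}"]
    if state == "PendingDeletion":
        return [f"aws kms cancel-key-deletion --key-id {key_id}",
                f"aws kms enable-key --key-id {key_id}"]
    raise ValueError(f"no scripted recovery for key state {state!r}")


# Constructed sample policy documents (all fictitious).
NARROW = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LambdaEnvDecrypt", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": KEY_ARN}]}
WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
WRONG_REGION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:eu-west-1:123456789012:key/*"}]}
DENIED = {"Version": "2012-10-17", "Statement": [
    NARROW["Statement"][0],
    {"Sid": "BlockKms", "Effect": "Deny", "Action": "kms:*", "Resource": "*"}]}


if __name__ == "__main__":
    for name, pol in [("narrow", NARROW), ("wildcard", WILDCARD),
                      ("wrong_region", WRONG_REGION), ("denied", DENIED)]:
        print(f"{name:13s} {json.dumps(evaluate_decrypt(pol))}")
    for meta in ({"KeyId": "11111111-2222-3333-4444-555555555555", "KeyState": "PendingDeletion"},
                 {"KeyId": "11111111-2222-3333-4444-555555555555", "KeyState": "Disabled"}):
        print(meta["KeyState"], key_recovery_steps(meta))
```

To use it against a real role, feed `evaluate_decrypt` the JSON returned by `aws iam get-role-policy` or `aws iam get-policy-version` and `key_recovery_steps` the `KeyMetadata` object from `aws kms describe-key`. A `not_granted` verdict points at workaround 1; an `allowed` verdict with `broad` set means the role already decrypts but carries the over-permissive grant described under Dead Ends.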