{
  "id": "cloud/aws-lambda-kms-decryption-failure",
  "signature": "KMS.DecryptionException: Unable to decrypt environment variable with KMS key",
  "signature_zh": "KMS 解密异常：无法使用 KMS 密钥解密环境变量",
  "regex": "KMS\\.DecryptionException.*Unable to decrypt environment variable",
  "domain": "cloud",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "The AWS Lambda function's environment variables are encrypted with a KMS key, but the Lambda execution role lacks `kms:Decrypt` permission on that specific key, or the key has been deleted or disabled.",
  "root_cause_type": "generic",
  "root_cause_zh": "AWS Lambda 函数使用 KMS 密钥加密了环境变量，但 Lambda 执行角色缺少对该特定密钥的 `kms:Decrypt` 权限，或者密钥已被删除或禁用。",
  "versions": [
    {
      "version": "AWS Lambda",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS KMS",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "boto3 1.34.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The error is a permissions failure, not a failure of the encryption itself; leaving the environment variables unencrypted avoids the KMS check but exposes the secrets in plaintext in the Lambda console and in logs.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Although this clears the decryption error, it violates least privilege and could permit unintended KMS operations such as key deletion.",
      "fail_rate": 0.2,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN (replace the example ARN with your key's ARN). Example IAM policy: `{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"kms:Decrypt\",\"Resource\":\"arn:aws:kms:us-east-1:123456789012:key/abc123-...\"}]}`. Update the role via the AWS Console or CLI.",
      "success_rate": 0.95,
      "how": "Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN (replace the example ARN with your key's ARN). Example IAM policy: `{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"kms:Decrypt\",\"Resource\":\"arn:aws:kms:us-east-1:123456789012:key/abc123-...\"}]}`. Update the role via the AWS Console or CLI.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the KMS key is scheduled for deletion, cancel the deletion within the 30-day waiting period via `aws kms cancel-key-deletion --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation.",
      "success_rate": 0.85,
      "how": "If the KMS key is scheduled for deletion, cancel the deletion within the 30-day waiting period via `aws kms cancel-key-deletion --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN (replace the example ARN with your key's ARN). Example IAM policy: `{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"kms:Decrypt\",\"Resource\":\"arn:aws:kms:us-east-1:123456789012:key/abc123-...\"}]}`. Update the role via the AWS Console or CLI.",
    "If the KMS key is scheduled for deletion, cancel the deletion within the 30-day waiting period via `aws kms cancel-key-deletion --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption",
  "official_doc_section": null,
  "error_code": "KMS.DecryptionException",
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.92,
  "resolvable": "true",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}