# KMS.DecryptionException: Unable to decrypt environment variable with KMS key

- **ID:** `cloud/aws-lambda-kms-decryption-failure`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `KMS.DecryptionException`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

The Lambda function's environment variables are encrypted with a KMS key, but the function's execution role lacks the `kms:Decrypt` permission for that specific key, or the key has been disabled or scheduled for deletion.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS Lambda | active | — | — |
| AWS KMS | active | — | — |
| boto3 1.34.0 | active | — | — |

## Workarounds

1. **Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN, then update the role via the AWS Console or CLI.** (95% success)
   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/abc123-..."
       }
     ]
   }
   ```
2. **If the KMS key was scheduled for deletion, cancel the deletion within the 30-day waiting period via `aws kms cancel-key-deletion --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation.** (85% success)
   ```
   # A key pending deletion is recovered by cancelling the deletion, not with a
   # "restore-key" command (no such KMS API exists).
   aws kms cancel-key-deletion --key-id <key-id>
   # Cancelling deletion leaves the key in the Disabled state, so enable it as well.
   aws kms enable-key --key-id <key-id>
   ```

## Dead Ends

- **Removing encryption and storing the environment variables in plaintext** — The error is about permission, not encryption itself; unencrypted env vars bypass the KMS check but expose secrets in plaintext in the Lambda console and logs. (60% fail)
- **Granting the execution role wildcard KMS permissions instead of `kms:Decrypt` on the one key** — While it resolves the decryption issue, it violates least-privilege principles and could allow unintended KMS operations like key deletion. (20% fail)
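The following is an added example (not part of this entry or of any AWS tooling) that ties workaround 1 to the second dead end: it builds the minimal `kms:Decrypt` policy for one key ARN and audits an arbitrary policy document for whether it grants decrypt on that key, and whether it does so through wildcards. The key ARN is a constructed placeholder; the function names and the wildcard matching via `fnmatch` are this example's own approximation of IAM's matching rules.

```python
import fnmatch
import json

# Constructed placeholder key ARN (not a real account or key id).
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/abc123-placeholder"


def build_decrypt_policy(key_arn: str) -> dict:
    """Minimal inline policy for the execution role: kms:Decrypt on one key only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn}],
    }


def _as_list(value):
    # IAM allows Action/Resource to be a string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_decrypt_policy(policy: dict, key_arn: str) -> dict:
    """Report whether `policy` lets the role decrypt `key_arn`, and whether it
    does so with wildcards that exceed what the workaround needs."""
    allows, findings = False, []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = [r.lower() for r in _as_list(stmt.get("Resource", []))]
        # IAM matches actions and ARNs case-insensitively with '*'/'?' wildcards;
        # fnmatchcase on lower-cased strings approximates that closely enough here.
        action_hit = any(fnmatch.fnmatchcase("kms:decrypt", a) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(key_arn.lower(), r) for r in resources)
        if not (action_hit and resource_hit):
            continue
        allows = True
        if any(a in ("kms:*", "*") for a in actions):
            findings.append("wildcard action: grants every KMS operation, not just Decrypt")
        if any(r == "*" for r in resources):
            findings.append("wildcard resource: grants access to every key, not just this one")
    return {"allows_decrypt": allows, "least_privilege": allows and not findings, "findings": findings}


if __name__ == "__main__":
    # Attach the printed document with: aws iam put-role-policy --role-name <role> \
    #   --policy-name LambdaKmsDecrypt --policy-document file://policy.json
    print(json.dumps(build_decrypt_policy(KEY_ARN), indent=2))
    print(audit_decrypt_policy(build_decrypt_policy(KEY_ARN), KEY_ARN))
```

The identity-side grant is only half of the check: the KMS key policy must also allow the execution role (directly or by delegating to IAM policies), so a `least_privilege: True` result here does not by itself prove the decrypt will succeed.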
