KMS.DecryptionException
cloud
auth_error
ai_generated
true
KMS 解密异常:无法使用 KMS 密钥解密环境变量
KMS.DecryptionException: Unable to decrypt environment variable with KMS key
ID: cloud/aws-lambda-kms-decryption-failure
92%修复率
90%置信度
1证据数
2024-01-10首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| AWS Lambda | active | — | — | — |
| AWS KMS | active | — | — | — |
| boto3 1.34.0 | active | — | — | — |
根因分析
AWS Lambda 函数使用 KMS 密钥加密了环境变量,但 Lambda 执行角色缺少对该特定密钥的 `kms:Decrypt` 权限,或者密钥已被删除或禁用。
English
AWS Lambda function has encrypted environment variables using a KMS key, but the Lambda execution role lacks the `kms:Decrypt` permission for that specific key, or the key has been deleted or disabled.
官方文档
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption解决方案
-
Attach a policy to the Lambda execution role granting `kms:Decrypt` on the specific KMS key ARN. Example IAM policy: `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:Decrypt","Resource":"arn:aws:kms:us-east-1:123456789012:key/abc123-..."}]}`. Update the role via AWS Console or CLI. -
If the KMS key was deleted, restore it within the 30-day waiting period via `aws kms restore-key --key-id <key-id>`. If the key is disabled, re-enable it: `aws kms enable-key --key-id <key-id>`. Then retry the Lambda invocation.
无效尝试
常见但无效的做法:
-
60% 失败
The error is about permission, not encryption itself; unencrypted env vars bypass the KMS check but expose secrets in plaintext in the Lambda console and logs.
-
20% 失败
While it resolves the decryption issue, it violates least-privilege principles and could allow unintended KMS operations like key deletion.