KMSInvalidCiphertextException
Tags: cloud, auth_error, ai_generated: true
KMSInvalidCiphertextException: Unable to decrypt environment variable with KMS key
ID: cloud/aws-lambda-kms-invalid-ciphertext
Fix rate: 90%
Confidence: 85%
Evidence: 1
First seen: 2023-04-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda runtime nodejs18.x | active | — | — | — |
| AWS Lambda runtime python3.12 | active | — | — | — |
| AWS SDK for JavaScript v3 | active | — | — | — |
| AWS CLI 2.x | active | — | — | — |
Root Cause
The KMS key used to encrypt the Lambda function's environment variables has been disabled or deleted, or the function's execution role lacks kms:Decrypt permission for that key.
Official Documentation
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
Workarounds
- 90% success: Enable the KMS key if it is disabled: `aws kms enable-key --key-id <key-id>`. Then verify that the Lambda function's execution role has kms:Decrypt permission for that key.
- 95% success: Re-encrypt the environment variables with a new active KMS key: 1) Create a new KMS key. 2) Point the function at it: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id`. 3) Set the environment variables again via the console to trigger re-encryption.
Dead Ends
Common approaches that don't work:
- 85% fail: If the KMS key is disabled or pending deletion, re-deploying the function does not fix the underlying key availability issue.
- 75% fail: The execution role's policy must reference the exact key ARN used to encrypt the environment variables; a mismatch results in the same error.
- 90% fail: Environment variables remain encrypted with the old key; rotating the key does not automatically re-encrypt them.
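The two checks the workarounds and dead ends above keep coming back to (is the key usable, and does the execution role's policy actually cover that key's ARN for kms:Decrypt) can be scripted. The following is an added example, not code from this record or from AWS: it reasons over the JSON shapes returned by `aws kms describe-key` and by `aws iam get-role-policy` (the PolicyDocument field), using constructed sample documents so it runs offline. Key ARNs, account id and policy contents are made up; the IAM wildcard matching (`*` in Action and Resource, with Deny overriding Allow) is a deliberate simplification of real policy evaluation, so treat the verdict as a pointer, not proof.

```python
"""Offline diagnosis of the usual causes behind KMSInvalidCiphertextException.

Added example (not AWS's or this record's own code). Inputs mirror the JSON
returned by `aws kms describe-key` and `aws iam get-role-policy`; the sample
documents below are constructed, not taken from a real account.
"""
import fnmatch

DECRYPT_ACTION = "kms:Decrypt"

# Constructed sample ARNs (not real keys or accounts).
FUNCTION_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/99999999-8888-7777-6666-555555555555"


def describe_key_sample(state):
    """Shape of `aws kms describe-key` output for the function's key in a given KeyState."""
    return {"KeyMetadata": {"Arn": FUNCTION_KEY_ARN, "KeyState": state, "Enabled": state == "Enabled"}}


# Constructed execution-role policy documents for the three situations on this page.
POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": FUNCTION_KEY_ARN}]}
POLICY_WRONG_KEY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": OTHER_KEY_ARN}]}
POLICY_NO_KMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use * wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def key_state_problem(describe_key):
    """Label the key-availability problem from describe-key output, or None if usable."""
    state = describe_key["KeyMetadata"]["KeyState"]
    if state == "Enabled":
        return None
    if state == "Disabled":
        return "key-disabled"
    if state == "PendingDeletion":
        return "key-pending-deletion"
    return "key-unavailable:" + state


def decrypt_grants(policy_doc):
    """Yield (Effect, resource pattern) for every statement that covers kms:Decrypt."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if not any(_action_matches(a, DECRYPT_ACTION) for a in _as_list(stmt.get("Action"))):
            continue
        for resource in _as_list(stmt.get("Resource")):
            yield stmt.get("Effect", "Deny"), resource


def policy_problem(policy_doc, key_arn):
    """None if the policy allows kms:Decrypt on key_arn; otherwise a label for the gap."""
    grants = list(decrypt_grants(policy_doc))
    if not grants:
        return "missing-kms-decrypt"
    if any(eff == "Deny" and fnmatch.fnmatchcase(key_arn, res) for eff, res in grants):
        return "explicit-deny"
    if any(eff == "Allow" and fnmatch.fnmatchcase(key_arn, res) for eff, res in grants):
        return None
    # kms:Decrypt is granted, but only on some other key: the ARN-mismatch dead end.
    return "policy-key-arn-mismatch"


def diagnose(describe_key, policy_doc, function_key_arn):
    """One verdict for the key the function is configured with (its KMSKeyArn)."""
    if describe_key["KeyMetadata"]["Arn"] != function_key_arn:
        return "describe-key-output-is-for-a-different-key"
    problem = key_state_problem(describe_key)
    if problem:
        return problem
    return policy_problem(policy_doc, function_key_arn) or "no-issue-found"


if __name__ == "__main__":
    for state, policy in [("Disabled", POLICY_OK), ("Enabled", POLICY_WRONG_KEY),
                          ("Enabled", POLICY_NO_KMS), ("Enabled", POLICY_OK)]:
        print(state, "->", diagnose(describe_key_sample(state), policy, FUNCTION_KEY_ARN))
```

To use it against a real function, fetch the configured key with `aws lambda get-function-configuration --function-name <name> --query KMSKeyArn`, then pass that ARN together with the `describe-key` output for it and the execution role's policy document. A `key-disabled` or `key-pending-deletion` verdict points at the first workaround (or at re-encrypting with a new key if the old one is going away); `policy-key-arn-mismatch` and `missing-kms-decrypt` are role-policy fixes, not key fixes.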