{ "id": "cloud/aws-lambda-kms-invalid-ciphertext", "signature": "KMSInvalidCiphertextException: Unable to decrypt environment variable with KMS key", "signature_zh": "KMSInvalidCiphertextException:无法使用KMS密钥解密环境变量", "regex": "KMSInvalidCiphertextException.*Unable to decrypt environment variable with KMS key", "domain": "cloud", "category": "auth_error", "subcategory": null, "root_cause": "Lambda's KMS key used to encrypt environment variables has been disabled, deleted, or the Lambda function lacks kms:Decrypt permission for that key.", "root_cause_type": "generic", "root_cause_zh": "用于加密Lambda环境变量的KMS密钥已被禁用、删除,或者Lambda函数缺少对该密钥的kms:Decrypt权限。", "versions": [ { "version": "AWS Lambda runtime nodejs18.x", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS Lambda runtime python3.12", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS SDK for JavaScript v3", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS CLI 2.x", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "If the KMS key is disabled or pending deletion, re-deployment does not fix the underlying key availability issue.", "fail_rate": 0.85, "condition": "", "sources": [] }, { "action": "", "why_fails": "The policy must reference the exact key ARN used to encrypt the environment variables; a mismatch results in the same error.", "fail_rate": 0.75, "condition": "", "sources": [] }, { "action": "", "why_fails": "Environment variables remain encrypted with the old key; rotation does not automatically re-encrypt them.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Enable the KMS key if disabled: `aws kms enable-key --key-id `. Then verify the Lambda function's execution role has kms:Decrypt permission for that key.", "success_rate": 0.9, "how": "Enable the KMS key if disabled: `aws kms enable-key --key-id `. Then verify the Lambda function's execution role has kms:Decrypt permission for that key.", "condition": "", "sources": [] }, { "action": "Re-encrypt environment variables with a new active KMS key: 1) Create a new KMS key. 2) Update Lambda function: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id` 3) Set environment variables again via console to trigger re-encryption.", "success_rate": 0.95, "how": "Re-encrypt environment variables with a new active KMS key: 1) Create a new KMS key. 2) Update Lambda function: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id` 3) Set environment variables again via console to trigger re-encryption.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Enable the KMS key if disabled: `aws kms enable-key --key-id `. Then verify the Lambda function's execution role has kms:Decrypt permission for that key.", "Re-encrypt environment variables with a new active KMS key: 1) Create a new KMS key. 2) Update Lambda function: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id` 3) Set environment variables again via console to trigger re-encryption." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption", "official_doc_section": null, "error_code": "KMSInvalidCiphertextException", "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-04-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }