# KMSInvalidCiphertextException: Unable to decrypt environment variable with KMS key

- **ID:** `cloud/aws-lambda-kms-invalid-ciphertext`
- **Domain:** cloud
- **Category:** auth_error
- **Error Code:** `KMSInvalidCiphertextException`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The KMS key used to encrypt the Lambda function's environment variables has been disabled or deleted, or the function's execution role lacks kms:Decrypt permission for that key.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS Lambda runtime nodejs18.x | active | — | — |
| AWS Lambda runtime python3.12 | active | — | — |
| AWS SDK for JavaScript v3 | active | — | — |
| AWS CLI 2.x | active | — | — |

## Workarounds

1. **Enable the KMS key if disabled, then verify the Lambda function's execution role has kms:Decrypt permission for that key.** (90% success)
   ```
   aws kms enable-key --key-id <key-id>
   ```
2. **Re-encrypt environment variables with a new active KMS key.** (95% success) 1) Create a new KMS key. 2) Point the Lambda function at the new key. 3) Set the environment variables again via the console to trigger re-encryption.
   ```
   aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id
   ```
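The checks behind both workarounds can be scripted. The following triage helper is an added example (not part of this entry or of AWS tooling): `diagnose()` maps the observed key state and the IAM decision for kms:Decrypt to the remediation above and runs offline; `collect_findings()` gathers those inputs with boto3 and assumes credentials for the account that owns the function. The names `KmsFindings`, `diagnose` and `collect_findings` are this example's own.

```python
"""Triage helper for KMSInvalidCiphertextException on Lambda environment variables.

Added example, not part of the original entry. collect_findings() needs boto3
and AWS credentials; diagnose() is pure logic and runs offline.
"""
from dataclasses import dataclass


@dataclass
class KmsFindings:
    key_state: str      # KeyMetadata.KeyState from kms:DescribeKey
    eval_decision: str  # EvalDecision for kms:Decrypt from iam:SimulatePrincipalPolicy


def diagnose(f: KmsFindings) -> list[str]:
    """Map the observed state to the remediation this entry recommends."""
    actions = []
    if f.key_state == "Disabled":
        actions.append("enable key: aws kms enable-key --key-id <key-id>")
    elif f.key_state == "PendingDeletion":
        actions.append("key is pending deletion: cancel deletion or re-encrypt with a new key")
    elif f.key_state != "Enabled":
        actions.append(f"key unusable (state={f.key_state}): re-encrypt with a new key")
    if f.eval_decision != "allowed":
        actions.append("grant kms:Decrypt on the key ARN to the execution role")
    return actions or ["key enabled and kms:Decrypt allowed; check key policy and env-var key ARN"]


def collect_findings(function_name: str, session=None) -> KmsFindings:
    """Query Lambda, KMS and IAM for the inputs diagnose() needs (needs credentials)."""
    import boto3  # imported lazily so diagnose() stays usable without boto3 installed
    session = session or boto3.Session()
    cfg = session.client("lambda").get_function_configuration(FunctionName=function_name)
    key_arn = cfg.get("KMSKeyArn")  # absent when the AWS-managed default key is in use
    if not key_arn:
        # Neither cause in this entry applies to the AWS-managed key.
        return KmsFindings(key_state="Enabled", eval_decision="allowed")
    meta = session.client("kms").describe_key(KeyId=key_arn)["KeyMetadata"]
    # SimulatePrincipalPolicy evaluates the role's identity policies only; a
    # restrictive key policy can still deny kms:Decrypt, hence the fallback message.
    sim = session.client("iam").simulate_principal_policy(
        PolicySourceArn=cfg["Role"], ActionNames=["kms:Decrypt"], ResourceArns=[key_arn]
    )
    return KmsFindings(meta["KeyState"], sim["EvaluationResults"][0]["EvalDecision"])
```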

## Dead Ends

- If the KMS key is disabled or pending deletion, re-deployment does not fix the underlying key availability issue. (85% fail)
- The policy must reference the exact key ARN used to encrypt the environment variables; a mismatch results in the same error. (75% fail)
- Environment variables remain encrypted with the old key; rotation does not automatically re-encrypt them. (90% fail)
