KMSInvalidCiphertextException
cloud
auth_error
ai_generated
true
KMSInvalidCiphertextException: Unable to decrypt environment variable with KMS key
ID: cloud/aws-lambda-kms-invalid-ciphertext
Fix rate: 90%
Confidence: 85%
Evidence count: 1
First seen: 2023-04-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS Lambda runtime nodejs18.x | active | — | — | — |
| AWS Lambda runtime python3.12 | active | — | — | — |
| AWS SDK for JavaScript v3 | active | — | — | — |
| AWS CLI 2.x | active | — | — | — |
Root cause analysis
The KMS key used to encrypt the Lambda function's environment variables has been disabled or deleted, or the function's execution role lacks kms:Decrypt permission on that key.
Official documentation
https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-encryption
Solutions
- Enable the KMS key if it is disabled: `aws kms enable-key --key-id <key-id>`. Then verify that the Lambda function's execution role has kms:Decrypt permission for that key.
- Re-encrypt the environment variables with a new, active KMS key:
  1. Create a new KMS key.
  2. Point the function at it: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id`
  3. Set the environment variables again via the console to trigger re-encryption.
Ineffective attempts
Common but ineffective approaches:
- 85% failure: If the KMS key is disabled or pending deletion, redeploying the function does not fix the underlying key-availability issue.
- 75% failure: The policy must reference the exact key ARN used to encrypt the environment variables; a mismatch results in the same error.
- 90% failure: Environment variables remain encrypted with the old key; rotating the key does not automatically re-encrypt them.
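As an added example (not part of this entry or of any AWS tooling), a Python check that applies the root-cause analysis and the ineffective-attempt notes above to one function: it reads the function's KMSKeyArn, the key's state, and the execution role's kms:Decrypt decision, and reports which fix applies. The live path assumes boto3 and AWS credentials; the decision logic is kept separate so it runs offline on constructed sample data.

```python
"""Diagnose a KMSInvalidCiphertextException on Lambda environment variables."""


def diagnose(configured_key_arn, key_meta, decrypt_decision):
    """Return findings explaining why Lambda could not decrypt its env vars.

    configured_key_arn: the function's KMSKeyArn (None means the AWS managed key)
    key_meta: the KeyMetadata dict returned by kms:DescribeKey
    decrypt_decision: EvalDecision for kms:Decrypt from iam:SimulatePrincipalPolicy
    """
    if configured_key_arn is None:
        return ["function uses the AWS managed key aws/lambda; no customer key to inspect"]
    findings = []
    if key_meta.get("Arn") != configured_key_arn:
        findings.append("KMSKeyArn on the function does not match the described key")
    state = key_meta.get("KeyState")
    if state == "Disabled":
        findings.append("key is Disabled: run `aws kms enable-key --key-id <key-id>`")
    elif state == "PendingDeletion":
        findings.append("key is PendingDeletion: cancel the deletion or re-encrypt with a new key")
    elif state != "Enabled":
        findings.append(f"key is in state {state!r}, not Enabled")
    if decrypt_decision != "allowed":
        findings.append(f"execution role kms:Decrypt decision is {decrypt_decision!r}")
    return findings


def diagnose_live(function_name, region):
    """Gather the three inputs from AWS and run diagnose(). Assumes boto3 and credentials."""
    import boto3  # imported here so the pure part above runs without AWS access
    lam = boto3.client("lambda", region_name=region)
    cfg = lam.get_function_configuration(FunctionName=function_name)
    key_arn = cfg.get("KMSKeyArn")
    if key_arn is None:
        return diagnose(None, {}, "allowed")
    key_meta = boto3.client("kms", region_name=region).describe_key(KeyId=key_arn)["KeyMetadata"]
    sim = boto3.client("iam").simulate_principal_policy(
        PolicySourceArn=cfg["Role"], ActionNames=["kms:Decrypt"], ResourceArns=[key_arn])
    # Caveat: the simulator checks the role's IAM policies; the key policy must also grant Decrypt.
    return diagnose(key_arn, key_meta, sim["EvaluationResults"][0]["EvalDecision"])


# Constructed sample data (not a real account): a disabled key and a role without Decrypt.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_KEY_META = {"Arn": SAMPLE_KEY_ARN, "KeyState": "Disabled"}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KEY_ARN, SAMPLE_KEY_META, "implicitDeny"):
        print("-", finding)
```

A mismatch finding after a key rotation or key swap is the case the last ineffective attempt describes: the ciphertext is still bound to the old key until the variables are re-entered.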