# KMSInvalidCiphertextException: Unable to decrypt environment variables with the KMS key

- **ID:** `cloud/aws-lambda-kms-invalid-ciphertext`
- **Domain:** cloud
- **Category:** auth_error
- **Error code:** `KMSInvalidCiphertextException`
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

The KMS key used to encrypt the Lambda function's environment variables has been disabled or deleted, or the Lambda function's execution role lacks `kms:Decrypt` permission on that key.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| AWS Lambda runtime nodejs18.x | active | — | — |
| AWS Lambda runtime python3.12 | active | — | — |
| AWS SDK for JavaScript v3 | active | — | — |
| AWS CLI 2.x | active | — | — |

## Solutions

1. Enable the KMS key if it is disabled: `aws kms enable-key --key-id <key-id>`. Then verify that the Lambda function's execution role has `kms:Decrypt` permission for that key.
2. Re-encrypt the environment variables with a new, active KMS key:
   1. Create a new KMS key.
   2. Update the Lambda function: `aws lambda update-function-configuration --function-name my-function --kms-key-arn arn:aws:kms:region:account:key/new-key-id`
   3. Set the environment variables again via the console to trigger re-encryption.
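As an added diagnostic (not part of the original entry), the following Python script maps what AWS reports about the function, the key and the role onto the root causes listed above. It assumes boto3 is installed and that the credentials can call lambda:GetFunctionConfiguration, kms:DescribeKey and iam:SimulatePrincipalPolicy; the function name and region are placeholders.

```python
from typing import Optional


def classify(key_state: str, decrypt_decision: str,
             configured_key_arn: str,
             policy_key_arn: Optional[str] = None) -> str:
    """Map observed facts to one of the root causes listed in this entry.

    key_state          KeyState from kms:DescribeKey ("Deleted" if DescribeKey fails)
    decrypt_decision   EvalDecision from iam:SimulatePrincipalPolicy for kms:Decrypt
    configured_key_arn KMSKeyArn on the Lambda function configuration
    policy_key_arn     key ARN the role policy names, if you checked it by hand
    """
    if key_state in ("PendingDeletion", "Deleted"):
        return "key_pending_deletion"     # re-encrypt with a new active key
    if key_state == "Disabled":
        return "key_disabled"             # aws kms enable-key --key-id <key-id>
    if policy_key_arn is not None and policy_key_arn != configured_key_arn:
        return "policy_key_arn_mismatch"  # policy must name the exact key in use
    if decrypt_decision != "allowed":
        return "missing_kms_decrypt"      # execution role lacks kms:Decrypt
    return "no_issue_found"


def fetch_facts(function_name: str, region: str) -> dict:
    """Collect classify() inputs from AWS (needs boto3 and credentials)."""
    import boto3  # imported lazily so classify() stays usable offline
    lam = boto3.client("lambda", region_name=region)
    cfg = lam.get_function_configuration(FunctionName=function_name)
    key_arn = cfg.get("KMSKeyArn")
    if not key_arn:
        raise ValueError("function uses the AWS-managed key; no customer key to check")
    kms = boto3.client("kms", region_name=region)
    try:
        key_state = kms.describe_key(KeyId=key_arn)["KeyMetadata"]["KeyState"]
    except kms.exceptions.NotFoundException:
        key_state = "Deleted"  # key no longer exists at all
    # The simulation evaluates IAM policies only; the KMS key policy must
    # separately allow the role, so check it too if this reports "allowed".
    sim = boto3.client("iam").simulate_principal_policy(
        PolicySourceArn=cfg["Role"], ActionNames=["kms:Decrypt"],
        ResourceArns=[key_arn])
    decision = sim["EvaluationResults"][0]["EvalDecision"]
    return {"key_state": key_state, "decrypt_decision": decision,
            "configured_key_arn": key_arn}


if __name__ == "__main__":
    # Placeholder function name and region; replace with your own.
    print(classify(**fetch_facts("my-function", "us-east-1")))
```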

## Failed attempts

- If the KMS key is disabled or pending deletion, redeploying the function does not fix the underlying key availability issue. (85% failure rate)
- The policy must reference the exact key ARN used to encrypt the environment variables; a mismatch results in the same error. (75% failure rate)
- The environment variables remain encrypted with the old key; key rotation does not automatically re-encrypt them. (90% failure rate)
