How can I resolve the AWS KMS decrypt error "InvalidCiphertextException"?

Last updated: 2021-02-15

I tried to decrypt environment variables using AWS Lambda encryption helpers and received the error "InvalidCiphertextException". All AWS Identity and Access Management (IAM) and AWS Key Management Service (AWS KMS) permissions are correct.

Short description

The AWS KMS API action error InvalidCiphertextException indicates the decrypt request failed because Lambda has updated how to encrypt environment variables. Lambda passes the function name as the encryption context making the encrypt call to AWS KMS. For decrypt functions created before this change, you must update the code for decryption and pass the Lambda function name as encryption context.

Resolution

To get the code with the decrypt call to AWS KMS for a specific SDK with the encryption context, follow these steps:

  1. Open the Lambda console, and then choose Functions.
  2. In Function name, choose the Lambda function.
  3. In Environment variable, choose Edit, and then choose Add environment variable.
  4. Enter a Key and Value, and then expand Encryption configuration.
  5. Choose Enable helpers for encryption in transit, and then choose Encrypt.
  6. Expand Decrypt secret snippet, copy and paste the snippet similar to the following:
DECRYPTED = boto3.client('kms').decrypt(
    CiphertextBlob=b64decode(ENCRYPTED),
    EncryptionContext={'LambdaFunctionName': os.environ['AWS_LAMBDA_FUNCTION_NAME']}
)['Plaintext'].decode('utf-8')

Use this code snippet to Decrypt new environment variables encrypted with encryption helpers.

Be sure to re-encrypt old environment variables so that they work with the new environment variables.

For more information, see Using AWS Lambda environment variables.