How do I resolve KMSAccessDeniedException errors from AWS Lambda?

Last updated: 2021-11-15

My AWS Lambda function returns a KMSAccessDeniedException error. How do I troubleshoot the issue?

Short description

Update the AWS Key Management Service (AWS KMS) permissions of your AWS Identity and Access Management (IAM) identity based on the error message.

Important: If the AWS KMS key and IAM role belong to different AWS accounts, then both the IAM policy and KMS key policy must be updated.

For more information about AWS KMS keys and policy management, see AWS managed KMS keys and customer managed keys.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

To resolve "KMS Exception: UnrecognizedClientExceptionKMS Message" errors

The following error usually occurs when a function's execution role is deleted and then recreated using the same name, but with a different principal:

Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's KMS key settings. KMS Exception: UnrecognizedClientExceptionKMS Message: The security token included in the request is invalid.

To resolve the error, you must reset the AWS KMS grant for the function's execution role by doing the following:

Note: The IAM user that creates and updates the Lambda function must have permission to use the KMS key.

1. Get the Amazon Resource Name (ARN) of the function's current execution role and KMS key by running the following AWS CLI command:

$ aws lambda get-function-configuration --function-name yourFunctionName

2. Reset the AWS KMS grant by doing one of the following:

Update the function's execution role to a different, temporary value, by running the following update-function-configuration command:

Important: Replace temporaryValue with the temporary execution role ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --role temporaryValue

Then, update the function's execution role back to the original execution role by running the following command:

Important: Replace originalValue with the original execution role's ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --role originalValue

-or-

Update the function's AWS KMS key to a different, temporary value, by running the following update-function-configuration command:

Important: Replace temporaryValue with a temporary KMS key ARN. To use a default service key, set the kms-key-arn parameter to "".

$ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn temporaryValue

Then, update the function's KMS key back to the original KMS key's ARN by running the following command:

Important: Replace originalValue with the original KMS key's ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn originalValue
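The role-swap variant of the reset above, written as a small POSIX shell script. This is an added example, not a script from AWS or from the Knowledge Center article: it assumes a configured AWS CLI, a caller that is allowed to update the function and use its KMS key, and placeholder function and role names. It records the original role before touching anything, waits for each update to finish with the CLI's function-updated waiter (Lambda rejects a new configuration update while a previous one is still in progress), and fails if the role in place afterwards is not the original. The same pattern applies to the --kms-key-arn variant.

```shell
#!/bin/sh
# Added example, not an AWS-provided script: resets the KMS grant for a Lambda
# function by moving its execution role to a temporary role and back, and
# checks that the original role is in place afterwards. Assumes a configured
# AWS CLI and a caller allowed to update the function and use its KMS key.
set -eu

# Print the execution role ARN currently attached to the function.
current_role() {
    aws lambda get-function-configuration --function-name "$1" \
        --query 'Role' --output text
}

# Block until Lambda has finished applying the last configuration change;
# an update issued while the previous one is still pending is rejected.
wait_for_update() {
    aws lambda wait function-updated --function-name "$1"
}

# Usage: reset_kms_grant_via_role <function-name> <temporary-role-arn>
# Prints the role ARN in place after the swap; fails if it is not the original.
reset_kms_grant_via_role() {
    fn="$1"
    temporary_role="$2"
    original_role=$(current_role "$fn")

    aws lambda update-function-configuration --function-name "$fn" \
        --role "$temporary_role" >/dev/null
    wait_for_update "$fn"

    aws lambda update-function-configuration --function-name "$fn" \
        --role "$original_role" >/dev/null
    wait_for_update "$fn"

    restored=$(current_role "$fn")
    if [ "$restored" != "$original_role" ]; then
        echo "execution role was not restored (now: $restored)" >&2
        return 1
    fi
    echo "$restored"
}

# Run only when a function name and a temporary role ARN are given, e.g.:
#   sh reset-grant.sh yourFunctionName arn:aws:iam::123456789012:role/temporaryRole
if [ "$#" -ge 2 ]; then
    reset_kms_grant_via_role "$1" "$2"
fi
```

Keep the temporary role to one that exists and can be assumed by lambda.amazonaws.com; the function is briefly configured with it, so a role with a narrower policy than the original is preferable to a broader one.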

For more information, see Key policies in AWS KMS.

To resolve "KMS Exception: AccessDeniedException KMS Message" errors

The following error indicates that your IAM identity doesn't have the permissions required to perform the kms:Decrypt API action:

Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

To resolve the error, add the following policy statement to your IAM user or role:

Important: Replace "your-KMS-key-arn" with your KMS key ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "your-KMS-key-arn"
        }
    ]
}

To resolve "You are not authorized to perform" errors

The following errors indicate that your IAM identity doesn't have one of the permissions required to access the KMS key:

You are not authorized to perform: kms:Encrypt.
You are not authorized to perform: kms:CreateGrant.
User: user-arn is not authorized to perform: kms:ListAliases on resource: * with an explicit deny.

Note: KMS permissions aren't required for your IAM identity or the function's execution role if you use the default key policy.

To resolve these types of errors, verify that your IAM user or role has the permissions required to perform the following actions: kms:Encrypt, kms:Decrypt, kms:CreateGrant, and kms:ListAliases.

For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console), based on your use case.

Example IAM policy statement that grants the permissions required to access a customer-managed KMS key

Important: The Resource value for kms:ListAliases must be "*", because the kms:ListAliases action doesn't support resource-level permissions. Also, make sure that you replace "your-kms-key-arn" with your KMS key's ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:CreateGrant"
            ],
            "Resource": "your-kms-key-arn"
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Action": "kms:ListAliases",
            "Resource": "*"
        }
    ]
}
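A small checker for the identity policies in this section and in the kms:Decrypt section above, as an added example (it is not AWS code and not part of the Knowledge Center article). Given a policy document, it reports the mistakes behind the errors quoted on this page: a required KMS action that is not allowed at all, an explicit Deny that covers one, kms:ListAliases scoped to anything other than "*", a placeholder such as "your-kms-key-arn" left in place of a real key ARN, and a key-scoped action allowed on "*" (which works, but is broader than it needs to be). The action names come from the page; the function names, the finding format and the sample key ARN in the block are constructed for the example. It checks the IAM side only; with a key in another account, the key policy must allow the same actions.

```python
import json

# Actions the page's example policy grants on a customer managed KMS key.
# kms:ListAliases is the odd one out: it has no resource-level permissions,
# so it only works with Resource "*".
KEY_SCOPED_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:CreateGrant"}
WILDCARD_ONLY_ACTIONS = {"kms:ListAliases"}
REQUIRED_ACTIONS = KEY_SCOPED_ACTIONS | WILDCARD_ONLY_ACTIONS


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_kms_key_arn(arn):
    """True for arn:<partition>:kms:<region>:<account>:key/<key-id>; alias ARNs
    and placeholders such as "your-kms-key-arn" are rejected."""
    parts = arn.split(":")
    return (
        len(parts) == 6
        and parts[0] == "arn"
        and parts[2] == "kms"
        and parts[5].startswith("key/")
        and len(parts[5]) > len("key/")
    )


def _action_matches(pattern, action):
    """Minimal IAM action matching: exact name, or a trailing wildcard ('kms:*', '*')."""
    if pattern == action:
        return True
    return pattern.endswith("*") and action.startswith(pattern[:-1])


def check_kms_policy(policy, required_actions=REQUIRED_ACTIONS):
    """Return findings ('error: ...' or 'warning: ...'); an empty list means every
    required action is allowed, correctly scoped, and not explicitly denied.
    The Resource of a Deny statement is deliberately not evaluated (conservative)."""
    required = set(required_actions)
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        covered = [a for a in sorted(required) if any(_action_matches(p, a) for p in actions)]
        if effect == "Deny":
            # An explicit Deny overrides every Allow: this is the
            # "is not authorized ... with an explicit deny" case.
            findings.extend(f"error: {sid}: explicit Deny covers {a}" for a in covered)
            continue
        if effect != "Allow":
            continue
        for action in covered:
            granted.add(action)
            if action in WILDCARD_ONLY_ACTIONS and resources != ["*"]:
                findings.append(f'error: {sid}: {action} requires Resource "*"')
            elif action in KEY_SCOPED_ACTIONS:
                for res in resources:
                    if res == "*":
                        findings.append(f'warning: {sid}: {action} allowed on "*"; scope it to the key ARN')
                    elif not is_kms_key_arn(res):
                        findings.append(f"error: {sid}: {action} Resource {res!r} is not a KMS key ARN")
    findings.extend(f"error: no Allow for {a}" for a in sorted(required - granted))
    return findings


def check_kms_policy_json(text, required_actions=REQUIRED_ACTIONS):
    """Same check on raw JSON text; a trailing comma or similar typo is reported
    as a finding instead of raising."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"error: policy is not valid JSON: {exc}"]
    return check_kms_policy(policy, required_actions)


if __name__ == "__main__":
    # Constructed sample key ARN; the account and key ID are made up.
    key_arn = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    sample = {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "statement1", "Effect": "Allow",
             "Action": ["kms:Decrypt", "kms:Encrypt", "kms:CreateGrant"],
             "Resource": key_arn},
            # Mis-scoped on purpose: kms:ListAliases does not accept a key ARN.
            {"Sid": "statement2", "Effect": "Allow",
             "Action": "kms:ListAliases", "Resource": key_arn},
        ],
    }
    for finding in check_kms_policy(sample) or ["ok: policy grants the required KMS actions"]:
        print(finding)
```

Run the check before attaching a policy with the console or put-user-policy / put-role-policy; for the kms:Decrypt-only case earlier on this page, pass required_actions={"kms:Decrypt"} so the checker does not demand the other three actions.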
