How do I resolve "KMSAccessDeniedException" errors from AWS Lambda?


My AWS Lambda function returned a "KMSAccessDeniedException" error.

Short description

Update the AWS Key Management Service (AWS KMS) permissions of your AWS Identity and Access Management (IAM) identity based on the error message.

Important: If the AWS KMS key and IAM role belong to different AWS accounts, then both the IAM policy and AWS KMS key policy must be updated.

For more information about AWS KMS keys and policy management, see AWS KMS keys.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

To resolve "KMS Exception: UnrecognizedClientExceptionKMS Message" errors

The following error usually occurs when a Lambda function's execution role is deleted and then recreated using the same name, but with a different principal:

Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's AWS KMS key settings. KMS Exception: UnrecognizedClientExceptionKMS Message: The security token included in the request is invalid.

To resolve the error, you must reset the AWS KMS grant for the function's execution role by doing the following:

Note: The IAM user that creates and updates the Lambda function must have permission to use the AWS KMS key.

1. Get the Amazon Resource Name (ARN) of the function's current execution role and AWS KMS key by running the following AWS CLI command:

Note: Replace yourFunctionName with your function's name.

$ aws lambda get-function-configuration --function-name yourFunctionName

2. Reset the AWS KMS grant by doing one of the following:

Update the function's execution role to a different, temporary value, by running the following update-function-configuration command:

Important: Replace temporaryValue with the temporary execution role ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --role temporaryValue

Then, update the function's execution role back to the original execution role by running the following command:

Important: Replace originalValue with the original execution role ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --role originalValue

-or-

Update the function's AWS KMS key to a different, temporary value, by running the following update-function-configuration command:

Important: Replace temporaryValue with a temporary AWS KMS key ARN. To use a default service key, set the kms-key-arn parameter to "".

$ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn temporaryValue

Then, update the function's AWS KMS key back to the original AWS KMS key ARN by running the following command:

Important: Replace originalValue with the original AWS KMS key ARN.

$ aws lambda update-function-configuration --function-name yourFunctionName --kms-key-arn originalValue
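Running the two role updates by hand leaves room for restoring the wrong ARN. The following script, added here as an example and not part of the AWS article, wraps step 1 and the execution-role variant of step 2 into one function: it records the current role, swaps to the temporary role, waits for the update to finish, and restores the original. FUNCTION_NAME and TEMP_ROLE_ARN are placeholders you supply; it assumes the AWS CLI is installed and configured with credentials that can read and update the function's configuration and use its AWS KMS key.

```shell
#!/bin/sh
# Added example (not from the AWS article): reset the AWS KMS grant of a Lambda
# function by swapping its execution role to a temporary role and back.
# Assumes the AWS CLI is installed and the caller's credentials can call
# lambda:GetFunctionConfiguration and lambda:UpdateFunctionConfiguration and
# use the function's AWS KMS key. FUNCTION_NAME and TEMP_ROLE_ARN are placeholders.

reset_kms_grant() {
  fn="$1"
  temp_role="$2"

  # Step 1: record the current execution role before changing anything.
  original_role=$(aws lambda get-function-configuration \
      --function-name "$fn" --query 'Role' --output text) || return 1

  # A "swap" to the same role is a no-op and would not create a new grant.
  if [ "$original_role" = "$temp_role" ]; then
    echo "temporary role must differ from current role $original_role" >&2
    return 1
  fi

  # Step 2a: move to the temporary role. Lambda rejects a second update while
  # the first is still in progress, so wait for the function to settle.
  aws lambda update-function-configuration --function-name "$fn" \
      --role "$temp_role" >/dev/null || return 1
  aws lambda wait function-updated --function-name "$fn" || return 1

  # Step 2b: restore the original role, which makes Lambda re-create the grant.
  aws lambda update-function-configuration --function-name "$fn" \
      --role "$original_role" >/dev/null || return 1
  aws lambda wait function-updated --function-name "$fn" || return 1

  # Print the restored role so the caller can confirm nothing was lost.
  printf '%s\n' "$original_role"
}

# Usage: sh reset_kms_grant.sh FUNCTION_NAME TEMP_ROLE_ARN
if [ "$#" -ge 2 ]; then
  reset_kms_grant "$1" "$2"
fi
```

The AWS KMS key variant of step 2 works the same way with `--kms-key-arn` and `--query 'KMSKeyArn'`, except that a function using the default service key reports no key ARN and must be restored with `--kms-key-arn ""`.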

For more information, see Key policies in AWS KMS.

To resolve "KMS Exception: AccessDeniedException KMS Message" errors

The following error indicates that your IAM identity doesn't have the permissions required to perform the kms:Decrypt API action:

Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.

To resolve the error, add the following policy statement to your IAM user or role:

Important: Replace "your-KMS-key-arn" with your AWS KMS key ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "your-KMS-key-arn"
    }
  ]
}

For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console), based on your use case.

To resolve "You are not authorized to perform" errors

The following errors indicate that your IAM identity doesn't have one of the permissions required to access the AWS KMS key:

You are not authorized to perform: kms:Encrypt.
You are not authorized to perform: kms:CreateGrant.
User: user-arn is not authorized to perform: kms:ListAliases on resource: * with an explicit deny.

Note: AWS KMS permissions aren't required for your IAM identity or the function's execution role if you use the default key policy.

To resolve these types of errors, verify that your IAM user or role has the permissions required to perform the following AWS KMS API actions: kms:Decrypt, kms:Encrypt, kms:CreateGrant, and kms:ListAliases (the actions shown in the example policy statement that follows).

For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console), based on your use case.

Example IAM policy statement that grants the permissions required to access a customer-managed AWS KMS key

Important: The Resource value for kms:ListAliases must be "*", because that action doesn't support resource-level permissions. Also, make sure that you replace "your-kms-key-arn" with your AWS KMS key ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement1",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:CreateGrant"
      ],
      "Resource": "your-kms-key-arn"
    },
    {
      "Sid": "statement2",
      "Effect": "Allow",
      "Action": "kms:ListAliases",
      "Resource": "*"
    }
  ]
}

To resolve "Access to KMS is not allowed" errors

The following error indicates that an IAM entity doesn't have permissions to get AWS Secrets Manager secrets:

Access to KMS is not allowed (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 123a4bcd-56e7-89fg-hij0-1kl2m3456n78)

Make sure that your IAM user or role has the permissions required to perform the following AWS KMS API actions:

For more information, see How can I resolve issues accessing an encrypted AWS Secrets Manager secret?


Related information

How do I troubleshoot HTTP 502 and HTTP 500 status code (server-side) errors from AWS Lambda?

How do I troubleshoot Lambda function failures?

AWS OFFICIAL
Updated a year ago