How can I resolve the AWS KMS decrypt error "InvalidCiphertextException"?


I tried to use AWS Lambda encryption helpers to decrypt environment variables for AWS Key Management Service (AWS KMS) and received the error "InvalidCiphertextException".

Short description

The AWS KMS API error InvalidCiphertextException indicates that the decrypt request failed because Lambda changed how it encrypts environment variables. Lambda now passes the function name as the encryption context when it makes the encrypt call to AWS KMS. For decrypt functions that were created before this change, you must update the decryption code to pass the Lambda function name as the encryption context.


To get the code with the decrypt call to AWS KMS for a specific SDK with the encryption context, complete the following steps:

  1. Open the Lambda console, and then choose Functions.
  2. In Function name, choose the Lambda function, and then choose the Configuration tab.
  3. For Environment variables, choose Edit, and then choose Add environment variable.
  4. Enter a key and value, and then expand Encryption configuration.
  5. Choose Enable helpers for encryption in transit, and then choose Encrypt.
  6. Expand Decrypt secrets snippet, and then enter a code snippet similar to the following one:
DECRYPTED = boto3.client('kms').decrypt(
    CiphertextBlob=b64decode(ENCRYPTED),
    EncryptionContext={'LambdaFunctionName': os.environ['AWS_LAMBDA_FUNCTION_NAME']}
)['Plaintext'].decode('utf-8')  # response dict -> plaintext string

Use the preceding code snippet to decrypt new environment variables that are encrypted with encryption helpers.

Be sure to re-encrypt old environment variables so that they work with the new environment variables.
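The following added example (not AWS's code and not part of the original article) wraps the decrypt call so that a function can report which variables still need re-encryption: it decrypts with the LambdaFunctionName encryption context first and retries without a context only on InvalidCiphertextException. It assumes that values encrypted before the change used no encryption context; decrypt_env_var, StubKMS, StubError, and the sample variable names are hypothetical.

```python
import os
from base64 import b64decode, b64encode

def decrypt_env_var(name, kms=None, environ=os.environ):
    """Return (plaintext, needs_reencrypt); tries the function-name context first."""
    if kms is None:
        import boto3  # lazy import: only needed when no client is injected
        kms = boto3.client('kms')
    blob = b64decode(environ[name])
    context = {'LambdaFunctionName': environ['AWS_LAMBDA_FUNCTION_NAME']}
    try:
        resp = kms.decrypt(CiphertextBlob=blob, EncryptionContext=context)
        return resp['Plaintext'].decode('utf-8'), False
    except Exception as exc:
        # botocore's ClientError carries the service error code in .response
        code = getattr(exc, 'response', {}).get('Error', {}).get('Code')
        if code != 'InvalidCiphertextException':
            raise  # access denied, throttling, etc. are not a context mismatch
    # Assumption: a value encrypted before the change used no encryption context.
    resp = kms.decrypt(CiphertextBlob=blob)
    return resp['Plaintext'].decode('utf-8'), True

class StubError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {'Error': {'Code': code}}

class StubKMS:
    """Constructed offline stand-in: decrypt succeeds only if the context matches."""
    def __init__(self, store):
        self.store = store  # blob -> (plaintext, context used at encrypt time)
    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        plaintext, context = self.store.get(CiphertextBlob, (None, object()))
        if context != EncryptionContext:
            raise StubError('InvalidCiphertextException')
        return {'Plaintext': plaintext}

def demo():
    # Constructed sample data: one value bound to the function name, one legacy value.
    store = {b'new-blob': (b'db-pass', {'LambdaFunctionName': 'orders'}),
             b'old-blob': (b'api-key', None)}
    env = {'AWS_LAMBDA_FUNCTION_NAME': 'orders', 'DB_PASS': b64encode(b'new-blob').decode(),
           'API_KEY': b64encode(b'old-blob').decode()}
    return {k: decrypt_env_var(k, StubKMS(store), env) for k in ('DB_PASS', 'API_KEY')}

if __name__ == '__main__':
    for name, (_value, stale) in demo().items():
        print(name, 'needs re-encryption' if stale else 'ok')
```

Treat the fallback as temporary: after every variable is re-encrypted, remove it so that decryption always requires the function-name context.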

For more information, see Using AWS Lambda environment variables.

Related information

How can I verify that authenticated encryption with associated data encryption is used when calling AWS KMS APIs?

AWS OFFICIAL Updated 3 months ago