
How do I resolve Lambda function "KMS Exception" permission errors?


My AWS Lambda function returned a "KMS Exception", "You are not authorized to perform", or "Access to KMS is not allowed" error.

Resolution

Update the AWS Key Management Service (AWS KMS) permissions of your AWS Identity and Access Management (IAM) identity based on the error message. If the AWS KMS key and IAM role are in different AWS accounts, then update both the IAM policy and AWS KMS key policy.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Resolve "KMS Exception: UnrecognizedClientExceptionKMS Message" errors

If a Lambda function's role is deleted and then recreated with the same name but with a different principal, then you receive the following error:

"Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's AWS KMS key settings. KMS Exception: UnrecognizedClientExceptionKMS Message: The security token included in the request is invalid."

To resolve the error, you must reset the AWS KMS grant for the function's execution role.

Note: The IAM user that creates and updates the Lambda function must have permission to use the AWS KMS key.

  1. To get the Amazon Resource Name (ARN) of the function's current execution role and AWS KMS key, run the following get-function-configuration command:
    aws lambda get-function-configuration --function-name your-function-name
    Note: Replace your-function-name with your function's name.
  2. To update the function's execution role to a different, temporary value, run the following update-function-configuration command:
    aws lambda update-function-configuration --function-name your-function-name --role temporary-value
    Note: Replace your-function-name with your function's name and temporary-value with the temporary execution role ARN.
  3. To update the function's execution role back to the original execution role, run the following update-function-configuration command:
    aws lambda update-function-configuration --function-name your-function-name --role original-value
    Note: Replace original-value with the original execution role ARN that you recorded in step 1.
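The three steps above automated in one script. This is an added example, not code from the AWS article: it drives the same AWS CLI commands through subprocess, and the `run` parameter is a hypothetical injection point so the logic can be exercised with a fake CLI. The one practical addition is the `aws lambda wait function-updated` call between the two role changes: a second update-function-configuration call issued while the previous update is still in progress is rejected with ResourceConflictException, so the script blocks until each update has finished applying.

```python
"""Reset the AWS KMS grant on a Lambda function's execution role.

Added example, not part of the AWS article. Automates the three CLI steps:
read the current role, switch to a temporary role, switch back. The `run`
parameter is a hypothetical injection point for testing; by default the
real `aws` CLI is invoked.
"""
import json
import subprocess
from typing import Callable, List

Runner = Callable[[List[str]], str]


def run_aws(args: List[str]) -> str:
    """Run an `aws` CLI command and return its stdout (raises on a non-zero exit)."""
    result = subprocess.run(["aws", *args], check=True, capture_output=True, text=True)
    return result.stdout


def current_role_arn(function_name: str, run: Runner = run_aws) -> str:
    """Step 1: read the execution role ARN from get-function-configuration."""
    out = run(["lambda", "get-function-configuration", "--function-name", function_name])
    config = json.loads(out)
    return config["Role"]


def set_role(function_name: str, role_arn: str, run: Runner = run_aws) -> None:
    """Update the execution role and block until Lambda has finished applying it.

    Issuing another update-function-configuration while the previous update is
    still in progress fails with ResourceConflictException, so wait in between.
    """
    run(["lambda", "update-function-configuration",
         "--function-name", function_name, "--role", role_arn])
    run(["lambda", "wait", "function-updated", "--function-name", function_name])


def reset_kms_grant(function_name: str, temporary_role_arn: str, run: Runner = run_aws) -> str:
    """Steps 2 and 3: swap to the temporary role and back. Returns the original ARN."""
    original = current_role_arn(function_name, run)
    if not original or original == temporary_role_arn:
        raise ValueError("temporary role must differ from the current execution role")
    set_role(function_name, temporary_role_arn, run)
    set_role(function_name, original, run)
    return original


if __name__ == "__main__":
    import sys
    # Usage: python reset_kms_grant.py your-function-name temporary-role-arn
    print("restored execution role:", reset_kms_grant(sys.argv[1], sys.argv[2]))
```

The caller's IAM identity needs lambda:GetFunctionConfiguration, lambda:UpdateFunctionConfiguration and iam:PassRole for both roles, in addition to the AWS KMS permissions the note above describes.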

Resolve "KMS Exception: AccessDeniedException KMS Message" errors

If your IAM identity doesn't have the permissions required to perform the kms:Decrypt API action, then you receive the following error message:

"Lambda was unable to decrypt your environment variables because the KMS access was denied. Please check your KMS permissions. KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."

To resolve the error, use the IAM console to add the following policy statement to your IAM user or role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "your-KMS-key-arn"
        }
    ]
}

Note: Replace your-KMS-key-arn with your AWS KMS key ARN.

Resolve "You are not authorized to perform" errors

If your IAM identity doesn't have the permissions required to access the AWS KMS key, then you receive one of the following error messages:

"You are not authorized to perform: kms:Encrypt."

"You are not authorized to perform: kms:CreateGrant."

"User: user-arn is not authorized to perform: kms:ListAliases on resource: * with an explicit deny."

Note: AWS KMS permissions aren't required for your IAM identity or the function's execution role if you use the default key policy.

To resolve these errors, make sure that your IAM user or role has the permissions required to perform the AWS KMS API actions used in the following example policy: kms:Decrypt, kms:Encrypt, and kms:CreateGrant on the key, and kms:ListAliases on all resources.

If your IAM user or role doesn't have the preceding permissions, then use the IAM console to add the permissions.

Example IAM policy that grants permissions to access a customer-managed AWS KMS key

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:CreateGrant"
            ],
            "Resource": "your-kms-key-arn"
        },
        {
            "Sid": "statement2",
            "Effect": "Allow",
            "Action": "kms:ListAliases",
            "Resource": "*"
        }
    ]
}

Note: The Resource value for the kms:ListAliases statement must be "*", because the kms:ListAliases action doesn't support resource-level permissions. Also, make sure that you replace your-kms-key-arn with your AWS KMS key ARN.
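An offline check that tells you which of the four actions a given identity policy fails to grant for a given key, and why (missing statement versus an explicit deny like the one in the third error message above). This is an added example, not from the AWS article or an AWS library: it uses a simplified model of IAM evaluation (explicit Deny beats Allow, wildcard matching for Action and Resource, no Condition, NotAction or NotResource support), and the sample policy and key ARN are constructed for the demonstration.

```python
"""Check whether an IAM identity policy grants the KMS actions Lambda needs.

Added example, not part of the AWS article. Simplified IAM evaluation:
an explicit Deny overrides any Allow, Action and Resource support '*' and '?'
wildcards, Condition/NotAction/NotResource are not modelled. Sample data is
constructed for the demonstration.
"""
import fnmatch
import json
from typing import Dict, List, Tuple

# Actions from the article's example policy. kms:ListAliases has no
# resource-level permissions, so it must be granted on "*" rather than the key.
REQUIRED_ACTIONS: List[Tuple[str, str]] = [
    ("kms:Decrypt", "KEY"),
    ("kms:Encrypt", "KEY"),
    ("kms:CreateGrant", "KEY"),
    ("kms:ListAliases", "*"),
]


def _as_list(value) -> List[str]:
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """Case-insensitive wildcard match, as IAM applies to actions and ARNs."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate_action(policy: dict, action: str, resource: str) -> str:
    """Return 'allowed', 'explicit_deny' or 'implicit_deny' for one action/resource pair."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit_deny"  # a matching Deny wins regardless of Allows
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allowed" if allowed else "implicit_deny"


def check_policy(policy: dict, key_arn: str) -> Dict[str, str]:
    """Map each required action to its evaluation result for the given key."""
    return {
        action: evaluate_action(policy, action, key_arn if scope == "KEY" else "*")
        for action, scope in REQUIRED_ACTIONS
    }


def missing_permissions(policy: dict, key_arn: str) -> List[str]:
    """Actions that are not allowed, each with the reason."""
    return [f"{a}: {r}" for a, r in check_policy(policy, key_arn).items() if r != "allowed"]


# Constructed sample: ListAliases is wrongly scoped to the key ARN instead of
# "*", and a separate statement explicitly denies CreateGrant.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:CreateGrant", "kms:ListAliases"],
     "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
    {"Effect": "Deny", "Action": "kms:CreateGrant", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for problem in missing_permissions(SAMPLE_POLICY, SAMPLE_KEY_ARN):
        print(problem)
```

Run against the sample it reports kms:CreateGrant as an explicit deny and kms:ListAliases as an implicit deny; moving ListAliases into its own statement with Resource "*" and removing the Deny, as in the article's example policy, clears both. For a policy attached to a real identity, the authoritative answer is the IAM policy simulator or a SimulatePrincipalPolicy call, which also account for permissions boundaries, SCPs and the key policy.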

Resolve "Access to KMS is not allowed" errors

If an IAM entity doesn't have permissions to get AWS Secrets Manager secrets, then you receive the following error message:

"Access to KMS is not allowed (Service: AWSSecretsManager; Status Code: 400; Error Code: AccessDeniedException; Request ID: 123a4bcd-56e7-89fg-hij0-1kl2m3456n78)"

To resolve this error, make sure that your IAM user or role has permissions required to perform the following AWS KMS API actions:

If your IAM user or role doesn't have the preceding permissions, then use the IAM console to add the permissions.

For more information, see How do I resolve AWS KMS key access errors after I tried to retrieve an encrypted Secrets Manager secret?

Related information

How do I troubleshoot HTTP 502 and HTTP 500 status code errors from AWS Lambda?

How do I troubleshoot Lambda function failures?

AWS OFFICIAL. Updated 2 months ago.