Lambda can't decrypt the container image because KMS access is denied


I run lambdas in a multi account context. I have lambdas in A,B,C account and they pull images from an ECR into an account D. On account D there is a Client Managed Key (KMS), used by the ECR and allowed for USE in cross account context.

  • Roles used by the lambdas are allowed to use KMS with right arn KMS
  • KMS Key Policy allow usage in cross account context
  • Lambdas are allowed to pull images in cross account context
  • ECR allow pull images from cross account context

I use cloud formation to deploy theses objects and there is no problem with that. Lambdas work fines until next point.

If i use "aws lambda update-function-code" to update the image, i run into this problem:

"Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings. KMS Exception: AccessDeniedExceptionKMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."

I m not able to resolve this problem without erasing all the previous stack created and recreate it from start but still impossible to use "update-function-code" without breaking all lambdas.

1 Answer

does the KMS policy has kms:Decrypt ? Probably yes but just confirming. Did you look into CloudTrail logs to see more detailed information about the KMS access denied exception?

answered a year ago
  • Yes, this permission is present..

  • I m currently debugging step by step with cloud trail

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions