Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Lambda issue with Kms

0

In my lambda code I'm getting Calling the invoke API action failed with this message lambda was unable to decrypt the environment variables because KMS access was denied.Please check the functions KMS key settings.

Topics
ServerlessCompute
Tags
AWS Lambda
Language
English
asked a year ago285 views
1 Answer
0

If you use default AWS-managed key (aws/lambda), you shouldn't have to do anything. If you use a customer managed key, then you will need to update the Lambda's role to allow access to KMS and optionally KMS resource to allow Lambda's IAM role.

## Lambda IAM
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:your-region:your-account-id:key/your-kms-key-id"
}

## KMS policy example
{
  "Sid": "AllowLambdaUseOfKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<your-account-id>:role/<your-lambda-execution-role-name>"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
EXPERT
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content