Ensure your Lambda execution role also has kms:Decrypt for the key used to encrypt the secret.
Another thing to take into consideration is the accounts: whether this is a cross-account situation or not. Anyway, the first thing I would check is the key policy you have attached to the KMS key. It's not enough to provide permissions to the principal executing the Lambda function; you also need to allow usage by that principal in the KMS key policy. In the KMS key policy you can grant permissions to all the principals in one account, or just to specific principals.
Here are some examples: https://docs.aws.amazon.com/dms/latest/userguide/security_iam_resource-based-policy-examples.html
To be more precise for your use case you would need something like this:
```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::987654321098:role/<your-lambda-role>"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
Hope this helps,
Best.
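To check the two-sided authorization described in the answer above (the role's IAM policy is necessary but the key policy must also name the role, or delegate to its account root), here is an added example that is not part of the thread: a small offline evaluator that classifies what a KMS key policy says about a given role ARN calling kms:Decrypt. The key policy, account id and role name are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample KMS key policy for illustration (not from the thread);
# the account id and role name are placeholders.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::987654321098:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::987654321098:role/my-lambda-role"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(requested, patterns):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(requested.lower(), p.lower()) for p in patterns)


def key_policy_decision(policy_json, principal_arn, action="kms:Decrypt"):
    """Classify what a key policy says about principal_arn calling action.

    Returns 'Deny', 'Allow' (role named directly), 'AllowViaIamRoot' (only the
    account root is named, so the role's own IAM policy decides) or 'NoMatch'
    (neither is named: IAM permissions alone cannot help; expect AccessDenied).
    Conditions, NotAction and NotPrincipal are not evaluated (assumption).
    """
    root_arn = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    decision = "NoMatch"
    for stmt in json.loads(policy_json)["Statement"]:
        if not _matches_action(action, _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if stmt["Effect"] == "Deny" and any(p in ("*", principal_arn, root_arn) for p in aws):
            return "Deny"  # an explicit Deny always wins, whatever IAM says
        if stmt["Effect"] == "Allow":
            if principal_arn in aws or "*" in aws:
                decision = "Allow"
            elif root_arn in aws and decision == "NoMatch":
                decision = "AllowViaIamRoot"
    return decision
```

Feed it the output of `aws kms get-key-policy --policy-name default` for your key and the Lambda role ARN; a 'NoMatch' result is the cross-account (or missing-statement) case the answer describes.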
Good point, added another statement to the allowing policy, but sadly it did not help.