
Lambda issue with Kms

0

In my Lambda code I'm getting: "Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's KMS key settings."

Asked 5 months ago, viewed 163 times
1 Answer
0

If you use the default AWS-managed key (aws/lambda), you shouldn't have to do anything. If you use a customer managed key, then you will need to update the Lambda's role to allow access to KMS, and optionally the KMS resource to allow the Lambda's IAM role.

## Lambda IAM

```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:your-region:your-account-id:key/your-kms-key-id"
}
```

## KMS policy example

```json
{
  "Sid": "AllowLambdaUseOfKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<your-account-id>:role/<your-lambda-execution-role-name>"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```

Expert
Answered 5 months ago
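
An offline check of the two statement types in the answer above, added here as an example (not code from the original answer or from AWS): it reports whether a role has an Allow path to `kms:Decrypt` on a customer managed key. The account ID, role name, key ID and all function names are constructed, and the evaluation is a simplified model that ignores `Condition`, `NotAction`, grants and SCPs.

```python
import fnmatch

ACCOUNT = "111122223333"  # constructed sample values, not from the page
ROLE = f"arn:aws:iam::{ACCOUNT}:role/my-lambda-role"
KEY = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_STMT = {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": KEY}
KEY_STMT = {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "kms:Decrypt", "Resource": "*"}
ROOT_STMT = {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
             "Action": "kms:*", "Resource": "*"}  # key policy statement that delegates to IAM

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, principal=None):
    """True if the statement covers action and resource (and principal, for key policies)."""
    ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
    ok = ok and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    if principal is None:  # identity policy: the principal is whoever the policy is attached to
        return ok
    aws = stmt.get("Principal", {})
    aws = ["*"] if aws == "*" else _as_list(aws.get("AWS", []))
    return ok and (principal in aws or "*" in aws)

def effect(statements, action, resource, principal=None):
    """'Deny' if any matching statement denies, else 'Allow' if any allows, else None."""
    hits = [s["Effect"] for s in statements if _matches(s, action, resource, principal)]
    return "Deny" if "Deny" in hits else ("Allow" if "Allow" in hits else None)

def can_decrypt(role_arn, key_arn, role_statements, key_statements):
    """Return (allowed, reason) for kms:Decrypt, one of the actions in the answer's statements."""
    root = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    iam = effect(role_statements, "kms:Decrypt", key_arn)
    direct = effect(key_statements, "kms:Decrypt", key_arn, role_arn)
    delegated = effect(key_statements, "kms:Decrypt", key_arn, root)
    if "Deny" in (iam, direct):
        return False, "explicit Deny"
    if direct == "Allow":
        return True, "key policy names the role"
    if delegated == "Allow" and iam == "Allow":
        return True, "key policy delegates to IAM and the role policy allows"
    return False, "no Allow path: add the role statement or the key policy statement"

if __name__ == "__main__":
    for role_p, key_p in [([ROLE_STMT], [ROOT_STMT]), ([], [KEY_STMT]), ([ROLE_STMT], [])]:
        print(can_decrypt(ROLE, KEY, role_p, key_p))
```

The last case shows why a role statement alone fails when the key policy neither names the role nor delegates to the account's IAM policies.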
