Lambda cannot access KMS Key

When I run my lambda code, I get the following error:



The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.



I have mostly followed this to create the stack using aws-sam-cli, and the relevant sections of the template are below the code.



The relevant code is:



    const ssm = new AWS.SSM();
    const param = {
      Name: "param1",
      WithDecryption: true
    };
    const secret = await ssm.getParameter(param).promise();


The relevant part of the template.yaml file is:



    KeyAlias:
      Type: AWS::KMS::Alias
      Properties:
        AliasName: 'param1Key'
        TargetKeyId: !Ref Key
    Key:
      Type: AWS::KMS::Key
      Properties:
        KeyPolicy:
          Id: default
          Statement:
            - Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
              Action:
                - 'kms:Create*'
                - 'kms:Encrypt'
                - 'kms:Describe*'
                - 'kms:Enable*'
                - 'kms:List*'
                - 'kms:Put*'
                - 'kms:Update*'
                - 'kms:Revoke*'
                - 'kms:Disable*'
                - 'kms:Get*'
                - 'kms:Delete*'
                - 'kms:ScheduleKeyDeletion'
                - 'kms:CancelKeyDeletion'
              Resource: '*'
              Sid: Allow root account all permissions except to decrypt the key
          Version: 2012-10-17

    LambdaFunction:
      Type: AWS::Serverless::Function
      Properties:
        CodeUri: ../
        Handler: app.lambda
        Runtime: nodejs8.10
        Policies:
          - DynamoDBReadPolicy:
              TableName: !Ref Table
          - KMSDecryptPolicy:
              KeyId: !Ref Key
          - Statement:
              - Action:
                  - "ssm:GetParameter"
                Effect: Allow
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/param1"


Does the KMSDecryptPolicy not allow the use of the key? What am I missing? Thanks!



EDIT: Changing the template to below works, but I'd really like to use the KMSDecryptPolicy in the lambda definition if possible.



    LambdaFunction:
      Type: AWS::Serverless::Function
      Properties:
        CodeUri: ../
        Handler: app.lambda
        Runtime: nodejs8.10
        Policies:
          - DynamoDBReadPolicy:
              TableName: !Ref Table
          - KMSDecryptPolicy:
              KeyId: !Ref Key
          - Statement:
              - Action:
                  - "ssm:GetParameter"
                Effect: Allow
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/param1"

    Key:
      Type: AWS::KMS::Key
      Properties:
        KeyPolicy:
          Id: default
          Statement:
            - Effect: Allow
              Principal:
                AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
              Action:
                - 'kms:Create*'
                - 'kms:Encrypt'
                - 'kms:Describe*'
                - 'kms:Enable*'
                - 'kms:List*'
                - 'kms:Put*'
                - 'kms:Update*'
                - 'kms:Revoke*'
                - 'kms:Disable*'
                - 'kms:Get*'
                - 'kms:Delete*'
                - 'kms:ScheduleKeyDeletion'
                - 'kms:CancelKeyDeletion'
              Resource: '*'
              Sid: Allow root account all permissions except to decrypt the key
            - Sid: 'Allow use of the key for decryption by the LambdaFunction'
              Effect: Allow
              Principal:
                AWS: !GetAtt LambdaFunctionRole.Arn
              Action:
                - 'kms:Decrypt'
              Resource: '*'
          Version: 2012-10-17

amazon-web-services aws-lambda aws-serverless aws-sam-local serverless-application-model

edited Nov 19 at 15:40

asked Nov 19 at 15:12

      holtc
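
Added example, not part of the original post: a simplified model of how KMS authorizes a same-account caller, showing why the identity-based `KMSDecryptPolicy` has no effect under the question's key policy while the statement from the EDIT does. The account ID, role ARN and function names are constructed for illustration; explicit Deny, Condition blocks, Resource matching, grants and cross-account access are not modelled.

```javascript
// Constructed identifiers for illustration only.
const ACCOUNT_ROOT = "arn:aws:iam::111122223333:root";
const ROLE = "arn:aws:iam::111122223333:role/LambdaFunctionRole";

const asList = (v) => (Array.isArray(v) ? v : [v]);

// IAM-style action match: case-insensitive, '*' matches any run of characters.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i").test(action);
}

// True if any Allow statement covers the action (and the principal, when one is given).
function allows(statements, action, principal) {
  return statements.some((s) =>
    s.Effect === "Allow" &&
    asList(s.Action).some((p) => actionMatches(p, action)) &&
    (principal === undefined || asList(s.Principal.AWS).includes(principal)));
}

// Returns how the call is authorized, or "denied".
function kmsDecision(keyPolicy, identityPolicy, action) {
  // 1. The key policy names the role directly.
  if (allows(keyPolicy, action, ROLE)) return "key-policy";
  // 2. A key policy statement for the account root delegates that action to IAM policies.
  if (allows(keyPolicy, action, ACCOUNT_ROOT) && allows(identityPolicy, action)) return "iam-via-root";
  return "denied";
}

// Root statement from the question's template (kms:Decrypt is not in the list).
const rootStatement = {
  Effect: "Allow",
  Principal: { AWS: ACCOUNT_ROOT },
  Action: ["kms:Create*", "kms:Encrypt", "kms:Describe*", "kms:Enable*", "kms:List*",
    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
};
// Statement added in the question's EDIT.
const roleStatement = { Effect: "Allow", Principal: { AWS: ROLE }, Action: ["kms:Decrypt"] };
// What KMSDecryptPolicy attaches to the function role (identity-based, so no Principal).
const kmsDecryptPolicy = [{ Effect: "Allow", Action: "kms:Decrypt" }];

const original = kmsDecision([rootStatement], kmsDecryptPolicy, "kms:Decrypt");
const edited = kmsDecision([rootStatement, roleStatement], kmsDecryptPolicy, "kms:Decrypt");
const delegated = kmsDecision(
  [{ ...rootStatement, Action: [...rootStatement.Action, "kms:Decrypt"] }],
  kmsDecryptPolicy, "kms:Decrypt");
console.log({ original, edited, delegated });
```

The `delegated` case keeps `KMSDecryptPolicy` as the only role-side grant by adding `kms:Decrypt` to the root statement, but then any principal in the account whose IAM policy allows `kms:Decrypt` on this key can decrypt with it.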
