Lambda can't decrypt the container image because KMS access is denied
I run lambdas in a multi account context. I have lambdas in A,B,C account and they pull images from an ECR into an account D. On account D there is a Client Managed Key (KMS), used by the ECR and allowed for USE in cross account context.
- Roles used by the lambdas are allowed to use KMS with right arn KMS
- KMS Key Policy allow usage in cross account context
- Lambdas are allowed to pull images in cross account context
- ECR allow pull images from cross account context
I use cloud formation to deploy theses objects and there is no problem with that. Lambdas work fines until next point.
If i use "aws lambda update-function-code" to update the image, i run into this problem:
"Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings. KMS Exception: AccessDeniedExceptionKMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
I m not able to resolve this problem without erasing all the previous stack created and recreate it from start but still impossible to use "update-function-code" without breaking all lambdas.
- Language
- English
asked 3 years ago800 views
- Newest
- Most votes
- Most comments
does the KMS policy has kms:Decrypt ? Probably yes but just confirming. Did you look into CloudTrail logs to see more detailed information about the KMS access denied exception?
answered 3 years ago
Relevant content
asked 2 years ago
