Reputation: 12423
I have a lambda which accesses S3.
Before, this lambda program worked well. But recently I changed the KMS key of S3 or some other security group setting (the lambda source code doesn't change), and now an error occurs.
I guess this lambda and S3 are not on a VPC, so the security group is not relevant. Then... is it related to the KMS key????
S3 is encrypted with bf3cf318-1376-44de-a014-XXXXXXXXX, so I must give the kms access permission to this lambda?? But how?
Or am I completely wrong??
[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
Traceback (most recent call last):
  File "/var/task/app.py", line 48, in handler
    raise e
  File "/var/task/app.py", line 45, in handler
    obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
The source code where the error occurs is here:
    # inside handler(); s3_client is a boto3 S3 client, logger a logging.Logger
    try:
        logger.info(f"Try to get the object from bucket [{bucket_name}], key [{obj_key}]")
        obj = s3_client.get_object(Bucket=bucket_name, Key=obj_key)
    except Exception as e:
        logger.exception(e)
        raise e
After adding this policy to the lambda role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:*:678100228133:key/*"
        }
    ]
}
the message changed to:
[ERROR] ClientError: An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:sts::678100228133:assumed-role/cm-dev-resource-ResizerLambdaServiceRoleAE27CE82-1WN6YXPJAJDCX/cm-dev-lambda-resizer is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:ap-northeast-1:678100228133:key/e08d0542-a4ba-42e7-9725-106a48fd24c2 because no identity-based policy allows the kms:GenerateDataKey action
Traceback (most recent call last):
  File "/var/task/app.py", line 82, in handler
    s3_client.put_object(Bucket=out_bk_name, Key=key, Body=data, ContentType=content_type)
  File "/var/runtime/botocore/client.py", line 391, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 719, in _make_api_call
    raise error_class(parsed_response, operation_name)
Upvotes: 32
Views: 98513
Reputation: 109
I had this issue after deleting an IAM role policy and recreating it with the same name. What I did was switch the Lambda execution role to another role and then switch it back; that resolved the issue.
Upvotes: 0
Reputation: 403
We were not setting the KMS encryption key, so the default was being used. If you're attempting to access cross-account, then the keys won't match. So, adding the EncryptionKey property on the CodePipeline ensures you're using the same key cross-account for artifact push/pull activity:
Upvotes: 1
Reputation: 2625
I was getting this error, "The ciphertext refers to a customer master key...", in spite of having the kms decrypt policy attached to the Lambda. The problem was that I had to add the following policy statement to the resource-based policy of the KMS key itself, as follows:
{
    "Sid": "AllowLambdaDecrypt",
    "Action": [
        "kms:Decrypt", "<add more required actions here>"
    ],
    "Effect": "Allow",
    "Resource": "*",
    "Principal": {
        "AWS": [
            "arn:aws:iam::<account_id>:role/service-role/<lambdaRole>"
        ]
    }
}
NOTE: If you have an AWS-managed KMS key, then you won't be able to modify its policy (read this limitation). So make sure you are using your own customer managed KMS key. Check out the full details in my YouTube video.
Upvotes: 17
Reputation: 200436
See the part of the error message in bold:
[ERROR] ClientError: An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
And your question:
so I must give the kms access permission to this lambda
It appears that you have not provided KMS permission in the IAM role assigned to the Lambda function.
KMS keys also have an access policy that may be blocking Lambda access. If fixing the Lambda function's IAM role doesn't resolve this issue then I would look at that.
Upvotes: 11
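An added example (not code from the question or any answer) that models the two checks the last two answers describe: for an SSE-KMS object, S3 calls KMS as the Lambda's role, so both the role's identity policy and the key's resource policy must allow the action (kms:Decrypt for GetObject, kms:GenerateDataKey for PutObject). The evaluation is deliberately simplified (explicit Allow only, no Deny or conditions), and all ARNs are constructed placeholders.

```python
# Added example: offline model of why GetObject may succeed while PutObject
# fails with "no identity-based policy allows the kms:GenerateDataKey action".
# Simplified evaluation: explicit Allow only, no Deny statements or conditions.
import fnmatch

# KMS permission S3 needs for each object operation on an SSE-KMS bucket.
KMS_ACTION_FOR = {"GetObject": "kms:Decrypt", "PutObject": "kms:GenerateDataKey"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(value, patterns):
    return any(fnmatch.fnmatch(value, p) for p in _as_list(patterns))

def identity_allows(policy, action, key_arn):
    # Identity-based policy on the role: action and key ARN may use '*' wildcards.
    return any(st["Effect"] == "Allow" and _matches(action, st["Action"])
               and _matches(key_arn, st["Resource"])
               for st in policy["Statement"])

def key_policy_allows(key_policy, action, role_arn):
    # Key policy: the grant must name the role itself, or the account root,
    # which delegates the decision to IAM policies in that account.
    account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    for st in key_policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if (st["Effect"] == "Allow" and _matches(action, st["Action"])
                and (role_arn in principals or account_root in principals)):
            return True
    return False

def explain_denial(operation, identity_policy, key_policy, role_arn, key_arn):
    # None when allowed; otherwise which of the two policies blocks the call.
    action = KMS_ACTION_FOR[operation]
    if not identity_allows(identity_policy, action, key_arn):
        return f"no identity-based policy allows the {action} action"
    if not key_policy_allows(key_policy, action, role_arn):
        return f"key policy does not allow {action} for {role_arn}"
    return None

# Constructed sample mirroring the question: the role gets only kms:Decrypt,
# and the key policy delegates to IAM via the account root (placeholder ARNs).
ROLE = "arn:aws:iam::111122223333:role/example-lambda-role"
KEY = "arn:aws:kms:ap-northeast-1:111122223333:key/00000000-0000-0000-0000-000000000000"
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:*:111122223333:key/*"}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}
```

With the sample policies, explain_denial("GetObject", ...) returns None while explain_denial("PutObject", ...) names the missing kms:GenerateDataKey grant; adding that action to the identity policy, scoped to the key ARN, clears it.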