
I have the following code in a Lambda function:

        // Using directives needed at the top of the file:
        using Amazon;
        using Amazon.SimpleSystemsManagement;
        using Amazon.SimpleSystemsManagement.Model;

        // Inside the (async) Lambda handler:
        var ssmConfig = new AmazonSimpleSystemsManagementConfig
        {
            RegionEndpoint = RegionEndpoint.APSoutheast2
        };

        using (var ssmClient = new AmazonSimpleSystemsManagementClient(ssmConfig))
        {
            // WithDecryption = true makes SSM call KMS to decrypt a SecureString
            // parameter, so both ssm:GetParameter and kms:Decrypt are exercised.
            var myParameter = await ssmClient.GetParameterAsync(
                new GetParameterRequest
                {
                    Name = "myParameter",
                    WithDecryption = true
                });
        }

The Lambda function has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:ap-southeast-2:23314131242:parameter/myParameters/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:ap-southeast-2:23314131242:key/myKey"
            ]
        }
    ]
}

I am receiving the following error though:

Amazon.SimpleSystemsManagement.AmazonSimpleSystemsManagementException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access

Using the IAM Policy Simulator, I've verified that the Lambda's role has the expected permissions.

Do I need to specify the CMK alias somehow? What else could be wrong?

cbp

1 Answer


I figured out that I also need to add the Lambda's role as a "key user" of the CMK. See https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-users for details.

This can be done through the console by editing the CMK, then scrolling down to the Key Users section.

cbp