
I am new to AWS, and I have developed a Lambda function to encrypt and decrypt with the KmsClient.

This is how I am building the KmsClient with the AWS region:

    final KmsClient kmsClient = KmsClient.builder().region(awsRegion).build();

I am using envelope encryption, so I am using the GenerateDataKeyRequest to generate a data key for the plain text:

    GenerateDataKeyRequest generateDataKeyRequest = GenerateDataKeyRequest.builder()
            .keyId(arnKey)
            .encryptionContext(encryptionContext)
            .keySpec(DataKeySpec.AES_256)
            .build();

    GenerateDataKeyResponse generateDataKeyResponse = kmsClient.generateDataKey(generateDataKeyRequest);

At the above line I am getting the below exception:

software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).

I tried to solve this by setting the environment variable, but it still did not work.

My KMS key policy looks as follows:

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARN-role-y6nnbdp3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEncryptDecryptARNEnvironmentVariable-role-2pwqzde3",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-4qmx465k",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnryptLambdaTest-role-1bz9t33s",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN13-role-fflntszk",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedDecrypt-role-w176vn3b",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/lambda_for_apigateway-role-rm37oxr6",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-5p55uuig",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/DecryptLmabdaTest-role-zmggdsbr",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/suchi13role",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptARNb1808271-role-dh6l7e9p",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EncryptDecrptFunction-role-0ouhuwpj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-oje1caln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBaseEncryptDecryptARN-role-ageva6cf",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedDecryptARN-role-yq6d97v7",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopEncryptDecryptTenantBased-role-js8d5hln",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantListBasedEncryptDecryptARN-role-eowajg5x",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-hgv79ytd",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/TenantBasedEnvelopEncryptDecrypt-role-n4nn6tdj",
                    "arn:aws:iam::xxxxxxxxxxxxxx:role/service-role/EnvelopeBasedEncrypt-role-7jewd19s"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}

Any help would be much appreciated.

Thanks in advance, Pradeep

Pradeep

1 Answer


Instead of using IAM keys, as you're using a Lambda function you should use the Lambda function's IAM role.

Ensure the Lambda role has the correct IAM permissions, including the KMS permissions for GenerateDataKey, DescribeKey and Decrypt. The recommended policy from Amazon is below.

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": [
          "kms:DescribeKey",
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": [
          "arn:aws:kms:*:111122223333:key/*"
        ]
      }
    }

Finally, if you get any issues with these permissions, ensure that the KMS key grants allow access to the IAM role in its key policy.

Chris Williams
  • Thanks a lot for the quick response. Can you please tell me what IAM permissions the Lambda should have? My current Lambda function has AWSLambdaExecute and AWSLambdaBasicExecutionRole; we are using the key ARN to build the KmsClient, which we cannot skip. – Pradeep Jul 03 '20 at 19:39
  • Have updated, I believe these are the permissions. If you get any issues with those permissions you may need to check the key policy for KMS. – Chris Williams Jul 03 '20 at 19:51
  • Hi Chris, I have updated the KMS key policy in the above post; can you please tell me where exactly I am missing the permissions? – Pradeep Jul 04 '20 at 15:15
  • Hmm, and this is running your Lambda in the console? – Chris Williams Jul 04 '20 at 15:38
  • Hi Chris, thanks for the response, and I really appreciate your help here. I have updated my current key policy of the KMS; can you please tell me where exactly I should place the above permissions? – Pradeep Jul 04 '20 at 19:00
  • The above permissions would be attached to the IAM role of your Lambda as a policy :) – Chris Williams Jul 04 '20 at 19:01
  • No problem glad I could help with your problem :) – Chris Williams Jul 05 '20 at 10:01
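As an added example (not code from the question or the answer), this is how the envelope flow the question describes looks when the KmsClient relies on the Lambda execution role through DefaultCredentialsProvider instead of a hand-set access key, uses the data key locally for AES-GCM, and presents the same encryption context again on decrypt. The key ARN, the encryption context and the class name are placeholders or constructed values; it assumes the role carries the kms:GenerateDataKey and kms:Decrypt permissions from the answer and is listed in the key policy.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.*;
public final class EnvelopeCrypto {
    private static final int GCM_IV_BYTES = 12, GCM_TAG_BITS = 128;
    // Placeholder ARN and a constructed encryption context; real values come from the function's configuration.
    private static final String KEY_ARN = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID";
    private static final Map<String, String> CONTEXT = Map.of("tenant", "example-tenant");
    // No static access key: DefaultCredentialsProvider resolves the execution role's credentials that the Lambda runtime exposes; AWS_REGION is also set by the runtime.
    private final KmsClient kms = KmsClient.builder()
            .region(Region.of(System.getenv("AWS_REGION")))
            .credentialsProvider(DefaultCredentialsProvider.create()).build();
    /** Returns {encryptedDataKey, iv, ciphertext}; store all three, never the plaintext data key. */
    public byte[][] encrypt(byte[] plaintext) throws Exception {
        GenerateDataKeyResponse dk = kms.generateDataKey(GenerateDataKeyRequest.builder()
                .keyId(KEY_ARN).encryptionContext(CONTEXT).keySpec(DataKeySpec.AES_256).build());
        byte[] key = dk.plaintext().asByteArray();
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per message; GCM must never reuse an IV under one key
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
            return new byte[][] { dk.ciphertextBlob().asByteArray(), iv, c.doFinal(plaintext) };
        } finally {
            Arrays.fill(key, (byte) 0); // scrub our copy of the plaintext data key as soon as it has been used
        }
    }
    public byte[] decrypt(byte[] encryptedDataKey, byte[] iv, byte[] ciphertext) throws Exception {
        // KMS only unwraps the data key if the same encryption context is presented again.
        DecryptResponse dr = kms.decrypt(DecryptRequest.builder().keyId(KEY_ARN)
                .ciphertextBlob(SdkBytes.fromByteArray(encryptedDataKey)).encryptionContext(CONTEXT).build());
        byte[] key = dr.plaintext().asByteArray();
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
            return c.doFinal(ciphertext); // throws AEADBadTagException if the ciphertext or IV was altered
        } finally {
            Arrays.fill(key, (byte) 0);
        }
    }
}
```

When this code runs outside Lambda (for example on a developer machine) the same SdkClientException as in the question appears unless a profile, environment credentials or another provider in the default chain is configured.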