Aws lambda KMS解密AWS Lambda的权限
我做不出来,文件也帮不上什么忙 我有一个lambda,需要使用KMS解密一个值。我正在使用sam部署我的lambda。最初,我尝试添加一个策略声明Aws lambda KMS解密AWS Lambda的权限,aws-lambda,aws-kms,Aws Lambda,Aws Kms,我做不出来,文件也帮不上什么忙 我有一个lambda,需要使用KMS解密一个值。我正在使用sam部署我的lambda。最初,我尝试添加一个策略声明 - Effect: Allow Action: - kms:Decrypt Resource: - 'arn:aws:kms:us-west-2:<account>:key/<key>
- Effect: Allow
Action:
- kms:Decrypt
Resource:
- 'arn:aws:kms:us-west-2:<account>:key/<key>'
在KMS控制台中,我用作键的值被称为键id
检查lambda功能是否在钥匙所在的同一区域上运行
你能检查一下策略的语法吗?它应该如下面的示例所示:
策略:
-KMSDecryptPolicy:
KeyId:'arn:aws:kms:us-west-2::key/'
同时检查计算机中SAM CLI的版本:)
政策声明看起来不错,你怎么知道它不起作用?有错误信息吗?您还可以共享Lambda中运行的代码吗?也是key/
中的
密钥别名或密钥id吗?谢谢,我用错误消息更新了我的问题,密钥来自何处。您可以发布整个SAM YAML文件吗?+Lambda中运行的代码
{"errorType":"AccessDeniedException","errorMessage":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.","code":"AccessDeniedException","message":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
Policies:
- KMSDecryptPolicy:
KeyId: 'arn:aws:kms:us-west-2:<account>:key/<key>'