AWS Lambda: KMS decrypt permissions for AWS Lambda


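I can't figure this out, and the documentation isn't much help.

I have a Lambda that needs to use KMS to decrypt a value. I am deploying my Lambda with SAM. Initially, I tried adding a policy statement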

            - Effect: Allow
              Action:
                - kms:Decrypt
              Resource:
                - 'arn:aws:kms:us-west-2:<account>:key/<key>' 
In the KMS console, the value I am using as the key is called the key ID.

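  • Check whether the Lambda function is running in the same region as the key.
  • Can you check the syntax of the policy? It should look like the example below:

      Policies:
        - KMSDecryptPolicy:
            KeyId: 'arn:aws:kms:us-west-2::key/'

  • Also check the version of the SAM CLI on your machine :)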

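  • The policy statement looks fine. How do you know it isn't working? Is there an error message? Can you also share the code running in the Lambda? Also, is the value in key/ a key alias or a key ID?
  • Thanks, I updated my question with the error message and where the key comes from.
  • Can you post the whole SAM YAML file, plus the code running in the Lambda?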
    {"errorType":"AccessDeniedException","errorMessage":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.","code":"AccessDeniedException","message":"The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
    
          Policies:
            - KMSDecryptPolicy:
                KeyId: 'arn:aws:kms:us-west-2:<account>:key/<key>'
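
The checks raised in the comments (region, key ID versus alias) can be run offline against the Resource value before deploying. This is an added example, not code from the thread or from any AWS tool; the function name, the sample account ID and the sample key ID are constructed for illustration. It assumes the Resource is either a bare `*` or a full ARN, and does not handle other wildcard patterns.

```python
import re

# Key IDs are UUIDs; multi-Region key IDs are "mrk-" plus 32 hex characters.
KEY_ID = re.compile(r"mrk-[0-9a-f]{32}|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def check_decrypt_resource(resource, fn_region, fn_account):
    """List reasons an IAM Resource entry for kms:Decrypt would not cover
    the intended key for a function in fn_region / fn_account."""
    if resource == "*":
        return []  # matches every key: broad, but not a cause of denial
    parts = resource.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        return ["not a KMS ARN: a bare key ID or alias name is not valid here"]
    region, account, res = parts[3], parts[4], parts[5]
    problems = []
    if region != fn_region:
        problems.append(f"region {region!r} differs from function region {fn_region!r}")
    if not re.fullmatch(r"\d{12}", account):
        problems.append(f"account field {account!r} is not a 12-digit account ID")
    elif account != fn_account:
        problems.append("key is in another account: its key policy must also allow the role")
    kind, _, ident = res.partition("/")
    if kind == "alias":
        problems.append("alias ARN: IAM matches kms:Decrypt on the key ARN, not an alias")
    elif kind != "key" or not (ident == "*" or KEY_ID.fullmatch(ident)):
        problems.append(f"resource part {res!r} is not key/<key-id>")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    kid = "1234abcd-12ab-34cd-56ef-1234567890ab"
    for arn in (f"arn:aws:kms:us-west-2:111122223333:key/{kid}",
                f"arn:aws:kms:us-east-1:111122223333:key/{kid}",
                "arn:aws:kms:us-west-2:111122223333:alias/app-secret",
                kid):
        print(arn, "->", check_decrypt_resource(arn, "us-west-2", "111122223333") or "ok")
```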