I run lambdas in a multi account context. I have lambdas in A,B,C account and they pull images from an ECR into an account D.
On account D there is a Client Managed Key (KMS), used by the ECR and allowed for USE in cross account context.
- Roles used by the lambdas are allowed to use KMS with right arn KMS
- KMS Key Policy allow usage in cross account context
- Lambdas are allowed to pull images in cross account context
- ECR allow pull images from cross account context
I use cloud formation to deploy theses objects and there is no problem with that. Lambdas work fines until next point.
If i use "aws lambda update-function-code" to update the image, i run into this problem:
"Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings. KMS Exception: AccessDeniedExceptionKMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
I m not able to resolve this problem without erasing all the previous stack created and recreate it from start but still impossible to use "update-function-code" without breaking all lambdas.
Yes, this permission is present..
I m currently debugging step by step with cloud trail