1 Answer
0
Cause of the error:
- The resource you are trying to get is not encrypted by the same KMS key you are trying to decrypt with.
- You are not decrypting the data with the ciphertextblob that was used previously at the time of encryption.
- The KMS key doesn't exist or doesn't exist in that region.
- The principal trying to access the encrypted key doesn't have the correct KMS permissions.
Please confirm the below:
- Whether you are using the same KMS key for decryption that was used during encryption.
- Check if the role you are using to perform the action has permissions to access the KMS key.
- Check if the KMS key policy you have created has the permissions for the role you are using to perform the action, as below:
```json
{
  "Sid": "Enable IAM Role Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "<Role_Arn_You_Are_Performing_Action_From>"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
answered 7 months ago
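The checklist in the answer above can be run offline against an exported key policy. The following is an added example, not part of the original answer and not AWS code. The account ID, role name, key ID and the function names are constructed placeholders, and the check only covers principals named directly in the key policy (no `Condition`, `NotAction`, `NotPrincipal` or IAM-side policies).

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders: account ID, role name and key ID are not from the page.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAppRole"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
# The answer's policy statement, wrapped in a policy document for the role above.
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Enable IAM Role Permissions", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppRole"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
             "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, principal_arn, action):
    """True if the statement names this principal and this action.
    Simplification: Condition, NotAction and NotPrincipal are not evaluated."""
    principal = stmt.get("Principal", {})
    names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if "*" not in names and principal_arn not in names:
        return False
    # IAM action names are case-insensitive and may contain * wildcards.
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))

def key_policy_allows(policy, principal_arn, action):
    """An explicit Deny wins; otherwise at least one Allow must match."""
    hits = [s["Effect"] for s in _as_list(policy.get("Statement", []))
            if statement_matches(s, principal_arn, action)]
    return "Allow" in hits and "Deny" not in hits

def diagnose(policy, key_arn, encrypt_key_arn, principal_arn, client_region):
    """Return the checklist items that fail for a planned Decrypt call."""
    findings = []
    if key_arn != encrypt_key_arn:
        findings.append("different key than the one used for encryption")
    if key_arn.split(":")[3] != client_region:  # ARN field 4 is the region
        findings.append("key is not in the client's region")
    if not key_policy_allows(policy, principal_arn, "kms:Decrypt"):
        findings.append("key policy does not allow kms:Decrypt for the role")
    return findings
```

An empty list from `diagnose` means none of the three checks failed; the ciphertext blob itself still has to be the one returned at encryption time.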