How to solve Unable to decrypt data key and one or more KMS CMKs had an error?

0

I have been working on a third-party message provider (SendGrid) with Cognito, for sending an OTP to the user's email whenever a user signs up, forgets a password, etc. Here I am facing one issue.

```text
"Error: Unable to decrypt data key and one or more KMS CMKs had an error. ",
      "  Error #1 ",
      " AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.",
```

**I am not able to decrypt the Cognito secret code** (error on decode).

I am writing my code following these blogs:

https://blog.xiggit.com/blog/how-we-use-customer.io-to-send-custom-welcome-emails-through-cognito

https://www.thelambdablog.com/how-to-decrypt-aws-cognito-generated-temporary-codes-in-a-custom-sender-lambda-with-a-kms-key/

So, my question is: how to create an IAM role + **KMS** key for decrypting the Cognito code parameter.

Please, anyone help me. Thanks.

```javascript
const AWS = require("aws-sdk")
const b64 = require("base64-js")
const encryptionSdk = require("@aws-crypto/client-node")
const env = require("./config/environment.js")

// Build an AWS Encryption SDK client; Cognito encrypts the code with the key
// configured on the user pool, so this Lambda only needs the decrypt side.
const { encrypt, decrypt } = encryptionSdk.buildClient(
  encryptionSdk.CommitmentPolicy.REQUIRE_ENCRYPT_ALLOW_DECRYPT
)

// Key alias and key ID are read from the environment configuration.
const generatorKeyId = env.KMS_KEY_ALIAS
const keyIds = [env.KMS_KEY_ID]

const keyring = new encryptionSdk.KmsKeyringNode({ generatorKeyId, keyIds })

exports.handler = async (event) => {
  // event.request.code is the base64-encoded Encryption SDK message from Cognito.
  const { plaintext, messageHeader } = await decrypt(
    keyring,
    b64.toByteArray(event.request.code)
  )

  console.log(event)

  console.log("---------")
  console.log(event.request.code)

  // plaintext is a Buffer; messageHeader is an object, so log it as a value
  // rather than concatenating it into a string.
  console.log("otp code: " + plaintext.toString())
  console.log("messageHeader:", messageHeader)

  let triggerSource = event.triggerSource
  let email = event.request.userAttributes.email

  return
}
```
1 Answer
0

Causes of the error:

  1. The resource you are trying to get is not encrypted with the same KMS key you are trying to decrypt with.
  2. You are not using the ciphertext blob to decrypt the data that was produced previously at the time of encryption.
  3. The KMS key doesn't exist, or doesn't exist in that region.
  4. The principal trying to access the encrypted key doesn't have the correct KMS permissions.

Please confirm the following:

  • You are using the same KMS key for decryption that was used for encryption.
  • The role you are using to perform the action has permissions to access the KMS key.
  • The KMS key policy you have created grants the permissions to the role you are using to perform the action, as below:
```json
{
    "Sid": "Enable IAM Role Permissions",
    "Effect": "Allow",
    "Principal": {
        "AWS": "<Role_Arn_You_Are_Performing_Action_From>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}
```
AWS
answered 7 months ago
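The answer's last checklist item, verified offline as an added example (not code from the question or the answer): a small evaluator that reads a KMS key policy document and reports which of the actions the decrypting Lambda needs are not granted to its execution role. The role ARN, account id and policy document below are constructed placeholders, and the check sees only the key policy, not IAM policies attached to the role.

```javascript
// Added example, not code from the question or the answer: an offline check that a
// KMS key policy grants the Lambda execution role the actions the answer lists.
// The role ARN, account id and policy document below are constructed placeholders.
// Convert an IAM action pattern such as "kms:ReEncrypt*" into a RegExp.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// IAM accepts a scalar or an array for Statement, Action and Principal.AWS.
function toList(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Matches when Principal names the role ARN or everyone (a root-only principal delegates to IAM policies, not visible here).
function principalMatches(principal, roleArn) {
  if (principal === "*") return true;
  const aws = toList(principal && principal.AWS);
  return aws.includes("*") || aws.includes(roleArn);
}

// Evaluate one action against every statement; an explicit Deny always wins.
function policyAllows(policy, roleArn, action) {
  let allowed = false;
  for (const st of toList(policy.Statement)) {
    if (!principalMatches(st.Principal, roleArn)) continue;
    if (!toList(st.Action).some((a) => actionMatches(a, action))) continue;
    if (st.Effect === "Deny") return false;
    if (st.Effect === "Allow") allowed = true;
  }
  return allowed;
}

// Actions the decrypting Lambda still lacks; an empty array means the key policy is fine.
function missingLambdaActions(policy, roleArn) {
  return ["kms:Decrypt", "kms:DescribeKey"].filter((a) => !policyAllows(policy, roleArn, a));
}

// Constructed sample: the statement from the answer with a placeholder role ARN.
const LAMBDA_ROLE = "arn:aws:iam::123456789012:role/custom-email-sender-role";
const samplePolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "Enable IAM Role Permissions",
    Effect: "Allow",
    Principal: { AWS: LAMBDA_ROLE },
    Action: ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
    Resource: "*",
  }],
};
```

Run `missingLambdaActions(samplePolicy, LAMBDA_ROLE)` against the real key policy (from `aws kms get-key-policy`) with the Lambda role ARN; a non-empty result is the key-policy side of the AccessDeniedException above.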
