Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Permission needed for Role to Use KMS key as part of a Lambda function

0

Hi re:Post!

I have a lambda function that first deletes (2) manual snapshot copies in west-2 region and then copies (2) system made snapshots from west-2 to manual snapshot area in west-2.

The lambda function and KMS key is located in west-2, the role and policy are global.

(Note: When manually coping from system to manual in west-2, that process uses the same KMS key.)

The delete part works.

The copy part has error:

"Target KMS key does not exist, is not enabled or you do not have permissions to access it."

Copying snapshot rds:db-drtest20250410-2025-08-21-05-10 to copy-rds-db-drtest20250410-2025-08-21 Error copying snapshot rds:db-drtest20250410-2025-08-21-05-10: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [arn:aws:kms:us-west-2:(info removed)] does not exist, is not enabled or you do not have permissions to access it. Copying snapshot rds:db-drtest20250410-2025-08-20-05-10 to copy-rds-db-drtest20250410-2025-08-21 Error copying snapshot rds:db-drtest20250410-2025-08-20-05-10: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [arn:aws:kms:us-west-2::(info removed)] does not exist, is not enabled or you do not have permissions to access it. Copying snapshot rds:db-drtest20240314-2025-08-21-05-05 to copy-rds-db-drtest20240314-2025-08-21 Error copying snapshot rds:db-drtest20240314-2025-08-21-05-05: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [arn:aws:kms:us-west-2::(info removed)] does not exist, is not enabled or you do not have permissions to access it. Copying snapshot rds:db-drtest20240314-2025-08-20-05-05 to copy-rds-db-drtest20240314-2025-08-21 Error copying snapshot rds:db-drtest20240314-2025-08-20-05-05: An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The target KMS key [arn:aws:kms:us-west-2::(info removed)] does not exist, is not enabled or you do not have permissions to access it.

I added this to Role's policy:

"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": "arn:aws:iam::910286192445:role/*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"kms:Decrypt",
				"kms:Encrypt",
				"kms:GenerateDataKey"
			],
			"Resource": "arn:aws:kms:us-west-2:(info removed):(info removed)"
		},

But I am still getting the same errors in the copy part.

Should have instead added this to the policy's permissions?

{
            "Sid": "Allow use of the key by Lambda role",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::(info removed):(info removed)"
            },
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }

Thank you for your time and help!

Best Regards,

Donald

Topics
ServerlessComputeSecurity, Identity, & Compliance
Tags
AWS Key Management ServiceIAM PoliciesAWS Lambda
Language
English
asked 9 months ago271 views
2 Answers
1
Accepted Answer

Hello.

Are you using the AWS managed KMS key "aws/rds"?
If you are using customer-managed keys instead of "aws/rds", please check not only the Lambda IAM role but also the KMS key policy.
For example, if you need access to a KMS key from Lambda, you can access it by setting the following key policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${your_account_id}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "AllowUseOfTheKey",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${your_account_id}:role/lambda-iam-role"
            },
            "Action": [
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:DescribeKey",
                "kms:Decrypt",
                "kms:CreateGrant"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowAttachmentOfPersistentResources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${your_account_id}:role/lambda-iam-role"
            },
            "Action": [
                "kms:RevokeGrant",
                "kms:ListGrants",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
EXPERT
answered 9 months ago
  • DC
    9 months ago

    Hi Riku! Thank for your time and help. We are using a customer managed key. It is production so I will have to get approval etc... It may be that I need to make copy of key and use that one vs real production key. I see your point that I may need to add permissions to the lambda role's policy and the kms key. Best Regards, Donald

0

Based on the error message "The target KMS key does not exist, is not enabled or you do not have permissions to access it," your Lambda function's execution role needs additional permissions to use the KMS key for copying RDS snapshots.

The permissions you added to the role's policy are on the right track, but they're not complete for the snapshot copying operation. When copying encrypted snapshots, you need more comprehensive KMS permissions.

Here's what you should add to your Lambda execution role policy:

{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:RetireGrant"
],
"Resource": "arn:aws:kms:us-west-2:(info removed):(info removed)"
}

Additionally, you might need to add grant-related permissions:

{
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "arn:aws:kms:us-west-2:(info removed):(info removed)",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}

The key difference from your original policy is the inclusion of additional permissions like ReEncrypt*, DescribeKey, and the grant-related permissions which are often required for operations like copying encrypted snapshots.

If updating the IAM role policy doesn't resolve the issue, then yes, you should also check the KMS key policy itself to ensure it allows your Lambda role to use the key. Your suggested KMS key policy statement is correct and should be added to the key policy:

{
"Sid": "Allow use of the key by Lambda role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::910286192445:role/RL-Lambda-RDS-Snapshot-Management"
},
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:CreateGrant",
"kms:RetireGrant"
],
"Resource": "*"
}

Remember that for KMS permissions to be effective, both the IAM role policy AND the KMS key policy must allow the actions. This is known as the "AND" principle in AWS permissions.
Sources
Sharing Amazon DocumentDB cluster snapshots - Amazon DocumentDB
Community | AWS Cross Account S3 Access Through Lambda Functions

answered 9 months ago
EXPERT
reviewed 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content