Lambda can't decrypt the container image because KMS access is denied

0

I run Lambdas in a multi-account context. I have Lambdas in accounts A, B and C, and they pull images from an ECR in account D. In account D there is a customer managed key (KMS), used by the ECR and allowed for use in a cross-account context.

  • Roles used by the Lambdas are allowed to use KMS with the right KMS key ARN
  • The KMS key policy allows usage in a cross-account context
  • The Lambdas are allowed to pull images in a cross-account context
  • ECR allows pulling images from a cross-account context

I use CloudFormation to deploy these objects and there is no problem with that. The Lambdas work fine until the next point.

If I use "aws lambda update-function-code" to update the image, I run into this problem:

"Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings. KMS Exception: AccessDeniedExceptionKMS Message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."

I'm not able to resolve this problem without erasing the whole previously created stack and recreating it from scratch, but it is still impossible to use "update-function-code" without breaking all Lambdas.

1 answer
0

Does the KMS policy have kms:Decrypt? Probably yes, but just confirming. Did you look into the CloudTrail logs to see more detailed information about the KMS access denied exception?

Niko
answered a year ago
  • Yes, this permission is present.

  • I'm currently debugging step by step with CloudTrail.
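The answer points at CloudTrail as the place where the real reason for the AccessDenied shows up. Below is an added example of how to triage those events offline; it is not code from the asker or the answerer. It parses a CloudTrail log body (the `Records` array), keeps only KMS calls that ended in an access-denied error, and for each one records which principal called, which key ARN was involved, whether the caller's account differs from the key's account (the cross-account case in this thread) and whether the key's region differs from the region the call was made in (the "does not exist in this region" branch of the error text). The sample records, account IDs, key ID and role names are constructed placeholders, not values from the page.

```python
"""Triage KMS AccessDenied events from a CloudTrail log body.

Added example for this thread; the records below are constructed to mirror
the shape of real CloudTrail KMS events. All account IDs, the key ID and the
role names are placeholders, not values from the page.
"""
import json
from collections import defaultdict

# Constructed sample: one successful Decrypt from account A, one denied
# cross-account Decrypt from account B, and one denied Decrypt from account C
# made in a different region than the key lives in.
KEY_ARN = "arn:aws:kms:eu-west-1:444444444444:key/00000000-0000-0000-0000-000000000000"

SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2023-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "eu-west-1",
        "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                         "arn": "arn:aws:sts::111111111111:assumed-role/lambda-exec-role/fn-a"},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {
        "eventTime": "2023-05-01T10:01:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "eu-west-1",
        "errorCode": "AccessDenied",
        "errorMessage": "constructed: caller is not authorized to perform kms:Decrypt on the key",
        "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                         "arn": "arn:aws:sts::222222222222:assumed-role/lambda-exec-role/fn-b"},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {
        "eventTime": "2023-05-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1",
        "errorCode": "AccessDenied",
        "errorMessage": "constructed: key does not exist in this region or access not allowed",
        "userIdentity": {"type": "AssumedRole", "accountId": "333333333333",
                         "arn": "arn:aws:sts::333333333333:assumed-role/lambda-exec-role/fn-c"},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
]})


def kms_access_denials(log_text):
    """Return the KMS calls in a CloudTrail log body that ended in an access-denied error.

    Each entry carries the caller, the key ARN and two flags that map onto the
    two causes named in the Lambda error text: a cross-account key and a key
    in a different region than the call.
    """
    denials = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if "AccessDenied" not in rec.get("errorCode", ""):
            continue
        key_arns = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        # The key ARN can be missing when the caller had no visibility into the key at all.
        key_arn = key_arns[0] if key_arns else None
        # ARN layout: arn:partition:kms:REGION:ACCOUNT:key/ID
        key_region = key_arn.split(":")[3] if key_arn else None
        key_account = key_arn.split(":")[4] if key_arn else None
        identity = rec.get("userIdentity", {})
        caller_account = identity.get("accountId")
        denials.append({
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "principal": identity.get("arn") or identity.get("invokedBy"),
            "caller_account": caller_account,
            "key_arn": key_arn,
            "cross_account": key_account is not None and key_account != caller_account,
            "region_mismatch": key_region is not None and key_region != rec.get("awsRegion"),
            "message": rec.get("errorMessage"),
        })
    return denials


def summarize(denials):
    """Count denials per (principal, key ARN) so the noisiest missing grant stands out."""
    counts = defaultdict(int)
    for d in denials:
        counts[(d["principal"], d["key_arn"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = kms_access_denials(SAMPLE_CLOUDTRAIL)
    for d in found:
        print(f'{d["time"]} {d["event"]} by {d["principal"]} cross_account={d["cross_account"]} '
              f'region_mismatch={d["region_mismatch"]}')
    for (principal, key), n in summarize(found).items():
        print(f"{n}x {principal} -> {key}")
```

Feeding it a real log file from the trail's S3 bucket (or the output of `aws cloudtrail lookup-events`, after unwrapping each event's `CloudTrailEvent` string) gives, per denied call, the exact principal ARN that must appear in the key policy of the key in account D and in the caller's identity policy; when `region_mismatch` is set, the ciphertext was produced under a key in another region and no policy change will help.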
