
Fixing incorrect KMS Key Policy when deploying Lambda with an IAM Role

Often you'll want to pass configuration to a Lambda function the way you would pass CLI arguments. Lambda as a service does not support CLI arguments (via something like argparse); instead you have to configure individual environment variables for the function within the AWS console. When those environment variables are encrypted with a customer-managed KMS key, saving the function can fail with the following error:

Lambda was unable to configure access to your environment variables because the KMS key is invalid for CreateGrant. Please check your KMS key settings. KMS Exception: InvalidArnException KMS Message: ARN does not refer to a valid principal

The above error message makes it clear that the IAM Role your Lambda function is using does not have the correct policy, and that the existing KMS key does not refer to a valid principal. After a lot of troubleshooting, and careful reading of the AWS documentation, I identified that the problem could be fixed by adding an additional statement to the relevant KMS Key Policy.

The solution:

  1. Identify the specific IAM Role that your Lambda function is using to encrypt environment variables using KMS.

  2. Edit the KMS Key Policy to include the IAM Role as an AWS Principal.

  3. Add the following statement to the "Statement" list of your Key Policy. "Effect" and "Resource" are required for a valid statement; in a key policy, "Resource": "*" refers only to the key the policy is attached to.

      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::471112566722:role/service-role/iss_locations_lambda-role-grcyflva"
        },
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:DescribeKey"
        ],
        "Resource": "*"
      }

And just like that, my Lambda function was able to use a customer-managed KMS key, customised with the correct key policy, to create and encrypt the required environment variables for the application.
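A way to check whether a key policy already grants the execution role what it needs, and to produce the patched policy if not, as an added example (not the post's own code). The account ID, role ARN and sample key policy in it are constructed placeholders; the action list is the one from the statement above.

```python
import re
from copy import deepcopy

# Constructed sample values for this example (not the post's account or role).
ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/example-lambda-role"
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

# The actions the post grants to the Lambda execution role.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]

# A key policy holding only the usual account-root statement, shaped like the output of
# `aws kms get-key-policy --key-id <id> --policy-name default` (constructed sample).
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "kms:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def role_has_access(policy, role_arn):
    # True if some Allow statement names role_arn and covers every required action.
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if role_arn not in _as_list(aws):
            continue
        actions = set(_as_list(st.get("Action", [])))
        if actions & {"kms:*", "*"} or set(REQUIRED_ACTIONS) <= actions:
            return True
    return False

def grant_lambda_role(policy, role_arn):
    # Returns a copy of the policy with the Lambda statement appended (idempotent). Rejects
    # anything that is not a role ARN: when a role named in a key policy is deleted, AWS
    # rewrites that principal to an opaque unique ID, one way a policy ends up "not valid".
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not a role ARN: {role_arn}")
    fixed = deepcopy(policy)
    if not role_has_access(fixed, role_arn):
        fixed["Statement"].append({
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(REQUIRED_ACTIONS),
            "Resource": "*",  # in a key policy, "*" means only the key the policy is attached to
        })
    return fixed  # push back with: aws kms put-key-policy --key-id <id> --policy-name default --policy file://...
```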

Bernie Ops

20 posts