Lambda can't decrypt image - aws-lambda

I am working in a multi-account AWS context.
I have Lambdas in accounts A, B and C and an ECR in account D. The Lambdas pull their image from account D.
There is a customer-managed KMS key that is dedicated to, and used by, the ECR in account D.
The KMS key policy allows the ROLE used by the Lambda to perform KMS operations.
The Lambda roles in accounts A, B and C allow the use of KMS.
When I try to run my Lambdas I get the following response:
Lambda can't decrypt the container image because KMS access is denied. Check the function's KMS key settings.
KMS Exception: AccessDeniedException KMS Message: The ciphertext refers to a customer master key that does not exist,
does not exist in this region, or you are not allowed to access.
Here is my KMS key policy strategy:
And following, here is the role used by the Lambda:
And finally my ECR using the key:
I have followed these docs from AWS: https://aws.amazon.com/fr/premiumsupport/knowledge-center/lambda-kmsaccessdeniedexception-errors/
but the error messages discussed in that link are slightly different.
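One way to check the key-policy side of the setup described above, as an added example that is not code from the original question or from AWS: given the key policy JSON and the Lambda execution role's ARN, list which of the required KMS actions the policy does not grant to that role, and which it grants only through the role's account root principal (in which case the role's own IAM policy in account A, B or C must also allow them). The account ids, role names, sample policy and the required-action list are constructed assumptions; `kms:Decrypt` is the operation the error message names, and the doc linked above is the place to extend that list.

```python
"""Which KMS actions does a key policy grant to a Lambda execution role?

Added example for the cross-account setup in the question; not code from the
original post. Account ids, role names and the sample key policy are
constructed placeholders. Only the key policy side is modelled: a role that is
granted via its account root principal additionally needs the matching kms:*
permissions in its own IAM identity policy.
"""
import fnmatch
import json

# Placeholder accounts: D owns the key, A and B host Lambda execution roles.
KEY_ACCOUNT = "111111111111"
LAMBDA_ROLE_A = "arn:aws:iam::222222222222:role/lambda-exec-role"
LAMBDA_ROLE_B = "arn:aws:iam::333333333333:role/lambda-exec-role"

# kms:Decrypt is the operation the error in the question is about; add any
# further actions the linked AWS troubleshooting doc lists for your case.
REQUIRED_ACTIONS = ("kms:Decrypt",)

# Constructed sample key policy in the shape of the question's "strategy":
# account D administers the key, role A is granted directly, and account B is
# granted only through its root principal.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminInKeyAccount", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowLambdaRoleA", "Effect": "Allow",
         "Principal": {"AWS": [LAMBDA_ROLE_A]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
        {"Sid": "AllowAccountBRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, role_arn):
    """Return (matches, via_root).

    matches  - the statement applies to role_arn
    via_root - it applies only because the role's account root is named,
               which delegates the final decision to the role's own IAM policy
    """
    if principal == "*":
        return True, False
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    if "*" in aws or role_arn in aws:
        return True, False
    account = role_arn.split(":")[4]
    if f"arn:aws:iam::{account}:root" in aws or account in aws:
        return True, True
    return False, False


def evaluate_key_policy(policy, role_arn, required=REQUIRED_ACTIONS):
    """Report which required actions the key policy does not grant to role_arn.

    Returns {"missing": [...], "only_via_root": [...]}. An explicit Deny that
    matches wins over any Allow, as in IAM. Condition blocks, NotAction and
    NotPrincipal are not modelled, so a runtime denial is still possible.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    direct, via_root, denied = set(), set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        matches, root = _principal_matches(stmt.get("Principal", {}), role_arn)
        if not matches:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hit = {a for a in required
               if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Deny":
            denied |= hit
        elif stmt.get("Effect") == "Allow":
            (via_root if root else direct).update(hit)
    granted = (direct | via_root) - denied
    return {
        "missing": sorted(set(required) - granted),
        "only_via_root": sorted((via_root - direct) - denied),
    }


if __name__ == "__main__":
    for role in (LAMBDA_ROLE_A, LAMBDA_ROLE_B,
                 "arn:aws:iam::444444444444:role/lambda-exec-role"):
        print(role, evaluate_key_policy(SAMPLE_KEY_POLICY, role))
```

Run it against the real key policy (for example the output of `aws kms get-key-policy --policy-name default`) and each Lambda execution role ARN: a role that comes back with `missing` empty but `only_via_root` non-empty is the case where the key policy alone is not enough and the role's identity policy in its own account has to carry the same actions.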

Related

Can't copy AWS RDS DB snapshot because of key not existing or no access? (Administrator account)

I have administrator access to my AWS account and I'm trying to copy a DB snapshot that has encryption on it. I'm specifying the key ID but it's still giving me the following error:
/opt/homebrew/lib/ruby/gems/3.0.0/gems/aws-sdk-core-3.124.0/lib/seahorse/client/plugins/raise_response_errors.rb:17:in
`call': The target KMS key [<my_key_id>] does not exist, is not
enabled or you do not have permissions to access it.
(Aws::RDS::Errors::KMSKeyNotAccessibleFault)
The only thing that has changed from the time it worked to the time it no longer works is me enabling encryption on the database, so now its snapshots are encrypted. As a result, I've added the kms_key_id parameter to my copy_db_snapshot method.
Here's how I'm doing this with the aws-sdk-rds gem:
require 'aws-sdk-rds'

# client is an Aws::RDS::Client; the other arguments are set earlier
client.copy_db_snapshot({
  source_db_snapshot_identifier: source_db_arn,
  target_db_snapshot_identifier: target_db_snapshot_identifier,
  source_region: source_db_region,
  kms_key_id: '<my_key_id>'
})
I don't quite fully understand this error message. The key definitely exists (I've tried just the key ID and the full ARN), and I definitely have permission. I'm using a key generated by AWS so not sure if this helps.
https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/RDS/Client.html#copy_db_snapshot-instance_method
If you copy an encrypted snapshot to a different Amazon Web Services Region, then you must specify an Amazon Web Services KMS key identifier for the destination Amazon Web Services Region. KMS keys are specific to the Amazon Web Services Region that they are created in, and you can't use KMS keys from one Amazon Web Services Region in another Amazon Web Services Region.
You need to specify the KMS key id of a KMS key in the destination region. This is because the kms_key_id parameter is actually supposed to be the ID of the KMS Key used to encrypt the new snapshot copy, not your original snapshot.
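A small pre-flight check for the point made in this answer, as an added example that is not code from the original post or from the aws-sdk-rds gem: before calling copy_db_snapshot, confirm that the KMS key identifier you are about to pass is region-qualified for the destination region. The ARNs, key ids and region names are constructed samples, and a bare key id (no ARN) is not region-qualified, so it is resolved in whatever region the request is made in.

```python
"""Check that the KMS key handed to copy_db_snapshot lives in the destination
region. Added example, not code from the original post or the aws-sdk-rds gem;
all identifiers below are constructed samples."""

SOURCE_REGION = "us-east-1"
DEST_REGION = "eu-west-1"
# Constructed key identifiers: one key per region, plus a bare key id.
KEY_IN_DEST = "arn:aws:kms:eu-west-1:111111111111:key/00000000-0000-0000-0000-000000000001"
KEY_IN_SOURCE = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000002"
BARE_KEY_ID = "00000000-0000-0000-0000-000000000002"


def arn_region(identifier):
    """Region component of a KMS ARN, or None for a bare key id or alias name."""
    parts = identifier.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[3]
    return None


def check_copy_key(kms_key_id, destination_region):
    """Return (ok, reason) for using kms_key_id as the copy's KMS key.

    A bare key id is not region-qualified: KMS resolves it in the region the
    request is made in, so the caller must make that the destination region.
    """
    region = arn_region(kms_key_id)
    if region is None:
        return True, (f"bare key id; it will be resolved in the region the request "
                      f"is made in, which must be {destination_region}")
    if region != destination_region:
        return False, (f"key is in {region} but the copy is created in "
                       f"{destination_region}; use a key from {destination_region}")
    return True, "key region matches the destination region"


if __name__ == "__main__":
    for key in (KEY_IN_DEST, KEY_IN_SOURCE, BARE_KEY_ID):
        print(key, check_copy_key(key, DEST_REGION))
```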

What permissions does my Lambda function need to retrieve secrets from AWS Secrets Manager?

What permissions does my Lambda function need to be able to retrieve secrets from AWS Secrets Manager and also change them?
You need the secretsmanager:GetSecretValue policy to retrieve secrets and the secretsmanager:UpdateSecret policy to update secrets.
Note that if you are using a customer-managed AWS KMS key for encryption you will also need some KMS permissions:
kms:Decrypt for retrieving the secret.
kms:Decrypt and kms:GenerateDataKey for updating the secret.
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/get-secret-value.html
https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html
If you are using the Lambda functions provided by AWS, then (as described in the docs) you will need: DescribeSecret, GetSecretValue, PutSecretValue, UpdateSecretVersionStage and GetRandomPassword. If you are using a Custom KMS Key (CMK) you will also need Decrypt and GenerateDataKey permissions for that CMK (both in the Lambda policy and in the KMS key policy).
If you are seeing Task timed out errors, it is likely your Lambda can not access either the secrets manager endpoint (try using a VPC endpoint), or the Lambda can not connect to the DB (check security group settings).

Why is aws charging for kms when calling lambda?

With each Lambda invoke, either via the AWS API or API Gateway HTTP, KMS usage is increasing, while I haven't added any key management with KMS. Is this an indirect cost by AWS on Lambda usage, or is there an option to disable KMS on Lambda invoke?
Each AWS account has a default KMS-managed key to encrypt/decrypt the data store and connections.
There should be a section asking you whether you want to encrypt/protect your data when you create Lambdas/EC2 instances/DBs; if you click yes, then the default key will be used.
That's how you get charged. You can ask their customer service, and they may refund the unnecessary calls.

EC2 upload failed to S3

I am trying to upload a file from an EC2 instance to S3 bucket and get this error:
[ec2-user@zzzzzzz parsers]$ aws s3 cp file.txt s3://bucket/output/file.txt
upload failed: ./file.txt to s3://bucket/output/file.txt A client error (InvalidAccessKeyId) occurred when calling the PutObject operation: The AWS Access Key Id you provided does not exist in our records.
I have already configured the AWS config file in EC2 as follows:
[ec2-user@zzzzz parsers]$ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************NTr6      config-file
secret_key     ****************AFJQ      config-file
    region                us-west-2      config-file    ~/.aws/config
What else should I do to make this work?
InvalidAccessKeyId indicates that the Access Key and Secret Key are not valid.
Access Keys (and their corresponding Secret Keys) can be associated with either:
Master (or root) credentials, or
An Identity and Access Management (IAM) user
It is recommended that Master credentials not be used on a daily basis. (See IAM Best Practices.)
If your credentials are associated with an IAM user, you can generate a new set of credentials:
Go to Identity and Access Management (IAM)
Select the User
Manage Access Keys
Create Access Key
A new Access Key and Secret Key will be displayed. Try using them in CLI configuration.
Up to two sets of Access Keys can be associated with a User at any time.
It's recommended to use IAM roles instead of IAM access keys for EC2 instances. By simply creating an IAM role to access S3 and linking it to your EC2 instance, you can list, download and upload files from and to your S3 bucket(s) based on the role's policy.
It's more secure and you don't have to configure your aws credentials.

Amazon EC2: what is key and secret fields for PHP SDK config.inc.php?

I know the Amazon EC2 public key, key-pair name and the SSH authorized_keys in the .ssh directory.
During PHP SDK configuration, I have to fill in config.inc.php with the key and secret fields.
I am unable to relate the public key, key-pair name and SSH authorized_keys to the key and secret fields.
Where will I get these values?
// Amazon Web Services Key. Found in the AWS Security Credentials. You can also pass
// this value as the first parameter to a service constructor.
'key' => 'development-key',
// Amazon Web Services Secret Key. Found in the AWS Security Credentials. You can also
// pass this value as the second parameter to a service constructor.
'secret' => 'development-secret',
The API credentials are completely unrelated to SSH keys. Your API key info can be found on the security credentials page (follow the My Account link from the Amazon web console).
You can read about the various amazon credentials and their uses here