Hi, some time ago when I was using a Lambda function, I received a “KMS Access Denied Exception” error. This was strange because everything was working fine until I increased the permissions for the IAM role. You read that right, I gave more permissions and my Lambda couldn’t start. I thought, what’s going on? I did some digging and it turned out that Terraform had deleted my IAM role during the update and created it again.
The IAM role had the same name, but my Lambda function returned an error:
Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables because KMS access was denied. Please check the function's AWS KMS key settings. KMS Exception: UnrecognizedClientException KMS Message: The security token included in the request is invalid
To resolve the error, you must reset the AWS KMS grant for the function’s execution role. It sounds complicated, but all it takes is to assign a different IAM role for a moment. In the Lambda function, you can temporarily assign a different IAM role and save your changes, then re-add the IAM role that was there at the beginning and save your changes again. And that’s all.
In my case it helped. If you want to learn more, I have prepared a video tutorial in which I describe everything step by step and give 3 ways to fix this error.
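The same role swap can be scripted with the AWS CLI. This is an added example, not code from the original article or its video. It assumes the AWS CLI is configured and that the temporary role ARN you pass already exists and can be assumed by Lambda; the names `set_role` and `reset_kms_grant` are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example: swap a Lambda function's execution role away and back,
# as the article describes. The function name and the temporary role ARN
# are supplied by the caller (assumptions, not values from the article).

# Set the function's execution role and wait until the update has finished.
set_role() {
  aws lambda update-function-configuration \
    --function-name "$1" --role "$2" >/dev/null || return 1
  aws lambda wait function-updated --function-name "$1"
}

# Usage: reset_kms_grant <function-name> <temporary-role-arn>
# Prints the ARN of the role that was restored.
reset_kms_grant() {
  local fn="$1" temp_role="$2" original_role
  if [ -z "$fn" ] || [ -z "$temp_role" ]; then
    echo "usage: reset_kms_grant <function-name> <temporary-role-arn>" >&2
    return 2
  fi
  # Remember the role that is attached right now so it can be put back.
  original_role=$(aws lambda get-function-configuration \
    --function-name "$fn" --query Role --output text) || return 1
  # Swapping to the same role changes nothing, so refuse it.
  if [ "$original_role" = "$temp_role" ]; then
    echo "temporary role must differ from $original_role" >&2
    return 2
  fi
  set_role "$fn" "$temp_role" || return 1
  # Re-add the role that was there at the beginning.
  if ! set_role "$fn" "$original_role"; then
    echo "could not restore $original_role; $fn still uses $temp_role" >&2
    return 1
  fi
  echo "$original_role"
}

# Run directly: ./reset-kms-grant.sh <function-name> <temporary-role-arn>
if [ "$#" -eq 2 ]; then
  reset_kms_grant "$1" "$2"
fi
```

While the temporary role is attached, invocations run with that role's permissions, so choose one with no more access than the original.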