pbudzon/aws-maintenance

KMSKeyNotAccessibleFault

Closed this issue · 5 comments

After running the stack and executing a Lambda test I get the following: "errorMessage": "An error occurred (KMSKeyNotAccessibleFault) when calling the CopyDBSnapshot operation: The source snapshot KMS key does not exist, is not enabled or you do not have permissions to access it"

Is there something I need to add to the IAM role to get this working?

Hi @mickengland
Did you set the KMSKeyParameter parameter when creating the stack? The snapshot that's causing this - is it encrypted? Is it a key that belongs to the same AWS account, or is it shared from another account?
The role defined in the CloudFormation template should give Lambda all the permissions it needs.

Thanks for the quick response. Yes I set the KMSKeyParameter to the one in the Target region as specified in "Required/Optional: KMS Key in target region". The DB is encrypted and the key is in the same account but a different region. What is confusing in the error is it talks about the source snapshot key not being accessible, not the target.

Yes, this is likely caused by something to do with the source key, not target one, but I had to ask about the KMSKeyParameter, since RDS will freak out if you try to make an unencrypted copy of an encrypted snapshot, and the errors that AWS API throws are sometimes... misleading, to say the least :)

I suspect that the problem is either due to the fact that the source key is in a different region (and Lambda may need some extra permissions, maybe) or the IAM policy on that key has heavy restrictions.
If you try to make such copy of that snapshot manually, from the console, does it work ok?
To try that, go into RDS console -> Snapshots -> select the snapshot and choose Actions menu, and then Copy Snapshot. The important options are: Destination Region and Enable Encryption - make sure they match the Lambda settings.

Also: how did you manage to create a database encrypted with a key from another region? It's not an Aurora replica, is it?

No, sorry: the database is in the source region, and so is the key it is encrypted with. The key I put in the stack parameters is the target key, which is in a different region. Anyway, I think the problem is that the source key is tied down with heavy permissions. I am able to copy it with my own user, but I can not assign IAM permissions for the IAM role. Will discuss with colleagues. I have a script that can copy a snapshot to another region as my user in the meantime. Thanks. I will close this.

@mickengland You may need to add the Lambda's role to the KMS key policy as a "user" (to let it use it), if you have a restricted list of users who can use that key.
This is needed, because the copy operation has to change the encryption key (because the keys are region-specific) - so it has to decrypt the snapshot and re-encrypt with the new key (all that happens behind the scenes in AWS). But if the source key is very restricted, it may be preventing the decryption that's requested by the copy operation.

Feel free to reopen if you have more questions.
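Added example (editor's note; this is not code from pbudzon/aws-maintenance or from either participant above). It shows the two things the last reply calls for: adding the Lambda's execution role as a "key user" in the source key's KMS key policy, using the same two statements the AWS console generates for key users in the default key policy (the `kms:CreateGrant` statement is what lets RDS take the grant it needs to decrypt during the copy), and assembling the CopyDBSnapshot parameters so that `KmsKeyId` is verified to be a key in the target region, which is the source/target mix-up the thread turned on. The account ID, role name, key ARNs and snapshot identifiers are made-up placeholders, and the sample key policy is constructed for the example.

```python
"""Added example: grant a Lambda role use of a KMS key, and build a safe
cross-region CopyDBSnapshot call. All ARNs/IDs below are placeholders."""
import copy
import json

# Actions the AWS default key policy grants to "Key users".
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]
# Second default statement: lets AWS services (RDS here) create grants.
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]

# Constructed sample: a restricted source-key policy with no key users.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
# Hypothetical execution role of the maintenance Lambda.
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/aws-maintenance-lambda-role"


def add_key_users(policy: dict, principal_arns: list) -> dict:
    """Return a copy of `policy` with `principal_arns` added as key users.

    Existing statements are kept untouched; if the two key-user statements
    already exist (matched by Sid) the principals are merged into them, so
    calling this twice is harmless.
    """
    new_policy = copy.deepcopy(policy)
    statements = new_policy.setdefault("Statement", [])

    def merge(sid, actions, condition=None):
        for stmt in statements:
            if stmt.get("Sid") == sid:
                principal = stmt.setdefault("Principal", {})
                existing = principal.get("AWS", [])
                if isinstance(existing, str):
                    existing = [existing]
                principal["AWS"] = sorted(set(existing) | set(principal_arns))
                return
        stmt = {"Sid": sid, "Effect": "Allow",
                "Principal": {"AWS": sorted(principal_arns)},
                "Action": actions, "Resource": "*"}
        if condition:
            stmt["Condition"] = condition
        statements.append(stmt)

    merge("Allow use of the key", KEY_USER_ACTIONS)
    merge("Allow attachment of persistent resources", GRANT_ACTIONS,
          {"Bool": {"kms:GrantIsForAWSResource": "true"}})
    return new_policy


def region_of_key_arn(key_arn: str) -> str:
    """arn:aws:kms:REGION:ACCOUNT:key/ID -> REGION; raises on anything else."""
    parts = key_arn.split(":")
    if len(parts) < 6 or parts[2] != "kms":
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return parts[3]


def build_copy_params(source_snapshot_arn: str, target_snapshot_id: str,
                      source_region: str, target_region: str,
                      target_kms_key_arn: str) -> dict:
    """Build kwargs for rds.copy_db_snapshot() on a client in the TARGET region.

    KMS keys are region-specific, so KmsKeyId must live in the target region;
    the source key is only used (via RDS's grant) to decrypt the original.
    boto3 generates the required PreSignedUrl itself when SourceRegion is set.
    """
    key_region = region_of_key_arn(target_kms_key_arn)
    if key_region != target_region:
        raise ValueError(f"KmsKeyId is in {key_region} but the copy lands in "
                         f"{target_region}; pass a key from the target region")
    return {
        "SourceDBSnapshotIdentifier": source_snapshot_arn,  # ARN for cross-region
        "TargetDBSnapshotIdentifier": target_snapshot_id,
        "SourceRegion": source_region,
        "KmsKeyId": target_kms_key_arn,
        "CopyTags": True,
    }


if __name__ == "__main__":
    print(json.dumps(add_key_users(SAMPLE_KEY_POLICY, [LAMBDA_ROLE_ARN]), indent=2))
    print(build_copy_params(
        "arn:aws:rds:us-east-1:123456789012:snapshot:rds:mydb-2019-01-01",
        "mydb-copy", "us-east-1", "eu-west-1",
        "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"))
```

Apply the returned policy with `kms.put_key_policy(KeyId=..., PolicyName="default", Policy=json.dumps(policy))` from an identity that is allowed to edit the key policy; the Lambda role itself normally is not, which is why the reporter could copy the snapshot as an administrator but not grant the role. The `build_copy_params` check fails early with a clear message instead of letting RDS answer with the ambiguous KMSKeyNotAccessibleFault.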