
grantSendMessages of encrypted SQS to Lambda function not generating kms:Decrypt permission


General Issue

We deployed an SQS queue to Account-A that is encrypted with a CMK that resides in Account-B. Permissions of the CMK are set to allow kms:* to AccountPrincipal('Account-A'). Then we instantiate our Lambda function ourLambda, which is granted write permissions to ourQueue using ourQueue.grantSendMessages(ourLambda).

import { Key } from '@aws-cdk/aws-kms';
import { Queue, QueueEncryption } from '@aws-cdk/aws-sqs';
import { Function } from '@aws-cdk/aws-lambda';

// The CMK lives in Account-B. Key.fromKeyArn takes (scope, id, keyArn);
// the construct id 'SqsKey' is a placeholder, the ARN is the one from the issue.
const sqsKey = Key.fromKeyArn(this, 'SqsKey', 'arn:aws:kms:eu-central-1:0987654321:key/ourKeyId');

// SSE-KMS queue using the cross-account CMK.
const ourQueue = new Queue(this, 'OurQueue', {
    encryption: QueueEncryption.KMS,
    encryptionMasterKey: sqsKey
});

const ourLambda = new Function(this, 'OurLambda', {...}); // function props elided in the original

// Grants sqs:SendMessage plus kms:Encrypt, kms:ReEncrypt* and kms:GenerateDataKey* on the key.
ourQueue.grantSendMessages(ourLambda);

This results in

"Action": [
    "kms:Encrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*"
],
"Resource": "arn:aws:kms:eu-central-1:0987654321:key/ourKeyId",
"Effect": "Allow"

being added to ourLambdaExecutionRoleDefaultPolicy.

The Lambda function execution failed with a KMS AccessDeniedException when sending a message to ourQueue.

After adding

sqsKey.grantDecrypt(ourLambda);

the Lambda function executes successfully.

The Question

Is kms:Decrypt strictly necessary to execute SendMessage to an SSE-enabled SQS queue? Is this due to the CMK residing in a separate AWS account? If so, should kms:Decrypt be added to the Lambda execution role policy when Queue.grantSendMessage(Lambda) is used?

Environment

  • CDK CLI Version: 1.27.0 (build a98c0b3)
  • Module Version: 1.27.0
  • OS: Windows 10
  • Language: TypeScript

Other information

Thanks for the good work!
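Added example, not code from the CDK project or the issue author: a small offline check that walks the execution role's policy statements and reports which KMS actions a producer still lacks on the queue's CMK. AWS documents that a producer on an SSE-KMS queue needs both kms:GenerateDataKey and kms:Decrypt, which is exactly what the statement generated by grantSendMessages above is missing; the sample statements are constructed from the issue, and the checker only inspects Allow statements on the identity policy (it ignores Deny statements, conditions and the key policy in Account-B, which must also allow the principal).

```typescript
// Minimal shape of an IAM policy statement as rendered in the issue.
interface Statement {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
}

// Actions a producer needs on the CMK to SendMessage to an SSE-KMS queue.
const REQUIRED_SEND_ACTIONS = ['kms:GenerateDataKey', 'kms:Decrypt'];

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// IAM glob match: '*' in the policy pattern matches any run of characters.
// Action names are case-insensitive in IAM; resource ARNs are not.
function globMatches(pattern: string, value: string, caseInsensitive: boolean): boolean {
  const body = pattern.split('*').map(escapeRegExp).join('.*');
  return new RegExp('^' + body + '$', caseInsensitive ? 'i' : '').test(value);
}

function actionMatches(pattern: string, action: string): boolean {
  return globMatches(pattern, action, true);
}

// Returns the required actions that no Allow statement grants on keyArn.
function missingSendActions(statements: Statement[], keyArn: string): string[] {
  const toList = (v: string | string[]) => (Array.isArray(v) ? v : [v]);
  return REQUIRED_SEND_ACTIONS.filter((needed) =>
    !statements.some((st) =>
      st.Effect === 'Allow' &&
      toList(st.Resource).some((r) => globMatches(r, keyArn, false)) &&
      toList(st.Action).some((a) => actionMatches(a, needed))));
}

// Constructed sample: the statement grantSendMessages produced in the issue.
const KEY_ARN = 'arn:aws:kms:eu-central-1:0987654321:key/ourKeyId';
const grantSendOnly: Statement[] = [{
  Effect: 'Allow',
  Action: ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'],
  Resource: KEY_ARN,
}];
// Constructed sample: what the sqsKey.grantDecrypt(ourLambda) workaround adds.
const withDecrypt: Statement[] = [...grantSendOnly, {
  Effect: 'Allow', Action: 'kms:Decrypt', Resource: KEY_ARN,
}];

console.log(missingSendActions(grantSendOnly, KEY_ARN)); // ['kms:Decrypt']
console.log(missingSendActions(withDecrypt, KEY_ARN));   // []
```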

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 7 (3 by maintainers)

Top GitHub Comments

4 reactions
csbszb commented, Sep 3, 2020

I have the same issue when I create a FIFO queue with an EventBus target and set the following encryption value: encryption: sqs.QueueEncryption.KMS_MANAGED

I followed the instruction in this article but this also didn’t fix the problem.

When I change the encryption back to unencrypted, the messages are delivered to the queue.

1 reaction
ishassan commented, Apr 22, 2020

In my case, everything is in the same account, yet a decrypt permission is still required to send messages.
