fix: allow terminate Lambda to access kms key #1253

kayman-mk · 2025-02-27T08:31:54Z

Description

Just noticed that the termination Lambdas do no longer start. Error message is

Calling the invoke API action failed with this message: Lambda was unable to decrypt the environment variables
because KMS access was denied. Please check the function's KMS key settings. KMS Exception:
AccessDeniedExceptionKMS Message: User: <arn here> is not authorized to perform: kms:Decrypt on resource:
<arn here> because no identity-based policy allows the kms:Decrypt action (Service: Kms, Status Code: 400,
Request ID: <request id here>)

This PR adds the kms:Decrypt action to the Lambda role allowing the Lambda function to decode the environment variables.

github-actions · 2025-02-27T08:32:05Z

Hey @kayman-mk! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

the problem being solved
the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will published under this LICENSE.

The following ChatOps commands are supported:

/help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

github-actions · 2025-02-27T08:35:00Z

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ COPYPASTE	jscpd	yes		no	1.45s
✅ REPOSITORY	checkov	yes		no	18.01s
✅ REPOSITORY	dustilock	yes		no	0.37s
✅ REPOSITORY	gitleaks	yes		no	0.99s
✅ REPOSITORY	git_diff	yes		no	0.01s
✅ REPOSITORY	grype	yes		no	8.92s
✅ REPOSITORY	secretlint	yes		no	0.67s
✅ REPOSITORY	syft	yes		no	1.18s
✅ REPOSITORY	trivy-sbom	yes		no	0.07s
✅ REPOSITORY	trufflehog	yes		no	2.94s
✅ SPELL	cspell	2		0	2.07s
✅ TERRAFORM	terraform-fmt	1	0	0	0.04s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

🤖 I have created a release *beep* *boop* --- ## [9.1.0](9.0.2...9.1.0) (2025-02-27) ### Features * allow instrumentation of Termination lambda ([#1255](#1255)) ([55af1d1](55af1d1)) ### Bug Fixes * allow terminate Lambda to access kms key ([#1253](#1253)) ([48c5a37](48c5a37)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: cattle-ops-releaser-2[bot] <134548870+cattle-ops-releaser-2[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

allow kms key access

14e4273

kayman-mk requested a review from npalm as a code owner February 27, 2025 08:31

kayman-mk merged commit 48c5a37 into main Feb 27, 2025
21 checks passed

kayman-mk deleted the kayma/fix-lambda-kms branch February 27, 2025 08:35

cattle-ops-releaser-2 bot mentioned this pull request Feb 27, 2025

chore(main): release 9.1.0 #1254

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: allow terminate Lambda to access kms key #1253

fix: allow terminate Lambda to access kms key #1253

kayman-mk commented Feb 27, 2025 •

edited

Loading

github-actions bot commented Feb 27, 2025

github-actions bot commented Feb 27, 2025

fix: allow terminate Lambda to access kms key #1253

fix: allow terminate Lambda to access kms key #1253

Conversation

kayman-mk commented Feb 27, 2025 • edited Loading

Description

github-actions bot commented Feb 27, 2025

github-actions bot commented Feb 27, 2025

🦙 MegaLinter status: ✅ SUCCESS

kayman-mk commented Feb 27, 2025 •

edited

Loading