Replies: 2 comments
-
Hi, can you share a minimized quoted code snippet for reproduction? You can quote your code snippets with "```" to quote your code for better reading.
-
As this seems to be a general guidance request, I am converting it to a discussion for now.
-
Describe the bug
Hello,
I've been blocked on this error message for a few days. Thanks for any support or guidelines to resolve it.
CheckupSNS producer error: KMSAccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 11e6d3bc-dcab-4eb7-906f-290af35a4f1d; Proxy: null)
Lambda can't encrypt SNS message.
Expected Behavior
Lambda can access KMS key to encrypt SNS message
Current Behavior
KMSAccessDeniedException error message
Reproduction Steps
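```ts
import { Key } from 'aws-cdk-lib/aws-kms';
import { Runtime } from 'aws-cdk-lib/aws-lambda';
import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';

// Lambda that publishes to SNS (scope, id and config come from the enclosing construct)
const checkupSNSHandler = new NodejsFunction(scope, id, {
  memorySize: config.stage === 'production' ? 1024 : 512,
  runtime: Runtime.NODEJS_18_X,
  bundling: {
    sourceMap: true,
    sourcesContent: false,
  },
  environment: {
    NODE_OPTIONS: '--enable-source-maps',
    RELEASE: config.release,
    STACK: config.subDomainName,
  },
});

// Customer managed KMS key intended for SNS topic encryption
const checkupSNSKey = new Key(this, 'checkupKey', {
  enableKeyRotation: true,
  description: 'KMS key for encrypting the objects in SNS Topic',
});

// grantEncrypt adds kms:Encrypt, kms:ReEncrypt* and kms:GenerateDataKey* to the Lambda's role
checkupSNSKey.grantEncrypt(checkupSNSHandler);
```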
Code in checkupSNSHandler:
```ts
import type { PublishCommandInput } from '@aws-sdk/client-sns';
import { SNSClient } from '@aws-sdk/client-sns';
import type { APIGatewayEvent, APIGatewayProxyResult } from 'aws-lambda';
import { handleLambdaEvent, PublishCommand } from '@seyna/identity';

const client = new SNSClient({});

type TopicList = Record<string, string>;

// Map of topic name to topic ARN, passed in as JSON through the environment
let topicList: TopicList = {};
try {
  topicList = JSON.parse(process.env.TOPICS_ARN as string);
} catch (e) {
  throw new Error(`CheckupSNS topic list issue: ${e}`);
}

type SNSTopic = {
  topicName: string;
  PublishCommandInput: PublishCommandInput;
};

export const handler = handleLambdaEvent(
  async (event: APIGatewayEvent): Promise<APIGatewayProxyResult> => {
    try {
      // A missing body yields null, so guard the property access below
      const eventMsg: SNSTopic | null = event.body ? JSON.parse(event.body) : null;
      if (eventMsg?.topicName) {
        const topicARN =
          topicList[eventMsg.topicName as keyof typeof topicList];
        eventMsg.PublishCommandInput.TargetArn = topicARN;
        eventMsg.PublishCommandInput.Message = JSON.stringify(
          eventMsg.PublishCommandInput.Message,
        );
        const command = new PublishCommand(eventMsg.PublishCommandInput);
        await client.send(command);
      } else {
        throw new Error(
          `CheckupSNS event type issue: ${JSON.stringify(event)}`,
        );
      }
    } catch (e) {
      throw new Error(`CheckupSNS producer error: ${e}`);
    }
    return {
      statusCode: 200,
      body: JSON.stringify({
        message: 'fire&forget',
      }),
    };
  },
);
```
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.61.1
Framework Version
No response
Node.js Version
18
OS
lambda
Language
TypeScript
Language Version
No response
Other information
No response
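
One way to check the grant in the report, as an added example that is not code from the original post or from the CDK project: it compares the actions `grantEncrypt` adds with the `kms:GenerateDataKey*` and `kms:Decrypt` permissions that AWS documents as required for a principal publishing to an SSE-enabled SNS topic. It assumes `checkupSNSKey` is the topic's encryption key (the snippet does not show the topic); `KEY_ARN`, the sample policies and all helper names are constructed.

```typescript
// Added example (constructed data): does an identity policy cover the KMS
// actions an SNS publisher needs on the topic's key?
type Statement = { Effect: 'Allow' | 'Deny'; Action: string[]; Resource: string[] };

// What SNS requires of a principal publishing to an SSE-enabled topic.
const SNS_PUBLISHER_KMS_ACTIONS: string[] = ['kms:GenerateDataKey', 'kms:Decrypt'];

// What CDK's Key.grantEncrypt() / Key.grantDecrypt() put in the role policy.
const GRANT_ENCRYPT: string[] = ['kms:Encrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*'];
const GRANT_DECRYPT: string[] = ['kms:Decrypt'];

// IAM wildcards: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${body}$`, ignoreCase ? 'i' : '').test(value);
}

// True when the statement names both the action and the key.
function covers(s: Statement, action: string, keyArn: string): boolean {
  return (
    s.Action.some((a) => wildcardMatch(a, action, true)) &&
    s.Resource.some((r) => wildcardMatch(r, keyArn, false))
  );
}

// Returns the required actions that are not allowed (an explicit Deny wins).
function missingKmsActions(policy: Statement[], keyArn: string): string[] {
  return SNS_PUBLISHER_KMS_ACTIONS.filter((action) => {
    const denied = policy.some((s) => s.Effect === 'Deny' && covers(s, action, keyArn));
    const allowed = policy.some((s) => s.Effect === 'Allow' && covers(s, action, keyArn));
    return denied || !allowed;
  });
}

// Constructed placeholder ARN, not taken from the issue.
const KEY_ARN = 'arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID';
const roleAfterGrantEncrypt: Statement[] = [
  { Effect: 'Allow', Action: GRANT_ENCRYPT, Resource: [KEY_ARN] },
];
const roleAfterBothGrants: Statement[] = [
  ...roleAfterGrantEncrypt,
  { Effect: 'Allow', Action: GRANT_DECRYPT, Resource: [KEY_ARN] },
];

console.log(missingKmsActions(roleAfterGrantEncrypt, KEY_ARN));
console.log(missingKmsActions(roleAfterBothGrants, KEY_ARN));
```

In CDK, `grantEncryptDecrypt` adds both action sets in one call; the key policy and the region of the key still have to match the topic for the publish to succeed.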