Publish from lambda function in KMS encrypted SNS

Question

I am trying to publish from a Python 3.8 Lambda function into a KMS encrypted SNS topic. The code of my lambda is:

import os
import boto3

sns = boto3.client('sns')


def handler(event, context):
    message = 'Hello world'

    response = sns.publish(
        TopicArn='<My topic ARN>',
        Message=message,
    )

If the SNS is not encrypted the code works perfectly...

... but when I encrypt the SNS topic through the following option:

I get the following error when the lambda is executed:

{ "errorMessage": "An error occurred (KMSNotFound) when calling the Publish operation: Invalid keyId aws/sns (Service: AWSKMS; Status Code: 400; Error Code: NotFoundException; Request ID: d81234100-9cb4-4af2-0032-c4a568a955f4)", "errorType": "KMSNotFoundException", "stackTrace": [ " File \"/var/task/lambda.py\", line 10, in handler\n boto3.client('sns').publish(\n", " File \"/var/runtime/botocore/client.py\", line 316, in _api_call\n return self._make_api_call(operation_name, kwargs)\n", " File \"/var/runtime/botocore/client.py\", line 626, in _make_api_call\n raise error_class(parsed_response, operation_name)\n" ] }

What I am missing in my code?

Arcones Arcones · Accepted Answer · 2020-04-12T12:08:54

AWS support kindly pointed my out that I was missing KMS permissions in my lambda execution role.

Lambda function execution role must have the following to be able to publish in the SNS encrypted topic:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "<the-key-with-which-the-topic-is-encrypted>"
  }
}

Publish from lambda function in KMS encrypted SNS

1 Answers