AWS Kinesis Access to the KMS key used for encryption is denied.

The IAM role lacks the necessary permissions to access the KMS key.

Understanding AWS Kinesis

AWS Kinesis is a platform on AWS to collect, process, and analyze real-time, streaming data. It allows developers to build applications that can continuously ingest and process large streams of data records in real time. Kinesis is commonly used for real-time analytics, log and event data collection, and more.

Identifying the Symptom

When working with AWS Kinesis, you might encounter the KMSAccessDeniedException. This error typically manifests when your application attempts to access a Kinesis stream that is encrypted with a KMS key, but lacks the necessary permissions.

Common Error Message

The error message might look like this:

KMSAccessDeniedException: User: arn:aws:iam::123456789012:user/ExampleUser is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/abcd1234-a123-456a-a12b-a123b4cd56ef

Understanding the Issue

The KMSAccessDeniedException indicates that the IAM role or user trying to access the Kinesis stream does not have the required permissions to use the KMS key for decryption. This is crucial because Kinesis streams can be configured to encrypt data at rest using AWS KMS keys, ensuring data security.

Root Cause

The root cause of this issue is typically insufficient permissions in the IAM policy attached to the user or role accessing the Kinesis stream. Without the correct permissions, AWS KMS will deny access to the key, resulting in the exception.

Steps to Fix the Issue

To resolve the KMSAccessDeniedException, follow these steps:

Step 1: Verify IAM Permissions

Ensure that the IAM role or user has the necessary permissions to access the KMS key. You need to add permissions for the kms:Decrypt action. Here is an example policy snippet:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-a123-456a-a12b-a123b4cd56ef"
}
]
}

Step 2: Update the IAM Policy

Attach the updated policy to the IAM role or user that is accessing the Kinesis stream. You can do this via the AWS Management Console or using the AWS CLI:

aws iam put-role-policy --role-name ExampleRole --policy-name KMSAccessPolicy --policy-document file://policy.json

Step 3: Test the Configuration

After updating the permissions, test the configuration by attempting to access the Kinesis stream again. If the permissions are correctly set, the error should no longer occur.

Additional Resources

For more information on AWS KMS and IAM policies, consider visiting the following resources:

Never debug

AWS Kinesis

manually again

Let Dr. Droid create custom investigation plans for your infrastructure.

Book Demo
Automate Debugging for
AWS Kinesis
See how Dr. Droid creates investigation plans for your infrastructure.
Book Demo

MORE ISSUES

AWS Kinesis RequestLimitExceeded
The request limit for the service has been exceeded.
AWS Kinesis MissingParameter error encountered when making a request to AWS Kinesis.
A required parameter is missing from the request.
AWS Kinesis Access to the KMS key used for encryption is denied.
The IAM role lacks the necessary permissions to access the KMS key.
AWS Kinesis OptInRequired error when accessing AWS Kinesis.
The AWS account is not opted in to use the requested service.
AWS Kinesis MissingParameter error when making a request to AWS Kinesis.
A required parameter is missing from the request.
AWS Kinesis MissingAuthenticationToken
The request is missing an authentication token.
AWS Kinesis MissingAction error encountered when making a request to AWS Kinesis.
The request is missing an action parameter, which is required to specify the operation to perform.
AWS Kinesis InvalidParameterValue error encountered when making a request to AWS Kinesis.
A parameter value in the request is invalid.
AWS Kinesis InvalidAction error when using AWS Kinesis.
The requested action is not valid for the service.
AWS Kinesis InvalidClientTokenId error encountered when using AWS Kinesis.
The provided AWS access key ID does not exist.
AWS Kinesis RequestLimitExceeded error when using AWS Kinesis.
The request limit for the service has been exceeded.
AWS Kinesis OptInRequired error encountered when attempting to use AWS Kinesis.
The AWS account is not opted in to use the requested service.
AWS Kinesis MissingAuthenticationToken
The request is missing an authentication token.
AWS Kinesis MissingAction error encountered when making a request to AWS Kinesis.
The request is missing an action parameter.
AWS Kinesis InvalidParameterValue error encountered when making a request to AWS Kinesis.
A parameter value in the request is invalid.
AWS Kinesis InvalidClientTokenId error encountered when using AWS Kinesis.
The provided AWS access key ID does not exist.
AWS Kinesis RequestLimitExceeded error when using AWS Kinesis
The request limit for the service has been exceeded.
AWS Kinesis OptInRequired error encountered when using AWS Kinesis.
The AWS account is not opted in to use the requested service.
AWS Kinesis InvalidAction error when using AWS Kinesis.
The requested action is not valid for the service.
AWS Kinesis MissingParameter error encountered when making a request to AWS Kinesis.
A required parameter is missing from the request.
AWS Kinesis MissingAuthenticationToken
The request is missing an authentication token.
AWS Kinesis MissingAction error encountered when making a request to AWS Kinesis.
The request is missing an action parameter.
AWS Kinesis InvalidParameterValue error encountered when making a request to AWS Kinesis.
A parameter value in the request is invalid.
AWS Kinesis InvalidClientTokenId error encountered when accessing AWS Kinesis.
The provided AWS access key ID does not exist.
AWS Kinesis RequestLimitExceeded
The request limit for the service has been exceeded.
AWS Kinesis InvalidAction error encountered when using AWS Kinesis.
The requested action is not valid for the service.
AWS Kinesis MissingParameter error when making a request to AWS Kinesis.
A required parameter is missing from the request.
AWS Kinesis OptInRequired error when attempting to use AWS Kinesis.
The AWS account is not opted in to use the requested service.
AWS Kinesis MissingAuthenticationTokenException
The request is missing an authentication token.
AWS Kinesis MalformedQueryString
The query string in the request is malformed.
AWS Kinesis InvalidQueryParameter error encountered when making a request to AWS Kinesis.
A query parameter in the request is invalid.
AWS Kinesis InvalidParameterCombination error encountered when making a request to AWS Kinesis.
The parameters provided in the request are not valid together.
AWS Kinesis SlowDown error encountered when making requests to AWS Kinesis.
The request rate is too high.
AWS Kinesis RequestExpired error encountered when making requests to AWS Kinesis.
The request timestamp is too old, possibly due to unsynchronized system clock.
AWS Kinesis InvalidClientTokenId error encountered when attempting to access AWS Kinesis.
The provided AWS access key ID does not exist.
AWS Kinesis The request signature is incomplete.
The signing process is incorrect or missing required headers.
AWS Kinesis InvalidSignatureException
The request signature is incorrect.
AWS Kinesis ThrottlingException encountered when making requests to AWS Kinesis.
The request was throttled due to exceeding the allowed request rate.
AWS Kinesis AccessDeniedException encountered when attempting to perform an operation on AWS Kinesis.
The user does not have permission to perform the requested operation.
AWS Kinesis ServiceUnavailable error when using AWS Kinesis.
The Kinesis service is temporarily unavailable.
AWS Kinesis KMSInvalidStateException
The KMS key is in an invalid state for the requested operation.
AWS Kinesis LimitExceededException
The request exceeds the service limits.
AWS Kinesis InternalFailure error encountered when using AWS Kinesis.
An internal error occurred within the Kinesis service.
AWS Kinesis KMSOptInRequired error encountered when using AWS Kinesis.
The AWS account is not opted in to use the KMS service.
AWS Kinesis KMSNotFoundException
The specified KMS key does not exist.
AWS Kinesis InvalidArgumentException encountered when making an API call to AWS Kinesis.
An invalid parameter was provided in the request.
AWS Kinesis KMSThrottlingException
The request was throttled by AWS KMS.
AWS Kinesis KMSDisabledException
The KMS key used for encryption is disabled.
AWS Kinesis ResourceNotFoundException
The specified stream does not exist.
AWS Kinesis ExpiredIteratorException
The shard iterator has expired.
AWS Kinesis ProvisionedThroughputExceededException
The requested throughput exceeds the shard limit for the stream.

Backed by

Platform

AI OpsAlert Grouping & De-DuplicationPlayBooksKubernetes Bot

Resources

DocumentationFun For DevsBlog

Contact

Contact UsAbout UsCareersTerms and ConditionsPrivacy PolicyShipping & and Delivery PolicyCancellation & Refund Policy

Connect

Slack CommunityGithubLinkedInX (Twitter)
Made with ❤️ in Bangalore & San Francisco 🏢

Doctor Droid