Terraform-provider-aws: Lambda was unable to configure access to your environment variables because the KMS key is invalid for CreateGrant

Created on 23 May 2018  ·  7 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.11.7
+ provider.aws v1.17.0

Affected Resource(s)

  • aws_lambda_function

Expected Behavior

Creating a Lambda that uses a role should work.

Actual Behavior

Instead we are getting the following error sometimes:

Error creating Lambda function: InvalidParameterValueException: Lambda was unable to configure access to your environment 
variables because the KMS key is invalid for CreateGrant. Please check your KMS key settings. KMS Exception: InvalidArnException 
KMS Message: ARN does not refer to a valid principal:
arn:aws:sts::[account #]:assumed-role/[build]_[build try #]_[role name]/[build]_[build try #]_[lambda name]

Steps to Reproduce

  1. terraform apply
  2. Luck and a lot of lambdas

Important Factoids

It is most likely because of this section of code: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_lambda_function.go#L367

It appears to be treating the error as a NonRetryableError which does not seem to line up with what actually happens.

Trying to rerun the Terraform eventually works, even though everything is recreated each time.

Labels: bug, service/lambda
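The retry classification the report above argues for, as an added Go example (not the provider's code and not the fix that was later merged): only the exact CreateGrant / invalid-principal signature quoted in the error is retried, and only until a deadline, so a genuinely wrong KMS key or role still fails on the first attempt. `apiError`, `isIAMPropagationError`, `createWithRetry` and `sampleMsg` are hypothetical names, and the sample message is constructed from the error text in the issue with a placeholder ARN.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// apiError is a constructed stand-in for an AWS API error (code plus message).
type apiError struct{ Code, Message string }

func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// sampleMsg is constructed from the error quoted in the issue; the ARN is a placeholder.
const sampleMsg = "KMS key is invalid for CreateGrant. KMS Exception: InvalidArnException KMS Message: ARN does not refer to a valid principal: arn:aws:sts::111122223333:assumed-role/example-role/example-fn"

// isIAMPropagationError matches only the failure in this issue: CreateGrant
// rejecting a principal that is not yet visible. Everything else is permanent.
func isIAMPropagationError(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.Code == "InvalidParameterValueException" &&
		strings.Contains(ae.Message, "KMS key is invalid for CreateGrant") &&
		strings.Contains(ae.Message, "ARN does not refer to a valid principal")
}

// createWithRetry calls create until it succeeds, returns a permanent error,
// or the next attempt would start after the deadline. It returns the attempt count.
func createWithRetry(create func() error, timeout, interval time.Duration) (int, error) {
	deadline := time.Now().Add(timeout)
	for attempt := 1; ; attempt++ {
		err := create()
		if err == nil || !isIAMPropagationError(err) {
			return attempt, err
		}
		if time.Now().Add(interval).After(deadline) {
			return attempt, fmt.Errorf("gave up after %d attempts: %w", attempt, err)
		}
		time.Sleep(interval)
	}
}

func main() {
	calls := 0 // constructed: the role becomes visible to KMS on the third call
	create := func() error {
		if calls++; calls < 3 {
			return &apiError{"InvalidParameterValueException", sampleMsg}
		}
		return nil
	}
	fmt.Println(createWithRetry(create, time.Second, 10*time.Millisecond))
}
```

Matching on both substrings keeps other `InvalidParameterValueException` causes out of the retry path, which matters because retrying those would only delay a real misconfiguration report.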

All 7 comments

The problem is also reproduced on provider "aws" (1.23.0)

Just had the same issue.

Hi!
Is there any information on when it is going to be fixed?

Thanks.

Just ran into this as well; when applying the plan again it does work, so it's probably a dependency/waiting/retrying issue. Can't really reproduce it though, so not sure how to make this report more specific.

A potential fix for this has been merged into master and will release with version 1.36.0 of the AWS provider, likely later today. (I say potential fix because as with many eventual consistency issues, they are hard to consistently reproduce. 😄 )

This has been released in version 1.36.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
