This is an important step where we grant greeter-service-executor-role , which is the IAM role that we created for the execution of the Greeter lambda function. This includes the permissions to use for KMS decryption
This allows the resource that assumes the greeter-service-executor-role role to access the cryptographic metadata to attempt to decrypt the masked key: