kafka-connect-storage-cloud
Error while using SSE-C on AWS
Version: 5.5.3
While configuring SSE-C I faced the following error: com.amazonaws.services.s3.model.AmazonS3Exception: Server Side Encryption with Customer provided key is incompatible with the encryption method specified.
After some investigation, it appears to reproduce the error described by mcsio in this post (5th message).
Here are some DEBUG logs I got:
Jan 26 17:55:04 db1 connect-standalone.sh[27930]: [2021-01-26 17:55:04,563] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption: AES256[\r][\n]" (org.apache.http.wire:73)
Jan 26 17:55:04 db1 connect-standalone.sh[27930]: [2021-01-26 17:55:04,563] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption-customer-algorithm: AES256[\r][\n]" (org.apache.http.wire:73)
Jan 26 17:55:04 db1 connect-standalone.sh[27930]: [2021-01-26 17:55:04,563] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption-customer-key: ****************=[\r][\n]" (org.apache.http.wire:73)
Jan 26 17:55:04 db1 connect-standalone.sh[27930]: [2021-01-26 17:55:04,563] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption-customer-key-MD5: x/F0oeLbYckXF8ksG+dksA==[\r][\n]" (org.apache.http.wire:73)
Followed by
Jan 26 17:55:04 db1 connect-standalone.sh[27930]: [2021-01-26 17:55:04,592] DEBUG http-outgoing-12 << "<Error><Code>InvalidArgument</Code><Message>Server Side Encryption with Customer provided key is incompatible with the encryption method specified</Message><ArgumentName>x-amz-server-side-encryption</ArgumentName><ArgumentValue>AES256</ArgumentValue><RequestId>505A846706B4FE0E</RequestId><HostId>Es+YRbHxnKS6L1jZ2S0k3g3+O79lNq1bPbIgk0totJQlt3mlWaFZgRq1xhaIBpd27b5FNPdke38=</HostId></Error>[\r][\n]" (org.apache.http.wire:73)
So I understand that x-amz-server-side-encryption and x-amz-server-side-encryption-customer-algorithm cannot be set together on AWS S3. I assume from https://github.com/confluentinc/kafka-connect-storage-cloud/pull/173#issuecomment-396417041 that Minio may have a different handling.
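A check for this header combination in captured wire logs, added here as an example (it is not part of the original report or the connector's code). It assumes the DEBUG output also contains each request line and the blank line that ends the headers; the function name and the sample log lines are constructed.

```python
import re

# One outgoing wire line: connection id, then the quoted payload without its CRLF marker.
WIRE = re.compile(
    r'DEBUG (http-outgoing-\d+) >> "(.*?)(?:\[\\r\])?(?:\[\\n\])?" \(org\.apache\.http\.wire')
REQUEST_LINE = re.compile(r'^[A-Z]+ \S+ HTTP/1\.[01]$')
SSE_HEADER = "x-amz-server-side-encryption"
SSE_C_PREFIX = "x-amz-server-side-encryption-customer-"

# Constructed sample: one request mixing both header families, one using SSE-C only.
SAMPLE_LOG = r'''
[t] DEBUG http-outgoing-12 >> "PUT /constructed/object-a HTTP/1.1[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption: AES256[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-12 >> "x-amz-server-side-encryption-customer-algorithm: AES256[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-12 >> "[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-13 >> "PUT /constructed/object-b HTTP/1.1[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-13 >> "x-amz-server-side-encryption-customer-algorithm: AES256[\r][\n]" (org.apache.http.wire:73)
[t] DEBUG http-outgoing-13 >> "[\r][\n]" (org.apache.http.wire:73)
'''

def find_sse_conflicts(log_text):
    """Return (connection, request line, SSE value) for every request that
    sends x-amz-server-side-encryption together with an SSE-C header."""
    open_reqs = {}   # connection id -> request currently being read
    conflicts = []

    def close(conn):
        req = open_reqs.pop(conn, None)
        if req is None:
            return
        headers = req["headers"]
        if SSE_HEADER in headers and any(k.startswith(SSE_C_PREFIX) for k in headers):
            conflicts.append((conn, req["line"], headers[SSE_HEADER]))

    for raw in log_text.splitlines():
        m = WIRE.search(raw)
        if not m:
            continue
        conn, payload = m.groups()
        if REQUEST_LINE.match(payload):          # a new request starts on this connection
            close(conn)
            open_reqs[conn] = {"line": payload, "headers": {}, "in_headers": True}
        elif conn in open_reqs and open_reqs[conn]["in_headers"]:
            if payload == "":                    # blank line: headers are over, body follows
                open_reqs[conn]["in_headers"] = False
            else:
                name, sep, value = payload.partition(": ")
                if sep:
                    open_reqs[conn]["headers"][name.lower()] = value
    for conn in list(open_reqs):
        close(conn)
    return conflicts
```
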
Any news regarding this? I am facing exactly the same problem.