
Unable to upload object with server side encryption set to CMK

Open MukeshSingh28 opened this issue 7 years ago • 3 comments

Hi, first of all, it is an amazing script, which came to my rescue for a quick deliverable. It would be great if we had the functionality to use a CMK for server-side encryption of the S3 bucket. Currently I get an error as below: `boto3.exceptions.S3UploadFailedError: Failed to upload /var/tmp/kmstool_temp/979cbe50-0148-4af6-9029-aa7d789c014e/temp_output to <s3-bucket name>/test.file.new.3: An error occurred (InvalidArgument) when calling the CreateMultipartUpload operation: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.`

MukeshSingh28 avatar Apr 10 '18 10:04 MukeshSingh28

Great to hear!

Good catch. I had never tried this. I'll work on reproducing and get an estimate of the time investment for a fix. Could you send me the exact kmstool command flags you were using and some info about how your bucket is set up? This would help me reproduce and fix faster. Please do as you did for your error here and scrub the bucket name or any account identifiers from whatever you post.

dejonghe avatar Apr 10 '18 13:04 dejonghe

I took a look into this. Is it that your bucket has a policy that requires SSE and you would like kmstool to be able to support S3 uploads with an SSE KMS/Customer Provided AES256 key?

dejonghe avatar Apr 13 '18 04:04 dejonghe

Hi @dejonghe, absolutely, you are right. I have set up a bucket policy to allow upload of encrypted objects only, using a KMS-provided key. Also, the default encryption set for the S3 bucket is AWS-KMS with the same key-id which I am using for encryption and upload.

Below is the bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::xyz-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedInflightOperations",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::xyz-bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

The arguments used are as below:

```shell
kmstool -e --file ~/Downloads/batman.csv --output s3://s3-bucket-name/test.1 --key_id <<key-id>>
```

MukeshSingh28 avatar Apr 16 '18 00:04 MukeshSingh28
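An added example (not part of this thread or of kmstool) that evaluates the two Deny statements of the policy posted above offline, so you can see why an upload without the SSE header is refused and what a corrected request needs to carry. The policy copy and request contexts are constructed here; `sse_kms_extra_args` builds the boto3 `ExtraArgs` a fixed upload would pass (the SigV4 requirement from the error is met with `botocore.config.Config(signature_version="s3v4")`).

```python
"""Offline check: which uploads does the thread's bucket policy deny?"""
import json

# Constructed copy of the policy posted in the thread (bucket name is a placeholder).
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::xyz-bucket-name/*",
  "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
 {"Sid": "DenyUnEncryptedInflightOperations", "Effect": "Deny", "Principal": "*",
  "Action": "s3:*", "Resource": "arn:aws:s3:::xyz-bucket-name/*",
  "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
""")

def _action_matches(pattern, action):
    # Only the two forms this policy uses: an exact action name or "service:*".
    return pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def _condition_holds(cond, ctx):
    # Only the two operators this policy uses. IAM treats a missing key as a match
    # for negated operators (StringNotEquals) and as a non-match for Bool.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals":
                if have == want:
                    return False
            elif op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True

def denied_by(policy, action, ctx):
    """Return the Sids of Deny statements that match the request context.
    Resource matching is skipped: both statements cover every object key."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Deny" and _action_matches(st["Action"], action)
            and _condition_holds(st["Condition"], ctx)]

# Request context of the failing run: HTTPS, but no SSE header on PutObject.
PLAIN_UPLOAD = {"aws:SecureTransport": "true"}
# Context a corrected upload would produce.
KMS_UPLOAD = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}

def sse_kms_extra_args(key_id):
    """ExtraArgs for boto3 upload_file; key_id is the caller's KMS key id (placeholder)."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": key_id}
```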