
Issue setting credentials provider and region with the new high level configuration

Open NathanEckert opened this issue 1 year ago • 2 comments

Problem:

Latest version 3.2.1 of the encryption client.

With the new high level configuration (see https://github.com/aws/amazon-s3-encryption-client-java/blob/main/src/examples/java/software/amazon/encryption/s3/examples/ClientConfigurationExample.java),

I was expecting to be able to create my client like this:

    return S3EncryptionClient.builder()
        .credentialsProvider(credentialsProvider)
        .region(region)
        .kmsKeyId(keyId)
        .enableLegacyUnauthenticatedModes(true)
        .enableLegacyWrappingAlgorithms(true)
        .build();

However, when reading a KMS-encrypted file, this does not work: software.amazon.encryption.s3.S3EncryptionClientException: Missing Authentication Token (Service: Kms, Status Code: 400, Request ID: ***************)

I tried the following variations:

    return S3EncryptionClient.builder()
        .credentialsProvider(credentialsProvider)
        .region(region)
        .kmsKeyId(keyId)
        .enableLegacyUnauthenticatedModes(true)
        .enableLegacyWrappingAlgorithms(true)
        .wrappedClient(S3Client.builder().credentialsProvider(credentialsProvider).region(region).build())
        .wrappedAsyncClient(S3AsyncClient.builder().credentialsProvider(credentialsProvider).region(region).build())
        .build();

This raised the same exception.

Finally, the one I got working is the one where I remove the high level provider:

    return S3EncryptionClient.builder()
        .region(region)
        .kmsKeyId(keyId)
        .enableLegacyUnauthenticatedModes(true)
        .enableLegacyWrappingAlgorithms(true)
        .wrappedClient(S3Client.builder().credentialsProvider(credentialsProvider).region(region).build())
        .wrappedAsyncClient(S3AsyncClient.builder().credentialsProvider(credentialsProvider).region(region).build())
        .build();

Also, I was surprised to see the following failing:

    return S3EncryptionClient.builder()
        .kmsKeyId(keyId)
        .enableLegacyUnauthenticatedModes(true)
        .enableLegacyWrappingAlgorithms(true)
        .wrappedClient(S3Client.builder().credentialsProvider(credentialsProvider).region(region).build())
        .wrappedAsyncClient(S3AsyncClient.builder().credentialsProvider(credentialsProvider).region(region).build())
        .build();

This time with a different error: software.amazon.awssdk.core.exception.SdkClientException: Unable to load region from any of the providers in the chain software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain

Shouldn't all of those work?

NathanEckert Aug 30 '24 15:08
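The only variant in the report that succeeds is the one where the wrapped S3 clients carry their own credentials provider and region, which suggests the high-level builder settings are not reaching every underlying SDK client (the failing call is the KMS one). The factory below is an added example, not code from the reporter or from the project; it threads the same credentials provider and region through every underlying client explicitly so that nothing falls back to the default provider chains. It assumes the builder accepts a pre-built KmsClient via a `kmsClient(...)` method, which is not shown on this page.

```java
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.s3.S3AsyncClient;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.encryption.s3.S3EncryptionClient;

public final class EncryptionClientFactory {

    private EncryptionClientFactory() {}

    /**
     * Builds an S3EncryptionClient whose S3, S3 async and KMS clients all use the
     * same explicit credentials provider and region. Configuring each client
     * directly avoids relying on the high-level builder to propagate them.
     */
    public static S3EncryptionClient create(AwsCredentialsProvider credentialsProvider,
                                            Region region,
                                            String kmsKeyId) {
        S3Client s3 = S3Client.builder()
            .credentialsProvider(credentialsProvider)
            .region(region)
            .build();
        S3AsyncClient s3Async = S3AsyncClient.builder()
            .credentialsProvider(credentialsProvider)
            .region(region)
            .build();
        // The KMS client is the one that raised "Missing Authentication Token" in
        // the report, so it gets explicit credentials and region as well.
        KmsClient kms = KmsClient.builder()
            .credentialsProvider(credentialsProvider)
            .region(region)
            .build();

        return S3EncryptionClient.builder()
            .region(region)
            .kmsKeyId(kmsKeyId)
            // Assumption: the builder exposes kmsClient(KmsClient); not shown on this page.
            .kmsClient(kms)
            .wrappedClient(s3)
            .wrappedAsyncClient(s3Async)
            // Legacy modes are only needed to read objects written by older clients;
            // leave them disabled once all objects use the current format.
            .enableLegacyUnauthenticatedModes(true)
            .enableLegacyWrappingAlgorithms(true)
            .build();
    }
}
```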