From 18635b8d0644a641334d0b8cec6b6e1da2c8217c Mon Sep 17 00:00:00 2001
From: Felipe Nakandakari <76239+fenak@users.noreply.github.com>
Date: Thu, 17 Aug 2023 15:51:40 +0000
Subject: [PATCH] Add X-Amz-Server-Side-Encryption-Context header to required
 signed headers allowlist  (#2228)

---
 .changelog/81f52efa843043448ea62016b7471af7.json | 8 ++++++++
 aws/signer/internal/v4/headers.go                | 1 +
 2 files changed, 9 insertions(+)
 create mode 100644 .changelog/81f52efa843043448ea62016b7471af7.json

diff --git a/.changelog/81f52efa843043448ea62016b7471af7.json b/.changelog/81f52efa843043448ea62016b7471af7.json
new file mode 100644
index 00000000000..e771a0966d9
--- /dev/null
+++ b/.changelog/81f52efa843043448ea62016b7471af7.json
@@ -0,0 +1,8 @@
+{
+    "id": "81f52efa-8430-4344-8ea6-2016b7471af7",
+    "type": "bugfix",
+    "description": "Sign `X-Amz-Server-Side-Encryption-Context` header to fix signing for PutObject requests that set `SSEKMSEncryptionContext`.",
+    "modules": [
+        "."
+    ]
+}
\ No newline at end of file
diff --git a/aws/signer/internal/v4/headers.go b/aws/signer/internal/v4/headers.go
index 64c4c4845ee..71b1a352171 100644
--- a/aws/signer/internal/v4/headers.go
+++ b/aws/signer/internal/v4/headers.go
@@ -48,6 +48,7 @@ var RequiredSignedHeaders = Rules{
 			"X-Amz-Request-Payer":                                         struct{}{},
 			"X-Amz-Server-Side-Encryption":                                struct{}{},
 			"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id":                 struct{}{},
+			"X-Amz-Server-Side-Encryption-Context":                        struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Algorithm":             struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key":                   struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key-Md5":               struct{}{},