Unable to upload object with server side encryption set to CMK #10

Open · MukeshSingh28 opened this issue Apr 10, 2018 · 3 comments

@MukeshSingh28 commented Apr 10, 2018

Hi,
First of all, it is an amazing script, which came to my rescue for a quick deliverable.
It would be great if we had the functionality to use a CMK for server-side encryption of the S3 bucket.
Currently I get the error below:

```
boto3.exceptions.S3UploadFailedError: Failed to upload /var/tmp/kmstool_temp/979cbe50-0148-4af6-9029-aa7d789c014e/temp_output to <s3-bucket name>/test.file.new.3: An error occurred (InvalidArgument) when calling the CreateMultipartUpload operation: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
```

@dejonghe (Owner) commented:
Great to hear!

Good catch. I had never tried this. I'll work on reproducing and get an estimate of time investment on a fix.
Could you send me the exact kmstool command flags you were using and some info about how your bucket is set up? This would help me reproduce and fix faster. Please do as you did for your error here and scrub the bucket name or any account identifiers from whatever you post.

@dejonghe dejonghe self-assigned this Apr 10, 2018
@dejonghe (Owner) commented:

I took a look into this. Is it that your bucket has a policy that requires SSE and you would like kmstool to be able to support S3 uploads with an SSE-KMS/customer-provided AES256 key?

@MukeshSingh28 (Author) commented Apr 16, 2018

Hi @dejonghe,
Absolutely, you are right. I have set up a bucket policy to allow uploading only encrypted objects, using a KMS-provided key. Also, the default encryption set for the S3 bucket is AWS-KMS with the same key ID that I am using for encryption and upload.

Below is the bucket policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::xyz-bucket-name/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUnEncryptedInflightOperations",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::xyz-bucket-name/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

The arguments used are as below:

```shell
kmstool -e --file ~/Downloads/batman.csv --output s3://s3-bucket-name/test.1 --key_id <<key-id>>
```
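The following is an added example, not kmstool's code nor anything posted in this thread. It takes the bucket policy quoted above (with the same placeholder bucket name) and simulates which PutObject requests its two Deny statements reject, so the effect of the `StringNotEquals` / `Bool` conditions can be checked offline: a request with no `x-amz-server-side-encryption` header, or with `AES256` instead of `aws:kms`, is denied, and any request over plain HTTP is denied. It also builds the boto3 `ExtraArgs` that request SSE-KMS with a caller-supplied key ID, and shows the SigV4 client configuration (`Config(signature_version="s3v4")`) that the quoted "require AWS Signature Version 4" error is asking for; those parameter names are real boto3 names, while the simulator only models the operators this policy actually uses and skips `Resource` matching because both statements cover the whole bucket.

```python
"""Simulate the issue's bucket policy against candidate S3 requests and build
the upload parameters that satisfy it. Added example, not kmstool's own code."""
import fnmatch
import json

# Bucket policy quoted in the issue; "xyz-bucket-name" is the issue's placeholder.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::xyz-bucket-name/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyUnEncryptedInflightOperations", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::xyz-bucket-name/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


def condition_matches(operator, expected, actual):
    """Evaluate one condition operator against a request-context value.
    `actual` is None when the key is absent from the request context. Only the
    operators used by the policy above (plus StringEquals) are modelled."""
    if operator == "StringNotEquals":
        # Negated operators match when the key is absent; this is why an upload
        # that sends no x-amz-server-side-encryption header is denied.
        return actual is None or actual != expected
    if operator == "StringEquals":
        return actual == expected
    if operator == "Bool":
        return actual is not None and actual.lower() == str(expected).lower()
    raise ValueError(f"unsupported condition operator: {operator}")


def denying_statement(policy, action, context):
    """Return the Sid of the first Deny statement matching `action` under the
    given request context, or None if the policy denies nothing. Resource
    matching is skipped: both statements cover every object in the bucket."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        all_match = all(
            condition_matches(op, expected, context.get(key))
            for op, keys in stmt.get("Condition", {}).items()
            for key, expected in keys.items()
        )
        if all_match:
            return stmt["Sid"]
    return None


def sse_kms_extra_args(kms_key_id):
    """ExtraArgs for boto3's S3 upload_file requesting SSE-KMS with a CMK.
    These are boto3's real parameter names; kms_key_id is caller-supplied."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_id}


def request_context(extra_args, https=True):
    """Map upload parameters onto the condition keys the bucket policy checks."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    if "ServerSideEncryption" in extra_args:
        ctx["s3:x-amz-server-side-encryption"] = extra_args["ServerSideEncryption"]
    return ctx


def upload_with_sse_kms(path, bucket, key, kms_key_id):
    """Upload with SigV4 signing (required for SSE-KMS) and SSE-KMS headers.
    Needs boto3 and AWS credentials, so the imports are local to keep the rest
    of this file runnable offline."""
    import boto3
    from botocore.config import Config
    s3 = boto3.client("s3", config=Config(signature_version="s3v4"))
    s3.upload_file(path, bucket, key, ExtraArgs=sse_kms_extra_args(kms_key_id))


if __name__ == "__main__":
    no_sse = request_context({})                               # no SSE header at all
    kms = request_context(sse_kms_extra_args("<<key-id>>"))   # header the policy wants
    print("upload without SSE header denied by:", denying_statement(BUCKET_POLICY, "s3:PutObject", no_sse))
    print("SSE-KMS upload over TLS denied by:", denying_statement(BUCKET_POLICY, "s3:PutObject", kms))
```

Running the file prints `DenyUnEncryptedObjectUploads` for the first request and `None` for the second, which is the behaviour the policy author intended; the `upload_with_sse_kms` helper is the shape an upload path has to take for both the policy and the SigV4 requirement in the quoted error to be satisfied.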
