UtpMahesh

Reputation: 410

How can I upload to S3 with the CLI using server-side encryption with a customer-provided key?

I am unable to upload an S3 object into an S3 bucket. I have used the command below:

aws s3api put-object --bucket=opsops --key=Cloudformation_upload.csv --body=Cloudformation.csv --sse-customer-algorithm=AES256 --sse-customer-key=MTIzNDU2Nzg5MGFiY2Rl --customer-key-md5=NTgwMWMzMzJiNGU1YmE5YzBhMjk3ZDYwYmI1MWNjNzI=

But when I upload the object, it gives this error:

Note: Customer-key and customer-key-MD5 values are encoded with 64bits value. Please help me to resolve this.

A client error (InvalidArgument) occurred when calling the PutObject operation: The calculated MD5 hash of the key did not match the hash that was provided

Upvotes: 2

Views: 8450

Answers (1)

ataylor

Reputation: 66059

Store your key as a binary file (not hex or base64 encoded) and use fileb:// on the command line. The CLI will automatically calculate the correct MD5.

In your example, you're using a base-64 encoded MD5 hash but MD5 produces only 16 bytes. For AES256 your key should be exactly 32 bytes in length. Hashing a passphrase with SHA256 will produce a key of the correct size.

Example:

echo -n 1234567890abcde | openssl dgst -sha256 -binary > sse.key
aws s3api put-object \
    --bucket=opsops \
    --key=Cloudformation_upload.csv \
    --body=Cloudformation.csv \
    --sse-customer-algorithm=AES256 \
    --sse-customer-key=fileb://sse.key

Upvotes: 1
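
The size checks behind the error above, as an added example that is not part of the original question or answer: SSE-C expects the base64 of a 32-byte key and the base64 of the raw 16-byte MD5 digest of that key. The function names `ssec_values` and `check_ssec` are hypothetical, and the two constants are the values from the question's command line.

```python
import base64
import hashlib
import secrets

# Values copied from the question's command line.
QUESTION_KEY_B64 = "MTIzNDU2Nzg5MGFiY2Rl"
QUESTION_MD5_B64 = "NTgwMWMzMzJiNGU1YmE5YzBhMjk3ZDYwYmI1MWNjNzI="


def ssec_values(raw_key: bytes) -> tuple[str, str]:
    """Return (base64 key, base64 MD5 of the raw key) for a 32-byte key."""
    if len(raw_key) != 32:
        raise ValueError(f"AES256 needs a 32-byte key, got {len(raw_key)}")
    digest = hashlib.md5(raw_key).digest()  # 16 raw bytes, not the hex string
    return (base64.b64encode(raw_key).decode(),
            base64.b64encode(digest).decode())


def check_ssec(key_b64: str, md5_b64: str) -> list[str]:
    """Hypothetical pre-flight check: list what is wrong with a key/MD5 pair."""
    problems = []
    try:
        key = base64.b64decode(key_b64, validate=True)
        md5 = base64.b64decode(md5_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"not valid base64: {exc}"]
    if len(key) != 32:
        problems.append(f"key decodes to {len(key)} bytes, expected 32")
    if len(md5) != 16:
        problems.append(f"MD5 decodes to {len(md5)} bytes, expected 16")
    elif not secrets.compare_digest(md5, hashlib.md5(key).digest()):
        problems.append("MD5 does not match the decoded key")
    return problems


if __name__ == "__main__":
    for line in check_ssec(QUESTION_KEY_B64, QUESTION_MD5_B64):
        print("question:", line)
    # Constructed sample: a random 32-byte key generated for this run only.
    key_b64, md5_b64 = ssec_values(secrets.token_bytes(32))
    print("fresh pair ok:", check_ssec(key_b64, md5_b64) == [])
```

Run against the question's values, the check reports a 15-byte key and an MD5 value that decodes to 32 bytes, which is the hex string of a digest rather than the digest itself.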
