Reputation: 35928
I am running my application in an AWS AMI. The AMI is launched via a CloudFormation template that creates an AWS::IAM::Role role with sts:AssumeRole. Once the EC2 instance is up, I create an S3 bucket from the EC2 instance using boto3.create_bucket.
In my application I upload a file to the created bucket with encryption flag on. But while uploading I'm getting an error:
com.amazonaws.services.s3.model.AmazonS3Exception: x-amz-server-side-encryption header is not supported for this operation. (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: 04DD9259D04F92CA), S3 Extended Request ID: EVdqFn6jUNshxUejZFWa6VN/lHPXHyi0F+TG+UZ3K9Sh8Gy0MPABi1AnxZloIajypLb39/5UAVA=
This is the server side encryption part of my code:
ObjectMetadata meta = new ObjectMetadata();
meta.setContentLength(contentLength);
// Request SSE-S3: the SDK sends the x-amz-server-side-encryption: AES256 header with the upload
meta.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
What am I doing wrong? This works as expected when I run my code elsewhere and use an S3 bucket. Is this somehow tied to CloudFormation or sts:AssumeRole?
Upvotes: 2
Views: 4614
Reputation: 4491
The put_object function in boto3 has options for setting the object-level encryption.
import boto3

bucket = boto3.resource('s3').Bucket('my-bucket')  # placeholder bucket name
obj = bucket.put_object(
    Key='example.txt',  # placeholder object key
    Body=b'...',
    ServerSideEncryption='AES256',  # or 'aws:kms', together with SSEKMSKeyId='...'
    # SSE-C uses SSECustomerAlgorithm='AES256' and SSECustomerKey=<key bytes> instead
)
ServerSideEncryption (string) -- The server-side encryption algorithm used when storing this object in S3 (e.g., AES256, aws:kms).
StorageClass (string) -- The type of storage to use for the object. Defaults to 'STANDARD'.
SSECustomerAlgorithm (string) -- Specifies the algorithm to use when encrypting the object (e.g., AES256).
SSECustomerKey (string) -- Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side-encryption-customer-algorithm header.
SSECustomerKeyMD5 (string) -- Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error. Please note that this parameter is automatically populated if it is not provided. Including this parameter is not required.
SSEKMSKeyId (string) -- Specifies the AWS KMS key ID to use for object encryption. All GET and PUT requests for an object protected by AWS KMS will fail if not made via SSL or using SigV4. Documentation on configuring any of the officially supported AWS SDKs and CLI can be found at http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
Upvotes: 1
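As an added example (not the answerer's code), the helper below builds the put_object keyword arguments for the three encryption modes the parameter list above describes, refusing to mix the ServerSideEncryption header with the SSECustomer* headers, and computes the SSECustomerKeyMD5 integrity value the way the documentation defines it. The function and parameter names are this example's own; the result is what you would pass as bucket.put_object(**kwargs).

```python
import base64
import hashlib


def sse_put_kwargs(key, body, mode, kms_key_id=None, customer_key=None):
    """Return put_object kwargs requesting exactly one server-side encryption mode.

    mode: 'AES256' (SSE-S3), 'aws:kms' (SSE-KMS) or 'SSE-C' (customer key).
    SSE-S3/SSE-KMS use the ServerSideEncryption header; SSE-C uses the
    SSECustomer* headers, and S3 rejects a request that mixes the two families.
    """
    kwargs = {"Key": key, "Body": body}
    if mode == "AES256":
        kwargs["ServerSideEncryption"] = "AES256"
    elif mode == "aws:kms":
        if not kms_key_id:
            raise ValueError("aws:kms mode requires SSEKMSKeyId")
        kwargs["ServerSideEncryption"] = "aws:kms"
        kwargs["SSEKMSKeyId"] = kms_key_id
    elif mode == "SSE-C":
        if customer_key is None or len(customer_key) != 32:
            raise ValueError("SSE-C requires a 256-bit (32-byte) customer key")
        # Wire format: the key is sent base64-encoded and the MD5 header is the
        # base64 of the 128-bit MD5 digest of the raw key (RFC 1321).
        # boto3 derives both itself if you pass raw key bytes and omit the MD5;
        # supplying the MD5 explicitly means you must also base64 the key.
        kwargs["SSECustomerAlgorithm"] = "AES256"
        kwargs["SSECustomerKey"] = base64.b64encode(customer_key).decode()
        digest = hashlib.md5(customer_key).digest()
        kwargs["SSECustomerKeyMD5"] = base64.b64encode(digest).decode()
    else:
        raise ValueError(f"unknown SSE mode {mode!r}")
    return kwargs


def customer_key_md5_matches(kwargs):
    """Re-run the integrity check S3 performs: does the MD5 header match the key?"""
    raw_key = base64.b64decode(kwargs["SSECustomerKey"])
    expected = base64.b64encode(hashlib.md5(raw_key).digest()).decode()
    return kwargs.get("SSECustomerKeyMD5") == expected


if __name__ == "__main__":
    # Constructed sample key: 32 bytes 0x00..0x1f (never use a predictable key).
    sample = sse_put_kwargs("example.txt", b"hello", "SSE-C", customer_key=bytes(range(32)))
    print(sample["SSECustomerKey"], customer_key_md5_matches(sample))
```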