S3 default SSE-KMS encryption is not used, upload fails. #11583

Open
cyberduck opened this issue Feb 9, 2021 · 3 comments
Labels
bug s3 AWS S3 Protocol Implementation
Comments

@cyberduck
Collaborator

d14c5fe created the issue

I have encountered an issue where the new(ish) S3 default encryption (relevant doc: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html), which I have configured to use a specific SSE-KMS key, is not being applied when Cyberduck > Preferences > S3 > Encryption is set to "None". Uploads fail with the error message:

Upload <file> failed.
Access denied. Please contact your web hosting provider for assistance.
PUT /test HTTP/1.1
...
HTTP/1.1 403 Forbidden

Replication:

  1. Create a bucket and apply an SSE-KMS default encryption
  2. Using Cyberduck/Mountainduck attempt to upload a file
  3. Upload fails

Could the PUT be being sent with some version of "x-amz-server-side-encryption=null" when it should simply be omitted?

I did find a workaround, which is to manually choose the correct SSE-KMS key in preferences, but this negates one of the primary benefits of having a bucket default so that all team members have the exact same config.
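
One way to check the question raised above against a captured request trace, as an added example that is not part of the original issue or of Cyberduck's code: it classifies the SSE headers of a raw S3 PUT. The sample requests, bucket host and key ARN are constructed, and the names `parse_headers` and `classify_sse` are hypothetical.

```python
# Added example: classify the server-side-encryption headers of a captured S3 PUT.
SSE = "x-amz-server-side-encryption"
SSE_KEY = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_BUCKET_KEY = "x-amz-server-side-encryption-bucket-key-enabled"

def parse_headers(raw_request):
    """Return {lower-cased header name: value} from a raw HTTP request."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")  # values such as aws:kms keep their colon
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_sse(raw_request):
    """Describe what the request asks S3 to do about encryption at rest."""
    h = parse_headers(raw_request)
    if SSE not in h:
        if SSE_KEY in h or SSE_BUCKET_KEY in h:
            return "suspect: SSE sub-header sent without " + SSE
        return "omitted: bucket default encryption applies"
    value = h[SSE]
    if value.lower() in ("", "null", "none"):
        return "suspect: header present with placeholder value %r" % value
    if value == "AES256":
        return "explicit SSE-S3 requested"
    if value == "aws:kms":
        key = h.get(SSE_KEY)
        return ("explicit SSE-KMS with key " + key) if key else "explicit SSE-KMS without key id"
    return "suspect: unknown algorithm %r" % value

# Constructed sample requests (not taken from the issue).
HOST = "Host: example-bucket.s3.amazonaws.com\n"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLES = {
    "omitted": "PUT /test HTTP/1.1\n" + HOST + "Content-Length: 4\n\nbody",
    "null": "PUT /test HTTP/1.1\n" + HOST + SSE + ": null\n\n",
    "kms": "PUT /test HTTP/1.1\n" + HOST + SSE + ": aws:kms\n" + SSE_KEY + ": " + KEY_ARN + "\n\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", classify_sse(request))
```
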

@cyberduck
Collaborator Author

d14c5fe commented

Just checking in to say that this is still a pain point. Is there anything I can do to help this? If you share how you would like this resolved, I may be able to submit a PR in the coming weeks.

Thanks!

@cyberduck
Collaborator Author

@dkocher commented

Replying to [comment:2 jwilson8767]:

> Just checking in to say that this is still a pain point. Is there anything I can do to help this? If you share how you would like this resolved, I may be able to submit a PR in the coming weeks.
>
> Thanks!

A pull request would certainly be appreciated. From what I read in the documentation, we would probably need another select option for "Using Amazon S3 Bucket Keys with default encryption", which would then cause the x-amz-server-side-encryption-bucket-key-enabled header to be set in the request.

@cyberduck
Collaborator Author

@dkocher commented

Ticket retargeted after milestone closed


2 participants