
#9528 closed defect (fixed)

Error downloading files from S3: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

Reported by: umcodemonkey
Owned by: dkocher
Priority: normal
Milestone: 5.0
Component: s3
Version: Nightly Build
Severity: normal
Keywords:
Cc:
Architecture:
Platform:

Description

Several of our buckets are configured to automatically encrypt uploaded files using Server Side Encryption and a KMS key. When attempting to download these files using Cyberduck, we consistently get the above error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. Please contact your web hosting service provider for assistance.

We are making sure to connect to the S3 endpoint that matches the region for the bucket (in this case, s3-us-west-2.amazonaws.com).

Change History (8)

comment:1 Changed on May 10, 2016 at 6:14:22 PM by dkocher

  • Component changed from core to s3
  • Milestone set to 5.0
  • Resolution set to fixed
  • Status changed from new to closed

Please update to the latest snapshot build available. Version 5.0 now defaults to use AWS4 signatures for authentication.

comment:2 Changed on May 10, 2016 at 6:29:27 PM by umcodemonkey

  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Version changed from 4.9.1 to Nightly Build

I have updated to version 5.0 (19941), and this issue still exists.

comment:3 Changed on May 10, 2016 at 6:48:45 PM by dkocher

  • Owner set to dkocher
  • Status changed from reopened to new

comment:4 Changed on May 10, 2016 at 6:49:39 PM by dkocher

Please post the transcript from the log drawer of the Transfers window. Choose ⌘-L on Mac or right-click the toolbar from the Transfers window and choose Log on Windows.

comment:5 Changed on May 10, 2016 at 7:02:30 PM by umcodemonkey

Here is the log transcript with the credentials removed. I hope it is still useful.

GET /usermind-staging-data/?max-keys=1000&prefix=integration%2Fconnection%2F6434%2Fnormalized%2F1462895730088%2F&delimiter=%2F HTTP/1.1
Date: Tue, 10 May 2016 18:57:46 GMT
x-amz-request-payer: requester
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
Connection: Keep-Alive
User-Agent: Cyberduck/5.0.19954 (Mac OS X/10.11.4) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: BcHuR2yObXZ2ve/JK+9XBApq+g/8bebv92vDwLDwK4M7Drs4o9hY3k673OnhyH573HSZ0uhL1c0=
x-amz-request-id: D076F89D3AF8656E
Date: Tue, 10 May 2016 18:57:47 GMT
x-amz-bucket-region: us-west-2
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /usermind-staging-data/integration/connection/6434/normalized/1462895730088/1462895730088-1-webhook-event.0.gz HTTP/1.1
Date: Tue, 10 May 2016 18:57:46 GMT
x-amz-request-payer: requester
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
Connection: Keep-Alive
User-Agent: Cyberduck/5.0.19954 (Mac OS X/10.11.4) (x86_64)
HTTP/1.1 400 Bad Request
x-amz-request-id: 6806E8DD8697FD28
x-amz-id-2: e2M2v0j0r+LhzBIimM1aeROIO1Rrbz4SjxDtV+hvr9whIGzYsN0earZez5QBWkdMmfA5KFDdD2Y=
x-amz-region: us-west-2
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 10 May 2016 18:57:45 GMT
Connection: close
Server: AmazonS3

comment:6 Changed on May 11, 2016 at 7:59:45 AM by dkocher

Can you confirm that the Authorization header sent starts with AWS4-HMAC-SHA256?

comment:7 Changed on May 11, 2016 at 8:04:43 AM by dkocher

I suppose I see the issue. We default to signature version AWS4HMACSHA256 only when connected to AWS which is determined if the hostname ends with s3.amazonaws.com. Please leave the hostname with the default value for your S3 bookmark. It will adjust to use the proper hostname depending on the location of the bucket for requests.

comment:8 Changed on May 11, 2016 at 8:07:34 AM by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

In r20388.
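
The check requested in comment 6 and the hostname rule described in comment 7, as an added example (not Cyberduck's code and not part of the ticket): it reads a transcript shaped like the one in comment 5, reports which signature version each request carried, and shows why a regional endpoint fails the suffix rule. The function names and the shortened transcript are constructed for illustration.

```python
import re

# Constructed transcript in the shape of the log posted in comment 5
# (paths shortened, credentials elided as in the ticket).
TRANSCRIPT = """\
GET /example-bucket/?max-keys=1000 HTTP/1.1
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
HTTP/1.1 200 OK
Server: AmazonS3
GET /example-bucket/object.gz HTTP/1.1
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
HTTP/1.1 400 Bad Request
Server: AmazonS3
"""

REQUEST_LINE = re.compile(r"^(GET|PUT|POST|HEAD|DELETE) (\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3}) ")

def signature_version(authorization):
    """Map an Authorization header value to the AWS signature version."""
    scheme = authorization.split(None, 1)[0] if authorization.strip() else ""
    return {"AWS4-HMAC-SHA256": "v4", "AWS": "v2"}.get(scheme, "unknown")

def suffix_rule_selects_v4(host):
    """Rule as described in comment 7: AWS4 only if host ends with s3.amazonaws.com."""
    return host.split(":")[0].lower().endswith("s3.amazonaws.com")

def audit(transcript):
    """Return one record per request: path, host, signature version, status."""
    records, current = [], None
    for line in transcript.splitlines():
        if m := REQUEST_LINE.match(line):
            current = {"path": m.group(2), "host": None, "sig": "unknown", "status": None}
            records.append(current)
        elif current is None:
            continue
        elif m := STATUS_LINE.match(line):
            current["status"] = int(m.group(1))
        elif current["status"] is None and ":" in line:  # request headers only
            name, value = line.split(":", 1)
            if name.lower() == "authorization":
                current["sig"] = signature_version(value)
            elif name.lower() == "host":
                current["host"] = value.strip()
    return records
```

Both requests in the sample carry the `AWS` (version 2) scheme; the bucket listing still returns 200, while the GET on the object returns the 400.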
