Error downloading files from S3: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. #9528

Closed
cyberduck opened this issue May 10, 2016 · 7 comments
Labels
bug fixed s3 AWS S3 Protocol Implementation

@cyberduck
Collaborator

e2c2efe created the issue

Several of our buckets are configured to automatically encrypt uploaded files using Server Side Encryption and a KMS key. When attempting to download these files using Cyberduck, we consistently get the above error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. Please contact your web hosting service provider for assistance.

We are making sure to connect to the S3 endpoint that matches the region for the bucket (in this case, s3-us-west-2.amazonaws.com).

@cyberduck
Collaborator Author

@dkocher commented

Please update to the latest snapshot build available. Version 5.0 now defaults to use AWS4 signatures for authentication.

@cyberduck
Collaborator Author

e2c2efe commented

I have updated to version 5.0 (19941), and this issue still exists.

@cyberduck
Collaborator Author

@dkocher commented

Please post the transcript from the log drawer of the Transfers window. Choose ⌘-L on Mac or right-click the toolbar from the Transfers window and choose Log on Windows.

@cyberduck
Collaborator Author

e2c2efe commented

Here is the log transcript with the credentials removed; I hope it is still useful.

GET /usermind-staging-data/?max-keys=1000&prefix=integration%2Fconnection%2F6434%2Fnormalized%2F1462895730088%2F&delimiter=%2F HTTP/1.1
Date: Tue, 10 May 2016 18:57:46 GMT
x-amz-request-payer: requester
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
Connection: Keep-Alive
User-Agent: Cyberduck/5.0.19954 (Mac OS X/10.11.4) (x86_64)
HTTP/1.1 200 OK
x-amz-id-2: BcHuR2yObXZ2ve/JK+9XBApq+g/8bebv92vDwLDwK4M7Drs4o9hY3k673OnhyH573HSZ0uhL1c0=
x-amz-request-id: D076F89D3AF8656E
Date: Tue, 10 May 2016 18:57:47 GMT
x-amz-bucket-region: us-west-2
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3
GET /usermind-staging-data/integration/connection/6434/normalized/1462895730088/1462895730088-1-webhook-event.0.gz HTTP/1.1
Date: Tue, 10 May 2016 18:57:46 GMT
x-amz-request-payer: requester
Authorization: AWS [removed]
Host: s3-us-west-2.amazonaws.com:443
Connection: Keep-Alive
User-Agent: Cyberduck/5.0.19954 (Mac OS X/10.11.4) (x86_64)
HTTP/1.1 400 Bad Request
x-amz-request-id: 6806E8DD8697FD28
x-amz-id-2: e2M2v0j0r+LhzBIimM1aeROIO1Rrbz4SjxDtV+hvr9whIGzYsN0earZez5QBWkdMmfA5KFDdD2Y=
x-amz-region: us-west-2
Content-Type: application/xml
Transfer-Encoding: chunked
Date: Tue, 10 May 2016 18:57:45 GMT
Connection: close
Server: AmazonS3

@cyberduck
Collaborator Author

@dkocher commented

Can you confirm the Authorization header sent starts with AWS4-HMAC-SHA256?

@cyberduck
Collaborator Author

@dkocher commented

I suppose I see the issue. We default to signature version AWS4HMACSHA256 only when connected to AWS which is determined if the hostname ends with s3.amazonaws.com. Please leave the hostname with the default value for your S3 bookmark. It will adjust to use the proper hostname depending on the location of the bucket for requests.
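
Added example (not part of the thread and not Cyberduck's code): a small transcript checker that answers the question asked above, whether each request's Authorization header starts with AWS4-HMAC-SHA256, alongside the hostname suffix test described in the comment above. The transcript is constructed, and the function names, bucket name and object name are hypothetical.

```python
import re

# Constructed transcript modeled on the log above; credentials are placeholders
# and the bucket/object names are hypothetical.
TRANSCRIPT = """\
GET /example-bucket/?max-keys=1000 HTTP/1.1
Authorization: AWS PLACEHOLDER:PLACEHOLDER
Host: s3-us-west-2.amazonaws.com:443
HTTP/1.1 200 OK
GET /example-bucket/kms-object.gz HTTP/1.1
Authorization: AWS PLACEHOLDER:PLACEHOLDER
Host: s3-us-west-2.amazonaws.com:443
HTTP/1.1 400 Bad Request
GET /example-bucket/kms-object.gz HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=PLACEHOLDER, SignedHeaders=host, Signature=PLACEHOLDER
Host: s3.amazonaws.com:443
HTTP/1.1 200 OK
"""
REQUEST = re.compile(r"^(?:GET|HEAD|PUT|POST|DELETE) (\S+) HTTP/1\.[01]$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})")

def signature_version(authorization):
    """Classify an Authorization header value by its scheme token."""
    scheme = authorization.split(" ", 1)[0]
    return {"AWS4-HMAC-SHA256": "v4", "AWS": "v2"}.get(scheme, "unknown")

def matches_default_suffix(host):
    """Suffix test as described in the comment above (sketch, not Cyberduck's code)."""
    return host.rsplit(":", 1)[0].endswith("s3.amazonaws.com")

def audit(transcript):
    """Return one record per request: path, host, signature version, status."""
    records, cur = [], None
    for line in transcript.splitlines():
        req, status = REQUEST.match(line), STATUS.match(line)
        if req:
            cur = {"path": req.group(1), "host": None, "sig": "none", "status": None}
            records.append(cur)
        elif cur is None:
            continue
        elif status:
            cur["status"] = int(status.group(1))
        elif cur["status"] is None:  # still inside the request headers
            name, _, value = line.partition(":")
            if name.lower() == "authorization":
                cur["sig"] = signature_version(value.strip())
            elif name.lower() == "host":
                cur["host"] = value.strip()
    return records

def not_sigv4(transcript):
    """Requests that were not signed with Signature Version 4."""
    return [r for r in audit(transcript) if r["sig"] != "v4"]
```

The regional endpoint from the report does not end with s3.amazonaws.com, so `matches_default_suffix` returns False for it, which lines up with the `AWS` (Signature Version 2) scheme visible in the posted transcript.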

@cyberduck
Collaborator Author

@dkocher commented

In 0999dba.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021