Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4

Time:11-08

I am getting an error when I am trying to open a presigned url for an encrypted file. Here's my line to create the URL:

client.generate_presigned_url('get_object', Params={'Bucket': 'bucket1', 'Key': a})

Here's the error I am getting:

<Error>
<Code>InvalidArgument</Code>
<Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>F6VK4TD1S0G4K6YR</RequestId>
<HostId>HOTh/YUsnxC4sSBYVsK5psX5vBz21q1M/qx pVmKa6s7Np4EbRUbBV4toRJ52OAtqpHIejY03Zk=</HostId>
</Error>

Note, I am using the defaults in boto3 so it should be using signature 4 out of the box. My bucket is encrypted using default encryption and I am using S3 bucket keys, and a KMS key auto-generated by AWS.

What am I missing here?

CodePudding user response:

Solved it: it was because of the signature version in boto3. Apparently boto doesn't set signature version 4 by default (I think I read in the docs somewhere it should). Here are the changes I had to make:

import os

import boto3
from botocore.config import Config

# Force Signature Version 4 for every S3 request this client signs
config = Config(signature_version='s3v4')
s3 = boto3.client('s3', config=config)
response = s3.get_object(
    Bucket=os.getenv('S3_BUCKET'),
    Key='path/abc.json'
)
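
To confirm which signature scheme a presigned URL actually carries before handing it out, the query string can be inspected: SigV2 URLs carry `AWSAccessKeyId`, `Signature` and `Expires`, while SigV4 URLs carry the `X-Amz-*` parameters. The following is an added example, not code from either post; `presign_signature_version`, `presign_get` and the sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry each signature scheme in a presigned S3 URL.
SIGV4_PARAMS = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature"}
SIGV2_PARAMS = {"AWSAccessKeyId", "Signature", "Expires"}

# Constructed sample URLs (fake key id and signatures), one per scheme.
SAMPLE_V2 = ("https://bucket1.s3.amazonaws.com/path/abc.json"
             "?AWSAccessKeyId=AKIAEXAMPLEKEYID&Signature=c2FtcGxl%3D&Expires=1700000000")
SAMPLE_V4 = ("https://bucket1.s3.amazonaws.com/path/abc.json"
             "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIAEXAMPLEKEYID%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20240101T000000Z&X-Amz-Expires=300"
             "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123abcd")


def presign_signature_version(url):
    """Return 'v4', 'v2' or 'unsigned' based on the URL's query parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    names = set(query)
    if SIGV4_PARAMS <= names and query["X-Amz-Algorithm"] == ["AWS4-HMAC-SHA256"]:
        return "v4"
    if SIGV2_PARAMS <= names:
        return "v2"
    return "unsigned"


def presign_get(bucket, key, expires=300, **client_kwargs):
    """Presign a GET with SigV4 forced; raise if the URL is not SigV4."""
    import boto3  # imported here so the checker above needs only the stdlib
    from botocore.config import Config

    s3 = boto3.client("s3", config=Config(signature_version="s3v4"), **client_kwargs)
    url = s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=expires)
    if presign_signature_version(url) != "v4":
        raise RuntimeError("presigned URL is not SigV4; SSE-KMS objects will be rejected")
    return url


if __name__ == "__main__":
    for label, url in (("v2 sample", SAMPLE_V2), ("v4 sample", SAMPLE_V4)):
        print(label, "->", presign_signature_version(url))
```

Running the checker over a URL produced by the original `generate_presigned_url` call shows whether the client fell back to the older scheme that S3 rejects for SSE-KMS objects.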