[Cyberduck-trac] [Cyberduck] #11583: S3 default SSE-KMS encryption is not used, upload fails.
Cyberduck
trac at cyberduck.io
Thu Sep 30 20:20:30 UTC 2021
#11583: S3 default SSE-KMS encryption is not used, upload fails.
-------------------------+-------------------------
Reporter: jwilson8767 | Owner: dkocher
Type: defect | Status: assigned
Priority: normal | Milestone: 8.0
Component: s3 | Version: 7.8.2
Severity: normal | Resolution:
Keywords: | Architecture: Intel
Platform: Windows 10 |
-------------------------+-------------------------
Description changed by dkocher:
Old description:
> I have encountered an issue where the new(ish) S3 default encryption
> (relevant doc: https://docs.aws.amazon.com/AmazonS3/latest/userguide
> /bucket-encryption.html) which I have configured to use a specific SSE-
> KMS key is not being applied when `Cyberduck> preferences > S3 >
> Encryption` is set to "None". Uploads fail with the error message:
> ```
> Upload <file> failed.
> Access denied. Please contact your web hosting provider for assistance.
> PUT /test HTTP/1.1
> ...
> HTTP/1.1 403 Forbidden
> ```
>
> Replication:
> 1. Create a bucket and apply an SSE-KMS default encryption
> 2. Using Cyberduck/Mountainduck attempt to upload a file
> 3. Upload fails
>
> Could the PUT be being sent with some version of "x-amz-server-side-
> encryption=null" when it should simply be omitted?
>
> I did find a workaround, which is to manually choose the correct SSE-KMS
> key in preferences, but this negates one of the primary benefits of
> having a bucket default so that all team members have the exact same
> config.
New description:
I have encountered an issue where the new(ish) S3 default encryption
(relevant doc: https://docs.aws.amazon.com/AmazonS3/latest/userguide
/bucket-encryption.html) which I have configured to use a specific SSE-KMS
key is not being applied when `Cyberduck> preferences > S3 > Encryption`
is set to "None". Uploads fail with the error message:
{{{
Upload <file> failed.
Access denied. Please contact your web hosting provider for assistance.
PUT /test HTTP/1.1
...
HTTP/1.1 403 Forbidden
}}}
Replication:
1. Create a bucket and apply an SSE-KMS default encryption
2. Using Cyberduck/Mountainduck attempt to upload a file
3. Upload fails
Could the PUT be being sent with some version of "x-amz-server-side-
encryption=null" when it should simply be omitted?
I did find a workaround, which is to manually choose the correct SSE-KMS
key in preferences, but this negates one of the primary benefits of having
a bucket default so that all team members have the exact same config.
--
--
Ticket URL: <https://trac.cyberduck.io/ticket/11583#comment:4>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
More information about the Cyberduck-trac
mailing list