[Cyberduck-trac] [Cyberduck] #11583: S3 default SSE-KMS encryption is not used, upload fails.

Cyberduck trac at cyberduck.io
Thu Sep 30 20:20:30 UTC 2021


#11583: S3 default SSE-KMS encryption is not used, upload fails.
-------------------------+-------------------------
 Reporter:  jwilson8767  |         Owner:  dkocher
     Type:  defect       |        Status:  assigned
 Priority:  normal       |     Milestone:  8.0
Component:  s3           |       Version:  7.8.2
 Severity:  normal       |    Resolution:
 Keywords:               |  Architecture:  Intel
 Platform:  Windows 10   |
-------------------------+-------------------------
Description changed by dkocher:

Old description:

> I have encountered an issue where the new(ish) S3 default encryption
> (relevant doc:
> https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)
> which I have configured to use a specific SSE-KMS key is not being applied
> when `Cyberduck> preferences > S3 > Encryption` is set to "None". Uploads
> fail with the error message:
> ```
> Upload <file> failed.
> Access denied. Please contact your web hosting provider for assistance.
> PUT /test HTTP/1.1
> ...
> HTTP/1.1 403 Forbidden
> ```
>
> Replication:
> 1. Create a bucket and apply an SSE-KMS default encryption
> 2. Using Cyberduck/Mountain Duck attempt to upload a file
> 3. Upload fails
>
> Could the PUT be being sent with some version of
> "x-amz-server-side-encryption=null" when it should simply be omitted?
>
> I did find a workaround, which is to manually choose the correct SSE-KMS
> key in preferences, but this negates one of the primary benefits of
> having a bucket default so that all team members have the exact same
> config.

New description:

 I have encountered an issue where the new(ish) S3 default encryption
 (relevant doc:
 https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)
 which I have configured to use a specific SSE-KMS key is not being applied
 when `Cyberduck> preferences > S3 > Encryption` is set to "None". Uploads
 fail with the error message:


 {{{
 Upload <file> failed.
 Access denied. Please contact your web hosting provider for assistance.
 PUT /test HTTP/1.1
 ...
 HTTP/1.1 403 Forbidden

 }}}

 Replication:
 1. Create a bucket and apply an SSE-KMS default encryption
 2. Using Cyberduck/Mountain Duck attempt to upload a file
 3. Upload fails

 Could the PUT be being sent with some version of
 "x-amz-server-side-encryption=null" when it should simply be omitted?

 I did find a workaround, which is to manually choose the correct SSE-KMS
 key in preferences, but this negates one of the primary benefits of having
 a bucket default so that all team members have the exact same config.

--
Ticket URL: <https://trac.cyberduck.io/ticket/11583#comment:4>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
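
Added example, not part of the ticket or Cyberduck's code: a Python check for the question raised in the description, whether a captured PUT carries a null or malformed `x-amz-server-side-encryption` header instead of omitting it so that the bucket default applies. The sample requests, bucket name and key ARN are constructed, and the function names are hypothetical.

```python
SSE = "x-amz-server-side-encryption"
SSE_KEY = "x-amz-server-side-encryption-aws-kms-key-id"
VALID_ALGOS = {"AES256", "aws:kms", "aws:kms:dsse"}  # values S3 accepts for SSE

# Constructed sample requests (not taken from the ticket).
BASE = "PUT /test HTTP/1.1\nHost: example-bucket.s3.amazonaws.com\n"
OMITTED = BASE  # no SSE header: S3 applies the bucket default encryption
NULL_VALUE = BASE + f"{SSE}: null\n"
EXPLICIT_KMS = BASE + (
    f"{SSE}: aws:kms\n"
    f"{SSE_KEY}: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE\n"
)


def parse_headers(raw_request):
    """Return {lowercased header name: value} from a raw HTTP request."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_sse(raw_request):
    """List problems with the SSE headers. An empty list means the request
    either omits them or sets them consistently."""
    headers = parse_headers(raw_request)
    algo, key_id = headers.get(SSE), headers.get(SSE_KEY)
    findings = []
    if algo is not None and algo not in VALID_ALGOS:
        findings.append(f"{SSE} has invalid value {algo!r}; omit the header instead")
    if key_id is not None and (algo is None or not algo.startswith("aws:kms")):
        findings.append(f"{SSE_KEY} sent without {SSE}: aws:kms")
    if key_id is not None and key_id.lower() in ("", "null", "none"):
        findings.append(f"{SSE_KEY} is empty or null")
    return findings


if __name__ == "__main__":
    samples = [("omitted", OMITTED), ("null", NULL_VALUE), ("kms", EXPLICIT_KMS)]
    for label, request in samples:
        print(label, audit_sse(request) or "ok")
```

Paste the request block from the client's transcript log into `audit_sse` to run the same check on a real upload attempt.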

