Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

How to read S3 object from encrypted S3 bucket using ebextensions files?

0

Hi,

I am trying to create a file from an encrypted s3 bucket in my EB instance using the "files" key in an ebextensions configuration file.
It's failing with a 400 error and the message: "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4."

Here are some details:

  • The bucket is encrypted with a custom KMS key
  • I'm using the "AWS::CloudFormation::Authentication" resource with role-based authentication
    eg:
    Resources:
    AWSEBAutoScalingGroup:
    Metadata:
    AWS::CloudFormation::Authentication:
    S3Auth:
    type: "s3"
    buckets:
    - "Fn::GetOptionSetting":
    Namespace: "aws:elasticbeanstalk:application:environment"
    OptionName: "ConfigBucketName"
    roleName:
    "Fn::GetOptionSetting":
    Namespace: "aws:autoscaling:launchconfiguration"
    OptionName: "IamInstanceProfile"

The role is set up with the correct policy to ListBucket and GetObject on the s3 bucket and the role is added as a Key User in KMS.
Any pointers on how to get this to work?

Thanks,
Kwan

Themen
Speicher
Tags
Amazon Simple Storage Service
Sprache
English
klim-edjuster
gefragt vor 3 Jahren375 Aufrufe
1 Antwort
0

Finally figured it out. The problem was the path didn't include the region so it couldn't use the V4 signature format and fell back to using an older one. Resolved the issue by adding the region into the s3 path.

klim-edjuster
beantwortet vor 3 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt