Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

How to read S3 object from encrypted S3 bucket using ebextensions files?

0

Hi,

I am trying to create a file from an encrypted s3 bucket in my EB instance using the "files" key in an ebextensions configuration file.
It's failing with a 400 error and the message: "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4."

Here are some details:

  • The bucket is encrypted with a custom KMS key
  • I'm using the "AWS::CloudFormation::Authentication" resource with role-based authentication
    eg:
    Resources:
    AWSEBAutoScalingGroup:
    Metadata:
    AWS::CloudFormation::Authentication:
    S3Auth:
    type: "s3"
    buckets:
    - "Fn::GetOptionSetting":
    Namespace: "aws:elasticbeanstalk:application:environment"
    OptionName: "ConfigBucketName"
    roleName:
    "Fn::GetOptionSetting":
    Namespace: "aws:autoscaling:launchconfiguration"
    OptionName: "IamInstanceProfile"

The role is set up with the correct policy to ListBucket and GetObject on the s3 bucket and the role is added as a Key User in KMS.
Any pointers on how to get this to work?

Thanks,
Kwan

Argomenti
Archiviazione
Tag
Servizio di archiviazione semplice di Amazon
Lingua
English
klim-edjuster
posta 3 anni fa375 visualizzazioni
1 Risposta
0

Finally figured it out. The problem was the path didn't include the region so it couldn't use the V4 signature format and fell back to using an older one. Resolved the issue by adding the region into the s3 path.

klim-edjuster
con risposta 3 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente