By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Using aws s3api put-object --sse-customer-key-md5 fails with CLI

0

I'm trying to use aws s3api put-object/get-object with server side encryption with customer keys.

I'm using Powershell, but I don't believe that is the source of my issue.

On the surface, sse-customer-key-md5 appears to be a pretty simple input:
https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html
Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.

put-object works when I don't use --sse-customer-key-md5:

aws s3api put-object --bucket abc
--sse-customer-algorithm AES256 --sse-customer-key "testaes256testaes256testaes25612"
--region us-east-1 --key test.pdf
--body C:\test.pdf

{
"SSECustomerKeyMD5": "ezatpv/Yg0KkjX+5ZcsxdQ==",
"SSECustomerAlgorithm": "AES256",
"ETag": ""0d44c3df058c4e190bd7b2e6d227be73""
}

I agree with the SSECustomerKeyMD5 result:

$key = "testaes256testaes256testaes25612"
$md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider
$utf8 = new-object -TypeName System.Text.UTF8Encoding
$hash = $md5.ComputeHash($utf8.GetBytes($key))
$EncodedString =[Convert]::ToBase64String($hash)
Write-Host "Base64 Encoded String: " $EncodedString
Base64 Encoded String: ezatpv/Yg0KkjX+5ZcsxdQ==

Now I resubmit my put request with the --sse-customer-key-md5 option. Before anyone jumps on the base64 encoding, I've tried submitting the MD5 hash in Base64, Hexidecimal (With and without delimiters), JSON of the MD5 hash result, and upper case and lower case versions of the aforementioned. None work. Has anyone gotten this to work and, if so, format did you use?

aws s3api put-object --bucket abc
--sse-customer-algorithm AES256 --sse-customer-key "testaes256testaes256testaes25612"
--sse-customer-key-md5 "ezatpv/Yg0KkjX+5ZcsxdQ==" --region us-east-1
--key test.pdf `
--body C:\test.pdf

aws :   

 At line:1 char:1  

 + aws s3api put-object `  
 + ~~~~~~~~~~~~~~~~~~~~~~  
     + CategoryInfo          : NotSpecified: (:String) [], RemoteException  
     + FullyQualifiedErrorId : NativeCommandError  
 
 An error occurred (InvalidArgument) when calling the PutObject operation: The calculated MD5 hash of the key did not match the hash that was provided.

Thanks

Topics
Management & GovernanceStorage
Tags
AWS Command Line InterfaceManagement & GovernanceStorageEncryption
Language
English
keebs
asked 2 years ago920 views
2 Answers
0

I did notice what seems like an extraneous character in your command after "--key test.pdf" there is a "`" character.

aws s3api put-object --bucket abc
--sse-customer-algorithm AES256 --sse-customer-key "testaes256testaes256testaes25612"
--sse-customer-key-md5 "ezatpv/Yg0KkjX+5ZcsxdQ==" --region us-east-1
--key test.pdf `
--body C:\test.pdf

The error you got back specifically highlights this character as well.

+ aws s3api put-object `
Kevin
answered 2 years ago
0

Thanks for the reply. You wouldn't have known this, but I'm using powershell.... the "`" being a new line seperation in the input. I've since tried another S3 compatible system with the same failed result. Also fails in windows and linux.

keebs
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content