Not able to upload a file to an encrypted S3 bucket.

0

Recently I tried to upload a file into my encrypted S3 bucket by using the CLI, but I am not able to do so. But when I tried to upload the same file to an unencrypted S3 bucket, it got uploaded.

  • Could you verify that you are providing the correct encryption parameters when uploading the file to the encrypted S3 bucket? If server-side encryption is enabled on the bucket, you may need to specify the appropriate encryption option (--sse, --sse-c, --sse-kms, etc.) when uploading the file.

  • Could you provide more details for a more structured answer? Which encryption are you using? SSE-S3? SSE-KMS? Which CLI command are you giving? What's the error you got? Are you specifying the encryption key in the put-object request? Does your user/role have access to KMS?

  • I am using this command: aws s3 cp test.txt s3://backup/

3 Answers
1

Hello.

What kind of error do you get when you try to upload specifically?
If your S3 is encrypted with a KMS key, you may find the troubleshooting methods in the documentation below useful.
In the case of an S3 bucket encrypted with KMS, you will need "kms:GenerateDataKey" and "kms:Decrypt" in the IAM policy of the IAM user.
https://repost.aws/knowledge-center/s3-access-denied-error-kms

EXPERT
answered 17 days ago
AWS
EXPERT
reviewed 17 days ago
  • upload failed: D:\test.txt to s3://backup/test2.txt An error occurred (AccessDenied) when calling the PutObject operation: User: arn:aws:iam:: is not authorized to perform: kms:GenerateDataKey on resource: arn:aws:kms:ap-south-1::key/ because no identity-based policy allows the kms:GenerateDataKey action

  • Thank you for sharing the error message. As stated in the error message, the "kms:GenerateDataKey" action is not allowed for IAM users, so please try attaching the following IAM policy to the IAM user.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "kms:Decrypt",
                    "kms:GenerateDataKey",
                    "s3:PutObject"
                ],
                "Resource": "*",
                "Effect": "Allow",
                "Sid": "SamplePolicy"
            }
        ]
    }
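
An added example, not part of the original answers: an offline check of an identity-based policy for the three actions in the policy above, which also flags Allow statements whose Resource is "*". The account ID, key ID, SCOPED_POLICY and S3_ONLY_POLICY are constructed placeholders; the check assumes Statement is a list and ignores conditions, NotAction/NotResource, the KMS key policy and SCPs.

```python
import fnmatch

# Constructed placeholders: the page elides the account ID and key ID.
KEY_ARN = "arn:aws:kms:ap-south-1:111122223333:key/EXAMPLE-KEY-ID"
OBJECT_ARN = "arn:aws:s3:::backup/test.txt"
NEEDED = {"kms:GenerateDataKey": KEY_ARN, "kms:Decrypt": KEY_ARN,
          "s3:PutObject": OBJECT_ARN}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                 for p in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatch.fnmatchcase(resource, p)
                 for p in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok

def audit(policy, needed=NEEDED):
    """Return (actions not granted, Sids of Allow statements on Resource "*")."""
    stmts = policy["Statement"]
    missing = []
    for action, resource in needed.items():
        allowed = any(s["Effect"] == "Allow" and _matches(s, action, resource)
                      for s in stmts)
        denied = any(s["Effect"] == "Deny" and _matches(s, action, resource)
                     for s in stmts)
        if denied or not allowed:  # an explicit Deny overrides any Allow
            missing.append(action)
    broad = [s.get("Sid", "<no Sid>") for s in stmts
             if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource", []))]
    return sorted(missing), broad

# The policy posted in the comment above: grants everything, on every resource.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SamplePolicy", "Effect": "Allow", "Resource": "*",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "s3:PutObject"]}]}
# Constructed alternative: same actions, scoped to one key and one bucket.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "UseBucketKey", "Effect": "Allow", "Resource": KEY_ARN,
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"]},
    {"Sid": "PutBackupObjects", "Effect": "Allow",
     "Resource": "arn:aws:s3:::backup/*", "Action": "s3:PutObject"}]}
# Constructed: S3 rights only, the situation the AccessDenied error describes.
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [SCOPED_POLICY["Statement"][1]]}

if __name__ == "__main__":
    print(audit(PAGE_POLICY), audit(SCOPED_POLICY), audit(S3_ONLY_POLICY))
```
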
    
1

From the error you provided, your IAM user doesn't have rights to the kms:GenerateDataKey.

You'll need to add rights to your IAM user to use the KMS API, and also check the key policy to confirm that you have rights to use that exact key.

xanthic
answered 17 days ago
AWS
EXPERT
reviewed 17 days ago
0

Thank you so much. The issue has been resolved.

AB
answered 17 days ago
