How to read S3 object from encrypted S3 bucket using ebextensions files?

0

Hi,

I am trying to create a file from an encrypted s3 bucket in my EB instance using the "files" key in an ebextensions configuration file.
It's failing with a 400 error and the message: "Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4."

Here are some details:

  • The bucket is encrypted with a custom KMS key
  • I'm using the "AWS::CloudFormation::Authentication" resource with role-based authentication
    eg:
    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Auth:
              type: "s3"
              buckets:
                - "Fn::GetOptionSetting":
                    Namespace: "aws:elasticbeanstalk:application:environment"
                    OptionName: "ConfigBucketName"
              roleName:
                "Fn::GetOptionSetting":
                  Namespace: "aws:autoscaling:launchconfiguration"
                  OptionName: "IamInstanceProfile"

The role is set up with the correct policy to ListBucket and GetObject on the s3 bucket and the role is added as a Key User in KMS.
Any pointers on how to get this to work?

Thanks,
Kwan

asked 3 years ago, 374 views
1 Answer
0

Finally figured it out. The problem was the path didn't include the region so it couldn't use the V4 signature format and fell back to using an older one. Resolved the issue by adding the region into the s3 path.

answered 3 years ago
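
The fix described in the answer, sketched as an ebextensions "files" entry. This is an added example, not the poster's actual configuration: the bucket name, region, object key and target path are placeholders, and the virtual-hosted URL style is an assumption, since the answer does not say which URL form was used.

```yaml
# .ebextensions/01-config-file.config (hypothetical file name)
files:
  "/etc/myapp/app.conf":            # placeholder target path on the instance
    mode: "000600"
    owner: root
    group: root
    # Must match the logical name under AWS::CloudFormation::Authentication
    authentication: "S3Auth"

    # Before: no region in the host name. Per the answer, the download
    # was not signed with Signature Version 4, and S3 rejected the
    # request for the SSE-KMS encrypted object with a 400 error.
    # source: https://example-config-bucket.s3.amazonaws.com/app.conf

    # After: regional endpoint, so the request can be signed with
    # Signature Version 4 (eu-west-1 is a placeholder region).
    source: https://example-config-bucket.s3.eu-west-1.amazonaws.com/app.conf
```

The instance profile role still needs s3:GetObject on the object and permission to use the KMS key, as the question already describes.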
