
I'm using CloudFront with an S3 origin that is using KMS to encrypt objects. I'm getting the following error when sending a GET request for an object in the S3 bucket.

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

I assumed CloudFront would be smart enough to use AWS Signature Version 4 when requesting the object, but perhaps not?

It looks like this has been an issue with new S3 regions. Amazon recently added support for these new regions but I don't think they have addressed the issue with KMS-encrypted objects.

Does anyone have experience with this and know if there is a way to get CloudFront's origin access identity to use signature v4?

1 Answer


You need to configure your AWS Signature Version, e.g.

aws configure set default.s3.signature_version s3v4

or for the specific profile:

aws configure set profile.<profilename>.s3.signature_version s3v4

Then re-try, e.g.

aws s3 cp s3://rkbtest/check.png ./

Source: aws/aws-cli/issues/1006 at GitHub.


If using the curl/wget command, you need to add an extra Authorization header to your request, e.g.

GET /photos/puppy.jpg HTTP/1.1
Host: johnsmith.s3.amazonaws.com
Date: Tue, 27 Mar 2007 19:36:42 +0000
Authorization: AWS AKIAIOSFODNN7EXAMPLE:bWq2s1WEIj+Ydj0vQ697zp+IXMU=

Syntax: Authorization: AWS AWSAccessKeyId:Signature.

See: Signing and Authenticating REST Requests.

kenorb
  • 7,125