How to upload files to S3 from AWS CLI with KMS encryption
It looks like you're missing the --sse aws:kms flag. You're likely looking for something like
aws s3 cp /filepath s3://mybucket/filename --sse aws:kms --sse-kms-key-id <key id>
Check out aws s3 cp options for more details.
Author: vishal
Updated on July 09, 2022
Comments
-
vishal almost 2 years
I want to upload a file from local machine to S3 with KMS encryption. I have been using the following command:
aws s3 cp /filepath s3://mybucket/filename --sse-kms-key-id <key id>
It shows the following error: " error occured:when calling the PutObject operation: Server Side Encryption with AWS KMS managed key requires HTTP header x-amz -server-side-encryption : aws:kms". What could possibly be causing this error?
-
vishal over 6 years
It is showing "aws:kms" as unknown option. I've already viewed the cp command documentation and there is no clear explanation for what I'm looking for. Is there any other way?
-
Jamie Starke over 6 years
What do you get for aws -v?
-
vishal over 6 years
It shows as unknown option. I don't think there is an "aws -v" command at all. Look at the below link: docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html. In this document it has been mentioned that you can't get or put an object that has KMS encryption and it can only be done by SigV4 or SSL. Do you have any idea of how to use SigV4 in the CLI? It would be helpful. Thank you.
-
Jamie Starke over 6 years
Sorry, my mistake, aws --version?
-
vishal over 6 years
aws-cli/1.11.132 Python/2.7.12 Linux/4.9.51-10.52.amzn1.x86_64 botocore/1.5.95
It shows this one.
-
Jamie Starke over 6 years
Bizarre, this functionality was merged in back in 2015 (github.com/aws/aws-cli/pull/1623)
-
vishal over 6 years
When I added "aws:kms" the second part of the error in my question has gone. The first part alone stands (PutObject error). I've already looked at the link you have mentioned and I have also enabled signature v4 by the command they have mentioned, but still I am unable to upload or download. Is there any other mistake on my part? Thanks for your time.
-
Jamie Starke over 6 years
Oh, so now we're down just to the "error occured:when calling the PutObject" part? Alright, so now it's time to make sure that whatever user you're using has access to both s3:PutObject on the arn:aws:s3:::<bucket_name>/* and also kms:Decrypt and kms:DescribeKey for the KMS Key you're using.
-
vishal over 6 years
Bro, thanks a lot!!!!!!! You're a genius. Finally uploaded it. I had the default AWS KMS full access policy attached to my instance but it was missing "kms:Decrypt". Once I added it, it got uploaded. Thanks a lot bro!!!!
-
Jamie Starke over 6 years
Haha, ok, I think I had a typo in there, I meant to do kms:Encrypt, but if it's working, don't mess with a good thing. If it solves your problem, mind accepting the answer?
-
vishal over 6 years
Did it bro. I added "kms:*" in the policy so it must have included all the actions.
-
Kousha about 6 years
@JamieStarke is this supposed to do client side encryption? Because I uploaded the file using the snippet you provided, and then I just fetched it using aws s3 cp, and the content was unencrypted ...
-
Jamie Starke about 6 years
If you're using KMS encryption (which my example includes) encryption and decryption are handled by S3. If you have permission to decrypt, it will be done on your behalf. If you don't, you won't be able to download either.
-
Tim about 5 years
Question was specifically about KMS, not sse
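
The flag pairing from the answer and the "content was unencrypted" question in the comments, as an added example that is not part of the original thread: a preflight that rejects `--sse-kms-key-id` without `--sse aws:kms`, and a check of the stored object's metadata via `aws s3api head-object`. The function names are hypothetical, and the key id and ARN values are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Key ids and ARNs here are constructed.

# check_sse_args ARGS...: preflight for an `aws s3 cp` argument list.
# Returns 1 when --sse-kms-key-id is present without `--sse aws:kms`,
# the combination behind the PutObject error in the question.
check_sse_args() {
  local sse="" key_id=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --sse)  # a bare --sse means AES256 to the CLI
        case "${2:-}" in ""|--*) sse="AES256" ;; *) sse="$2"; shift ;; esac ;;
      --sse=*) sse="${1#--sse=}" ;;
      --sse-kms-key-id)
        if [ $# -ge 2 ]; then key_id="$2"; shift; fi ;;
      --sse-kms-key-id=*) key_id="${1#--sse-kms-key-id=}" ;;
    esac
    shift
  done
  if [ -n "$key_id" ] && [ "$sse" != "aws:kms" ]; then
    echo "refusing: --sse-kms-key-id needs --sse aws:kms (got '${sse:-none}')" >&2
    return 1
  fi
  return 0
}

# sse_matches "ALG<TAB>KEY_ARN" EXPECTED_KEY_ID: pure check on head-object output.
sse_matches() {
  local alg key
  read -r alg key <<EOF
$1
EOF
  [ "$alg" = "aws:kms" ] || return 1
  case "$key" in "$2"|*/"$2") return 0 ;; *) return 1 ;; esac
}

# verify_sse_kms BUCKET KEY EXPECTED_KEY_ID: authorized downloads are always
# plaintext, so confirm encryption at rest from the object's metadata instead.
verify_sse_kms() {
  local out
  out=$(aws s3api head-object --bucket "$1" --key "$2" \
    --query '[ServerSideEncryption,SSEKMSKeyId]' --output text) || return 2
  sse_matches "$out" "$3"
}

# Demo: the command from the question fails the preflight.
check_sse_args /filepath s3://mybucket/filename --sse-kms-key-id 1234abcd-constructed || true
```

`verify_sse_kms` needs credentials allowed to call HeadObject on the object; `sse_matches` can be exercised offline on a captured output line.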