How to upload files to S3 from the AWS CLI with KMS encryption


It looks like you're missing the --sse aws:kms flag. You're likely looking for something like

    aws s3 cp /filepath s3://mybucket/filename --sse aws:kms --sse-kms-key-id <key id>

Check out aws s3 cp options for more details.


Author: vishal

Updated on July 09, 2022

Comments

  • vishal
    vishal almost 2 years

    I want to upload a file from a local machine to S3 with KMS encryption. I have been using the following command:

        aws s3 cp /filepath s3://mybucket/filename --sse-kms-key-id <key id>
    

    It shows the following error: "error occurred: when calling the PutObject operation: Server Side Encryption with AWS KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms". What could possibly be causing this error?

  • vishal
    vishal over 6 years
    It is showing "aws:kms" as an unknown option. I've already viewed the cp command documentation and there is no clear explanation for what I'm looking for. Is there any other way?
  • Jamie Starke
    Jamie Starke over 6 years
    What do you get for aws -v?
  • vishal
    vishal over 6 years
    It shows as unknown option. I don't think there is an "aws -v" command at all. Look at the link below: docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html. In this document it is mentioned that you can't get or put an object that has KMS encryption, and that it can only be done with SigV4 or SSL. Do you have any idea how to use SigV4 in the CLI? It would be helpful. Thank you.
  • Jamie Starke
    Jamie Starke over 6 years
    Sorry, my mistake, aws --version?
  • vishal
    vishal over 6 years
    It shows this one: aws-cli/1.11.132 Python/2.7.12 Linux/4.9.51-10.52.amzn1.x86_64 botocore/1.5.95
  • Jamie Starke
    Jamie Starke over 6 years
    Bizarre, this functionality was merged in back in 2015 (github.com/aws/aws-cli/pull/1623)
  • vishal
    vishal over 6 years
    When I added "aws:kms", the second part of the error in my question went away. The first part alone remains (PutObject error). I've already looked at the link you mentioned and I have also enabled Signature V4 with the command they mention, but I am still unable to upload or download. Is there any other mistake on my part? Thanks for your time.
  • Jamie Starke
    Jamie Starke over 6 years
    Oh, so now we're down just to the "error occurred: when calling the PutObject" part? Alright, so now it's time to make sure that whatever user you're using has access to both s3:PutObject on the arn:aws:s3:::<bucket_name>/* and also kms:Decrypt and kms:DescribeKey for the KMS Key you're using.
  • vishal
    vishal over 6 years
    Bro, thanks a lot!!!!!!! You're a genius. Finally uploaded it. I had the default AWS KMS full access policy attached to my instance but it was missing "kms:Decrypt"; once I added it, it got uploaded. Thanks a lot bro!!!!
  • Jamie Starke
    Jamie Starke over 6 years
    Haha, ok, I think I had a typo in there, I meant to do kms:Encrypt, but if it's working, don't mess with a good thing. If it solves your problem, mind accepting the answer?
  • vishal
    vishal over 6 years
    Did it, bro. I added "kms:*" in the policy so it must have included all the actions.
  • Kousha
    Kousha about 6 years
    @JamieStarke is this supposed to do client-side encryption? Because I uploaded the file using the snippet you provided, and then I just fetched it using aws s3 cp, and the content was unencrypted ...
  • Jamie Starke
    Jamie Starke about 6 years
    If you're using KMS encryption (which my example includes) encryption and decryption are handled by S3. If you have permission to decrypt, it will be done on your behalf. If you don't, you won't be able to download either.
  • Tim
    Tim about 5 years
    question was specifically about KMS, not sse
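
An added example, not part of the thread: a Python check of an identity policy against the actions needed for SSE-KMS transfers, covering both the permission fix and the "kms:*" grant discussed in the comments above. The action list follows the S3 documentation (kms:GenerateDataKey to upload, kms:Decrypt to download or to upload in multiple parts), which is this example's assumption and differs from the actions named in the comments. The ARNs and policies are constructed, and Condition, NotAction and the KMS key policy are not evaluated.

```python
import re

# Actions the S3 documentation lists for SSE-KMS objects (this example's
# assumption; the comments name kms:Decrypt, kms:DescribeKey, kms:Encrypt).
REQUIRED = {
    "upload": ["s3:PutObject", "kms:GenerateDataKey"],
    "multipart_upload": ["s3:PutObject", "kms:GenerateDataKey", "kms:Decrypt"],
    "download": ["s3:GetObject", "kms:Decrypt"],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None
def _as_list(v):
    return v if isinstance(v, list) else [v]
def _covers(stmt, action, resource):
    return (any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))))

def allowed(policy, action, resource):
    """Explicit Deny wins; otherwise some Allow statement must cover the pair."""
    stmts = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _covers(s, action, resource) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _covers(s, action, resource) for s in stmts)
def missing_actions(policy, operation, object_arn, key_arn):
    """Return the actions the policy does not grant for the given operation."""
    return [a for a in REQUIRED[operation]
            if not allowed(policy, a, object_arn if a.startswith("s3:") else key_arn)]
def wildcard_kms_grants(policy):
    """Allow-statement actions that grant KMS by wildcard (e.g. 'kms:*')."""
    return [a for s in _as_list(policy["Statement"]) if s["Effect"] == "Allow"
            for a in _as_list(s.get("Action", []))
            if a == "*" or (a.lower().startswith("kms:") and "*" in a)]

# Constructed sample data: placeholder bucket, account id and key id.
OBJ = "arn:aws:s3:::mybucket/filename"
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:DescribeKey"],
     "Resource": KEY}]}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:*"], "Resource": "*"}]}

if __name__ == "__main__":
    for op in REQUIRED: print(op, "missing:", missing_actions(SCOPED, op, OBJ, KEY))
    print("wildcard KMS grants:", wildcard_kms_grants(BROAD))
```

aws s3 cp switches to multipart upload above its multipart_threshold setting (8 MB by default), so a policy that passes the "upload" check can still fail on larger files without kms:Decrypt.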