On decrypting file using KMS key in Amazon S3 i get an error

+1 vote

Using Amazon S3 as a file system with encryption.

I am successfully able to achieve uploading file on AWS S3 server using KMS Encrypted key (Server side Encryption). Please find below working code :

For Encrypt:

private static final String AWS_KMS_KEY = "---KMS Key---"
private static final String BUCKET_NAME = "---bucket name---"
private static final String keyName = "---display key name---"
private static final String filePath = "---File Path---"
private static final String ACCESS_KEY_ID = "---aws accesskey---"
private static final String SECRET_ACCESS_KEY = "---aws secret key---"

AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY);
AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
    .withRegion(Regions.US_WEST_2).withForceGlobalBucketAccessEnabled(true).build();

FileInputStream stream = new FileInputStream(filePath);

ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());

PutObjectRequest putObjectRequest = new PutObjectRequest(amazonFileUploadLocationOriginal, keyName, stream, objectMetadata);
putObjectRequest.withCannedAcl(CannedAccessControlList.PublicRead);
putObjectRequest.withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(AWS_KMS_KEY));

PutObjectResult result = s3Client.putObject(putObjectRequest);

I am facing issue while retriving file with server side decryption.

I want to access directly aws url to retrieve that file with decryption. Please find below code which is not working :

For object read :

Object Read without KMS key :

GetObjectRequest request = new GetObjectRequest(existingBucketName, amazonFileUploadLocationOriginal);
s3Client.getUrl(BUCKET_NAME, keyName);

Above Code is for read object without kms encrypted key which shows below error.

Code : InvalidArgument

Message : Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

Object Read with KMS key :

GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
            .withSSEAlgorithm(SSEAlgorithm.KMS)
            .withKmsCmkId(AWS_KMS_KEY);

URL puturl = s3Client.generatePresignedUrl(genreq);

Above Code is for read object with kms encrypted key presign URL, which shows below error.

Code : SignatureDoesNotMatch

Message : The request signature we calculated does not match the signature you provided. Check your key and signing method.

Is it right way to do? Is there any suggestions? Please help.

Oct 26, 2018 in AWS by findingbugs
 • 3,260 points 5,493 views

2 answers to this question.

+1 vote

Try figuring out your error with the documentation on how  to force Signature Version 4... I suggest that you don't use with the SSEAlgorithm(SSEAlgorithm.KMS) when generating a GET URL. This probably causes the SDK to make an incorrect assumption about the contents of the actual request you'll be making, with the signed URL.

Hope this will work

answered Oct 26, 2018 by Priyaj
 • 58,020 points
0 votes
from the message it seems that Sigv4 is not being used which is leading to an error since the error signifies that Get Object api call for a KMS encrypted object should be done over sigv4.

would highly recommend you to update the sdk version and try again.
answered Dec 31, 2018 by jza80

Related Questions In AWS

0 votes
0 answers

I want to get file name from key in S3 bucket wanted to read single file from list of file present in bucket

1 <class 'boto.s3.key.Key'> <Key: numbers-email, staging/Procured_Numbers_Status/procured_numbers_status_2019-05-15:06:09:04.csv> I ...READ MORE

May 15, 2019 in AWS by anonymous
 6,960 views
0 votes
2 answers

Using an api key in amazon api gateway

Try with this X-Api-Key READ MORE

answered Apr 17, 2019 in AWS by sampath
 2,701 views
+1 vote
2 answers

How to read a csv file stored in Amazon S3 using csv.DictReader

The code would be something like this: import ...READ MORE

answered Oct 25, 2018 in AWS by Archana
 • 5,640 points 54,416 views
0 votes
0 answers

"UNPROTECTED PRIVATE KEY FILE!" Error using SSH into Amazon EC2 Instance (AWS)

I've created a new Linux instance on ...READ MORE

Apr 25, 2022 in AWS by Aditya
 • 7,680 points 766 views
–1 vote
1 answer

How to decrypt the encrypted S3 file using aws-encryption-cli --decrypt

Use command : aws s3 presign s3://mybucket/abc_count.png you get ...READ MORE

answered Oct 22, 2018 in AWS by Priyaj
 • 58,020 points 5,204 views
0 votes
1 answer

AWS S3 uploading hidden files by default

versioning is enabled in your bucket. docs.aws.amazon.com/AmazonS3/latest/user-guide/….... the ...READ MORE

answered Oct 4, 2018 in AWS by Priyaj
 • 58,020 points 5,958 views
0 votes
1 answer

Import my AWS credentials using python script

Using AWS Cli  Configure your IAM user then ...READ MORE

answered Nov 16, 2018 in AWS by Jino
 • 5,820 points 2,868 views
0 votes
2 answers

Invalid bucket name "s3:\\testdm": Bucket name must match the regex "^[a-zA-Z0-9.\-_]{1,255}$"

Instead of backslashes, use forward slashes C:\Users\jino>aws s3 ...READ MORE

answered Apr 24, 2019 in AWS by anonymous
 24,053 views
0 votes
1 answer

Run a JAR file on Amazon EMR which I created using Hadoop 2.7.5

I suggest you recompile the code or ...READ MORE

answered Oct 15, 2018 in AWS by Priyaj
 • 58,020 points 1,366 views
0 votes
1 answer

I am trying to launch an ec2 instance using aws-cli and i want to copy my code from a s3 bucket.

It might be throwing an error on ...READ MORE

answered Aug 7, 2018 in AWS by Priyaj
 • 58,020 points 2,936 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP
"PMP®","PMI®", "PMI-ACP®" and "PMBOK®" are registered marks of the Project Management Institute, Inc. MongoDB®, Mongo and the leaf logo are the registered trademarks of MongoDB, Inc.