We need to do a cross-account backup. Let's say account 1 needs to push files to account 2's S3 bucket. A new KMS key was created in account 2 and configured for encrypting and decrypting account 2's S3 bucket. The key policy and bucket policy were configured for account 1 to push files to that S3 bucket.
Uploading small files succeeded, but uploading big files failed. It said:
An error occurred (AccessDenied) when calling the UploadPart operation: Access Denied
The command is:
aws s3 cp 12MB.file s3://account2S3bucket/ --sse aws:kms --sse-kms-key-id arn:aws:kms:xxxxxxxxx:key/12345678-1234-1234-1234-123456789012 --region ap-southeast-2 --acl bucket-owner-full-control
I compared the response of that command with that of uploading a small file when I enabled debug via the --debug option.
--- the below is the output of uploading a 12MB file.
PUT
/12MB.file
partNumber=1&uploadId=abcd...
content-md5:abcd...
host:xxxxx.amazonaws.com
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20190619T041121Z
x-amz-security-token:abcdefg...
content-md5;host;x-amz-content-sha256;x-amz-date;x-amz-security-token
UNSIGNED-PAYLOAD
--- the below is the output of uploading a small file.
PUT
/1MB.file
content-md5:eZvVEKOpB0GmRG2KHCQd/g==
content-type:text/plain
host:xxxxx.amazonaws.com
x-amz-acl:bucket-owner-full-control
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:20190619T043739Z
x-amz-security-token:abcd...
x-amz-server-side-encryption:aws:kms
x-amz-server-side-encryption-aws-kms-key-id:arn:aws:kms:xxxx:key/xxxx
It seems the x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id headers were not passed for the UploadPart API.
It looked similar to a previous issue, #1674,
but I'm using the latest aws-cli (aws-cli/1.16.181 Python/2.7.5 Linux/3.10.0-957.12.2.el7.x86_64 botocore/1.12.171).
Is it the same bug?
@ChangdongLi - Thank you for reporting this issue and providing all the details, including the link to #1674. Based on the information provided, I agree this issue is the same as #1674, which is controlled by the service, not the CLI. I suggest following the recommendation posted by KyleKnap.
I also suggest reaching out to the service team via their forums or submitting a case with AWS Premium Support. If you can post the forum ID here, I can escalate your specific issue to the service team, but follow-up with the service team would need to be done on the forums (which is why #1674 was closed).
Related To: #4035 and #635.
FYI, this has been solved. I raised this in our AWS account and got an answer. It's related to KMS policy configuration and S3 policy configuration. In short, the backup account needs these permissions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey" in the KMS key policy, and GetObject, PutObject, ListBucket permissions in the S3 bucket policy.
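As an added example (not code from the aws-cli project or from anyone in this thread), the two policy statements the resolution above describes, written as Python dicts together with a small pre-flight check that reports which required actions a policy does not grant to the backup account. The account ID, bucket name, and Sid values are placeholders; the check assumes Allow statements with an "AWS" principal and deliberately ignores Deny statements and Condition blocks.

```python
import fnmatch

BACKUP_ACCOUNT = "111111111111"  # placeholder: account 1, which pushes the backup
BUCKET = "account2S3bucket"      # bucket from the issue, owned by account 2
ROOT = f"arn:aws:iam::{BACKUP_ACCOUNT}:root"

# Key policy statement in account 2. "kms:ReEncrypt*" covers the real action
# names kms:ReEncryptFrom/ReEncryptTo. kms:Decrypt is needed for uploads too:
# UploadPart reuses the data key made at CreateMultipartUpload, which is why
# only the large (multipart) upload failed in the issue.
KMS_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowBackupAccountUseOfKey",
    "Effect": "Allow",
    "Principal": {"AWS": ROOT},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey", "kms:DescribeKey"],
    "Resource": "*",
}]}

# Bucket policy on account 2's bucket. ListBucket is bucket-level and
# Get/PutObject are object-level, hence the two resource ARNs.
S3_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowBackupAccountReadWrite",
    "Effect": "Allow",
    "Principal": {"AWS": ROOT},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
}]}

REQUIRED_KMS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom",
                "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:DescribeKey"]
REQUIRED_S3 = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def missing_actions(policy, account_id, required):
    """Required actions that no Allow statement grants to account_id's root
    principal (exact or wildcard match). Deny statements and Condition blocks
    are deliberately ignored: a pre-flight check, not an IAM simulator."""
    principals = {f"arn:aws:iam::{account_id}:root", account_id}
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        who = stmt.get("Principal", {})
        if principals.isdisjoint(_as_list(who.get("AWS", []) if isinstance(who, dict) else [])):
            continue
        granted.update(_as_list(stmt["Action"]))
    return sorted(a for a in required
                  if not any(fnmatch.fnmatchcase(a, g) for g in granted))
```

Run the check against the documents returned by `aws kms get-key-policy` and `aws s3api get-bucket-policy` before the first backup; an empty list for both policies means every action listed above is granted to the backup account.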
Thank you so much @ChangdongLi. I was about to pull the last hair from my head!! :sweat_smile: