
Add X-Amz-Server-Side-Encryption-Context header to required signed headers allowlist #2228

Merged


fenak
Contributor

@fenak fenak commented Aug 11, 2023

Summary

Adds the X-Amz-Server-Side-Encryption-Context header to the required signed headers allowlist.

This PR is to keep parity with aws/aws-sdk-go#4949

Problem description

When presigning a PutObjectRequest which includes SSEKMSEncryptionContext in its s3.PutObjectInput parameter, the X-Amz-Server-Side-Encryption-Context header gets added to the URL as a query parameter, not as a signed header.

When using the presigned URL to put an object in a bucket, you can't send the encryption context as a header, as it isn't on the list of signed headers, and the parameter sent via the URL doesn't work (the object is uploaded and encrypted without adding the encryption context to it).

As mentioned in the Specifying server-side encryption with AWS KMS (SSE-KMS) documentation, in the section "Using the REST API":

When you create an object—that is, when you upload a new object or copy an existing object—you can specify the use of server-side encryption with AWS KMS keys (SSE-KMS) to encrypt your data. To do this, add the x-amz-server-side-encryption header to the request. Set the value of the header to the encryption algorithm aws:kms. Amazon S3 confirms that your object is stored using SSE-KMS by returning the response header x-amz-server-side-encryption.

If you specify the x-amz-server-side-encryption header with a value of aws:kms, you can also use the following request headers:

x-amz-server-side-encryption-aws-kms-key-id

x-amz-server-side-encryption-context

x-amz-server-side-encryption-bucket-key-enabled

I could verify that, using my fork, the request sends the encryption context via headers, and then it works as expected.

This fix seems to be aligned with the behaviour mentioned in the aws/aws-sdk-js-v3 repo:

@fenak fenak requested a review from a team as a code owner August 11, 2023 03:32
@lucix-aws lucix-aws merged commit 18635b8 into aws:main Aug 17, 2023
8 of 9 checks passed
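As an added check, not part of this PR or the SDK's own code: a Go helper using only the standard library that inspects a presigned PutObject URL and reports whether the encryption context is bound by X-Amz-SignedHeaders (the fixed behaviour, where the uploader must send the header and S3 applies it) or only appears as an unsigned query parameter that S3 ignores (the bug described above). The two URLs are constructed samples with placeholder signatures.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const ctxHeader = "x-amz-server-side-encryption-context"

// ClassifyEncryptionContext reports how a presigned PutObject URL carries the
// SSE-KMS encryption context:
//   "signed-header": listed in X-Amz-SignedHeaders, so the PUT must send it and
//                    S3 applies it (the behaviour this PR restores);
//   "query-only":    present only as a query parameter, which S3 ignores (the bug);
//   "absent":        no encryption context at all.
func ClassifyEncryptionContext(presigned string) (string, error) {
	u, err := url.Parse(presigned)
	if err != nil {
		return "", err
	}
	q := u.Query()
	// X-Amz-SignedHeaders is a lowercase, ';'-separated list of header names.
	for _, name := range strings.Split(strings.ToLower(q.Get("X-Amz-SignedHeaders")), ";") {
		if name == ctxHeader {
			return "signed-header", nil
		}
	}
	for key := range q {
		if strings.EqualFold(key, ctxHeader) {
			return "query-only", nil
		}
	}
	return "absent", nil
}

// Constructed sample URLs (placeholder signatures, not real ones): the same
// PutObject presigned before and after the fix; only the query differs.
const (
	beforeFix = "https://bucket.s3.us-east-1.amazonaws.com/key?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Server-Side-Encryption-Context=eyJhcHAiOiJkZW1vIn0%3D&X-Amz-Signature=PLACEHOLDER"
	afterFix  = "https://bucket.s3.us-east-1.amazonaws.com/key?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption%3Bx-amz-server-side-encryption-context&X-Amz-Signature=PLACEHOLDER"
)

func main() {
	for _, u := range []string{beforeFix, afterFix} {
		kind, err := ClassifyEncryptionContext(u)
		fmt.Println(kind, err)
	}
}
```

A presigned URL that classifies as "query-only" will upload successfully but store the object without the encryption context, so this check belongs in any test that exercises presigned SSE-KMS uploads.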