Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ETag from S3 did not match computed MD5 - when using KMS encryption for upload #3750

Open
ksivask opened this issue Aug 25, 2017 · 2 comments

Comments

@ksivask
Copy link

commented Aug 25, 2017

When using KMS encryption for S3 upload, BotoClient errors with "BotoClientError: ETag from S3 did not match computed MD5."

The issue stems from the fact that with either KMS or S3's AES256 based encryption, the Content-MD5 value will not match the ETag from S3.

The following set of lines also need to check for the presence of 'x-amz-server-side​-encryption' header and appropriately skip the etag check.

boto/boto/s3/key.py

Lines 989 to 991 in 6c5b988

server_side_encryption_customer_algorithm = response.getheader(
'x-amz-server-side-encryption-customer-algorithm', None)
if server_side_encryption_customer_algorithm is None:

Example:

hdrs = { 'x-amz-server-side-encryption': 'aws:kms'}
b = s3c.create_bucket('my-test-bucket-kms', location='us-west-2')
mp = b.initiate_multipart_upload('my-test-key-kms', headers=hdrs)
with open('/tmp/datafile', 'rb') as f:
    mp.upload_part_from_file(fp=f, part_num=1)
mp.complete_upload()
>>>    mp.upload_part_from_file(fp=f, part_num=1)
2017-08-25 04:56:59,114 boto [DEBUG]:path=/d2978240-8951-11e7-b188-005056b0dba3
2017-08-25 04:56:59,114 boto [DEBUG]:auth_path=/d2978240-8951-11e7-b188-005056b0dba3/d2978240-8951-11e7-b188-005056b0dba3
2017-08-25 04:56:59,114 boto [DEBUG]:path=/d2978240-8951-11e7-b188-005056b0dba3?uploadId=AIvaNU_p0pOSrX2x2KzGp.7HSxSlTr_ioo3YnIoKPxRSit1Tnp9qICaQsMKTo1P9EU4IB_ocW_RvK62RoJPLMu..HfWY0kqGmmSUBwDVGgthbWsEcEhqeg.UVKaz0h86&partNumber=1
2017-08-25 04:56:59,114 boto [DEBUG]:auth_path=/d2978240-8951-11e7-b188-005056b0dba3/d2978240-8951-11e7-b188-005056b0dba3?uploadId=AIvaNU_p0pOSrX2x2KzGp.7HSxSlTr_ioo3YnIoKPxRSit1Tnp9qICaQsMKTo1P9EU4IB_ocW_RvK62RoJPLMu..HfWY0kqGmmSUBwDVGgthbWsEcEhqeg.UVKaz0h86&partNumber=1
2017-08-25 04:56:59,115 boto [DEBUG]:Method: PUT
2017-08-25 04:56:59,115 boto [DEBUG]:Path: /d2978240-8951-11e7-b188-005056b0dba3?uploadId=AIvaNU_p0pOSrX2x2KzGp.7HSxSlTr_ioo3YnIoKPxRSit1Tnp9qICaQsMKTo1P9EU4IB_ocW_RvK62RoJPLMu..HfWY0kqGmmSUBwDVGgthbWsEcEhqeg.UVKaz0h86&partNumber=1
2017-08-25 04:56:59,115 boto [DEBUG]:Data: 
2017-08-25 04:56:59,115 boto [DEBUG]:Headers: {'_sha256': '47c51d8f3dcaaf36e0a60e8481b05da8d941c352bb7a728bb7f702d35360da30', 'Content-Length': '345992', 'Expect': '100-Continue', 'Content-MD5': u'KrKJE9IMDORzk3K8YjMB1Q==', 'Content-Type': 'application/octet-stream', 'User-Agent': 'Boto/2.48.0 Python/2.7.6 Linux/4.4.0-87-generic'}
2017-08-25 04:56:59,115 boto [DEBUG]:Host: d2978240-8951-11e7-b188-005056b0dba3.s3-us-west-2.amazonaws.com
2017-08-25 04:56:59,115 boto [DEBUG]:Port: 443
2017-08-25 04:56:59,115 boto [DEBUG]:Params: {}
2017-08-25 04:56:59,115 boto [DEBUG]:Token: None
2017-08-25 04:56:59,116 boto [DEBUG]:CanonicalRequest:
PUT
/d2978240-8951-11e7-b188-005056b0dba3
partNumber=1&uploadId=AIvaNU_p0pOSrX2x2KzGp.7HSxSlTr_ioo3YnIoKPxRSit1Tnp9qICaQsMKTo1P9EU4IB_ocW_RvK62RoJPLMu..HfWY0kqGmmSUBwDVGgthbWsEcEhqeg.UVKaz0h86
content-length:345992
content-md5:KrKJE9IMDORzk3K8YjMB1Q==
content-type:application/octet-stream
expect:100-Continue
host:d2978240-8951-11e7-b188-005056b0dba3.s3-us-west-2.amazonaws.com
user-agent:Boto/2.48.0 Python/2.7.6 Linux/4.4.0-87-generic
x-amz-content-sha256:47c51d8f3dcaaf36e0a60e8481b05da8d941c352bb7a728bb7f702d35360da30
x-amz-date:20170825T045659Z

content-length;content-md5;content-type;expect;host;user-agent;x-amz-content-sha256;x-amz-date
47c51d8f3dcaaf36e0a60e8481b05da8d941c352bb7a728bb7f702d35360da30
2017-08-25 04:56:59,116 boto [DEBUG]:StringToSign:
AWS4-HMAC-SHA256
20170825T045659Z
20170825/us-west-2/s3/aws4_request
73646b9eef0c431bdd796e4294b6072fcaa10338b512cb0b690ad5cbdcad7c66
2017-08-25 04:56:59,116 boto [DEBUG]:Signature:
be06a5d04562aae525e85837b6fdb73a13a20eef8dba58ce12c7dcb644262805
2017-08-25 04:56:59,116 boto [DEBUG]:Final headers: {'x-amz-content-sha256': '47c51d8f3dcaaf36e0a60e8481b05da8d941c352bb7a728bb7f702d35360da30', 'Content-Length': '345992', 'Expect': '100-Continue', 'X-Amz-Date': '20170825T045659Z', 'Content-MD5': 'KrKJE9IMDORzk3K8YjMB1Q==', 'Content-Type': 'application/octet-stream', 'Host': 'd2978240-8951-11e7-b188-005056b0dba3.s3-us-west-2.amazonaws.com', 'Authorization': 'AWS4-HMAC-SHA256 Credential=AKIAKIAKIAKIAKIAKIAK/20170825/us-west-2/s3/aws4_request,SignedHeaders=content-length;content-md5;content-type;expect;host;user-agent;x-amz-content-sha256;x-amz-date,Signature=be06a5d04562aae525e85837b6fdb73a13a20eef8dba58ce12c7dcb644262805', 'User-Agent': 'Boto/2.48.0 Python/2.7.6 Linux/4.4.0-87-generic'}
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/multipart.py", line 260, in upload_part_from_file
    query_args=query_args, size=size)
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/key.py", line 1305, in set_contents_from_file
    chunked_transfer=chunked_transfer, size=size)
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/key.py", line 762, in send_file
    chunked_transfer=chunked_transfer, size=size)
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/key.py", line 963, in _send_file_internal
    query_args=query_args
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/connection.py", line 671, in make_request
    retry_handler=retry_handler
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1071, in make_request
    retry_handler=retry_handler)
  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 940, in _mexe
    request.body, request.headers)
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/key.py", line 894, in sender
    if not self.should_retry(response, chunked_transfer):
  File "/usr/local/lib/python2.7/dist-packages/boto/s3/key.py", line 995, in should_retry
    '%s vs. %s' % (self.etag, self.md5))
boto.exception.S3DataError: BotoClientError: ETag from S3 did not match computed MD5. "f69eadeeb6ededf148e0f0387ed94c57" vs. 2ab28913d20c0ce4739372bc623301d5

@ksivask

This comment has been minimized.

Copy link
Author

commented Aug 25, 2017

Suggested patch:
3750-etag.patch.txt

@avihoo

This comment has been minimized.

Copy link

commented May 29, 2018

Any update on this matter? I'm having the same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.