Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.


duplicity-talk mailing list

Hi,

I’m trying to back up my files and directories to an S3 bucket (in the us-east-1 region) which has server-side encryption enabled and uses a custom KMS Key.

So I run the command below, but get the error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

# duplicity /notebooks s3://s3.amazonaws.com/my-own-backups --log-file /var/log/duplicity.log --no-encryption

Local and Remote metadata are synchronized, no sync needed.
Last full backup left a partial set, restarting.
Last full backup date: Thu Jan  3 18:52:13 2019
RESTART: The first volume failed to upload before termination.
         Restart is impossible...starting backup from beginning.

Local and Remote metadata are synchronized, no sync needed.
Last full backup date: none
No signatures found, switching to full backup.
Attempt 1 failed. S3ResponseError: S3ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>null</ArgumentValue><RequestId>13C499F10532F0B0</RequestId><HostId>H28IOyN2uWiFSwlRFic9+hy7CPPFFJAp2o1Yi+SiydgKwM0GmPvKQRnMYOiGAeRC2TOeBQunFZY=</HostId></Error>

I tried adding the --s3-use-server-side-encryption, but that made the uploaded objects use the default KMS key, which is not what I want since the custom KMS key I used restricts who can do decryption.

Is there an option I’m missing?

Regards,
Danny

_______________________________________________
Duplicity-talk mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/duplicity-talk

Re: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

duplicity-talk mailing list

Forgot to mention we’re using duplicity 0.7.18.2 on an AWS EC2 instance with this Linux flavor:

Linux version 4.14.42-52.37.amzn1.x86_64 (mockbuild@gobi-build-64011) (gcc version 7.2.1 20170915 (Red Hat 7.2.1-2) (GCC)) #1 SMP Tue May 22 00:41:10 UTC 2018

And boto-2.49.0.

 

From: Duplicity-talk <duplicity-talk-bounces+dsinang=[hidden email]> On Behalf Of Sinang, Danny via Duplicity-talk
Sent: Thursday, January 3, 2019 2:31 PM
To: [hidden email]
Cc: Sinang, Danny <[hidden email]>
Subject: [Ext] [Duplicity-talk] Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

Re: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

duplicity-talk mailing list

I was able to work around the AWS Signature Version 4 problem by creating /etc/boto.cfg and adding these lines to it:

[s3]
use-sigv4 = True
host=s3.us-east-1.amazonaws.com

However, the error I get now is:

Attempt 1 failed. S3DataError: BotoClientError: ETag from S3 did not match computed MD5. "648ff6d0c349b9bc6557f161db3d36d9" vs. 688fea95f151e26c15722eb2863d8eea

 

From: Sinang, Danny
Sent: Thursday, January 3, 2019 2:45 PM
To: 'Discussion about duplicity backup' <[hidden email]>
Subject: RE: [Ext] [Duplicity-talk] Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
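
Added note and example, not part of the original thread: S3 documents that objects encrypted with SSE-KMS or SSE-C, and objects created by multipart upload, return an ETag that is not the MD5 digest of the object data, so an ETag-versus-MD5 comparison like the one in the last error is not expected to match for them. The Python sketch below (function names and sample headers are constructed for illustration) compares only when the ETag is defined to be an MD5 and otherwise relies on the Content-MD5 request header, which S3 verifies on receipt.

```python
import base64
import hashlib
import re

# Per S3 documentation, only single-part uploads stored as plaintext or with
# SSE-S3 ("AES256") return an ETag equal to the hex MD5 of the object data.
MD5_ETAG_SSE = (None, "AES256")
PLAIN_MD5_ETAG = re.compile(r"^[0-9a-f]{32}$")


def etag_is_md5(headers):
    """True if the ETag in these (lower-cased) response headers is an MD5."""
    if "x-amz-server-side-encryption-customer-algorithm" in headers:
        return False  # SSE-C
    if headers.get("x-amz-server-side-encryption") not in MD5_ETAG_SSE:
        return False  # aws:kms and any other KMS-backed mode
    etag = headers.get("etag", "").strip('"')
    return bool(PLAIN_MD5_ETAG.match(etag))  # rejects multipart "<hex>-<parts>"


def verify_upload(body, headers):
    """Return 'match', 'mismatch' or 'not-comparable' for a PUT response."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not etag_is_md5(headers):
        return "not-comparable"
    etag = headers["etag"].strip('"')
    return "match" if hashlib.md5(body).hexdigest() == etag else "mismatch"


def content_md5(body):
    """Base64 MD5 for the Content-MD5 request header; S3 rejects the PUT if
    the received bytes differ, whatever encryption the bucket applies."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


# Constructed sample data (not taken from the thread).
BODY = b"constructed duplicity volume bytes"
PLAIN = {"ETag": '"%s"' % hashlib.md5(BODY).hexdigest()}
KMS = {"ETag": '"0123456789abcdef0123456789abcdef"',
       "x-amz-server-side-encryption": "aws:kms"}

if __name__ == "__main__":
    print(verify_upload(BODY, PLAIN))
    print(verify_upload(BODY, KMS))
    print(content_md5(BODY))
```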