1

I am trying to download a file from an S3 bucket, but am seeing the following error:

 api error InvalidArgument: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

However, when creating my S3 Client for the downloader, I am setting this to s3v4. Here is my code:

var getFileContent = func(ctx context.Context, s3Details S3Details, key string) (*manager.WriteAtBuffer, error) {
    client := getS3Client(s3Details)

    head, headerr := client.HeadObject(ctx, &s3.HeadObjectInput{Bucket: &s3Details.Bucket, Key: &key})
    if headerr != nil {
        return nil, headerr
    }

    buff := manager.NewWriteAtBuffer(make([]byte, 0, head.ContentLength))

    _, err := manager.NewDownloader(client).Download(ctx, buff, &s3.GetObjectInput{
        Bucket: aws.String(s3Details.Bucket),
        Key:    aws.String(key),
    })

    return buff, err
}

func getS3Client(s3Details S3Details) *s3.Client {
    endpointResolver := aws.EndpointResolverWithOptionsFunc(func(service, region string, options ...interface{}) (aws.Endpoint, error) {
        endpoint := aws.Endpoint{
            PartitionID:   "aws",
            SigningRegion: s3Details.Region,
            SigningMethod: s3Details.SignatureVersion,
        }

        if s3Details.EndpointUrl != "" {
            endpoint.URL = s3Details.EndpointUrl
            return endpoint, nil
        } else {
            return endpoint, &aws.EndpointNotFoundError{}
        }
    })

    cfg, _ := config.LoadDefaultConfig(context.TODO(),
        config.WithEndpointDiscovery(aws.EndpointDiscoveryEnabled),
        config.WithEndpointResolverWithOptions(endpointResolver))

    return s3.NewFromConfig(cfg, func(o *s3.Options) {
        o.Region = s3Details.Region
        o.Credentials = aws.AnonymousCredentials{}
        o.UsePathStyle = true
    })
}

Verified that s3Details.SignatureVersion is definitely set to s3v4. Is there something I'm missing here?

Using aws-sdk-go-v2

MeanwhileInHell
  • 6,780
  • 17
  • 57
  • 106
  • If you're using the `aws-sdk-go` or `aws-sdk-go-v2` there is no need to sign the request. It's explained in this doc https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html – ossan Nov 25 '22 at 15:35
  • Hi @IvanPesenti, I'm not sure I entirely follow. If I don't need to sign the request, why am I getting an error that says I still do? – MeanwhileInHell Nov 30 '22 at 09:59
  • You're getting this error because you're not using the SDK that automatically signs the requests for you. If you're going to build the AWS request from scratch you've also to take car of the signing part. – ossan Nov 30 '22 at 10:32
  • @IvanPesenti I thought I had with the line `SigningMethod: s3Details.SignatureVersion,`. Would you be able to provide (or point to) an example of using the SDK that automatically signs the requests please? – MeanwhileInHell Nov 30 '22 at 16:29
  • In this response I gave you onto another question, you can see how to use the AWS SDK to interact with the AWS s3 service. Through this way, you don't have to manually sign your requests. – ossan Nov 30 '22 at 17:30
  • Hi @MeanwhileInHell, do you have any news? – ossan Dec 20 '22 at 08:28

0 Answers0