Can't decrypt noncurrent versions of files using EncryptionV2 with kms #2865
I'm writing an encrypted file to an S3 versioned bucket using the same key name each time like so:

```ruby
require 'aws-sdk-s3'

client = Aws::S3::EncryptionV2::Client.new(
  kms_key_id: ENV.fetch('KMS_KEY_ID'),
  key_wrap_schema: :kms_context,
  content_encryption_schema: :aes_gcm_no_padding,
  security_profile: :v2
)
# Each put to the same key creates a new version in the versioned bucket
client.put_object(
  bucket: ENV.fetch('S3_BUCKET_NAME'),
  key: 'foo',
  body: 'bar'
)
```

Then I'm trying to decrypt the file like so:

```ruby
client = Aws::S3::EncryptionV2::Client.new(
  kms_key_id: ENV.fetch('KMS_KEY_ID'),
  key_wrap_schema: :kms_context,
  content_encryption_schema: :aes_gcm_no_padding,
  security_profile: :v2
)
# version_id holds the ID of a noncurrent version of 'foo'
obj = client.get_object(
  bucket: ENV.fetch('S3_BUCKET_NAME'),
  key: 'foo',
  version_id: version_id
)
p obj.body.read
```

I'm able to successfully see the decrypted file contents when I use the current/latest

Any help would be appreciated, thank you!

/Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb:31:in `final': OpenSSL::Cipher::CipherError
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/io_decrypter.rb:31:in `finalize'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/io_auth_decrypter.rb:34:in `finalize'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb:77:in `block in attach_http_event_listeners'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:146:in `block in on_success'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:173:in `block in listener'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:182:in `block in emit'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:182:in `each'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:182:in `emit'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/http/response.rb:112:in `signal_done'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:120:in `verify_bytes_received'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:107:in `complete_response'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:89:in `block (2 levels) in transmit'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/3.2.0/net/http.rb:1873:in `block in transport_request'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/3.2.0/net/http/response.rb:301:in `reading_body'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/3.2.0/net/http.rb:1872:in `transport_request'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/3.2.0/net/http.rb:1826:in `request'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/connection_pool.rb:348:in `request'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:79:in `block in transmit'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:133:in `block in session'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/connection_pool.rb:104:in `session_for'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:128:in `session'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:76:in `transmit'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/net_http/handler.rb:50:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/content_length.rb:24:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/request_callback.rb:87:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/streaming_retry.rb:71:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/s3_signer.rb:73:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/s3_host_id.rb:17:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/xml/error_handler.rb:10:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/sign.rb:49:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/transfer_encoding.rb:26:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/helpful_socket_errors.rb:12:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/s3_signer.rb:48:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/redirects.rb:20:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/retry_errors.rb:360:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/user_agent.rb:37:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/http_checksum.rb:19:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/endpoint_pattern.rb:30:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/checksum_algorithm.rb:136:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb:60:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/expect_100_continue.rb:23:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb:21:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/rest/handler.rb:10:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/recursion_detection.rb:18:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/endpoints.rb:41:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/endpoint_discovery.rb:84:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/endpoint.rb:47:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/param_validator.rb:26:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/raise_response_errors.rb:16:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/skip_whole_multipart_get_checksums.rb:18:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/sse_cpk.rb:24:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/dualstack.rb:21:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/plugins/accelerate.rb:43:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/checksum_algorithm.rb:111:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:16:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/idempotency_token.rb:19:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/param_converter.rb:26:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/request_callback.rb:71:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/response_paging.rb:12:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/plugins/response_target.rb:24:in `call'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/seahorse/client/request.rb:72:in `send_request'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/client.rb:420:in `block in get_object'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-core-3.174.0/lib/aws-sdk-core/plugins/user_agent.rb:28:in `feature'
from /Users/cswilliams/.rbenv/versions/3.2.2/lib/ruby/gems/3.2.0/gems/aws-sdk-s3-1.123.1/lib/aws-sdk-s3/encryptionV2/client.rb:419:in `get_object'
from ../bin/restore:58:in `<main>'
Replies: 3 comments 1 reply
I was able to reproduce this and I do believe it may be a bug - I'm going to create an issue on the repo and track the investigation/fix there. Edit, here's the issue: #2866
Awesome, thank you so much Alex! I just tested out the new version and everything is working perfectly now!
Hello! Reopening this discussion to make it searchable.
Fix: #2867
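
The `OpenSSL::Cipher::CipherError` raised from `final` in the trace above is the error Ruby's OpenSSL binding raises when AES-GCM authentication fails. The following is an added example, not code from this thread or from the SDK: it models two versions of one key as `ciphertext || tag` and shows the error appearing when ciphertext and tag come from different versions. The body layout, the 16-byte tag length and all helper names are assumptions made for illustration; the thread itself does not state the root cause.

```ruby
require 'openssl'

TAG_LEN = 16 # bytes; tag length assumed for this model

# Encrypt one "object version" under its own random key and IV.
# The stored body is modelled as ciphertext followed by the GCM tag.
def encrypt_version(plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  { key: key, iv: iv, body: ciphertext + cipher.auth_tag(TAG_LEN) }
end

# The last TAG_LEN bytes of a version's body.
def trailing_tag(version)
  version[:body][-TAG_LEN..]
end

# Decrypt the ciphertext of `version`, verifying it against `tag`.
def decrypt(version, tag)
  ciphertext = version[:body][0...-TAG_LEN]
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = version[:key]
  decipher.iv = version[:iv]
  decipher.auth_tag = tag
  decipher.auth_data = ''
  # `final` performs the tag check and raises CipherError on mismatch
  decipher.update(ciphertext) + decipher.final
end

# Return the plaintext, or :tag_mismatch when authentication fails.
def outcome(version, tag)
  decrypt(version, tag)
rescue OpenSSL::Cipher::CipherError
  :tag_mismatch
end

# Constructed sample data: two versions written to the same key.
noncurrent = encrypt_version('bar')
current    = encrypt_version('baz')

p outcome(noncurrent, trailing_tag(noncurrent)) # body and tag from one version
p outcome(noncurrent, trailing_tag(current))    # tag taken from another version
```

When triaging this error, check that every piece fed to the decrypter (ciphertext, wrapped key, IV and tag) was read from the same object version.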