Skip to content

AWS S3 download fails when using KMS encrypted objects #21955

New issue
New issue
Open
#21956
Open
AWS S3 download fails when using KMS encrypted objects#21955
#21956
Labels
bug
@chris-smith-zocdoc

Description

@chris-smith-zocdoc
chris-smith-zocdoc
opened on Feb 14, 2025

Describe the bug

When using KMS encrypted objects, S3 requires the use of sigv4 credential signing

To reproduce, upload an object using a customer managed kms key

aws s3 cp foo.txt s3://bucket/foo.txt --sse aws:kms --sse-kms-key-id <key_id>

and try to download it using a file source

file(
    name="s3_file",
    source=http_source(
        url="s3://bucket/foo.txt",
        len=123,
        sha256="sha",
    )
)

run_shell_command(
    name="list_files",
    command="ls -lah {chroot}",
    execution_dependencies=[":s3_file"],
)

pants run :list_files

Produces an error like

IntrinsicError: Client error (400) downloading file foo.txt from https://bucket.s3.amazonaws.com/foo.txt

Pants version
2.24.1

OS
Both

Additional info
toml to enable the backend

[GLOBAL]
pants_version = "2.24.1"
backend_packages = [
    "pants.backend.shell",
    "pants.backend.url_handlers.s3",
]
plugins = [
    'botocore==1.34.135'
]

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions