Describe the bug
When a v2 S3 client using the `UrlConnectionHttpClient` makes a `putObject` request with `kms:sse` that fails due to the caller not having `kms:GenerateDataKey` on the KMS key being used to encrypt the file, the response is 403. However, the error message is `null`, when it should be something like `User: XYZ is not authorized to perform: kms:GenerateDataKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access`.
I have verified that a v2 S3 client using the `ApacheHttpClient` or `AwsCrtHttpClient`, or the v1 S3 client, results in a non-null error message with the expected message.
Expected Behavior
When calling `putObject` using `kms:sse` and specifying a KMS key in the request with a key policy that does not give the caller permission to `kms:GenerateDataKey`, the request should fail with the error message:
User: {REDACTED PRINCIPAL} is not authorized to perform: kms:GenerateDataKey on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access (Service: S3, Status Code: 403, Request ID: 1DB63EJ6C0XM1Z1M, Extended Request ID: UrS2WQqsumheP9K8KKLCWgVlsnnSklK0MM9Idz2zaR/HeOw6WeWIlnpdCm+AjBv0y0h0umH9P/94Y4i5R+LW9Q==)
Current Behavior
When calling `putObject` using `kms:sse` and specifying a KMS key in the request with a key policy that does not give the caller permission to `kms:GenerateDataKey`, the request fails with the following error message:
null (Service: S3, Status Code: 403, Request ID: 1NHWS3N3B2Q8KHFG, Extended Request ID: qNCefm0Z1GuLMVTUr2ew8OiKQeMyToU/Z8nBGe+zjjORC7JPauIE3tOg7MdxWPTPPxAGUQrPvJidHH8EHu+uqQ==)
Reproduction Steps
Below is a main method from a mvn project that will run with three different http clients, and the v1 s3 client.
You will need the following dependencies:
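The author's main method and dependency list did not survive on this page. As an added example (not the issue's own code), this Java harness runs the same SSE-KMS putObject through the three v2 HTTP clients named above and shows the fallback a caller needs when errorMessage() comes back null; the bucket name, KMS key ARN and region are placeholder assumptions, and the v1 client run is omitted.

```java
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.http.crt.AwsCrtHttpClient;
import software.amazon.awssdk.http.urlconnection.UrlConnectionHttpClient;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;
import java.util.Map;

public class SseKmsErrorMessageRepro {
    // Placeholders (assumed): a bucket and a KMS key whose key policy does not grant kms:GenerateDataKey to the caller.
    static final String BUCKET = "EXAMPLE-BUCKET";
    static final String KMS_KEY_ID = "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID";

    public static void main(String[] args) {
        Map<String, SdkHttpClient.Builder<?>> clients = Map.of(
            "UrlConnectionHttpClient", UrlConnectionHttpClient.builder(),
            "ApacheHttpClient", ApacheHttpClient.builder(),
            "AwsCrtHttpClient", AwsCrtHttpClient.builder());
        clients.forEach((name, builder) -> {
            try (S3Client s3 = S3Client.builder()
                    .region(Region.US_EAST_1) // assumed; must match the bucket's region
                    .httpClientBuilder(builder)
                    .build()) {
                s3.putObject(PutObjectRequest.builder()
                        .bucket(BUCKET)
                        .key("sse-kms-repro.txt")
                        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
                        .ssekmsKeyId(KMS_KEY_ID)
                        .build(),
                    RequestBody.fromString("hello"));
                System.out.println(name + ": putObject unexpectedly succeeded");
            } catch (AwsServiceException e) {
                System.out.println(name + ": " + describe(e));
            }
        });
    }

    // Builds a message that still identifies the access denial when the SDK reports no error text.
    static String describe(AwsServiceException e) {
        String msg = e.awsErrorDetails() == null ? null : e.awsErrorDetails().errorMessage();
        if (msg == null) { // the reported bug: UrlConnectionHttpClient leaves this null on the KMS 403
            msg = "<no error message in response; HTTP status " + e.statusCode() + ">";
        }
        return msg + " (requestId=" + e.requestId() + ")";
    }
}
```

With the affected client the line printed for UrlConnectionHttpClient carries the status-code fallback, while the other two print the kms:GenerateDataKey denial text.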
Possible Solution
No response
Additional Information/Context
No response
AWS Java SDK version used
2.25.61
JDK version used
OpenJDK Runtime Environment Corretto-11.0.18.10.1 (build 11.0.18+10-LTS) OpenJDK 64-Bit Server VM Corretto-11.0.18.10.1 (build 11.0.18+10-LTS, mixed mode)
Operating System and version
Amazon Linux 2 x86_64, but I see this in multiple places