I'm using CloudFront with an S3 origin that is using KMS to encrypt objects. I'm getting the following error when sending a GET request for an object in the S3 bucket.
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
I assumed CloudFront would be smart enough to use AWS Signature Version 4 when requesting the object, but perhaps not?
It looks like this has been an issue with new S3 regions. Amazon recently added support for these new regions but I don't think they have addressed the issue with KMS-encrypted objects.
Does anyone have experience with this and know if there is a way to get CloudFront's origin access identity to use signature v4?
You need to configure your AWS Signature Version, e.g.
or for the specific profile:
Then re-try, e.g.
Source: aws/aws-cli/issues/1006 at GitHub.
If using the curl/wget command, you need to add an extra Authorization header in your request, e.g.
Syntax:
Authorization: AWS AWSAccessKeyId:Signature
See: Signing and Authenticating REST Requests.
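Added example, not part of the original answer: the `Authorization: AWS AWSAccessKeyId:Signature` syntax above is the Signature Version 2 form, while the error in the question asks for Signature Version 4. This sketch builds the Version 4 headers for an S3 GET with an empty body using only the Python standard library; the host, object key and credentials are AWS's documentation placeholder values, and the function names are illustrative.

```python
import hashlib
import hmac
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of an empty GET body

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_request(host, path, amz_date):
    # Signed headers use lowercase names in sorted order; the query string is empty.
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    lines = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))
    creq = "\n".join(["GET", quote(path, safe="/"), "", lines, signed, EMPTY_SHA256])
    return creq, signed

def signing_key(secret, date, region):
    # Derivation chain: secret -> date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key

def sigv4_get_headers(access_key, secret, host, path, region, amz_date):
    creq, signed = canonical_request(host, path, amz_date)
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, date, region), to_sign.encode(),
                   hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return {"Host": host, "x-amz-date": amz_date,
            "x-amz-content-sha256": EMPTY_SHA256, "Authorization": auth}

def signature_version(authorization):
    # Classify an Authorization header value by its scheme prefix.
    if authorization.startswith("AWS4-HMAC-SHA256 "):
        return "v4"
    return "v2" if authorization.startswith("AWS ") else "unknown"

if __name__ == "__main__":
    # Placeholder credentials and bucket from AWS documentation, not real values.
    hdrs = sigv4_get_headers("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                             "examplebucket.s3.amazonaws.com", "/test.txt",
                             "us-east-1", "20130524T000000Z")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The returned headers can be passed to curl with one `-H` option per header; `amz_date` must be the current UTC time in `YYYYMMDDTHHMMSSZ` form, because S3 rejects requests whose timestamp is too far from its own clock.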