S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4


Kishore Ponniah

Jan 11, 2019, 10:48:15 AM
to Ansible Project
Hi All,

The template body has exceeded the maximum limit of 51200 bytes, so I wanted to upload the template to an encrypted s3 bucket. When I run the playbook it gives an error to explicitly mention s3v4. My config file has a line for s3 v4 but still, it shows the same error. I have tested using a non-encrypted bucket and it works fine.

Could someone please help?

My config file below: I am having 2 profiles because I have to run a SAML authentication to assume a role in the build account and the deployment runs from the build account. I tried to add the s3 line in those 2 profiles but ended up with the same error.

[profile federated-login]
region = eu-west-1
output = json
[profile federated-build]
region = eu-west-1
output = json
s3 =
    signature_version = s3v4

Thanks
Kishore
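An added pre-flight check, written for this thread and not taken from the post or from Ansible, covering the two things worth verifying before giving up on the encrypted bucket: whether the profile that will actually be used carries s3.signature_version = s3v4 (the nested "s3 =" block is parsed the way the AWS CLI writes it), and whether the task's template_url names a region-specific S3 endpoint, since SigV4 signs against a region and the legacy global endpoint carries none. The config text is the one posted above; the use of template_url, and the bucket names and URLs, are assumptions.

```python
import configparser
from urllib.parse import urlparse

# The poster's ~/.aws/config, embedded here as sample input.
AWS_CONFIG = """\
[profile federated-login]
region = eu-west-1
output = json
[profile federated-build]
region = eu-west-1
output = json
s3 =
    signature_version = s3v4
"""

def s3_signature_versions(config_text):
    """Map profile name -> s3.signature_version (None when unset)."""
    # The CLI nests service settings under 's3 ='; configparser returns that block as one value.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    versions = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        versions[name] = None
        for line in parser.get(section, "s3", fallback="").splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "signature_version":
                versions[name] = value.strip()
    return versions

def s3_url_region(url):
    """Region in an S3 URL host (bucket.s3.REGION, s3.REGION or s3-REGION), else None."""
    labels = (urlparse(url).hostname or "").partition(".amazonaws.com")[0].split(".")  # assumes no 's3' label in bucket name
    for i, label in enumerate(labels):
        if label == "s3":  # legacy global endpoint has nothing after this label
            return labels[i + 1] if i + 1 < len(labels) else None
        if label.startswith("s3-") and label != "s3-accelerate":
            return label[3:]
    return None

def preflight(config_text, profile, template_url, bucket_region):
    """List the mismatches to fix before retrying the change set (empty list = ok)."""
    problems = []
    sig = s3_signature_versions(config_text).get(profile)
    if sig != "s3v4":
        problems.append(f"profile {profile!r}: s3.signature_version is {sig!r}, need 's3v4'")
    url_region = s3_url_region(template_url)
    if url_region != bucket_region:
        problems.append(f"template_url region {url_region!r} != bucket region {bucket_region!r}")
    return problems
```

Run preflight() with the profile the playbook's credentials come from; in the posted config only federated-build has the s3v4 setting, so a task authenticating via federated-login would already fail the first check.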

Karl Auer

Jan 11, 2019, 4:45:17 PM
to ansible-project
You need to provide the actual playbook and the actual error. Use a fixed-width font when posting the playbook.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/36c62048-0a24-422e-823e-ad7dbc1d2d8a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
Karl Auer

Email  : ka...@2pisoftware.com
Website: http://2pisoftware.com


GPG/PGP : 958A 2647 6C44 D376 3D63 86A5 FFB2 20BC 0257 5816
Previous: F0AB 6C70 A49D 1927 6E05 81E7 AD95 268F 2AB6 40EA

Kishore Ponniah

Jan 12, 2019, 8:40:38 AM
to Ansible Project
Hi Karl,

Please find the playbook below:

    - name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
      cloudformation:
        stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: true
        changeset_name: "{{ cf_changeset_name }}"
        template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      tags:
        rxgt-ps-identity-stack-deploy

    - name: create rxgt-ps-cross-account-iam-atlas-developer-roles stack
      cloudformation:
        stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
        state: present
        region: "{{ account_config.1 }}"
        aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
        aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
        security_token: "{{ account_config.0.sts_creds.session_token }}"
        create_changeset: false
        changeset_name: "{{ cf_changeset_name }}"
        template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
        termination_protection: no
        tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
      loop: "{{ assumed_roles_with_account_config.results|subelements('account_config.regions', skip_missing=True) }}"
      loop_control:
        loop_var: account_config
        label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
      when: with_stack_deploy
      tags:
        rxgt-ps-identity-stack-deploy

===============================================================
Error:

TASK [create rxgt-ps-cross-account-iam-atlas-developer-roles changeset] ****************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
"Failed to create change set: <class 'Exception'>: An error occurred (ValidationError) when calling the CreateChangeSet operation: S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.\nFor more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html"}

Thanks
Kishore


Karl Auer

Jan 12, 2019, 5:17:53 PM
to ansible-project
I haven't done this myself, so everything I say may be wrong. The following is just from reading some doco and general experience.

Make sure you are running the latest and greatest versions of everything. In particular, the boto3 library. I don't know how to check that, but someone else here will. v4 keys have been around for a couple of years, so if you installed Ansible recently you should probably have the required versions.

Make sure you explicitly specify v4 keys when creating objects.

I would be looking at (probably) the values you are passing in to template_parameters.

It might also be worth seeing if you can create the desired change set manually, either via the console or via the AWS CLI, just to check you really do have the parameters right.

Regards, K.


Kishore Ponniah

Jan 14, 2019, 11:55:40 AM
to Ansible Project
Thanks, Karl. I have moved forward by creating an un-encrypted bucket and marked this case as resolved.