Localstack Update KMS key encryption for the S3 object

umut · March 21, 2024, 2:32pm

Hi Folks,
I am trying update the KMS key for one object and following this command with the Localstack but I am getting failure. This is my scenario
creating 2 kms keys
aws kms --endpoint-url=http://localhost:61000 create-key --description "My KMS Key” // dbc1c394-f063-428c-98c0-1edb99839429

aws kms --endpoint-url=http://localhost:61000 create-key --description "My New Key” // b9b6ad03-529d-4eea-80d8-4d69eae41d7a

and then uploading one file via first KMS key
aws s3api --endpoint-url=http://localhost:61000 put-object --bucket test --key v2/ekm/test1 \ --body snapshot.blob \ --server-side-encryption aws:kms \ --ssekms-key-id "dbc1c394-f063-428c-98c0-1edb99839429"

and then updating the kmskey with the new one
aws s3api --endpoint-url=http://localhost:61000 copy-object --bucket test --key v2/ekm/test1 --copy-source test/v2/ekm/test1 --metadata-directive REPLACE --server-side-encryption "aws:kms" --ssekms-key-id "b9b6ad03-529d-4eea-80d8-4d69eae41d7a"

however, once I replace the file I can not access the file anymore and getting following error while downloading it

aws s3api --endpoint-url=http://localhost:61000 get-object --bucket test --key v2/ekm/test1 asd
0 read, but total bytes expected is 13.

This looks to me bug but before opening issue on the github I would like to get your opinions. I am using latest version of the localstack (3.2.0)
Thanks

bentsku · March 21, 2024, 3:02pm

Hello @umut and thanks for the report.

This issue is a regression in S3, could you try pulling localstack/locastack:latest and see if that fixes the issue?

Please note that when using KMS Keys with S3, if you’d like LocalStack to validate that the key exists, you can see the following configuration flag: S3_SKIP_KMS_KEY_VALIDATION=0

Just to confirm this is indeed the issue I’m thinking about, are you using a versioned bucket?

See Configuration | Docs

Sorry again for the inconvenience.

umut · March 21, 2024, 3:38pm

hi @bentsku thank you for the quick respond. I just tried the latest version and it solved my problem :D.

Do you know when will be a new release for localstack?

bentsku · March 21, 2024, 6:33pm

Nice, I’m glad the issue is now fixed!

We are planning a new tagged release next week, I believe on the 27th.

Topic		Replies	Views
Does localstack support s3 with kms encryption? Platform	5	415	May 22, 2023
Put Object to S3 using https	4	490	May 23, 2023
S3 presigned post url problem Platform localstack , open-source	3	2076	February 7, 2023
How to push file in folder inside S3 bucket using local stack Platform localstack , docker-image	3	803	August 2, 2023
How to debug S3 presigned URL SignatureDoesNotMatch? Platform	1	714	June 29, 2023

Localstack Update KMS key encryption for the S3 object

Related Topics