S3 error: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4

Hi All,

The template body has exceeded the maximum limit of 51200 bytes, so I wanted to upload the template to an encrypted S3 bucket. When I run the playbook it gives an error telling me to explicitly specify s3v4. My config file has a line for S3 v4, but it still shows the same error. I have tested using a non-encrypted bucket and it works fine.

Could someone please help?

My config file is below. I have 2 profiles because I have to run a SAML authentication to assume a role in the build account, and the deployment runs from the build account. I tried to add the s3 line in both profiles but ended up with the same error.

[profile federated-login]
region = eu-west-1
output = json
[profile federated-build]
region = eu-west-1
output = json
s3 =
    signature_version = s3v4

Thanks
Kishore
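As an added example (not part of the thread), a small stdlib-only Python checker that parses an AWS CLI config file and reports which profiles lack the nested `s3` / `signature_version = s3v4` setting. It assumes the CLI's documented nested form, where the `signature_version` line must be indented under `s3 =`; the two sample configs are constructed to mirror the one posted above.

```python
"""Report AWS CLI config profiles that do not carry s3.signature_version = s3v4."""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEYVAL_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")

# Constructed sample: nested setting written the way the CLI documents it
GOOD_CONFIG = """\
[profile federated-login]
region = eu-west-1
output = json
[profile federated-build]
region = eu-west-1
output = json
s3 =
    signature_version = s3v4
"""

# Constructed sample: signature_version left unindented, so it becomes a
# profile-level key instead of a setting inside the s3 block
FLAT_CONFIG = """\
[profile federated-build]
region = eu-west-1
s3 =
signature_version = s3v4
"""

def parse_aws_config(text):
    """Parse config text into {profile: {key: value-or-nested-dict}}."""
    profiles, current, nested = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        indented, line = raw[0] in " \t", raw.strip()
        if m := SECTION_RE.match(line):
            name = m.group("name").strip()
            name = name[len("profile "):].strip() if name.startswith("profile ") else name
            current, nested = profiles.setdefault(name, {}), None
            continue
        if not (m := KEYVAL_RE.match(line)) or current is None:
            continue
        key, value = m.group("key"), m.group("value")
        if indented and nested is not None:
            nested[key] = value                    # belongs to the open nested block
        elif value == "":
            nested = current.setdefault(key, {})   # "s3 =" opens a nested block
        else:
            current[key], nested = value, None     # plain profile-level key
    return profiles

def profiles_without_sigv4(text):
    """Names of profiles whose s3 block does not set signature_version = s3v4."""
    return [name for name, cfg in parse_aws_config(text).items()
            if not isinstance(cfg.get("s3"), dict)
            or cfg["s3"].get("signature_version") != "s3v4"]
```

The flat sample shows the pitfall: without indentation the value parses as a profile-level `signature_version`, leaving the `s3` block empty.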

You need to provide the actual playbook and the actual error. Use a fixed-width font when posting the playbook.

Hi Karl,

Please find the playbook below:

  - name: create rxgt-ps-cross-account-iam-atlas-developer-roles changeset
    cloudformation:
      stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
      state: present
      region: "{{ account_config.1 }}"
      aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
      aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
      security_token: "{{ account_config.0.sts_creds.session_token }}"
      create_changeset: true
      changeset_name: "{{ cf_changeset_name }}"
      template_url: "https://s3-eu-west-1.amazonaws.com/xxxxxxxx/cloudformation/xxxxxx-developer-roles.yaml"
      template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
      termination_protection: no
      tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
    loop: "{{ assumed_roles_with_account_config.results | subelements('account_config.regions', skip_missing=True) }}"
    loop_control:
      loop_var: account_config
      label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
    tags:
      - rxgt-ps-identity-stack-deploy

  - name: create rxgt-ps-cross-account-iam-atlas-developer-roles stack
    cloudformation:
      stack_name: "rxgt-ps-cross-account-iam-atlas-developer-roles"
      state: present
      region: "{{ account_config.1 }}"
      aws_access_key: "{{ account_config.0.sts_creds.access_key }}"
      aws_secret_key: "{{ account_config.0.sts_creds.secret_key }}"
      security_token: "{{ account_config.0.sts_creds.session_token }}"
      create_changeset: false
      changeset_name: "{{ cf_changeset_name }}"
      template_url: "https://s3-eu-west-1.amazonaws.com/xxxxxxxx/cloudformation/xxxxxx-developer-roles.yaml"
      template_parameters: "{{ account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].params }}"
      termination_protection: no
      tags: "{{ global_tags | combine(account_config.0.account_config.stacks['rxgt-ps-cross-account-iam-atlas-developer-roles'].override_tags, recursive=True) }}"
    loop: "{{ assumed_roles_with_account_config.results | subelements('account_config.regions', skip_missing=True) }}"
    loop_control:
      loop_var: account_config
      label: "{{ account_config.0.account_config.account_alias }}:{{ account_config.1 }}"
    when: with_stack_deploy
    tags:
      - rxgt-ps-identity-stack-deploy

I haven’t done this myself, so everything I say may be wrong. The following is just from reading some doco and general experience.

Make sure you are running the latest and greatest versions of everything. In particular, the boto3 library. I don’t know how to check that, but someone else here will. v4 keys have been around for a couple of years, so if you installed Ansible recently you should probably have the required versions.

Make sure you explicitly specify v4 keys when creating objects.

I would be looking at (probably) the values you are passing in to template_parameters.

It might also be worth seeing if you can create the desired change set manually, either via the console or via the AWS CLI, just to check you really do have the parameters right.

Regards, K.

Thanks, Karl. I have moved forward by creating an un-encrypted bucket and am marking this case as resolved.