[JENKINS-76422] Fix useServerSideEncryption using SSE-C header instead of SSE-S3#366
Open
namekun wants to merge 1 commit intojenkinsci:masterfrom
Open
[JENKINS-76422] Fix useServerSideEncryption using SSE-C header instead of SSE-S3#366namekun wants to merge 1 commit intojenkinsci:masterfrom
namekun wants to merge 1 commit intojenkinsci:masterfrom
Conversation
Since the AWS SDK v2 migration (v505), the useServerSideEncryption option
incorrectly calls sseCustomerAlgorithm("AES256") which sets the SSE-C
header (x-amz-server-side-encryption-customer-algorithm). This causes
S3Exception because SSE-C requires a customer-provided encryption key
that the plugin never sends.
Replace with serverSideEncryption(ServerSideEncryption.AES256) which
correctly sets the SSE-S3 header (x-amz-server-side-encryption).
namekun
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi, thanks for maintaining this plugin!
I ran into an issue after upgrading to v505+ where enabling "Server side encryption" in job config causes the following error:
It looks like
S3BaseUploadCallable.buildMetadata()callssseCustomerAlgorithm("AES256"), which sets the SSE-C header (x-amz-server-side-encryption-customer-algorithm). SSE-C requires a customer-provided key, but the plugin doesn't send one.I believe this was an unintended change during the SDK v1 to v2 migration. The original intent was SSE-S3 (AWS-managed keys), not SSE-C (customer-provided keys).
This PR replaces:
This sets the correct
x-amz-server-side-encryption: AES256header for SSE-S3.Let me know if anything needs to be changed. Thanks!