
Must use either different key or iv for GCM encryption error when used with S3 SDK >= 2.43.0 #510

@emirmx


Problem:

I am testing with encryption client version 4.0.1 and S3 SDK version 2.43.0.
I receive a "Must use either different key or iv for GCM encryption" error when trying to store in a different region than the bucket's region with the help of the crossRegionAccessEnabled(true) setting.

The following code is enough to trigger the issue. Assuming some-bucket is stored in eu-west-1, the mentioned error occurs when AWS_REGION is set to us-east-1. On the other hand, if the region is set to the region of the bucket, i.e. eu-west-1 in this case, no error occurs.

import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.encryption.s3.S3EncryptionClient;
import software.amazon.encryption.s3.materials.AesKeyring;

import javax.crypto.spec.SecretKeySpec;

public class Main {
  public static void main(String[] args) {
    var aesKey = new SecretKeySpec(new byte[32], "AES");
    var keyRing = AesKeyring.builder().wrappingKey(aesKey).build();

    try (var s3 = S3EncryptionClient.builderV4().crossRegionAccessEnabled(true).keyring(keyRing).build()) {
      final var request = PutObjectRequest.builder().bucket("some-bucket").key("some-key").build();
      s3.putObject(request, RequestBody.fromBytes("test".getBytes()));
    }
  }
}

Here is the full stack trace from my experiments:

software.amazon.encryption.s3.S3EncryptionClientException: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Encountered fatal error in publisher (SDK Attempt Count: 1)
    at software.amazon.encryption.s3.S3EncryptionClient.putObject (S3EncryptionClient.java:417)
    at acme.demo.use.s3.Main.main (Main.java:17)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:279)
    at java.lang.Thread.run (Thread.java:1583)
Caused by: software.amazon.awssdk.core.exception.SdkClientException: Unable to execute HTTP request: Encountered fatal error in publisher (SDK Attempt Count: 1)
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build (SdkClientException.java:130)
    at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build (SdkClientException.java:95)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.utils.RetryableStageHelper.retryPolicyDisallowedRetryException (RetryableStageHelper.java:180)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.AsyncRetryableStage$RetryingExecutor.maybeAttemptExecute (AsyncRetryableStage.java:149)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.AsyncRetryableStage$RetryingExecutor.maybeRetryExecute (AsyncRetryableStage.java:175)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.AsyncRetryableStage$RetryingExecutor.lambda$attemptExecute$1 (AsyncRetryableStage.java:123)
    at java.util.concurrent.CompletableFuture.uniWhenComplete (CompletableFuture.java:863)
    at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire (CompletableFuture.java:841)
    at java.util.concurrent.CompletableFuture.postComplete (CompletableFuture.java:510)
    at java.util.concurrent.CompletableFuture.completeExceptionally (CompletableFuture.java:2194)
    at software.amazon.awssdk.utils.CompletableFutureUtils.lambda$forwardExceptionTo$0 (CompletableFutureUtils.java:78)
    at java.util.concurrent.CompletableFuture.uniWhenComplete (CompletableFuture.java:863)
    at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire (CompletableFuture.java:841)
    at java.util.concurrent.CompletableFuture.postComplete (CompletableFuture.java:510)
    at java.util.concurrent.CompletableFuture.completeExceptionally (CompletableFuture.java:2194)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeAsyncHttpRequestStage.lambda$execute$0 (MakeAsyncHttpRequestStage.java:111)
    at java.util.concurrent.CompletableFuture.uniWhenComplete (CompletableFuture.java:863)
    at java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire (CompletableFuture.java:841)
    at java.util.concurrent.CompletableFuture.postComplete (CompletableFuture.java:510)
    at java.util.concurrent.CompletableFuture.completeExceptionally (CompletableFuture.java:2194)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeAsyncHttpRequestStage.completeResponseFuture (MakeAsyncHttpRequestStage.java:266)
    at software.amazon.awssdk.core.internal.http.pipeline.stages.MakeAsyncHttpRequestStage.lambda$executeHttpRequest$3 (MakeAsyncHttpRequestStage.java:171)
    at java.util.concurrent.CompletableFuture.uniHandle (CompletableFuture.java:934)
    at java.util.concurrent.CompletableFuture$UniHandle.tryFire (CompletableFuture.java:911)
    at java.util.concurrent.CompletableFuture$Completion.run (CompletableFuture.java:482)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1144)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:642)
    at java.lang.Thread.run (Thread.java:1583)
Caused by: java.lang.IllegalStateException: Encountered fatal error in publisher
    at software.amazon.awssdk.utils.async.SimplePublisher.panicAndDie (SimplePublisher.java:339)
    at software.amazon.awssdk.utils.async.SimplePublisher.processEventQueue (SimplePublisher.java:228)
    at software.amazon.awssdk.utils.async.SimplePublisher.access$1300 (SimplePublisher.java:58)
    at software.amazon.awssdk.utils.async.SimplePublisher$SubscriptionImpl.request (SimplePublisher.java:379)
    at software.amazon.awssdk.utils.async.AddingTrailingDataSubscriber$1.request (AddingTrailingDataSubscriber.java:95)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.ensureUpstreamDemandExists (BaseSubscriberAdapter.java:301)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.handleUpstreamDemandState (BaseSubscriberAdapter.java:230)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.handleStateUpdate (BaseSubscriberAdapter.java:180)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter$1.request (BaseSubscriberAdapter.java:109)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.maybeRequestMore (HandlerSubscriber.java:303)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.maybeStart (HandlerSubscriber.java:238)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.provideSubscription (HandlerSubscriber.java:225)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.access$000 (HandlerSubscriber.java:41)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber$1.run (HandlerSubscriber.java:213)
    at io.netty.util.concurrent.AbstractEventExecutor.runTask (AbstractEventExecutor.java:173)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute (AbstractEventExecutor.java:166)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks (SingleThreadEventExecutor.java:472)
    at io.netty.channel.nio.NioEventLoop.run (NioEventLoop.java:569)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run (SingleThreadEventExecutor.java:998)
    at io.netty.util.internal.ThreadExecutorMap$2.run (ThreadExecutorMap.java:74)
    at java.lang.Thread.run (Thread.java:1583)
Caused by: java.lang.IllegalStateException: Must use either different key or  iv for GCM encryption
    at com.sun.crypto.provider.GaloisCounterMode.checkReInit (GaloisCounterMode.java:340)
    at com.sun.crypto.provider.GaloisCounterMode$GCMEncrypt.doUpdate (GaloisCounterMode.java:1117)
    at com.sun.crypto.provider.GaloisCounterMode.engineUpdate (GaloisCounterMode.java:349)
    at javax.crypto.Cipher.update (Cipher.java:1908)
    at software.amazon.encryption.s3.internal.CipherSubscriber.onNext (CipherSubscriber.java:56)
    at software.amazon.encryption.s3.internal.CipherSubscriber.onNext (CipherSubscriber.java:19)
    at software.amazon.awssdk.utils.async.SimplePublisher.doProcessQueue (SimplePublisher.java:269)
    at software.amazon.awssdk.utils.async.SimplePublisher.processEventQueue (SimplePublisher.java:226)
    at software.amazon.awssdk.utils.async.SimplePublisher.access$1300 (SimplePublisher.java:58)
    at software.amazon.awssdk.utils.async.SimplePublisher$SubscriptionImpl.request (SimplePublisher.java:379)
    at software.amazon.awssdk.utils.async.AddingTrailingDataSubscriber$1.request (AddingTrailingDataSubscriber.java:95)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.ensureUpstreamDemandExists (BaseSubscriberAdapter.java:301)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.handleUpstreamDemandState (BaseSubscriberAdapter.java:230)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter.handleStateUpdate (BaseSubscriberAdapter.java:180)
    at software.amazon.awssdk.utils.async.BaseSubscriberAdapter$1.request (BaseSubscriberAdapter.java:109)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.maybeRequestMore (HandlerSubscriber.java:303)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.maybeStart (HandlerSubscriber.java:238)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.provideSubscription (HandlerSubscriber.java:225)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber.access$000 (HandlerSubscriber.java:41)
    at software.amazon.awssdk.http.nio.netty.internal.nrs.HandlerSubscriber$1.run (HandlerSubscriber.java:213)
    at io.netty.util.concurrent.AbstractEventExecutor.runTask (AbstractEventExecutor.java:173)
    at io.netty.util.concurrent.AbstractEventExecutor.safeExecute (AbstractEventExecutor.java:166)
    at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks (SingleThreadEventExecutor.java:472)
    at io.netty.channel.nio.NioEventLoop.run (NioEventLoop.java:569)
    at io.netty.util.concurrent.SingleThreadEventExecutor$4.run (SingleThreadEventExecutor.java:998)
    at io.netty.util.internal.ThreadExecutorMap$2.run (ThreadExecutorMap.java:74)
    at java.lang.Thread.run (Thread.java:1583)
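
The innermost exception in the trace above is raised by the JDK's own GCM implementation (`GaloisCounterMode.checkReInit`), not by S3. The following is an added example, not code from the issue or from the encryption client: it reproduces that JDK guard in isolation and shows that a second encryption pass is only accepted after re-initializing with a fresh IV. The class name `GcmReuseDemo` and the helper `encryptAttempt` are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.SecureRandom;
import java.util.Arrays;

public class GcmReuseDemo {
  // Hypothetical helper: one encryption attempt with its own random 96-bit IV.
  // Returns IV || ciphertext || tag.
  static byte[] encryptAttempt(SecretKeySpec key, byte[] plaintext) throws Exception {
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
    byte[] ct = c.doFinal(plaintext);
    byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
    System.arraycopy(ct, 0, out, iv.length, ct.length);
    return out;
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample values: the all-zero key from the reproduction and a 4-byte body.
    var key = new SecretKeySpec(new byte[32], "AES");
    byte[] body = "test".getBytes(StandardCharsets.UTF_8);
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
    cipher.update(body);
    cipher.doFinal(); // the first pass over the body is complete

    try {
      cipher.update(body); // second pass through the same Cipher without re-init
    } catch (IllegalStateException e) {
      System.out.println("update after doFinal: " + e.getMessage());
    }
    try {
      cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv)); // same key and IV
    } catch (InvalidAlgorithmParameterException e) {
      System.out.println("re-init with same IV: " + e.getMessage());
    }

    // A further attempt is accepted once each attempt gets its own IV.
    byte[] first = encryptAttempt(key, body);
    byte[] second = encryptAttempt(key, body);
    System.out.println("fresh IV per attempt, outputs differ: " + !Arrays.equals(first, second));
  }
}
```

The guard exists because encrypting two messages under the same key and IV breaks GCM's confidentiality and authenticity guarantees, so the provider fails closed instead of emitting a second ciphertext.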


Labels: pending_release (Fix/Feature is merged, but not pushed to Maven)
