Add X-Amz-Server-Side-Encryption-Context header to required signed headers allowlist #2228
Summary
Adds the `X-Amz-Server-Side-Encryption-Context` header to required signed headers allowlist.

This PR is to keep parity with aws/aws-sdk-go#4949
Problem description
When presigning a `PutObjectRequest` which includes `SSEKMSEncryptionContext` in its `s3.PutObjectInput` parameter, the `X-Amz-Server-Side-Encryption-Context` gets added to the URL as a query parameter, not as a signed header.

When using the presigned URL to put an object in a bucket, you can't send the encryption context as a header as it wasn't on the list of signed headers, and the parameter sent via URL doesn't work (the object is uploaded and encrypted without adding the encryption context to it).
As mentioned in the Specifying server-side encryption with AWS KMS (SSE-KMS) documentation, at section "Using the REST API":
I could verify that, using my fork, the request has the encryption context sent via headers, and then it works as expected.
This fix seems to be aligned to the behaviour mentioned in the aws/aws-sdk-js-v3 repo:
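As an added example (not part of this PR or of the SDK's code), the Go sketch below inspects a SigV4 presigned URL and reports whether the encryption context is covered by `X-Amz-SignedHeaders` or was placed in the query string, the case the description above says uploads the object without the context. The function name `checkPresigned` and both sample URLs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const ctxHeader = "x-amz-server-side-encryption-context"

// Constructed sample URLs; bucket, key, context and signature are placeholders.
const sampleBefore = "https://example-bucket.s3.amazonaws.com/obj?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
	"&X-Amz-Server-Side-Encryption-Context=eyJrIjoidiJ9&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER"
const sampleAfter = "https://example-bucket.s3.amazonaws.com/obj?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
	"&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption-context&X-Amz-Signature=PLACEHOLDER"

// checkPresigned (hypothetical helper) reports how a presigned URL carries the
// SSE-KMS encryption context: "signed-header", "query-param" or "absent".
func checkPresigned(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// Lowercase the keys so the lookup does not depend on the signer's casing.
	q := map[string]string{}
	for k, v := range u.Query() {
		if len(v) > 0 {
			q[strings.ToLower(k)] = v[0]
		}
	}
	signed, ok := q["x-amz-signedheaders"]
	if !ok {
		return "", fmt.Errorf("X-Amz-SignedHeaders missing: not a SigV4 presigned URL")
	}
	for _, h := range strings.Split(signed, ";") {
		if strings.ToLower(strings.TrimSpace(h)) == ctxHeader {
			return "signed-header", nil // uploader must send the header with the PUT
		}
	}
	if _, ok := q[ctxHeader]; ok {
		return "query-param", nil // context is in the URL only; flag this URL
	}
	return "absent", nil
}

func main() {
	for _, s := range []string{sampleBefore, sampleAfter} {
		r, err := checkPresigned(s)
		fmt.Println(r, err)
	}
}
```

A service that hands out presigned upload URLs can run this check before returning one and refuse any URL that comes back as `query-param`.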