S3 Encryption Client not using credentials of wrapped client

[ahmarsuhail]

Problem:

I have two AWS accounts, A and B. In my ~/.aws/credentials file, I have credentials for account B. While creating the wrapped clients to pass into S3EC, I am passing in credentials for account A. I am accessing a bucket in account A. Code:

  S3Client s3Client = S3Client.builder().region(Region.EU_WEST_1)
        .credentialsProvider(StaticCredentialsProvider.create(
            AwsBasicCredentials.create("xxxx", "xxxx")
        ))
        .build();

    S3AsyncClient s3AsyncClient = S3AsyncClient.builder().region(Region.EU_WEST_1)
        .credentialsProvider(StaticCredentialsProvider.create(
            AwsBasicCredentials.create("xxxx", "xxxx")
        ))
        .build();

    S3Client s3ECClient = S3EncryptionClient.builder()
             .kmsKeyId("xxxxx")
            .wrappedClient(s3Client)
            .wrappedAsyncClient(s3AsyncClient)
           .enableLegacyUnauthenticatedModes(true)
           .build();



    ResponseInputStream<GetObjectResponse> inputStream = s3ECClient.getObject(
        GetObjectRequest.builder()
        .bucket("xxxx")
        .key("xxxx").build());

This gives

software.amazon.encryption.s3.S3EncryptionClientException: User: arn:aws:iam::<ACCOUNT B USER> is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access

If I comment out the credentials in my ~/.aws/credentials, I get software.amazon.encryption.s3.S3EncryptionClientException: Unable to load credentials from any of the providers in the chain AwsCredentialsProviderChain

It works fine if put credentials of account A in my ~/.aws/credentials.

Solution:

Looks like S3EC is ignoring credentials passed in the wrapped clients and picking up credentials from the default credentials resolution chain. It should use credentials of the wrapped clients.

[kessplas]

Hello Ahmar,

Since the error is coming from KMS, this is happening because the KMS keyring instantiated by default simply uses the default credential provider chain (and any other associated client configuration). In order to configure the KMS client to use the explicitly configured credentials, you need to instantiate the KMS keyring separately and pass a configured KMS client to its builder. For example:

        KmsClient kmsClient = KmsClient.builder()
                /* KMS client configuration goes here */
                .build();

        KmsKeyring keyring = KmsKeyring.builder()
                .kmsClient(kmsClient)
                .wrappingKeyId(KMS_KEY_ID).build();

        S3AsyncClient v3Client = S3AsyncEncryptionClient.builder()
            .keyring(keyring)
            .build();

This should resolve your issue.

Other customers have ran into this issue, so I have opened a separate issue for a feature request to add a top-level configuration parameter to the S3EC which applies to all of its wrapped clients to avoid duplication of code and provide an experience similar to v1/v2 (#226). I will close this issue in favor of the feature request, but do not hesitate to re-open this issue if the above guidance does not fix your issue. Thank you!