Amazon Web Services (AWS) - Resolve "The secret key was invalid for the specified algorithm"


Let's say an error like this is being returned.

The secret key was invalid for the specified algorithm

I got this when attempting to upload a file to one of my S3 buckets using the aws s3api put-object command with the --sse-customer-algorithm AES256 and --sse-customer-key fileb://example.key options, so that the object would be encrypted with my own key using server-side encryption with customer-provided keys (SSE-C). The key file in this example, example.key, was an RSA private key.

~]$ aws s3api put-object --bucket my-bucket-abc123 --key foo.txt --body foo.txt --sse-customer-algorithm AES256 --sse-customer-key fileb://example.key

An error occurred (InvalidArgument) when calling the PutObject operation: The secret key was invalid for the specified algorithm.

I used this one-liner to create my example.key private key and example.cer public certificate using OpenSSL. Check out my article OpenSSL - Create self signed RSA public certificate.

~]$ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.cer -subj "/C=US/ST=California/L=Los Angeles/O=FreeKB/OU=IT/CN=example.com"

And I validated that the public certificate (example.cer) was signed with SHA256. This turned out to be irrelevant: the certificate's signature algorithm has nothing to do with the AES256 algorithm that SSE-C uses.

~]$ openssl x509 -in example.cer -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            76:8f:c0:9a:51:02:27:f2:74:91:9d:c6:41:a3:3e:de:65:c4:4f:58
        Signature Algorithm: sha256WithRSAEncryption

I found that the problem was the kind of key. SSE-C with AES256 expects a raw 256-bit (32-byte) symmetric key, not an RSA private key or a certificate, so a much different OpenSSL command should be used. The openssl rand command creates 32 random bytes, which is exactly the key that is needed.

openssl rand 32 > my.key

Then cat the my.key file, pipe the output through base64, and store the stdout in a variable named key.

key=$(cat my.key | base64)

The $key variable should contain a 44-character base64 string (32 bytes encode to 44 characters), something like this.

~]$ echo $key
4s6iQXekYL6BxzCZX8Zn3Kr4djK42BSLgb1nP3C7qp0=

cat my.key again, this time piping the output through openssl dgst -md5 -binary and then through base64.

keymd5=$(cat my.key | openssl dgst -md5 -binary | base64)

The $keymd5 variable should contain the base64-encoded MD5 hash of the key, something like this.

~]$ echo $keymd5
tAasKToBgkFA3Sy43tQjSA==

And I was then able to upload a file to my S3 bucket using SSE-C. S3 uses the MD5 value only as an integrity check that the key arrived unmodified; it does not store the key, so keep my.key somewhere safe, because without it the object can no longer be read. Note also that passing the key on the command line exposes it to other users on the host through the process list and to anyone who can read the shell history.

~]$ aws s3api put-object --bucket my-bucket-abc123 --key foo.txt --body foo.txt --sse-customer-algorithm AES256 --sse-customer-key $key --sse-customer-key-md5 $keymd5
{
    "ETag": "\"f62d7764d48743f8b59e0652b5f35d81\"",
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKeyMD5": "tAasKToBgkFA3Sy43tQjSA=="
}
