Type: Bug
Resolution: Unresolved
Priority: Minor
Component/s: s3-plugin
None
Environment:
- Jenkins S3 publisher plugin: v519 (any version since v505)
- AWS SDK v2
What happened:
After upgrading the S3 publisher plugin to v505+, I noticed that enabling the "Server side encryption" checkbox in the job configuration causes uploads to fail with the following error:
software.amazon.awssdk.services.s3.model.S3Exception: Requests specifying Server Side Encryption with Customer provided keys must provide an appropriate secret key. (Service: S3, Status Code: 400)
Root Cause:
It looks like S3BaseUploadCallable.buildMetadata() sets encryption using:
if (useServerSideEncryption) { metadata.sseCustomerAlgorithm("AES256"); }
sseCustomerAlgorithm() sets the x-amz-server-side-encryption-customer-algorithm header, which is for SSE-C (customer-provided keys). SSE-C requires a customer-provided encryption key, but the plugin doesn't send one.
I believe this was an unintended change during the AWS SDK v1 to v2 migration. The original intent seems to be SSE-S3 (AWS-managed keys), not SSE-C.
Suggested fix:
It should use serverSideEncryption(ServerSideEncryption.AES256) instead, which sets the correct x-amz-server-side-encryption: AES256 header for SSE-S3. I've submitted a PR with this fix.
Steps to reproduce:
1. Configure an S3 profile in Jenkins system settings
2. Create a job with S3 artifact upload
3. Enable "Server side encryption" checkbox
4. Run the job
5. Upload fails with S3Exception (Status Code 400)
Thank you for maintaining this plugin!
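The check below is an added example, not code from the plugin or from the submitted PR: it classifies the encryption settings on an AWS SDK for Java v2 PutObjectRequest and flags the state this report describes, where an SSE-C algorithm is set with no customer key. It assumes the SDK's S3 module is on the classpath and that the request type is PutObjectRequest; the class name, enum, bucket and object key are made up for the example.

```java
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

public class SseModeCheck {

    // Hypothetical classification used only by this example.
    enum SseMode { NONE, SSE_S3, OTHER_MANAGED, SSE_C, SSE_C_MISSING_KEY }

    static SseMode classify(PutObjectRequest req) {
        // sseCustomerAlgorithm() maps to x-amz-server-side-encryption-customer-algorithm.
        if (req.sseCustomerAlgorithm() != null) {
            // SSE-C is only valid when the caller also supplies the key.
            return req.sseCustomerKey() != null
                    ? SseMode.SSE_C
                    : SseMode.SSE_C_MISSING_KEY;
        }
        // serverSideEncryption() maps to x-amz-server-side-encryption.
        if (req.serverSideEncryptionAsString() == null) {
            return SseMode.NONE;
        }
        return req.serverSideEncryption() == ServerSideEncryption.AES256
                ? SseMode.SSE_S3
                : SseMode.OTHER_MANAGED;
    }

    public static void main(String[] args) {
        // Constructed requests; nothing is sent to S3.
        PutObjectRequest asReported = PutObjectRequest.builder()
                .bucket("example-bucket")          // placeholder bucket
                .key("artifacts/build.jar")        // placeholder object key
                .sseCustomerAlgorithm("AES256")    // behaviour described in the report
                .build();

        PutObjectRequest asSuggested = PutObjectRequest.builder()
                .bucket("example-bucket")
                .key("artifacts/build.jar")
                .serverSideEncryption(ServerSideEncryption.AES256) // suggested fix
                .build();

        System.out.println("reported:  " + classify(asReported));
        System.out.println("suggested: " + classify(asSuggested));
    }
}
```

A unit test in the plugin could assert that the request built with the checkbox enabled never classifies as SSE_C_MISSING_KEY, which would catch the same regression without contacting S3.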