
I am using boto3 with my Flask application to upload a file to an S3 bucket with server-side encryption using a customer-provided key. I tried start_transcription_job on the encrypted S3 file, but I get an exception.

```python
s3_client.upload_file(
    filename, BUCKET, s3filename,
    ExtraArgs={'SSECustomerKey': KEY, 'SSECustomerAlgorithm': 'AES256'}
)

transcribe_obj.start_transcription_job(
    TranscriptionJobName=job_name,
    Media={'MediaFileUri': s3uri},
    MediaFormat=file_extension,
    LanguageCode='en-US'
)
```

Exception:

```
botocore.errorfactory.BadRequestException: An error occurred (BadRequestException) when calling the StartTranscriptionJob operation: The S3 URI that you provided can't be accessed. Make sure your URI is valid and try your request again.
```
Vino
  • Have you confirmed that the issue is due to using encryption? If you upload _without_ encryption, does it work? Does the user running the `start_transcription_job()` command have permission to use that KMS key? – John Rotenstein Aug 14 '20 at 07:50
  • I tried without encryption. It works to transcribe the audio file, and I also used a KMS key. It works perfectly. I need to transcribe an S3 file using SSE customer-provided keys – Vino Aug 14 '20 at 08:42
  • I have uploaded a file to an S3 bucket with an SSE customer-provided key. Can we transcribe (Media={'MediaFileUri': s3uri}) in the start_transcription_job() method? – Vino Aug 14 '20 at 12:09
  • Or are there other ways to transcribe an S3 file using server-side encryption with customer-provided keys? – Vino Aug 14 '20 at 12:18

1 Answer


From Protecting data using server-side encryption with customer-provided encryption keys (SSE-C) - Amazon Simple Storage Service:

You manage a mapping of which encryption key was used to encrypt which object. Amazon S3 does not store encryption keys. You are responsible for tracking which encryption key you provided for which object.

I think the problem is that the object is encrypted with a key that AWS does not store. Therefore, when AWS Transcribe attempts to read the object, it is unable to decrypt the contents.

There does not appear to be a way to pass the key to start_transcription_job().

You will need to use an alternate encryption method where AWS is able to decrypt the object.

John Rotenstein
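One way to apply the answer's advice, as an added example that is not part of the original answer: a server-side copy re-encrypts the SSE-C object under SSE-KMS, and the transcription job is pointed at the copy. The `transcribe-input/` prefix, the function names, the KMS key ID and the `Recorder` stand-in are assumptions for illustration; the caller and Transcribe still need permission to use the KMS key.

```python
def reencrypt_sse_c_to_kms(s3, bucket, src_key, dst_key, customer_key, kms_key_id):
    """Server-side copy of an SSE-C object to a new key encrypted with SSE-KMS.

    S3 decrypts the source with the customer key supplied on this one request
    and writes the copy under a KMS key. CopyObject handles objects up to 5 GB.
    """
    s3.copy_object(
        Bucket=bucket,
        Key=dst_key,
        CopySource={"Bucket": bucket, "Key": src_key},
        CopySourceSSECustomerAlgorithm="AES256",   # how the source was stored
        CopySourceSSECustomerKey=customer_key,     # same key used at upload
        ServerSideEncryption="aws:kms",            # how the copy is stored
        SSEKMSKeyId=kms_key_id,
    )
    return f"s3://{bucket}/{dst_key}"


def transcribe_sse_c_object(s3, transcribe, bucket, src_key, customer_key,
                            kms_key_id, job_name, media_format):
    dst_key = f"transcribe-input/{src_key}"  # hypothetical staging prefix
    uri = reencrypt_sse_c_to_kms(s3, bucket, src_key, dst_key, customer_key, kms_key_id)
    transcribe.start_transcription_job(
        TranscriptionJobName=job_name,
        Media={"MediaFileUri": uri},
        MediaFormat=media_format,
        LanguageCode="en-US",
    )
    return uri


class Recorder:
    """Constructed stand-in for a boto3 client: records calls, sends nothing."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    # Swap these for boto3.client("s3") and boto3.client("transcribe") in real use.
    s3, transcribe = Recorder(), Recorder()
    uri = transcribe_sse_c_object(s3, transcribe, "example-bucket", "audio/call.mp3",
                                  bytes(32), "EXAMPLE-KMS-KEY-ID", "job-1", "mp3")
    print(uri, s3.calls, transcribe.calls, sep="\n")
```

The staged copy can be deleted once the job completes if the SSE-C original is meant to remain the only long-lived version.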