From 70226cc65370d34b6f4b7cb58a96b3143e091880 Mon Sep 17 00:00:00 2001 From: Albin Parou Date: Thu, 17 Jul 2025 15:29:31 +0200 Subject: [PATCH] s3: fix multipart upload and server side copy when using bucket policy SSE-C When uploading or moving data within an s3-compatible bucket, the `SSECustomer*` headers should always be forwarded: on `CreateMultipartUpload`, `UploadPart`, `UploadCopyPart` and `CompleteMultipartUpload`. But currently rclone doesn't forward those headers to `CompleteMultipartUpload`. This is a requirement if you want to enforce `SSE-C` at the bucket level via a bucket policy. Cf: `This parameter is required only when the object was created using a checksum algorithm or if your bucket policy requires the use of SSE-C.` in https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html --- backend/s3/s3.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/backend/s3/s3.go b/backend/s3/s3.go index fefdd6e96..7ac4ac729 100644 --- a/backend/s3/s3.go +++ b/backend/s3/s3.go @@ -5061,8 +5061,11 @@ func (f *Fs) copyMultipart(ctx context.Context, copyReq *s3.CopyObjectInput, dst MultipartUpload: &types.CompletedMultipartUpload{ Parts: parts, }, - RequestPayer: req.RequestPayer, - UploadId: uid, + RequestPayer: req.RequestPayer, + SSECustomerAlgorithm: req.SSECustomerAlgorithm, + SSECustomerKey: req.SSECustomerKey, + SSECustomerKeyMD5: req.SSECustomerKeyMD5, + UploadId: uid, }) return f.shouldRetry(ctx, err) }) @@ -6446,8 +6449,11 @@ func (w *s3ChunkWriter) Close(ctx context.Context) (err error) { MultipartUpload: &types.CompletedMultipartUpload{ Parts: w.completedParts, }, - RequestPayer: w.multiPartUploadInput.RequestPayer, - UploadId: w.uploadID, + RequestPayer: w.multiPartUploadInput.RequestPayer, + SSECustomerAlgorithm: w.multiPartUploadInput.SSECustomerAlgorithm, + SSECustomerKey: w.multiPartUploadInput.SSECustomerKey, + SSECustomerKeyMD5: w.multiPartUploadInput.SSECustomerKeyMD5, + UploadId: w.uploadID, }) return w.f.shouldRetry(ctx, err) })