Restic init to KMS encrypted S3 bucket

I’m trying to run the restic init command to an s3 bucket that has server side encryption using KMS (SSE:KMS) enabled. I’m getting a failed: client.PutObject: Access Denied error, however that is the same error I get when I try and run aws s3 cp without the --sse=aws:kms option.

I’m able to PUT an item on the s3 bucket using the aws cli as long as I include the --sse=aws:kms option so I know the permissions are set correctly.

My thought is that restic probably uses the AWS API to create the key (or directory if you want to call it that) before it inits the repo, however it doesn’t know the bucket needs the --sse=aws:kms option.

Here is my IAM policy to verify it’s not a permissions error:

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "",
            "Effect": "Allow",
            "Action": [
            "Resource": [
                "arn:aws:s3:::<removed s3 bucket name>/*",
                "arn:aws:s3:::<removed s3 bucket name>"

To test further I removed the encryption from the bucket and I was able to init.

I opened to track this issue.

1 Like