How do I resolve S3 PutObject access denied errors when enabling LangSmith blob storage with KMS encryption requirements?

Last updated: January 5, 2026

Context

When enabling LangSmith blob storage with S3, you may encounter access denied errors if your S3 bucket has a resource-based policy that requires KMS encryption headers. The error typically appears as:

    AccessDenied: User: arn:aws:sts::account:assumed-role/langsmith-platform-backend-blob-storage-v2-environment/session is not authorized to perform: s3:PutObject on resource with an explicit deny in a resource-based policy

This occurs when your bucket policy includes a DenyIncorrectEncryptionHeader statement that blocks PutObject requests without proper KMS encryption headers.

Answer

LangSmith now supports KMS encryption for S3 blob storage. To resolve this issue, configure KMS encryption in your LangSmith deployment:

  1. Add the KMS encryption configuration to your LangSmith config:

    config:
      blobStorage:
        enabled: true
        engine: "S3"
        chSearchEnabled: false
        bucketName: "your-bucket-name"
        apiURL: "https://s3.your-region.amazonaws.com"
        kmsEncryptionEnabled: true
        kmsKeyArn: "arn:aws:kms:your-region:account-id:key/your-kms-key-id"

  2. Ensure your IAM roles have the necessary KMS permissions in addition to S3 permissions:

    • kms:Encrypt

    • kms:GenerateDataKey

    • kms:Decrypt

  3. Update your service account annotations with the appropriate IAM role ARNs for backend, platformBackend, and queue components.

  4. Deploy the updated configuration and verify that objects are being created in your S3 bucket with KMS encryption.

With KMS encryption enabled, LangSmith will include the required encryption headers in S3 requests, satisfying bucket policies that enforce encryption requirements. You should see objects appearing in your S3 bucket once the configuration is properly applied.
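One way to carry out the verification in step 4 is to audit the bucket's objects against the key set in kmsKeyArn. This is an added example, not LangSmith code: the function names, the sample key ARN and the sample responses are constructed, and it assumes boto3 with credentials allowed to list and head objects in the bucket.

```python
"""Audit S3 objects for SSE-KMS with the expected key (added example)."""
import sys

# Constructed sample data: placeholder key ARN and head_object-style responses.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_HEADS = [
    ("a.bin", {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": SAMPLE_KEY_ARN}),
    ("b.bin", {"ServerSideEncryption": "AES256"}),  # SSE-S3, not KMS
    ("c.bin", {"ServerSideEncryption": "aws:kms",
               "SSEKMSKeyId": SAMPLE_KEY_ARN.replace("0000-0000", "1111-1111")}),
]


def classify(head, expected_key_arn):
    """Classify one head_object response: 'ok', 'not-kms' or 'wrong-key'."""
    if head.get("ServerSideEncryption") != "aws:kms":
        return "not-kms"
    # Assumption: kmsKeyArn is a key ARN (not an alias), so it can be
    # compared directly with the key id S3 reports for the object.
    if head.get("SSEKMSKeyId") != expected_key_arn:
        return "wrong-key"
    return "ok"


def audit(heads, expected_key_arn):
    """heads: iterable of (object key, head_object response). Returns failures."""
    failures = {}
    for key, head in heads:
        status = classify(head, expected_key_arn)
        if status != "ok":
            failures[key] = status
    return failures


def fetch_heads(bucket, prefix=""):
    """Yield (key, head_object response) for every object under prefix."""
    import boto3  # imported here so classify/audit work without AWS access
    s3 = boto3.client("s3")
    pages = s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix)
    for page in pages:
        for obj in page.get("Contents", []):
            yield obj["Key"], s3.head_object(Bucket=bucket, Key=obj["Key"])


if __name__ == "__main__":
    # Usage: python audit_kms.py <bucket-name> <kms-key-arn>
    failures = audit(fetch_heads(sys.argv[1]), sys.argv[2])
    for key, status in failures.items():
        print(f"{status}\t{key}")
    sys.exit(1 if failures else 0)
```

Objects written before kmsEncryptionEnabled was turned on will be reported as not-kms, so limit the check to a prefix or to recently written objects if the bucket already held data.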