HADOOP-13075 added support for SSE-KMS and SSE-C in s3a filesystem, along with integration test ITestS3AEncryptionSSEC::testCreateFileAndReadWithDifferentEncryptionKey. For AccessDeniedException test case, it assumes the error message contains string Forbidden (Service: Amazon S3; Status Code: 403;, which is true in the current AWS java sdk and current S3AFileSystem code path.
When enabling S3Guard (see feature JIRA
HADOOP-13345), the code path that fails in S3AFileSystem changes for that test. Specifically, the request w/o S3Guard was calling getFileStatus() and fails with access denied exception containing Forbidden keyword; while the request w/ S3Guard is able to call getFileStatus() successfully and then fails later for read operations with access denied exception containing Access Denied keyword.
AWS sdk does not provide the exactly same error message for different AccessDeniedExceptions. In the meantime, the AWS sdk may evolve (as we have been upgrading the sdk version recently in a timely manner) and the error message may be different in the future. This is to relax exception message assertion in test.