Error decrypting file using KMS key in Amazon S3

I am trying to use Amazon S3 as an encrypted file system.

I can successfully upload the file to the AWS S3 server using the KMS-encrypted key (server-side encryption). Below is the working code:

For encryption:

import java.io.FileInputStream;
import com.amazonaws.auth.*;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.*;
import com.amazonaws.services.s3.model.*;

private static final String AWS_KMS_KEY = "---KMS Key---";
private static final String BUCKET_NAME = "---bucket name---";
private static final String keyName = "---display key name---";
private static final String filePath = "---File Path---";
private static final String ACCESS_KEY_ID = "---aws accesskey---";
private static final String SECRET_ACCESS_KEY = "---aws secret key---";

AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY);
AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
    .withRegion(Regions.US_WEST_2).withForceGlobalBucketAccessEnabled(true).build();

FileInputStream stream = new FileInputStream(filePath);

// Ask S3 to encrypt the object server-side with KMS (aws:kms)
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());

// PutObjectRequest(bucket, key, input stream, metadata)
PutObjectRequest putObjectRequest = new PutObjectRequest(BUCKET_NAME, keyName, stream, objectMetadata);
// Public-read ACL: anonymous callers can still not decrypt an SSE-KMS object, since they cannot call KMS
putObjectRequest.withCannedAcl(CannedAccessControlList.PublicRead);
// Which KMS key S3 should use for the envelope encryption
putObjectRequest.withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(AWS_KMS_KEY));

PutObjectResult result = s3Client.putObject(putObjectRequest);

I am facing a problem while retrieving the decrypted file on the server side. I want to access the AWS URL directly to get this decrypted file. Below is the code that does not work:

To read an object:

Reading the object without the KMS key:

// GetObjectRequest(bucket, key)
GetObjectRequest request = new GetObjectRequest(BUCKET_NAME, keyName);
// getUrl() only assembles the object's URL; the URL carries no signature
URL url = s3Client.getUrl(BUCKET_NAME, keyName);

The code above is for reading without the KMS-encrypted key; the error it gives is shown below.

Code: InvalidArgument

Message: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.


KMS:

// Presigned GET with the SSE-KMS parameters attached; these become
// x-amz-server-side-encryption headers that are covered by the signature
GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
            .withSSEAlgorithm(SSEAlgorithm.KMS)
            .withKmsCmkId(AWS_KMS_KEY);

URL puturl = s3Client.generatePresignedUrl(genreq);

Code: SignatureDoesNotMatch
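Added example (not the asker's code and not an answer from the thread) showing one way to presign a GET for an SSE-KMS object with the v1 Java SDK: the client is pinned to SigV4 and no SSE parameters are placed on the presign request. The class and method names are assumed; the placeholder credentials, bucket and key follow the question's own.

```java
import java.net.URL;
import java.util.Date;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.HttpMethod;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;

public class KmsPresignedGet {

    /** Client that signs every request, presigned URLs included, with Signature Version 4. */
    static AmazonS3 buildSigV4Client(String accessKeyId, String secretKey, Regions region) {
        ClientConfiguration cfg = new ClientConfiguration()
                .withSignerOverride("AWSS3V4SignerType");   // SSE-KMS objects reject SigV2 and unsigned requests
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(accessKeyId, secretKey)))
                .withRegion(region)
                .withClientConfiguration(cfg)
                .build();
    }

    /**
     * Presigns a plain GET. No SSE algorithm or key id is added: on download S3 reads the
     * KMS key from the object itself, and any x-amz-server-side-encryption header put on
     * the presign request is part of the signature, so whoever opens the URL would have to
     * send that header too (a browser does not), which yields SignatureDoesNotMatch.
     */
    static URL presignKmsObjectGet(AmazonS3 s3, String bucket, String key, int validMinutes) {
        Date expiry = new Date(System.currentTimeMillis() + validMinutes * 60_000L);
        GeneratePresignedUrlRequest req = new GeneratePresignedUrlRequest(bucket, key, HttpMethod.GET)
                .withExpiration(expiry);
        return s3.generatePresignedUrl(req);
    }

    public static void main(String[] args) {
        // Placeholder values (assumed), same style as the question's constants
        AmazonS3 s3 = buildSigV4Client("---aws accesskey---", "---aws secret key---", Regions.US_WEST_2);
        // The URL lets its holder decrypt with the signer's kms:Decrypt permission, so keep the lifetime short
        URL url = presignKmsObjectGet(s3, "---bucket name---", "---display key name---", 10);
        System.out.println(url);
    }
}
```

The credentials used to presign must themselves be allowed to call kms:Decrypt on the key; a public-read ACL does not let an unsigned URL fetch an SSE-KMS object, because anonymous requests cannot use KMS.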


- [comment mostly lost in extraction: mentions using awscli with aws-encryption-cli for S3 and asks about an S3 URL]


Source: https://habr.com/ru/post/1680385/
