在 Amazon S3 中使用 KMS 密钥解密文件时出错
Error while decrypting file using KMS key in Amazon S3
我正在尝试使用 Amazon S3 作为加密文件系统。
我使用 KMS 加密密钥(服务器端加密)成功实现了在 AWS S3 服务器上上传文件。请找到以下工作代码:
对于加密:
private static final String AWS_KMS_KEY = "---KMS Key---"
private static final String BUCKET_NAME = "---bucket name---"
private static final String keyName = "---display key name---"
private static final String filePath = "---File Path---"
private static final String ACCESS_KEY_ID = "---aws accesskey---"
private static final String SECRET_ACCESS_KEY = "---aws secret key---"
AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY);
AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
.withRegion(Regions.US_WEST_2).withForceGlobalBucketAccessEnabled(true).build();
FileInputStream stream = new FileInputStream(filePath);
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());
PutObjectRequest putObjectRequest = new PutObjectRequest(amazonFileUploadLocationOriginal, keyName, stream, objectMetadata);
putObjectRequest.withCannedAcl(CannedAccessControlList.PublicRead);
putObjectRequest.withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(AWS_KMS_KEY));
PutObjectResult result = s3Client.putObject(putObjectRequest);
我在使用服务器端解密检索文件时遇到问题。我想直接访问 aws url 以通过解密检索该文件。请找到以下不起作用的代码:
对象读取:
不使用 KMS 密钥读取对象:
GetObjectRequest request = new GetObjectRequest(existingBucketName, amazonFileUploadLocationOriginal);
s3Client.getUrl(BUCKET_NAME, keyName);
以上代码用于没有 kms 加密密钥的读取对象,显示以下错误。
Code : InvalidArgument
Message : Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
使用 KMS 密钥读取对象:
GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
.withSSEAlgorithm(SSEAlgorithm.KMS)
.withKmsCmkId(AWS_KMS_KEY);
URL puturl = s3Client.generatePresignedUrl(genreq);
以上代码是针对带有 kms 加密密钥前缀 URL 的读取对象,显示以下错误。
Code : SignatureDoesNotMatch
Message : The request signature we calculated does not match the signature you provided. Check your key and signing method.
这样做正确吗?有什么建议吗?请帮忙。
如果签名不匹配请使用以下代码手动添加
供参考
System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");
我们可以使用下面的代码获得主持URL获得
GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
.withExpiration(expiration);
URL puturl = s3Client.generatePresignedUrl(genreq);
此URL 将包含到期时间和签名,如下所示
输出
https://mybucket.s3.amazonaws.com/abc_count.png?AWSAccessKeyId=AKIAJXXXXXXXXXXXXXXX&Expires=1503602631&Signature=ibOGfAovnhIF13DALdAgsdtg2s%3D
希望有人帮助回答
我正在尝试使用 Amazon S3 作为加密文件系统。
我使用 KMS 加密密钥(服务器端加密)成功实现了在 AWS S3 服务器上上传文件。请找到以下工作代码:
对于加密:
private static final String AWS_KMS_KEY = "---KMS Key---"
private static final String BUCKET_NAME = "---bucket name---"
private static final String keyName = "---display key name---"
private static final String filePath = "---File Path---"
private static final String ACCESS_KEY_ID = "---aws accesskey---"
private static final String SECRET_ACCESS_KEY = "---aws secret key---"
AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY);
AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
.withRegion(Regions.US_WEST_2).withForceGlobalBucketAccessEnabled(true).build();
FileInputStream stream = new FileInputStream(filePath);
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());
PutObjectRequest putObjectRequest = new PutObjectRequest(amazonFileUploadLocationOriginal, keyName, stream, objectMetadata);
putObjectRequest.withCannedAcl(CannedAccessControlList.PublicRead);
putObjectRequest.withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(AWS_KMS_KEY));
PutObjectResult result = s3Client.putObject(putObjectRequest);
我在使用服务器端解密检索文件时遇到问题。我想直接访问 aws url 以通过解密检索该文件。请找到以下不起作用的代码:
对象读取:
不使用 KMS 密钥读取对象:
GetObjectRequest request = new GetObjectRequest(existingBucketName, amazonFileUploadLocationOriginal);
s3Client.getUrl(BUCKET_NAME, keyName);
以上代码用于没有 kms 加密密钥的读取对象,显示以下错误。
Code : InvalidArgument
Message : Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
使用 KMS 密钥读取对象:
GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
.withSSEAlgorithm(SSEAlgorithm.KMS)
.withKmsCmkId(AWS_KMS_KEY);
URL puturl = s3Client.generatePresignedUrl(genreq);
以上代码是针对带有 kms 加密密钥前缀 URL 的读取对象,显示以下错误。
Code : SignatureDoesNotMatch
Message : The request signature we calculated does not match the signature you provided. Check your key and signing method.
这样做正确吗?有什么建议吗?请帮忙。
如果签名不匹配请使用以下代码手动添加
供参考
System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");
我们可以使用下面的代码获得主持URL获得
GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
.withExpiration(expiration);
URL puturl = s3Client.generatePresignedUrl(genreq);
此URL 将包含到期时间和签名,如下所示
输出
https://mybucket.s3.amazonaws.com/abc_count.png?AWSAccessKeyId=AKIAJXXXXXXXXXXXXXXX&Expires=1503602631&Signature=ibOGfAovnhIF13DALdAgsdtg2s%3D
希望有人帮助回答