How to get KMS KeyId using alias?

I am using awssdk v2: https://sdk.amazonaws.com/java/api/latest/

I want to put objects into S3 encrypted at rest with a customer-managed KMS key, and I am using sse-c for this. However, it always seems to default to the AWS managed key instead of the customer-managed key.

Below is my code:

import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId(this.s3KmsKeyId) // my key alias
        .build();

s3Client.putObject(putObjectRequest, RequestBody.fromString(data)); // data = some string value

I am using PutObjectRequest to configure my request and S3Client to send it to S3.

Since the key is set to rotate, I cannot use the ARN or the keyId itself. I also can't seem to find an example of how to do this with this SDK.

To be able to retrieve the KMS key ID from KMS, you need to use KmsClient. sseKmsKeyId won't accept an alias because it cannot work out the key ID from an alias.

You can do the following:

import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

// DescribeKey accepts an alias name and returns the metadata of the key it points to
KmsClient kmsClient = KmsClient.builder().build();
DescribeKeyRequest req = DescribeKeyRequest.builder().keyId("alias/your_kms_alias").build();
DescribeKeyResponse res = kmsClient.describeKey(req);

// See https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html
// for the response you will get back from DescribeKey

// Then create the request to S3

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId(res.keyMetadata().keyId()) // the actual keyId from KMS CMK
        .build();

s3Client.putObject(putObjectRequest, RequestBody.fromString(data));

See also: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/kms/model/DescribeKeyRequest.html#keyId--

If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.

Hope this helps.

It is possible to use an alias with S3 put. Was able to do this with a CMK. Used v1 of the AWS SDK.

import software.amazon.awssdk.services.s3.model.PutObjectRequest;
import software.amazon.awssdk.services.s3.model.ServerSideEncryption;

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId("alias/kms-key-id-alias-name") // use this format and it uploads
        .build();
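Whichever of the two approaches above you use (resolving the alias with DescribeKey, or passing the alias straight to the S3 put), the original problem was an upload silently landing under the AWS managed key. The following is an added example, not code from either answer, that closes that gap with the AWS SDK for Java v2: it resolves the alias, refuses a key that is not an enabled customer-managed key, uploads with SSE-KMS, and then reads back from S3 which key the object was actually stored under. The alias name, bucket and object key are placeholders, and both clients are assumed to come from the default credential chain.

```java
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.*;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.*;

public class CmkPutExample {
    // Resolve "alias/..." to a key ARN; refuse anything that is not an enabled,
    // customer-managed key (an AWS managed alias such as alias/aws/s3 resolves too).
    static String resolveCustomerManagedKeyArn(KmsClient kms, String alias) {
        KeyMetadata md = kms.describeKey(
                DescribeKeyRequest.builder().keyId(alias).build()).keyMetadata();
        if (md.keyManager() != KeyManagerType.CUSTOMER) {
            throw new IllegalStateException(alias + " is an AWS managed key: " + md.arn());
        }
        if (md.keyState() != KeyState.ENABLED) {
            throw new IllegalStateException(alias + " is " + md.keyState() + ": " + md.arn());
        }
        return md.arn(); // the full ARN stays unambiguous across accounts and regions
    }

    // Upload with SSE-KMS, then read back which key S3 actually recorded for the object.
    static String putWithCmk(S3Client s3, String bucket, String key, String data, String keyArn) {
        s3.putObject(PutObjectRequest.builder()
                .bucket(bucket)
                .key(key)
                .serverSideEncryption(ServerSideEncryption.AWS_KMS)
                .ssekmsKeyId(keyArn)
                .build(), RequestBody.fromString(data));
        HeadObjectResponse head = s3.headObject(
                HeadObjectRequest.builder().bucket(bucket).key(key).build());
        if (head.serverSideEncryption() != ServerSideEncryption.AWS_KMS
                || !keyArn.equals(head.ssekmsKeyId())) {
            throw new IllegalStateException(key + " is encrypted under " + head.ssekmsKeyId()
                    + ", not " + keyArn);
        }
        return head.ssekmsKeyId();
    }

    public static void main(String[] args) {
        // Placeholder alias, bucket and key: substitute your own.
        try (KmsClient kms = KmsClient.create(); S3Client s3 = S3Client.create()) {
            String arn = resolveCustomerManagedKeyArn(kms, "alias/my-s3-cmk");
            System.out.println("stored under " + putWithCmk(s3, "my-bucket", "hello.txt", "hello", arn));
        }
    }
}
```

The caller needs kms:DescribeKey on the key for the alias lookup and kms:GenerateDataKey for the put itself; if only the latter is granted, drop the resolve step and keep the HeadObject check, which is what catches a fall-back to the AWS managed key.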