如何使用带有 KMS(客户管理的密钥)的预签名 post Post 对象
How to Post object using presigned post with KMS(customer managed key)
当我使用预签名 post 生成 url 和其他属性时,当我尝试使用作为客户管理密钥的服务器端加密上传我的图像时,此密钥是由我创建的。就我而言,我可以使用 {"x-amz-server-side-encryption": "aws:kms"} 上传。如何上传客户管理的密钥?
如果我想使用客户管理的密钥上传图像,我是否使用 x-amz-server-side-encryption-customer-key 和 x-amz-server-side-encryption-customer-key-MD5?
这是我的示例代码:
import logging
import boto3
from botocore.exceptions import ClientError
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
bucket_name = "s3-bucket"
fields = {
"x-amz-server-side-encryption": "aws:kms",
# "x-amz-server-side-encryption-customer-algorithm": "AES256",
# "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
# "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"
}
conditions = [
# 1Byte - 25MB
["content-length-range", 1, 26214400],
{"x-amz-server-side-encryption": "aws:kms"},
# {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
# {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
# {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"}
]
file_name = "test.png"
response = s3_client.generate_presigned_post(bucket_name,
Key=file_name,
Fields=fields,
Conditions=conditions,
ExpiresIn=3000)
print(response)
except ClientError as e:
print(logging.error(e))
在我使用 "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>" 之后,我获得了访问权限 d9
这是新的示例代码:
import logging
import boto3
from botocore.exceptions import ClientError
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
bucket_name = "s3-bucket"
fields = {
"x-amz-server-side-encryption": "aws:kms",
"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"
}
conditions = [
# 1Byte - 25MB
["content-length-range", 1, 26214400],
{"x-amz-server-side-encryption": "aws:kms"},
{"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"}
]
file_name = "test.png"
response = s3_client.generate_presigned_post(bucket_name,
Key=file_name,
Fields=fields,
Conditions=conditions,
ExpiresIn=300)
print(response)
except ClientError as e:
print(logging.error(e))
{
"code": 2000,
"messages": [],
"payload": {
"url": "https://s3-bucket.s3.amazonaws.com/",
"fields": {
"Content-Type": "image/png",
"x-amz-server-side-encryption": "aws:kms",
"x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
"key": "kms005.png",
"x-amz-algorithm": "AWS4-HMAC-SHA256",
"x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
"x-amz-date": "20210223T073640Z",
"policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
"x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
}
},
"request_id": "1234567890"
}"
Errors msg
Customer managed key, am i using the x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?
对于 SSE-KMS 没有 header 作为 x-amz-server-side-encryption-customer-key(对于 SSE-C,见下文)。相反,如果您要使用 "x-amz-server-side-encryption": "aws:kms" 以及使用您的 自己的 CMK(不是 AWS 托管 CMK),那么您 have to use:
x-amz-server-side-encryption-aws-kms-key-id - 指定用于保护数据的客户托管 CMK 的 ID
Header x-amz-server-side-encryption-customer-key-MD5 用于 SSE-C(customer-provided 键),不适用于 SSE-KMS.
在 kms 密钥策略中必须有 kms:Encrypt、kms:Decrypt、kms:ReEncrypt*、kms:GenerateDataKey* 和 kms:DescribeKey。将动作添加到kms key policy中后即可上传成功。
"Statement": [
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
当我使用预签名 post 生成 url 和其他属性时,当我尝试使用作为客户管理密钥的服务器端加密上传我的图像时,此密钥是由我创建的。就我而言,我可以使用 {"x-amz-server-side-encryption": "aws:kms"} 上传。如何上传客户管理的密钥?
如果我想使用客户管理的密钥上传图像,我是否使用 x-amz-server-side-encryption-customer-key 和 x-amz-server-side-encryption-customer-key-MD5?
这是我的示例代码:
import logging
import boto3
from botocore.exceptions import ClientError
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
bucket_name = "s3-bucket"
fields = {
"x-amz-server-side-encryption": "aws:kms",
# "x-amz-server-side-encryption-customer-algorithm": "AES256",
# "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
# "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"
}
conditions = [
# 1Byte - 25MB
["content-length-range", 1, 26214400],
{"x-amz-server-side-encryption": "aws:kms"},
# {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
# {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
# {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"}
]
file_name = "test.png"
response = s3_client.generate_presigned_post(bucket_name,
Key=file_name,
Fields=fields,
Conditions=conditions,
ExpiresIn=3000)
print(response)
except ClientError as e:
print(logging.error(e))
在我使用 "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>" 之后,我获得了访问权限 d9
这是新的示例代码:
import logging
import boto3
from botocore.exceptions import ClientError
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
bucket_name = "s3-bucket"
fields = {
"x-amz-server-side-encryption": "aws:kms",
"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"
}
conditions = [
# 1Byte - 25MB
["content-length-range", 1, 26214400],
{"x-amz-server-side-encryption": "aws:kms"},
{"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"}
]
file_name = "test.png"
response = s3_client.generate_presigned_post(bucket_name,
Key=file_name,
Fields=fields,
Conditions=conditions,
ExpiresIn=300)
print(response)
except ClientError as e:
print(logging.error(e))
{
"code": 2000,
"messages": [],
"payload": {
"url": "https://s3-bucket.s3.amazonaws.com/",
"fields": {
"Content-Type": "image/png",
"x-amz-server-side-encryption": "aws:kms",
"x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
"key": "kms005.png",
"x-amz-algorithm": "AWS4-HMAC-SHA256",
"x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
"x-amz-date": "20210223T073640Z",
"policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
"x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
}
},
"request_id": "1234567890"
}"
Errors msg
Customer managed key, am i using the x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?
对于 SSE-KMS 没有 header 作为 x-amz-server-side-encryption-customer-key(对于 SSE-C,见下文)。相反,如果您要使用 "x-amz-server-side-encryption": "aws:kms" 以及使用您的 自己的 CMK(不是 AWS 托管 CMK),那么您 have to use:
x-amz-server-side-encryption-aws-kms-key-id- 指定用于保护数据的客户托管 CMK 的 ID
Header x-amz-server-side-encryption-customer-key-MD5 用于 SSE-C(customer-provided 键),不适用于 SSE-KMS.
在 kms 密钥策略中必须有 kms:Encrypt、kms:Decrypt、kms:ReEncrypt*、kms:GenerateDataKey* 和 kms:DescribeKey。将动作添加到kms key policy中后即可上传成功。
"Statement": [
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]