Question

When I generate the URL and the other form fields with a presigned POST, I try to upload my image using server-side encryption with a customer-managed key, i.e. a key that I created myself. In my case I can upload with {"x-amz-server-side-encryption": "aws:kms"}. How do I upload with the customer-managed key? If I want to upload an image with a customer-managed key, do I use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?

Here is my sample code:
```python
import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
    bucket_name = "s3-bucket"
    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        # "x-amz-server-side-encryption-customer-algorithm": "AES256",
        # "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
        # "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>",
    }
    conditions = [
        # 1 byte - 25 MB
        ["content-length-range", 1, 26214400],
        {"x-amz-server-side-encryption": "aws:kms"},
        # {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
        # {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
        # {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"},
    ]
    file_name = "test.png"
    response = s3_client.generate_presigned_post(
        bucket_name, Key=file_name, Fields=fields, Conditions=conditions, ExpiresIn=3000
    )
    print(response)
except ClientError as e:
    logging.error(e)
```
After I used "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>", I got Access Denied.

Here is the new sample code:
```python
import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
try:
    bucket_name = "s3-bucket"
    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>",
    }
    conditions = [
        # 1 byte - 25 MB
        ["content-length-range", 1, 26214400],
        {"x-amz-server-side-encryption": "aws:kms"},
        {"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"},
    ]
    file_name = "test.png"
    response = s3_client.generate_presigned_post(
        bucket_name, Key=file_name, Fields=fields, Conditions=conditions, ExpiresIn=300
    )
    print(response)
except ClientError as e:
    logging.error(e)
```
```json
{
  "code": 2000,
  "messages": [],
  "payload": {
    "url": "https://s3-bucket.s3.amazonaws.com/",
    "fields": {
      "Content-Type": "image/png",
      "x-amz-server-side-encryption": "aws:kms",
      "x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
      "key": "kms005.png",
      "x-amz-algorithm": "AWS4-HMAC-SHA256",
      "x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
      "x-amz-date": "20210223T073640Z",
      "policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
      "x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
    }
  },
  "request_id": "1234567890"
}
```
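To make visible what `generate_presigned_post` produces for an SSE-KMS upload, here is an added example that is not the asker's code: a standard-library re-implementation of the SigV4 POST-policy signing that boto3 performs, plus two checks a defender wants before shipping such a form. `uncovered_fields` reports any form field that has no matching policy condition (S3 requires every field except `policy`, `x-amz-signature`, `file` and `x-ignore-*` to appear in the conditions), and `mixes_sse_modes` flags a form that combines `aws:kms` with the SSE-C header family, which S3 does not accept. The bucket, credentials, KMS key id and timestamp are constructed placeholders.

```python
"""Build, sign and sanity-check an S3 POST policy requesting SSE-KMS with a
customer-managed key. Added example, not the asker's code: a stdlib version of
what boto3's generate_presigned_post does under SigV4, so it runs offline.
Credentials, bucket, key id and timestamp are constructed placeholders."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SSE_FIELD = "x-amz-server-side-encryption"
KMS_KEY_ID_FIELD = "x-amz-server-side-encryption-aws-kms-key-id"
# These three select SSE-C (customer-provided key); they are not used with aws:kms.
SSE_C_FIELDS = {
    "x-amz-server-side-encryption-customer-algorithm",
    "x-amz-server-side-encryption-customer-key",
    "x-amz-server-side-encryption-customer-key-MD5",
}
# Form fields S3 accepts without a policy condition.
EXEMPT_FIELDS = {"policy", "x-amz-signature", "file"}


def sse_kms_fields(kms_key_id):
    """Form fields asking S3 to encrypt the object under a specific CMK."""
    return {SSE_FIELD: "aws:kms", KMS_KEY_ID_FIELD: kms_key_id}


def uncovered_fields(fields, conditions):
    """Fields with no matching policy condition. S3 rejects a POST whose form
    carries such a field, so everything in Fields= must also be in Conditions=."""
    covered = set()
    for cond in conditions:
        if isinstance(cond, dict):
            covered.update(cond)
        elif isinstance(cond, list) and len(cond) == 3 and cond[0] in ("eq", "starts-with"):
            covered.add(str(cond[1]).lstrip("$"))
    return sorted(f for f in fields
                  if f not in covered and f not in EXEMPT_FIELDS and not f.startswith("x-ignore-"))


def mixes_sse_modes(fields):
    """True when SSE-KMS and SSE-C fields are combined; S3 accepts only one mode."""
    return fields.get(SSE_FIELD) == "aws:kms" and any(f in fields for f in SSE_C_FIELDS)


def _signing_key(secret_key, date_stamp, region):
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    key = hmac.new(("AWS4" + secret_key).encode(), date_stamp.encode(), hashlib.sha256).digest()
    for part in (region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def presigned_post(bucket, key, fields, conditions, access_key, secret_key, region, now, expires_in=300):
    """Return {"url", "fields"} in the shape boto3 returns, signed with SigV4."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{access_key}/{date_stamp}/{region}/s3/aws4_request"
    form = dict(fields)
    form.update({"key": key, "x-amz-algorithm": "AWS4-HMAC-SHA256",
                 "x-amz-credential": credential, "x-amz-date": amz_date})
    policy = {
        "expiration": (now + timedelta(seconds=expires_in)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        # every form field is mirrored into the conditions, as S3 requires
        "conditions": list(conditions) + [{"bucket": bucket}, {"key": key},
                                          {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
                                          {"x-amz-credential": credential},
                                          {"x-amz-date": amz_date}],
    }
    encoded = base64.b64encode(json.dumps(policy).encode()).decode()
    form["policy"] = encoded
    form["x-amz-signature"] = hmac.new(_signing_key(secret_key, date_stamp, region),
                                       encoded.encode(), hashlib.sha256).hexdigest()
    return {"url": f"https://{bucket}.s3.amazonaws.com/", "fields": form}


def decode_policy(encoded):
    """Decode the base64 policy returned in response["fields"]["policy"]."""
    return json.loads(base64.b64decode(encoded))


def sample_request():
    """Constructed sample: SSE-KMS upload of test.png limited to 1 byte..25 MB."""
    fields = sse_kms_fields("00000000-0000-0000-0000-000000000000")  # placeholder key id
    conditions = [["content-length-range", 1, 26214400]] + [{k: v} for k, v in fields.items()]
    assert not uncovered_fields(fields, conditions) and not mixes_sse_modes(fields)
    return presigned_post("example-bucket", "test.png", fields, conditions,
                          "AKIAEXAMPLE000000000", "EXAMPLESECRETKEY", "us-east-1",
                          datetime(2021, 2, 23, 7, 36, 40, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(sample_request(), indent=2))
```

Run `decode_policy(response["fields"]["policy"])` on a real boto3 response to confirm that the `x-amz-server-side-encryption-aws-kms-key-id` condition is actually present; a key id that is only in `Fields` but not in `Conditions` is not signed into the policy.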
Answer

"For customer-managed keys, do I use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?"

There is no header such as x-amz-server-side-encryption-customer-key for SSE-KMS (it is used for SSE-C, see below). Instead, if you intend to use "x-amz-server-side-encryption": "aws:kms" and want to use your own CMK (rather than the AWS managed CMK), then you have to use:

- x-amz-server-side-encryption-aws-kms-key-id - specifies the ID of the customer-managed CMK used to protect the data

The header x-amz-server-side-encryption-customer-key-MD5 is used for SSE-C (customer-provided keys), not for SSE-KMS.
The KMS key policy must include kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey. After adding these actions to the KMS key policy, the upload succeeds.

```json
"Statement": [
  {
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": "*"
  }
]
```
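As an added example (not from the answer above), the following checks a KMS key policy document for the actions listed in the answer before a presigned POST is handed out, so that a missing grant is found in review rather than as an Access Denied at upload time. It expands the two wildcards into the concrete KMS actions they cover (kms:ReEncryptFrom, kms:ReEncryptTo, kms:GenerateDataKey) and reports anything not allowed, or explicitly denied, for the uploading principal. The principal ARN and both policy documents are constructed placeholders; the check looks only at direct grants in the key policy and deliberately ignores Condition blocks and the IAM-delegation path via the account root principal.

```python
"""Check that a KMS key policy grants the actions S3 needs for an SSE-KMS upload.
Added example, not part of the original answer. Principal ARN and policy
documents are constructed placeholders."""
import fnmatch

# Concrete actions behind the answer's list (kms:ReEncrypt* and kms:GenerateDataKey*
# expanded). Required on the CMK for the principal performing the PutObject/POST.
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)

UPLOADER = "arn:aws:iam::123456789012:role/uploader"  # placeholder principal

# Constructed "before" policy: only two of the required actions are granted.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": UPLOADER},
         "Action": ["kms:Encrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

# Constructed "after" policy using the action list from the answer.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": UPLOADER},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """True if the statement names principal_arn (or everyone) as an AWS principal."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return principal_arn in aws or "*" in aws


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_kms_actions(policy, principal_arn):
    """Required actions that `policy` does not Allow, or explicitly Denies, for
    principal_arn. Conditions and Resource are not evaluated (key policies use
    Resource "*" for the key itself)."""
    allowed, denied = set(), set()
    for statement in _as_list(policy.get("Statement")):
        if not _principal_matches(statement, principal_arn):
            continue
        target = allowed if statement.get("Effect") == "Allow" else denied
        for pattern in _as_list(statement.get("Action")):
            target.update(a for a in REQUIRED_ACTIONS if _action_matches(pattern, a))
    return sorted(a for a in REQUIRED_ACTIONS if a not in allowed or a in denied)


if __name__ == "__main__":
    print("missing before:", missing_kms_actions(INCOMPLETE_POLICY, UPLOADER))
    print("missing after: ", missing_kms_actions(FIXED_POLICY, UPLOADER))
```

Feed it the output of `aws kms get-key-policy --policy-name default` (parsed from JSON) together with the ARN of the principal whose credentials sign the presigned POST; an empty result means the key policy itself is not the reason for a denied upload.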