When I use a presigned POST to generate the URL and the other attributes, and then try to upload my image with server-side encryption using a customer managed key (a key I created myself), I can upload with {"x-amz-server-side-encryption": "aws:kms"}. How can I upload with my customer managed key?
If I want to upload an image with a customer managed key, am I supposed to use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?
Here is my sample code:

    import logging
    import boto3
    from botocore.config import Config
    from botocore.exceptions import ClientError

    # SSE-KMS requires Signature Version 4
    s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
    try:
        bucket_name = "s3-bucket"
        # form fields the browser will send with the file
        fields = {
            "x-amz-server-side-encryption": "aws:kms",
            # "x-amz-server-side-encryption-customer-algorithm": "AES256",
            # "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
            # "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"
        }
        # policy conditions S3 checks against the submitted form
        conditions = [
            # 1 byte - 25 MB
            ["content-length-range", 1, 26214400],
            {"x-amz-server-side-encryption": "aws:kms"},
            # {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
            # {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
            # {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"}
        ]
        file_name = "test.png"
        response = s3_client.generate_presigned_post(bucket_name,
                                                     Key=file_name,
                                                     Fields=fields,
                                                     Conditions=conditions,
                                                     ExpiresIn=3000)
        print(response)
    except ClientError as e:
        logging.error(e)
After I added "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>", I got Access Denied.

This is the new sample code:

    import logging
    import boto3
    from botocore.config import Config
    from botocore.exceptions import ClientError

    # SSE-KMS requires Signature Version 4
    s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))
    try:
        bucket_name = "s3-bucket"
        # form fields the browser will send with the file
        fields = {
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"
        }
        # policy conditions S3 checks against the submitted form
        conditions = [
            # 1 byte - 25 MB
            ["content-length-range", 1, 26214400],
            {"x-amz-server-side-encryption": "aws:kms"},
            {"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"}
        ]
        file_name = "test.png"
        response = s3_client.generate_presigned_post(bucket_name,
                                                     Key=file_name,
                                                     Fields=fields,
                                                     Conditions=conditions,
                                                     ExpiresIn=300)
        print(response)
    except ClientError as e:
        logging.error(e)
Response:

    {
        "code": 2000,
        "messages": [],
        "payload": {
            "url": "https://s3-bucket.s3.amazonaws.com/",
            "fields": {
                "Content-Type": "image/png",
                "x-amz-server-side-encryption": "aws:kms",
                "x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
                "key": "kms005.png",
                "x-amz-algorithm": "AWS4-HMAC-SHA256",
                "x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
                "x-amz-date": "20210223T073640Z",
                "policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
                "x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
            }
        },
        "request_id": "1234567890"
    }
"Customer managed key, am I using the x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?"

There is no such header as x-amz-server-side-encryption-customer-key for SSE-KMS (it's for SSE-C, see below). Instead, if you are going to use "x-amz-server-side-encryption": "aws:kms" and want to use your own CMK (not the AWS managed CMK), then you have to use:

x-amz-server-side-encryption-aws-kms-key-id - to specify the ID of the customer managed CMK used to protect the data.

The header x-amz-server-side-encryption-customer-key-MD5 is for SSE-C (customer-provided keys), not for SSE-KMS.
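The following is an added example, not code from the question or the answer above. It rebuilds what boto3's generate_presigned_post does for an SSE-KMS upload using only the standard library (SigV4 key derivation, the base64 policy document, the HMAC signature over it), so the relationship between the form fields and the policy conditions is visible rather than hidden behind the SDK. It also includes the server-side checks S3 performs: recomputing the signature, and requiring every submitted form field (except policy, x-amz-signature, file and x-ignore-* fields) to be covered by a policy condition. The bucket name, access key ID, secret, KMS key ID and timestamp are constructed placeholders, and the function names are this example's own.

```python
"""Stdlib SigV4 browser-POST policy signer for SSE-KMS uploads (added example)."""
import base64
import datetime as dt
import hashlib
import hmac
import json

REGION = "us-east-1"
SERVICE = "s3"
# Constructed, fixed timestamp so output is reproducible; not a real request time.
EXAMPLE_NOW = dt.datetime(2021, 2, 23, 7, 36, 40)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str = REGION) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def build_presigned_post(bucket, key, access_key, secret_key, kms_key_id,
                         now=None, expires_in=300, max_bytes=26214400):
    """Return {"url", "fields"} for a browser POST storing the object with SSE-KMS.

    Every form field is also written into the policy as a condition, which is
    what S3 requires for the POST to be accepted.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    credential = f"{access_key}/{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    expiration = (now + dt.timedelta(seconds=expires_in)).strftime("%Y-%m-%dT%H:%M:%SZ")

    # SSE-KMS with a customer managed CMK is selected by these two fields.
    # The SSE-C headers (...-customer-key, ...-customer-key-MD5) are a different
    # mode and are deliberately absent.
    fields = {
        "key": key,
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
    }
    conditions = [{"bucket": bucket}, ["content-length-range", 1, max_bytes]]
    conditions += [{name: value} for name, value in fields.items()]

    policy_b64 = base64.b64encode(
        json.dumps({"expiration": expiration, "conditions": conditions}).encode("utf-8")
    ).decode("ascii")
    # The signature is an HMAC-SHA256 over the base64 policy string itself.
    signature = hmac.new(signing_key(secret_key, date_stamp),
                         policy_b64.encode("utf-8"), hashlib.sha256).hexdigest()
    fields["policy"] = policy_b64
    fields["x-amz-signature"] = signature
    return {"url": f"https://{bucket}.s3.amazonaws.com/", "fields": fields}


def decode_policy(fields):
    """Decode the base64 policy document carried in the form."""
    return json.loads(base64.b64decode(fields["policy"]))


def verify_signature(fields, secret_key):
    """Server-side check: re-derive the signature from the submitted policy."""
    _, date_stamp, region, _, _ = fields["x-amz-credential"].split("/")
    expected = hmac.new(signing_key(secret_key, date_stamp, region),
                        fields["policy"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["x-amz-signature"])


def uncovered_fields(fields):
    """Form fields that no policy condition covers; S3 rejects the POST if any exist."""
    covered = set()
    for cond in decode_policy(fields)["conditions"]:
        if isinstance(cond, dict):
            covered.update(cond)                       # {"field": "value"}
        elif cond[0] in ("eq", "starts-with"):         # ["eq", "$field", "value"]
            covered.add(cond[1].lstrip("$"))
        # ["content-length-range", min, max] covers no form field
    skip = {"policy", "x-amz-signature", "file"}
    return sorted(name for name in fields
                  if name not in skip and not name.startswith("x-ignore-")
                  and name not in covered)


if __name__ == "__main__":
    secret = "constructed-secret-not-a-real-key"
    post = build_presigned_post("example-bucket", "test.png", "AKIAEXAMPLEKEYID000",
                                secret, "12345678-1234-1234-1234-123456789abc",
                                now=EXAMPLE_NOW)
    print(json.dumps(post, indent=2))
    print("signature ok:", verify_signature(post["fields"], secret))
    # A field the policy never mentions (Content-Type here) makes S3 reject the POST.
    print("uncovered:", uncovered_fields(dict(post["fields"], **{"Content-Type": "image/png"})))
```

Two practical notes. Decoding the policy value pasted in the question's response gives conditions for content-length-range, x-amz-server-side-encryption, bucket, key, x-amz-algorithm, x-amz-credential and x-amz-date, but none for x-amz-server-side-encryption-aws-kms-key-id or Content-Type, even though both are present in the returned fields; running uncovered_fields() over that response would report exactly those two, so checking the form this way before handing it to the browser is worth doing whenever fields and conditions are built separately. Separately, the credentials that sign the policy are the ones S3 uses for the upload, so that principal needs kms:GenerateDataKey on the CMK (granted by both its IAM policy and the key policy), and a missing KMS grant also surfaces as Access Denied.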