Updating the S3 KMS key on an object that uses server-side encryption

Time: 2019-04-12 19:33:04

Tags: ruby amazon-web-services amazon-s3

I'm building a feature where customers can update their KMS key on our platform, so that their data is encrypted with their own KMS key rather than a key we generate. The way it works today is that when a customer signs up we generate a KMS key for them and upload objects using that key. If the customer wants to supply their own key, I'd like to be able to update this key without having to pull the data down and re-upload it under the new key.

def enc_client
  Aws::S3::Encryption::Client.new(
    kms_client: Aws::KMS::Client.new(region: 'us-east-1'),
    kms_key_id: ENV['MY_PRIVATE_KEY']
  )
end

def s3_client
  enc_client.client
end

bucket = "my_bucket_name"
key = "path/12345abcde/preview.html"
copy_source = "/#{key}"
server_side_encryption = "aws:kms"

# This returns the object with the key present. If I go in the AWS client and manually add or remove the key, it will update on this call.
resp = s3_client.get_object(bucket: bucket, key: key)

#<struct Aws::S3::Types::GetObjectOutput
 body=#<StringIO:0x000000000bb45108>,
 delete_marker=nil,
 accept_ranges="bytes",
 expiration=nil,
 restore=nil,
 last_modified=2019-04-12 15:40:09 +0000,
 content_length=19863445,
 etag="\"123123123123123123123123123123-1\"",
 missing_meta=nil,
 version_id=nil,
 cache_control=nil,
 content_disposition="inline; filename=\"preview.html\"",
 content_encoding=nil,
 content_language=nil,
 content_range=nil,
 content_type="text/html",
 expires=nil,
 expires_string=nil,
 website_redirect_location=nil,
 server_side_encryption="aws:kms",
 metadata={},
 sse_customer_algorithm=nil,
 sse_customer_key_md5=nil,
 ssekms_key_id="arn:aws:kms:us-east-1:123456789123:key/222b222b-bb22-2222-bb22-222bbb22bb2b",
 storage_class=nil,
 request_charged=nil,
 replication_status=nil,
 parts_count=nil,
 tag_count=nil>

new_ssekms_key_id = "arn:aws:kms:us-east-1:123456789123:key/111a111a-aa11-1111-aa11-111aaa11aa1a"

# First attempt: only the new key id is passed (ssekms_key_id must go with server_side_encryption: "aws:kms")
resp = s3_client.copy_object(bucket: bucket, key: key, copy_source: copy_source, ssekms_key_id: new_ssekms_key_id)
Aws::S3::Errors::InvalidArgument: Server Side Encryption with AWS KMS managed key requires HTTP header x-amz-server-side-encryption : aws:kms
from /usr/local/bundle/gems/aws-sdk-core-3.6.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

# Second attempt: server_side_encryption added as the error asked for
resp = s3_client.copy_object(bucket: bucket, key: key, copy_source: copy_source, ssekms_key_id: new_ssekms_key_id, server_side_encryption: server_side_encryption)
Aws::S3::Errors::AccessDenied: Access Denied
from /usr/local/bundle/gems/aws-sdk-core-3.6.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'

I'd like to be able to update the KMS key id to a new one on the server side.

1 answer:

Answer 0 (score: 0)

copy_source = "/#{key}" is incorrect. The value should be "/#{bucket}/#{key}".

The service interprets the first element of the key path as the bucket name, which may be some other user's bucket.
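As an added example (not code from the question or the answer above), here is an in-place CopyObject that re-encrypts an object under a new KMS key: copy_source is built as "/bucket/key", server_side_encryption is set to "aws:kms" alongside ssekms_key_id, and the result is checked with head_object. The names build_copy_source, rekey_params, rekey_object, verify_rekey and FakeS3 are assumptions made here, and the key ARN is a placeholder. FakeS3 stands in for Aws::S3::Client so the block runs without credentials; it rejects a copy source whose first path segment is not the target bucket, which is the AccessDenied the question ran into. The key is percent-encoded per path segment, as the x-amz-copy-source header requires.

```ruby
# Added example: re-encrypt an S3 object under a new KMS key with an in-place copy.
# Works against any object responding to copy_object(**params) and head_object(bucket:, key:),
# e.g. Aws::S3::Client. FakeS3 below is a constructed stand-in so this runs offline.
require "erb"

# CopyObject expects "/<source-bucket>/<source-key>". The first path element is read
# as the bucket, so "/path/to/key" alone would target a bucket named "path".
# Each key segment is percent-encoded; "/" separators are kept.
def build_copy_source(bucket, key)
  raise ArgumentError, "bucket must not be empty" if bucket.to_s.empty?
  raise ArgumentError, "key must not be empty" if key.to_s.empty?
  encoded_key = key.split("/", -1).map { |seg| ERB::Util.url_encode(seg) }.join("/")
  "/#{bucket}/#{encoded_key}"
end

# Parameters for copying an object onto itself with a new SSE-KMS key.
# server_side_encryption must accompany ssekms_key_id (the InvalidArgument in the
# question). Changing the encryption key is what makes a copy-to-self legal;
# metadata_directive "COPY" keeps the existing user metadata.
def rekey_params(bucket:, key:, new_kms_key_arn:)
  {
    bucket: bucket,
    key: key,
    copy_source: build_copy_source(bucket, key),
    server_side_encryption: "aws:kms",
    ssekms_key_id: new_kms_key_arn,
    metadata_directive: "COPY"
  }
end

def rekey_object(client, bucket:, key:, new_kms_key_arn:)
  client.copy_object(**rekey_params(bucket: bucket, key: key, new_kms_key_arn: new_kms_key_arn))
end

# Confirm the object now reports the expected key (HeadObject returns ssekms_key_id).
def verify_rekey(client, bucket:, key:, expected_arn:)
  client.head_object(bucket: bucket, key: key).ssekms_key_id == expected_arn
end

# Constructed stand-in for Aws::S3::Client: records copy_object calls, answers
# head_object with the key last copied onto an object, and raises "AccessDenied"
# when the copy source names a bucket other than the one we are writing to.
class FakeS3
  attr_reader :calls

  def initialize
    @calls = []
    @keys = {}
  end

  def copy_object(**params)
    @calls << params
    src_bucket = params[:copy_source].split("/")[1]
    raise "AccessDenied" unless src_bucket == params[:bucket]
    @keys[[params[:bucket], params[:key]]] = params[:ssekms_key_id]
    Struct.new(:copy_object_result).new(nil)
  end

  def head_object(bucket:, key:)
    Struct.new(:ssekms_key_id).new(@keys[[bucket, key]])
  end
end

if __FILE__ == $PROGRAM_NAME
  s3 = FakeS3.new
  bucket = "my_bucket_name"
  key = "path/12345abcde/preview.html"
  new_arn = "arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID" # placeholder, not a real key
  rekey_object(s3, bucket: bucket, key: key, new_kms_key_arn: new_arn)
  puts s3.calls.last[:copy_source]
  puts verify_rekey(s3, bucket: bucket, key: key, expected_arn: new_arn)
end
```

With a real Aws::S3::Client the same call also needs KMS permissions on both sides of the copy: kms:Decrypt on the key the object is currently under and kms:GenerateDataKey on the new one, since S3 decrypts the source and re-encrypts the target. Without them the copy fails even when copy_source is correct, so a head_object check after the copy is worth keeping in the rollout path.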