
I am trying to use the AWS RDS Aurora `SELECT * INTO OUTFILE S3 's3://some_bucket/object_key'` feature with a bucket `some_bucket` that has default server-side encryption with KMS.

I get this error, which makes sense:

InternalError: (InternalError) (1871, u'S3 API returned error: Unknown:Unable to parse ExceptionName: KMS.NotFoundException Message: Invalid keyId')

How can I make this work, so that Aurora has the KMS key and can upload the file to S3?

2 Answers

Aurora MySQL currently supports this feature. Follow the official documentation above to add an IAM role to your RDS cluster, and make sure the role has a policy that grants S3 read/write and KMS encrypt/decrypt, for example

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "s3:AbortMultipartUpload",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:GetObjectVersion",
                    "s3:ListMultipartUploadParts",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::<bucket-name>/*"
            },
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<bucket-name>"
            },
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "kms:ReEncrypt*",
                    "kms:Encrypt",
                    "kms:DescribeKey",
                    "kms:Decrypt",
                    "kms:GenerateDataKey*"
                ],
                "Resource": "arn:aws:kms:<region>:<account>:key/<key id>"
            }
        ]
    }

Answered 2020-08-24T00:53:13.867
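The answer above gives the policy shape but not a way to check that it actually covers the key the bucket is configured with, which is what the `KMS.NotFoundException ... Invalid keyId` error points at. The following is an added example (not the answerer's code): it builds the role policy for a given bucket and key ARN, reads the KMS key out of a `GetBucketEncryption` response, and evaluates the policy offline with a small IAM-style matcher (explicit Deny wins, `*` wildcards in Action and Resource). The bucket name, account, region and key ARN are placeholder assumptions, and the `GetBucketEncryption` response is constructed. Two things the identity policy alone cannot fix, and which this check deliberately reports as "not the problem": the KMS key policy must also allow the cluster's role (it does if the key policy delegates to IAM with the usual `kms:*` for the account root), and the cluster parameter `aurora_select_into_s3_role` (or `aws_default_s3_role`) must name the role ARN.

```python
"""Least-privilege role policy for Aurora MySQL 'SELECT ... INTO OUTFILE S3'
into an SSE-KMS bucket, plus an offline checker.  Added example, not code from
the original post; bucket, account, region and key ARN are assumed values."""
import fnmatch
import json

# Assumed placeholder values (not from the original post).
BUCKET = "some_bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed GetBucketEncryption response (field names follow the S3 API; values assumed).
BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": KEY_ARN}}]}}


def aurora_export_policy(bucket: str, key_arn: str, prefix: str = "") -> dict:
    """Role policy as in the answer: object read/write under the bucket (optionally
    limited to a prefix), ListBucket on the bucket itself, and the data-key
    operations on exactly the bucket's default SSE-KMS key, not 'kms:*' on '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AuroraS3Objects", "Effect": "Allow",
             "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject",
                        "s3:GetObjectVersion", "s3:ListMultipartUploadParts", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            {"Sid": "AuroraS3List", "Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AuroraKms", "Effect": "Allow",
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": key_arn},
        ],
    }


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants.  '*' in Action/Resource matches across '/' as in IAM."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def default_sse_kms_key(bucket_encryption: dict):
    """KMS key from a GetBucketEncryption response, or None when the bucket
    defaults to SSE-S3 (AES256), in which case no KMS grant is needed at all."""
    for rule in bucket_encryption["ServerSideEncryptionConfiguration"]["Rules"]:
        default = rule["ApplyServerSideEncryptionByDefault"]
        if default["SSEAlgorithm"] == "aws:kms":
            return default.get("KMSMasterKeyID")
    return None


def missing_grants(policy: dict, bucket: str, bucket_encryption: dict) -> list:
    """Permissions the export needs that the role policy lacks.  An empty list
    means the 'Invalid keyId' failure is not caused by the identity policy:
    look at the KMS key policy and the aurora_select_into_s3_role parameter next."""
    needed = [("s3:PutObject", f"arn:aws:s3:::{bucket}/object_key"),
              ("s3:ListBucket", f"arn:aws:s3:::{bucket}")]
    key = default_sse_kms_key(bucket_encryption)
    if key:
        needed += [("kms:GenerateDataKey", key), ("kms:Decrypt", key)]
    return [f"{a} on {r}" for a, r in needed if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    policy = aurora_export_policy(BUCKET, KEY_ARN)
    print(json.dumps(policy, indent=2))
    print("missing:", missing_grants(policy, BUCKET, BUCKET_ENCRYPTION))
```

Run it against the real bucket by replacing `BUCKET_ENCRYPTION` with the output of `aws s3api get-bucket-encryption --bucket <bucket>`; if the key there is an alias or bare key ID rather than an ARN, resolve it with `aws kms describe-key` before comparing, since the Resource in the role policy must be the key ARN.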
According to the documentation

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.SaveIntoS3.html#AuroraMySQL.Integrating.SaveIntoS3.Statement

compressed or encrypted files are not supported.

But you can create an exception policy for the bucket using a "NotResource" policy with a specific suffix and select within it; from there you can trigger a Lambda to move the file to the actual path with encryption.

Answered 2019-05-20T14:04:35.177
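The workaround in the answer above, as an added example that is not the answerer's code: a bucket policy that denies any `PutObject` not using SSE-KMS with the expected key everywhere except a staging prefix (the `NotResource` carve-out), and a Lambda, triggered by `s3:ObjectCreated:*` on that prefix, that copies each staged export into the encrypted prefix and deletes the staged copy. Bucket, key ARN and both prefixes are assumed placeholders, the S3 event is constructed, and `RecordingS3` is an offline stand-in for the boto3 client so the handler can be exercised without AWS. Two caveats the answer leaves implicit: this only works if the bucket does not also have default SSE-KMS encryption turned on, because default encryption applies bucket-wide and Aurora's write to the staging prefix would fail with the same `Invalid keyId` error; and the copy uses the managed `copy` transfer rather than `copy_object`, since Aurora splits large exports into multiple files that can exceed the 5 GB single-request CopyObject limit.

```python
"""Staging-prefix workaround for Aurora 'SELECT ... INTO OUTFILE S3' with
policy-enforced SSE-KMS.  Added example, not the answerer's code; bucket,
key ARN, prefixes and the S3 event below are assumed/constructed values."""
import urllib.parse

BUCKET = "some_bucket"                      # assumed
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # assumed
STAGING_PREFIX = "aurora-staging/"          # assumed: where Aurora is allowed to write plaintext
FINAL_PREFIX = "exports/"                   # assumed: SSE-KMS destination


def staging_exception_bucket_policy(bucket: str, staging_prefix: str, key_arn: str) -> dict:
    """Deny PutObject that is not SSE-KMS with key_arn on every object except the
    staging prefix (NotResource).  Aurora's export cannot request encryption, so
    it succeeds only under the staging prefix; everything else must be encrypted."""
    not_staging = f"arn:aws:s3:::{bucket}/{staging_prefix}*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyUnencryptedOutsideStaging", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "NotResource": not_staging,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKeyOutsideStaging", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "NotResource": not_staging,
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]}


def object_from_event(event: dict):
    """S3 notification records URL-encode the key ('+' for space); decode it."""
    rec = event["Records"][0]["s3"]
    return rec["bucket"]["name"], urllib.parse.unquote_plus(rec["object"]["key"])


def move_to_encrypted_prefix(s3, bucket: str, key: str):
    """Copy a staged export into FINAL_PREFIX with SSE-KMS, then remove the
    plaintext staged object.  Returns the destination key, or None if the event
    was not for the staging prefix (e.g. a misconfigured notification filter)."""
    if not key.startswith(STAGING_PREFIX):
        return None
    dest = FINAL_PREFIX + key[len(STAGING_PREFIX):]
    # Managed transfer: multipart for large objects, unlike copy_object (5 GB cap).
    s3.copy(CopySource={"Bucket": bucket, "Key": key}, Bucket=bucket, Key=dest,
            ExtraArgs={"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN})
    s3.delete_object(Bucket=bucket, Key=key)
    return dest


def handler(event, context, s3=None):
    """Lambda entry point.  The boto3 client is created lazily so the function
    can be tested offline by injecting a stand-in client."""
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    bucket, key = object_from_event(event)
    return move_to_encrypted_prefix(s3, bucket, key)


class RecordingS3:
    """Offline stand-in for the boto3 S3 client: records the calls it receives."""
    def __init__(self):
        self.calls = []

    def copy(self, **kwargs):
        self.calls.append(("copy", kwargs))

    def delete_object(self, **kwargs):
        self.calls.append(("delete_object", kwargs))


# Constructed ObjectCreated event for one file of an Aurora export (key URL-encoded as S3 sends it).
SAMPLE_EVENT = {"Records": [{"s3": {"bucket": {"name": BUCKET},
                                    "object": {"key": "aurora-staging/2020-08-24/orders.part_00000"}}}]}


if __name__ == "__main__":
    fake = RecordingS3()
    print("moved to:", handler(SAMPLE_EVENT, None, s3=fake))
    for name, kwargs in fake.calls:
        print(name, kwargs)
```

Give the Lambda's role `s3:GetObject` and `s3:DeleteObject` on the staging prefix, `s3:PutObject` on the final prefix, and `kms:GenerateDataKey` on the key; the bucket policy above does not grant anything, it only forbids writes that are not encrypted the way you expect.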