
When I generate the URL and the other attributes with a presigned POST and then try to upload my image using server-side encryption, that is, with a customer-managed key that I created myself. In my case I can use {"x-amz-server-side-encryption": "aws:kms"}. How do I upload with a customer-managed key? If I want to upload an image with a customer-managed key, do I use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?

Here is my sample code:

import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

# Presigned POST policies must be signed with SigV4.
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))

try:

    bucket_name = "s3-bucket"

    # Form fields the browser will send; each one must also be covered by a condition.
    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        # "x-amz-server-side-encryption-customer-algorithm": "AES256",
        # "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
        # "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"
    }

    conditions = [
        # 1 Byte - 25 MB
        ["content-length-range", 1, 26214400],
        {"x-amz-server-side-encryption": "aws:kms"},
        # {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
        # {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
        # {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"}
    ]

    file_name = "test.png"
    response = s3_client.generate_presigned_post(bucket_name,
                                                Key=file_name,
                                                Fields=fields,
                                                Conditions=conditions,
                                                ExpiresIn=3000)  # seconds until the policy expires

    print(response)

except ClientError as e:
    logging.error(e)


After adding "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>", I can access d9

Here is the new sample code:

import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

# Presigned POST policies must be signed with SigV4.
s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))

try:

    bucket_name = "s3-bucket"

    # SSE-KMS with a specific customer-managed key: the key id field and its condition.
    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"
    }

    conditions = [
        # 1 Byte - 25 MB
        ["content-length-range", 1, 26214400],
        {"x-amz-server-side-encryption": "aws:kms"},
        {"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"}
    ]

    file_name = "test.png"
    response = s3_client.generate_presigned_post(bucket_name,
                                                Key=file_name,
                                                Fields=fields,
                                                Conditions=conditions,
                                                ExpiresIn=300)  # seconds until the policy expires

    print(response)

except ClientError as e:
    logging.error(e)

{
    "code": 2000,
    "messages": [],
    "payload": {
        "url": "https://s3-bucket.s3.amazonaws.com/",
        "fields": {
            "Content-Type": "image/png",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
            "key": "kms005.png",
            "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
            "x-amz-date": "20210223T073640Z",
            "policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
            "x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
        }
    },
    "request_id": "1234567890"
}

Error message


2 Answers


For a customer-managed key, do I use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?

There is no such header for SSE-KMS (x-amz-server-side-encryption-customer-key is an SSE-C header, see below). Instead, if you want to use "x-amz-server-side-encryption": "aws:kms" with your own CMK (not the AWS managed CMK), then you must use

  • x-amz-server-side-encryption-aws-kms-key-id - specifies the ID of the customer-managed CMK used to protect the data

The header x-amz-server-side-encryption-customer-key-MD5 applies to SSE-C (customer-provided keys), not to SSE-KMS.

answered 2021-02-23T06:48:22.040
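An added check, not part of the question or either answer, for a generate_presigned_post response like the one above: it decodes the base64 policy and reports whether x-amz-server-side-encryption and x-amz-server-side-encryption-aws-kms-key-id are actually enforced as policy conditions, because x-amz-signature covers the policy, not the form fields, so a field without a matching condition is not pinned by the signature. make_sample, the sample fields, the expiration dates and the all-zero signature are constructed for this example; check_sse_kms_policy is a hypothetical helper, not a boto3 API.

```python
import base64
import json
from datetime import datetime, timezone

KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
UNCONSTRAINED = {"policy", "x-amz-signature", "file"}  # S3 needs no condition for these

def constrained_fields(policy):
    """Condition name -> value for {"k": v} and ["eq", "$k", v]; None for starts-with."""
    out = {}
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            out.update(cond)
        elif cond[0] in ("eq", "starts-with"):
            out[cond[1].lstrip("$")] = cond[2] if cond[0] == "eq" else None
    return out

def check_sse_kms_policy(presigned, now=None):
    """Findings (empty dict = OK): does the signed policy, not just the form, mandate SSE-KMS?"""
    fields = presigned["fields"]
    policy = json.loads(base64.b64decode(fields["policy"]))
    enforced = constrained_fields(policy)
    findings = {}
    if enforced.get("x-amz-server-side-encryption") != "aws:kms":
        findings["sse"] = "policy does not require x-amz-server-side-encryption=aws:kms"
    if not enforced.get(KEY_ID):
        findings["key_id"] = "policy does not pin a specific KMS key id"
    # A field with no condition is outside the signature: the client may drop or change it.
    uncovered = sorted(set(fields) - set(enforced) - UNCONSTRAINED)
    if uncovered:
        findings["uncovered_fields"] = uncovered
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ")
    if expires.replace(tzinfo=timezone.utc) <= (now or datetime.now(timezone.utc)):
        findings["expired"] = policy["expiration"]
    return findings

def make_sample(conditions, fields, expiration="2099-01-01T00:00:00Z"):
    """Constructed stand-in for generate_presigned_post output: no AWS call, dummy signature."""
    policy = {"expiration": expiration, "conditions": conditions}
    form = dict(fields, policy=base64.b64encode(json.dumps(policy).encode()).decode())
    form["x-amz-signature"] = "0" * 64  # placeholder, not a real signature
    return {"url": "https://s3-bucket.s3.amazonaws.com/", "fields": form}

# Constructed inputs: same form fields, with and without the key id pinned in the policy.
FIELDS = {"key": "test.png", "x-amz-server-side-encryption": "aws:kms", KEY_ID: "<KEY ID>"}
BASE = [["content-length-range", 1, 26214400], {"bucket": "s3-bucket"}, {"key": "test.png"},
        {"x-amz-server-side-encryption": "aws:kms"}]
WEAK = make_sample(BASE, FIELDS)                             # key id is a form field only
STRICT = make_sample(BASE + [{KEY_ID: "<KEY ID>"}], FIELDS)  # key id is also a condition
```

Run check_sse_kms_policy on the dict that generate_presigned_post returns before handing it to a browser; a non-empty result means the upload policy is weaker than the fields suggest.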

In KMS, the key policy must grant kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey. After adding those actions to the KMS key policy, the upload succeeds.

"Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
answered 2021-02-23T11:31:32.117