
The code below works when the file is not encrypted server side (plain text). I'm trying to download another file from the same bucket, but this file is encrypted via KMS.

I've tried SSECustomerKey and added .withSSECustomerKey(myKey), but no luck. Any ideas on how to modify this code, or could you point me in the right direction?

    import com.amazonaws.services.s3.AmazonS3;
    import com.amazonaws.services.s3.AmazonS3ClientBuilder;
    import com.amazonaws.services.s3.model.S3Object;
    import com.amazonaws.util.IOUtils;   // assumed; any IOUtils.toString(InputStream) works
    import java.io.IOException;

    AmazonS3 s3bucket = AmazonS3ClientBuilder.standard().withRegion("us-east-2").build();
    S3Object download = s3bucket.getObject("mybucket-bucket", "secretfile2.txt");

    try 
    {
        // IOUtils.toString returns a String; assigning it back to the S3Object variable does not compile
        String content = IOUtils.toString(download.getObjectContent());
    } 
    catch (IOException e1) 
    {
        e1.printStackTrace();
    }
Baked Inhalf

2 Answers


You first create a key object:

SSECustomerKey sseKey = new SSECustomerKey(secretKey); // secretKey: the base64-encoded 256-bit AES key you supplied at upload

Then you create a request with that key:

GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, keyName).withSSECustomerKey(sseKey);

Then you retrieve the object:

AmazonS3 s3client = new AmazonS3Client(...);
S3Object s3Object = s3client.getObject(getObjectRequest);
Sergey Kovalev
  • That explains why my logic fails. So **keyName** = Alias of key? and **secretKey** is what reads in the line after **ARN** (after key) in IAM Management Console? – Baked Inhalf Sep 26 '17 at 08:28
  • No, the secret key is not displayed anywhere. Especially for customer managed secret keys. That's why it's called a secret key. Amazon just doesn't have those keys, they are stored on your side, in some file/database/storage etc. – Sergey Kovalev Sep 26 '17 at 08:33
  • I get "{"errorMessage":"The encryption parameters are not applicable to this object. (Service: Amazon S3; Status Code: 400; Error Code: InvalidRequest" – Baked Inhalf Sep 26 '17 at 08:47
  • The file is AWS-KMS encrypted, I can see that in S3. But still I get "The encryption parameters are not applicable to this object" – Baked Inhalf Sep 26 '17 at 09:39
  • There is no need to call KMS somehow? – Baked Inhalf Sep 26 '17 at 11:07
  • 2
    If the key is managed by KMS you shouldn't use customer's key in the first place. Those two a mutually exclusive. How did you encrypt those files when you uploaded them? On the server side or on the client side? You should really read the docs to understand the differences between all S3 encryption options: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html – Sergey Kovalev Sep 26 '17 at 15:12
  • It's SSE-KMS I'm trying to use. The files are encrypted server side, when I added them to my bucket. Any ideas on how to code this? – Baked Inhalf Sep 27 '17 at 06:41

If it is still an issue... I've encountered the same issue and figured out that you shouldn't pass any keys when you download a file, i.e.

GetObjectRequest getObjectRequest = new GetObjectRequest(bucketName, keyName); // no SSECustomerKey for SSE-KMS objects
S3Object s3Object = s3client.getObject(getObjectRequest);

Because you used server-side encryption, AWS will automatically decrypt the file before sending it.

Andrey Beletsky
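As an added example (not code from either answer), a complete AWS SDK for Java v1 program that downloads the SSE-KMS object the way the second answer describes, with no SSECustomerKey, then reads the response headers to confirm the object really was KMS-protected and reports the permission failure that usually follows: the bucket and object names are the question's, the class and method names are assumed.

```java
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.AmazonS3Exception;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.util.IOUtils;

import java.io.IOException;

public class SseKmsDownload {

    // Downloads an SSE-KMS object. No SSECustomerKey is attached: S3 asks KMS to unwrap the
    // object's data key on the caller's behalf, so the caller needs kms:Decrypt on the CMK in
    // addition to s3:GetObject. Returns the plaintext content.
    static String downloadSseKms(AmazonS3 s3, String bucket, String key) throws IOException {
        GetObjectRequest req = new GetObjectRequest(bucket, key);
        try (S3Object obj = s3.getObject(req)) {
            ObjectMetadata meta = obj.getObjectMetadata();
            // x-amz-server-side-encryption on the response tells us how the object was stored;
            // "aws:kms" means SSE-KMS, "AES256" would mean SSE-S3, and an SSE-C object could
            // not have been fetched without its key at all.
            if (!ObjectMetadata.KMS_SERVER_SIDE_ENCRYPTION.equals(meta.getSSEAlgorithm())) {
                throw new IllegalStateException("expected aws:kms, got " + meta.getSSEAlgorithm());
            }
            System.out.println("Decrypted with KMS key " + meta.getSSEAwsKmsKeyId());
            return IOUtils.toString(obj.getObjectContent());
        }
    }

    public static void main(String[] args) {
        AmazonS3 s3 = AmazonS3ClientBuilder.standard().withRegion("us-east-2").build();
        try {
            System.out.println(downloadSseKms(s3, "mybucket-bucket", "secretfile2.txt"));
        } catch (AmazonS3Exception e) {
            if ("AccessDenied".equals(e.getErrorCode())) {
                // s3:GetObject alone is not enough for SSE-KMS: the KMS key policy or the
                // caller's IAM policy must also grant kms:Decrypt on the object's CMK.
                System.err.println("Access denied: check kms:Decrypt on the CMK, not only s3:GetObject");
            } else {
                throw e;
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```

Run it with credentials that have both s3:GetObject on the bucket and kms:Decrypt on the key; the printed KMS key ID should match the key shown for the object in the S3 console.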