How to get KMS KeyId using alias?

Question

I'm using the awssdk v2: https://sdk.amazonaws.com/java/api/latest/

I want to put objects in S3 using a customer-managed KMS key for encryption at rest, I'm using sse-c to achieve this. However, it seems to always default to the AWS managed key as opposed to the customer managed one.

Following is my code:

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId(this.s3KmsKeyId) // my key alias
        .build();

s3Client.putObject(putObjectRequest, RequestBody.fromString(data)); // data = some string value

I am using PutObjectRequest to configure my request and S3Client to send it off to S3.

Since the keys are set to rotate, I cannot use an arn or the keyId itself. I also can't seem to find an example of how this can be achieved using this sdk.

from my experience, the arn stays same even with key rotation. Only the cryptographic materia changes — capa_matrix, Jan 25 '23 at 17:22

score 5 · Accepted Answer · answered Dec 03 '19 at 16:43

To be able to retrieve a KMS Key Id from KMS you need to make use of the KmsClient. sseKmsKeyId will not accept an alias, because it is not able to figure out the Key ID using the alias.

You can do something like the following:

KmsClient kmsClient = KmsClient.builder().build();
DescribeKeyRequest req = DescribeKeyRequest.builder().keyId("alias/your_kms_alias").build();
DescribeKeyResponse res = kmsClient.describeKey(req);

// See https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html
// For the response you will get back from DescribeKey

// Then create the request to S3

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId(res.keyMetadata().keyId()) // the actual keyId from KMS CMK
        .build();

s3Client.putObject(putObjectRequest, RequestBody.fromString(data));

See also: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/kms/model/DescribeKeyRequest.html#keyId--

If you specify a predefined AWS alias (an AWS alias with no key ID), KMS associates the alias with an AWS managed CMK and returns its KeyId and Arn in the response.

Hope that helps.

vishnu g · Answer 2 · 2020-02-11T21:52:58.650

3

using an alias with s3 put can be achieved. was able to do it with cmk. used the v1 version of aws sdk

PutObjectRequest putObjectRequest =
    PutObjectRequest.builder()
        .bucket(bucket)
        .key(key)
        .serverSideEncryption(ServerSideEncryption.AWS_KMS)
        .ssekmsKeyId("alias/kms-key-id-alias-name") // use this format and it uploads
        .build();

edited Feb 11 '20 at 21:52

answered Feb 11 '20 at 21:32

vishnu g

99
4

How to get KMS KeyId using alias?

2 Answers2