
When I use a presigned POST to generate the URL and the other attributes, I try to upload my image with server-side encryption using a customer managed key (a key created by me). In my case, I can upload with {"x-amz-server-side-encryption": "aws:kms"}. How can I upload with a customer managed key? If I want to upload an image with a customer managed key, am I supposed to use x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?

Here is my sample code:

import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))

try:
    bucket_name = "s3-bucket"

    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        # The three customer-* headers below belong to SSE-C (customer-provided key),
        # not to SSE-KMS; left commented out as in the original attempt.
        # "x-amz-server-side-encryption-customer-algorithm": "AES256",
        # "x-amz-server-side-encryption-customer-key": "<customer-managed-key>",
        # "x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"
    }

    conditions = [
        # 1 byte - 25 MB
        ["content-length-range", 1, 26214400],
        {"x-amz-server-side-encryption": "aws:kms"},
        # {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
        # {"x-amz-server-side-encryption-customer-key": "<customer-managed-key>"},
        # {"x-amz-server-side-encryption-customer-key-MD5": "<customer-managed-key>"}
    ]

    file_name = "test.png"
    response = s3_client.generate_presigned_post(bucket_name,
                                                 Key=file_name,
                                                 Fields=fields,
                                                 Conditions=conditions,
                                                 ExpiresIn=3000)

    print(response)

except ClientError as e:
    # logging.error returns None, so printing its result only prints "None"
    logging.error(e)


After I add "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>", I get access denied.

This is the new sample code:

import logging
import boto3
from botocore.config import Config
from botocore.exceptions import ClientError

s3_client = boto3.client("s3", config=Config(signature_version="s3v4"))

try:
    bucket_name = "s3-bucket"

    fields = {
        "x-amz-server-side-encryption": "aws:kms",
        # SSE-KMS with a customer managed CMK: name the key by ID (or ARN)
        "x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"
    }

    conditions = [
        # 1 byte - 25 MB
        ["content-length-range", 1, 26214400],
        # every field the form sends must also be allowed by a condition
        {"x-amz-server-side-encryption": "aws:kms"},
        {"x-amz-server-side-encryption-aws-kms-key-id": "<KEY ID>"}
    ]

    file_name = "test.png"
    response = s3_client.generate_presigned_post(bucket_name,
                                                 Key=file_name,
                                                 Fields=fields,
                                                 Conditions=conditions,
                                                 ExpiresIn=300)

    print(response)

except ClientError as e:
    # logging.error returns None, so printing its result only prints "None"
    logging.error(e)

{
    "code": 2000,
    "messages": [],
    "payload": {
        "url": "https://s3-bucket.s3.amazonaws.com/",
        "fields": {
            "Content-Type": "image/png",
            "x-amz-server-side-encryption": "aws:kms",
            "x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
            "key": "kms005.png",
            "x-amz-algorithm": "AWS4-HMAC-SHA256",
            "x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
            "x-amz-date": "20210223T073640Z",
            "policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
            "x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16"
        }
    },
    "request_id": "1234567890"
}

Error message

Adrian
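One check worth running on any presigned POST response before handing it to a browser is whether the policy document actually covers every form field, because S3 rejects a POST that carries a field the signed policy does not mention (a 403 whose message reports extra input fields). The following is an added example, not code from the question or the answers; it decodes the base64 policy from the response pasted above and lists the fields that no condition constrains. The exempt set (policy, x-amz-signature, file) is the set of fields S3 does not require the policy to mention. Run against the pasted response, it reports both Content-Type and x-amz-server-side-encryption-aws-kms-key-id as uncovered, even though both are present as fields.

```python
import base64
import json

# Copied from the presigned POST response pasted in the question.
FIELDS = {
    "Content-Type": "image/png",
    "x-amz-server-side-encryption": "aws:kms",
    "x-amz-server-side-encryption-aws-kms-key-id": "12345678-01s1-abba-abcd-fb9f6e5bf13d",
    "key": "kms005.png",
    "x-amz-algorithm": "AWS4-HMAC-SHA256",
    "x-amz-credential": "AKIAXHC4C5L2YWPYEWHO/20210223/us-east-1/s3/aws4_request",
    "x-amz-date": "20210223T073640Z",
    "policy": "eyJleHBpcmF0aW9uIjogIjIwMjEtMDItMjNUMDc6NDE6NDBaIiwgImNvbmRpdGlvbnMiOiBbWyJjb250ZW50LWxlbmd0aC1yYW5nZSIsIDEsIDI2MjE0NDAwXSwgeyJ4LWFtei1zZXJ2ZXItc2lkZS1lbmNyeXB0aW9uIjogImF3czprbXMifSwgeyJidWNrZXQiOiAiczMtYWRyaWFuLXRlc3QtYnVja2V0In0sIHsia2V5IjogImttczAwNS5wbmcifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQVhIQzRDNUwyWVdQWUVXSE8vMjAyMTAyMjMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAyMTAyMjNUMDczNjQwWiJ9XX0=",
    "x-amz-signature": "e0c40e744d1989578517168341fa17a21c297ffa0e1be6c84e448dea373b7d16",
}

# Form fields that S3 does not require the policy document to mention.
EXEMPT = {"policy", "x-amz-signature", "file"}


def decode_policy(policy_b64: str) -> dict:
    """The 'policy' field is the base64 of the JSON policy document that was signed."""
    return json.loads(base64.b64decode(policy_b64))


def covered_fields(policy: dict) -> set:
    """Names (lower-cased) of the form fields that some condition constrains.

    Exact-match conditions are {"field": "value"}; "eq"/"starts-with" conditions are
    ["op", "$field", "value"]; content-length-range limits the body, not a named field.
    """
    names = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            names.update(k.lower() for k in cond)
        elif isinstance(cond, list) and len(cond) == 3:
            op, field, _value = cond
            if op in ("eq", "starts-with") and isinstance(field, str) and field.startswith("$"):
                names.add(field[1:].lower())
    return names


def uncovered_fields(fields: dict) -> list:
    """Form fields that will be sent but that the signed policy never mentions."""
    covered = covered_fields(decode_policy(fields["policy"]))
    return sorted(name for name in fields
                  if name not in EXEMPT and name.lower() not in covered)


if __name__ == "__main__":
    policy = decode_policy(FIELDS["policy"])
    print("expires:", policy["expiration"])
    print("conditions cover:", sorted(covered_fields(policy)))
    print("fields with no condition:", uncovered_fields(FIELDS))
```

Because the pasted policy was signed without those two conditions, a form built from these fields cannot be what the posted code produced (that code adds the key-id condition); running this check on the exact response that failed is the quickest way to tell a policy mismatch from a KMS permission problem.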

2 Answers


Customer managed key, am I using the x-amz-server-side-encryption-customer-key and x-amz-server-side-encryption-customer-key-MD5?

There is no such header as x-amz-server-side-encryption-customer-key for SSE-KMS (it's for SSE-C, see below). Instead, if you are going to use "x-amz-server-side-encryption": "aws:kms" and want to use your own CMK (not the AWS managed CMK), then you have to use:

  • x-amz-server-side-encryption-aws-kms-key-id - to specify the ID of the customer managed CMK used to protect the data

Header x-amz-server-side-encryption-customer-key-MD5 is for SSE-C (customer-provided keys), not for SSE-KMS.

Marcin
  • Hi Marcin, thanks for the reply. I just need to add this field `"x-amz-server-side-encryption-aws-kms-key-id": ""`, and the image will stick with the customer managed key, am I correct? Thank you – Adrian Feb 23 '21 at 06:59
  • @Adrian Yes. Please try, and if you have more difficulties, please let me know or update the question with the new error details. Alternatively, you can make a new question. – Marcin Feb 23 '21 at 07:00
  • After I add `"x-amz-server-side-encryption-aws-kms-key-id": ""` and try to upload the image, I get access denied. Do I need to add extra fields? Thank you – Adrian Feb 23 '21 at 07:10
  • @Adrian Your question does not reflect the new code, nor the new issue. When and how do you get access denied? What is the full error message? – Marcin Feb 23 '21 at 07:45
  • I updated the question with all the screenshots and images, all the sample code, the presigned POST response, and the final output – Adrian Feb 23 '21 at 08:06
  • @Adrian Sorry, not sure how to address the new issue. But also your code will not work. `conditions` is missing a comma after the second element, so it's difficult to speculate whether the code in the question is fully representative of your actual code or not. – Marcin Feb 23 '21 at 08:53
  • I pasted that line and forgot to add the comma; in my code there is a comma, and when I run it I get access denied. If I had forgotten the comma, running the script would display the error message. I'm not sure whether I'm missing some code or need to change some settings in my bucket? – Adrian Feb 23 '21 at 09:09
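The distinction in the answer above, SSE-KMS (one header naming the CMK) versus SSE-C (three customer-* headers carrying the key itself), can be made concrete by building and checking each field set. The following is an added example, not code from the question or the answer. It shows how the SSE-C key-MD5 field is derived from the raw key (the question's commented-out code put the same placeholder in both customer-key and customer-key-MD5, which this check flags), and rejects field sets that mix the two schemes or name a KMS key without "aws:kms". The key material in the test is constructed for illustration.

```python
import base64
import hashlib
import os

SSE_KMS = "x-amz-server-side-encryption"
SSE_KMS_KEY_ID = "x-amz-server-side-encryption-aws-kms-key-id"
SSE_C_ALGORITHM = "x-amz-server-side-encryption-customer-algorithm"
SSE_C_KEY = "x-amz-server-side-encryption-customer-key"
SSE_C_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"
SSE_C_ALL = {SSE_C_ALGORITHM, SSE_C_KEY, SSE_C_KEY_MD5}


def sse_kms_fields(kms_key_id: str) -> dict:
    """Form fields for SSE-KMS with a customer managed CMK (the case in the question).

    S3 calls KMS with the key named here; the uploader never sees key material.
    """
    return {SSE_KMS: "aws:kms", SSE_KMS_KEY_ID: kms_key_id}


def sse_c_fields(raw_key: bytes) -> dict:
    """Form fields for SSE-C: the caller supplies the 256-bit key itself, base64-encoded,
    plus the base64 MD5 of the *raw* key so S3 can detect a corrupted key in transit."""
    if len(raw_key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        SSE_C_ALGORITHM: "AES256",
        SSE_C_KEY: base64.b64encode(raw_key).decode(),
        SSE_C_KEY_MD5: base64.b64encode(hashlib.md5(raw_key).digest()).decode(),
    }


def check_sse_fields(fields: dict) -> list:
    """Return the problems with the encryption fields; an empty list means consistent."""
    problems = []
    has_kms = SSE_KMS in fields
    sse_c = {name for name in SSE_C_ALL if name in fields}

    if has_kms and sse_c:
        problems.append("SSE-KMS and SSE-C headers cannot be combined in one request")
    if SSE_KMS_KEY_ID in fields and fields.get(SSE_KMS) != "aws:kms":
        problems.append(f"{SSE_KMS_KEY_ID} only applies when {SSE_KMS} is aws:kms")
    if sse_c:
        missing = SSE_C_ALL - sse_c
        if missing:
            problems.append("SSE-C needs all three customer-* headers; missing "
                            + ", ".join(sorted(missing)))
        else:
            try:
                raw = base64.b64decode(fields[SSE_C_KEY], validate=True)
            except (ValueError, TypeError):
                raw = b""
            if len(raw) != 32:
                problems.append(f"{SSE_C_KEY} must be the base64 of a 32-byte key")
            expect = base64.b64encode(hashlib.md5(raw).digest()).decode()
            if fields[SSE_C_KEY_MD5] != expect:
                problems.append(f"{SSE_C_KEY_MD5} is not the base64 MD5 of the supplied key")
    return problems


if __name__ == "__main__":
    # Illustrative key only: a real SSE-C key comes from your own key management.
    demo_key = os.urandom(32)
    print(sse_c_fields(demo_key))
    print(check_sse_fields(sse_kms_fields("<KEY ID>")))
```

Note the operational difference the check makes visible: with SSE-KMS the presigned form carries only a key ID, so the uploader needs nothing secret, whereas SSE-C fields hand the raw key to whoever submits the form, which is rarely what you want for a browser upload.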

The KMS key policy must grant kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey. After adding these actions to the KMS key policy, the upload succeeds.

"Statement": [
    {
        "Effect": "Allow",
        "Principal": {"AWS": "<ARN of the IAM user or role whose credentials sign the presigned POST>"},
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
        ],
        "Resource": "*"
    }
]
Adrian