如何使用带有 ksm 加密的 aws s3 createPresignedPost
[英]How to use aws s3 createPresignedPost with ksm encryption
问题描述
I have found aws documentation for doing this with Java, and a couple of scattered references for javascript developers, but I have not been able to accomplish this without receiving access denied from aws.
我已经找到了与 Java 一起执行此操作的 aws 文档,以及一些针对 javascript 开发人员的零散参考,但如果没有收到 aws 拒绝的访问权限,我将无法完成此操作。 I've tried a lot of different variations.我尝试了很多不同的变体。
To make matters a little worse, my development environment is a proprietary framework that handles a lot of the role and credentialling in the background, but I have been able to identify that the ksm policy is the sticking point, and I have not found the solution.更糟糕的是,我的开发环境是一个专有框架,可以在后台处理很多角色和凭证,但我已经能够确定 ksm 策略是症结所在,但我还没有找到解决方案.
I've tried passing parameters to the signing process:我试过将参数传递给签名过程:
const params = {
Bucket: targetBucket,
ServerSideEncryption: 'aws:kms',
SSEKMSKeyId: keyId,
Conditions: [{ acl: 'private' }, { key: filepath } ]
};
return new Promise((res, rej) => {
clientS3.createPresignedPost(params, (err, data) => {
if (err) {
console.log(err.message);
rej(err);
} else {
console.log(data);
res({ data, filepath, encryption, bucket });
}
});
});
That didn't work.那没有用。 Access denied.拒绝访问。 (Yes, I included these values in the formdata, to ensure a correctly signed request.) (是的,我将这些值包含在表单数据中,以确保正确签署请求。)
I also tried adding headers to the post request itself, via:我还尝试通过以下方式将标头添加到发布请求本身:
return axios
.post(response.data.url, formData, {
headers: {
'Content-Type': 'multipart/form-data',
'x-amz-server-side-encryption-aws-kms-key-id': response.encryption,
'x-amz-server-side-encryption-context': bucketArn
},
....
Access Denied.拒绝访问。 I've tried mixing and matching approaches.我试过混合和匹配方法。 I can make things worse by breaking the signature, but I can't land the encrypted file or find documentation to accomplish this.我可以通过破坏签名使事情变得更糟,但我无法获取加密文件或找到文档来完成此操作。
UPDATE : I have verified that the access role has KMS permissions to Encrypt & GenerateDataKey, as per jarmod;更新:根据 jarmod,我已验证访问角色具有加密和生成数据密钥的 KMS 权限; AND I have verified that removing the encryption policies on the bucket allow the upload no problem.并且我已经验证删除存储桶上的加密策略允许上传没有问题。
The policy described is:所描述的政策是:
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::[[ bucket name ]]/*",
"Condition": {
"StringNotLikeIfExists": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "[[ kms arn ]]"
}
}
}
UPDATE更新
After adding the header x-amz-server-side-encryption: aws:kms I got no better result.添加 header x-amz-server-side-encryption: aws:kms后,我没有得到更好的结果。 The full request headers are:完整的请求标头是:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 307546
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4B20k5OmUGzGhYoV
Host: s3.us-west-2.amazonaws.com
Origin: http://localhost:8888
Referer: http://localhost:8888/
sec-ch-ua: "Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
x-amz-server-side-encryption: aws:kms
x-amz-server-side-encryption-aws-kms-key-id: [[ full arn of kms key ]]
x-amz-server-side-encryption-context: arn:aws:s3:::[[ bucket name ]]/*
The response headers are:响应标头是:
Request URL: https://s3.us-west-2.amazonaws.com/[[ bucket name ]]
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 52.92.145.80:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: http://localhost:8888
Connection: close
Content-Type: application/xml
Date: Mon, 05 Dec 2022 02:07:11 GMT
Server: AmazonS3
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
x-amz-id-2: [[ ugly amz string ]]
x-amz-request-id: [[ shorter amz string ]]
The response payload is:响应负载是:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>.
<RequestId>[[ same as header request id ]]</RequestId>.
<HostId>[[ same as long amz id in headers ]] </HostId></Error>
Finally, the payload of the formdata is:最后,表单数据的有效载荷是:
acl: private
key: [[ filename ]]
bucket: [[ bucket ]]
X-Amz-Algorithm: AWS4-HMAC-SHA256
X-Amz-Credential: [[credential string ]]
X-Amz-Date: 20221205T020711Z
X-Amz-Security-Token: [[ token ]]
Policy: [[ policy string ]]
X-Amz-Signature: [[ signature string ]]
file: (binary)
1 个解决方案
解决方案1
0 2022-12-10 16:01:29
Here's a working example of a S3 Presigned URL upload with Customer-managed KMS key encryption.下面是使用客户管理的 KMS 密钥加密的 S3 预签名 URL 上传的工作示例。 I used the JS SDK v3 @aws-sdk/s3-request-presigner package for signing and Node18's native fetch.我使用 JS SDK v3 @aws-sdk/s3-request-presigner package 进行签名和 Node18 的本地获取。
I tested it with two Bucket Policy scenarios: (a) your bucket policy verbatim (b) the policy from this AWS Knowledge Center Q&A .我使用两个存储桶策略场景对其进行了测试:(a) 您的存储桶策略逐字记录 (b) 此AWS 知识中心问答中的策略。 The upload succeeds against both policies with the headers below.根据以下标头的两个策略,上传成功。 As expected, it fails with a 403 response if the required headers are removed.正如预期的那样,如果删除了所需的标头,它会失败并403响应。
const body = "Uploaded with a pre-signed URL and Customer-managed KMS key!";
const keyId = "arn:aws:kms:us-east-1:123456789012:key/231389a0-...";
const command = new PutObjectCommand({
Bucket: "my-bucket-123456789012-us-east-1",
Key: `myFile.txt`,
ServerSideEncryption: "aws:kms",
SSEKMSKeyId: keyId,
Body: body,
});
const url = await getSignedUrl(client, command, { expiresIn: 3600 });
const res = await fetch(url, {
method: "PUT",
headers: {
"x-amz-server-side-encryption": "aws:kms",
"x-amz-server-side-encryption-aws-kms-key-id": keyId,
},
body,
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.