How to get Amazon s3 Encrypted object with signed URL?

Question

I have created a signed URL for my s3 object.

The object is stored using 'Server-Side Encryption with Customer-Provided Encryption Keys'.

Now, When my client browses to the signed URL he gets :

The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object

I need somehow make my client send the "x-amz-server-side-encryption-customer-algorithm" and "x-amz-server-side-encryption-customer-key" headers before reaching the URL.

Any idea how can I achieve that ?

Answer 1

"x-amz-server-side-encryption-customer-algorithm" and "x-amz-server-side-encryption-customer-key" should be used at server side when signing the URL and the client don't need to add any header to the requests.

I don't know the PHP syntax but in Java SDK it works like this:

 generatePresignedUrlRequest = new GeneratePresignedUrlRequest(BUCKET_NAME, TOKEN)
 .withSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm())
 .withKmsCmkId("YOUR_KMS_KEY_ID");

OR

 generatePresignedUrlRequest.addRequestParameter("x-amz-server-side-encryption", "aws:kms");
 generatePresignedUrlRequest.addRequestParameter("x-amz-server-side-encryption-aws-kms-key-id", "YOUR_KMS_KEY_ID");

When signing for GET method you shouldn't do anything spacial.

For more info you can look at this guide: Generating Amazon S3 Pre-signed URLs with SSE

Raz