Error while decrypting file using KMS key in Amazon S3

Question

I am trying to use Amazon S3 as a file system with encryption.

I am able to upload a file to the AWS S3 server using a KMS encryption key (server-side encryption). Please find the working code below:

For encryption:

// Imports needed by the snippets below (AWS SDK for Java v1)
import java.io.FileInputStream;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;

private static final String AWS_KMS_KEY = "---KMS Key---";
private static final String BUCKET_NAME = "---bucket name---";
private static final String keyName = "---display key name---";
private static final String filePath = "---File Path---";
private static final String ACCESS_KEY_ID = "---aws accesskey---";
private static final String SECRET_ACCESS_KEY = "---aws secret key---";

AWSCredentials awsCredentials = new BasicAWSCredentials(ACCESS_KEY_ID, SECRET_ACCESS_KEY);
AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
    .withRegion(Regions.US_WEST_2).withForceGlobalBucketAccessEnabled(true).build();

FileInputStream stream = new FileInputStream(filePath);

// Ask S3 to encrypt the object server-side with a KMS key
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm(SSEAlgorithm.KMS.getAlgorithm());

// Bucket name, object key, content and metadata (the bucket argument was an undefined variable)
PutObjectRequest putObjectRequest = new PutObjectRequest(BUCKET_NAME, keyName, stream, objectMetadata);
putObjectRequest.withCannedAcl(CannedAccessControlList.PublicRead);
putObjectRequest.withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(AWS_KMS_KEY));

PutObjectResult result = s3Client.putObject(putObjectRequest);


I am facing an issue while retrieving the file with server-side decryption. I want to access the AWS URL directly to retrieve that file with decryption. Please find below the code which is not working:

For object read:

Object read without KMS key:

// Bucket and key of the object uploaded above (the original passed undefined variables here)
GetObjectRequest request = new GetObjectRequest(BUCKET_NAME, keyName);
// Unsigned URL of the object
URL objectUrl = s3Client.getUrl(BUCKET_NAME, keyName);

The above code is for reading the object without the KMS encryption key; it shows the error below.

Code: InvalidArgument

Message: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.


Object read with KMS key:

GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
            .withSSEAlgorithm(SSEAlgorithm.KMS)
            .withKmsCmkId(AWS_KMS_KEY);

URL puturl = s3Client.generatePresignedUrl(genreq);

The above code is for reading the object through a presigned URL with the KMS encryption key; it shows the error below.

Code: SignatureDoesNotMatch

Message: The request signature we calculated does not match the signature you provided. Check your key and signing method.

Is this the right way to do it? Are there any suggestions? Please help.

Recommended answer

If the signature does not match, please use the following code to set the signature version manually (for reference: AWS Java SDK manually set signature version).

System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");

We can use the code below to get a presigned URL:

// Expiry of the presigned URL (one hour from now); the original used an undefined variable here
Date expiration = new Date(System.currentTimeMillis() + 60 * 60 * 1000L);

GeneratePresignedUrlRequest genreq = new GeneratePresignedUrlRequest(BUCKET_NAME, keyName, HttpMethod.GET)
    .withExpiration(expiration);

URL puturl = s3Client.generatePresignedUrl(genreq);

This URL will contain the expiry time and the signature, like the following:

Output

https://mybucket.s3.amazonaws.com/abc_count.png?AWSAccessKeyId=AKIAJXXXXXXXXXXXXXXX&Expires=1503602631&Signature=ibOGfAovnhIF13DALdAgsdtg2s%3D

Hope this helps someone.
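Putting the answer together: the following is an added example (not the asker's or the answerer's code) showing an AWS SDK for Java v1 client forced onto Signature Version 4, an SSE-KMS upload, and a short-lived presigned GET URL for the same object. The bucket name, KMS key alias and region are placeholders, and credentials are taken from the default provider chain instead of being hard-coded. Note that the SSE-KMS parameters that the question attached to the presigned GET request only make sense for an upload; for a download S3 reads the encryption settings from the object itself, so the GET request is presigned with nothing but an expiry.

```java
import java.io.File;
import java.net.URL;
import java.util.Date;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.HttpMethod;
import com.amazonaws.SDKGlobalConfiguration;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
import com.amazonaws.services.s3.model.PutObjectRequest;
import com.amazonaws.services.s3.model.SSEAwsKeyManagementParams;

public class SseKmsPresignExample {
    // Placeholder values; replace with your own bucket and KMS key (alias or key ARN)
    private static final String BUCKET = "example-bucket";
    private static final String KMS_KEY = "alias/example-key";
    private static final long URL_TTL_MS = 15 * 60 * 1000L; // presigned URL lives 15 minutes

    static AmazonS3 buildClient() {
        // Either line alone forces SigV4 in SDK v1; SigV4 also needs an explicit region
        System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");
        ClientConfiguration cfg = new ClientConfiguration().withSignerOverride("AWSS3V4SignerType");
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .withClientConfiguration(cfg)
                .withRegion(Regions.US_WEST_2)
                .build();
    }

    static void uploadEncrypted(AmazonS3 s3, String key, File file) {
        // Request SSE-KMS for this object. No public-read ACL: an SSE-KMS object can only be
        // read by a principal allowed to call kms:Decrypt on the key, so the ACL would only
        // leak the object's existence without making it readable.
        PutObjectRequest req = new PutObjectRequest(BUCKET, key, file)
                .withSSEAwsKeyManagementParams(new SSEAwsKeyManagementParams(KMS_KEY));
        s3.putObject(req);
    }

    static URL presignedGet(AmazonS3 s3, String key) {
        // Only the expiry is signed; any extra signed header (such as the SSE headers added in
        // the question) would also have to be sent by whoever downloads the URL, or the
        // signature check fails.
        Date expiry = new Date(System.currentTimeMillis() + URL_TTL_MS);
        GeneratePresignedUrlRequest req = new GeneratePresignedUrlRequest(BUCKET, key, HttpMethod.GET)
                .withExpiration(expiry);
        return s3.generatePresignedUrl(req);
    }

    public static void main(String[] args) {
        AmazonS3 s3 = buildClient();
        String key = "reports/report.pdf"; // object key used for this run
        uploadEncrypted(s3, key, new File(args[0]));
        System.out.println(presignedGet(s3, key));
    }
}
```

With SigV4 the generated URL carries X-Amz-Algorithm, X-Amz-Credential, X-Amz-Expires and X-Amz-Signature query parameters rather than the AWSAccessKeyId/Expires/Signature form shown in the answer's output; whoever holds the URL can fetch the object until the expiry, and S3 performs the KMS decryption on behalf of the signing identity, so that identity needs kms:Decrypt on the key and the expiry should be kept short.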
