java - 如何使用 kms 角色将文件上传到 Amazon S3?
问题描述
我想将文件从提供 IAM 凭证的环境上传到 Amazon S3。但是我收到此错误:
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: EF93490A8356F585)
IAM 角色如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::sam-94a493b-dev"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::sam-bbcb194a493b-dev/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-1:000351272236:key/9b7a989c-ee8e-4c83-b765-6debe0f94eaa"
]
}
]
}
我使用默认客户端访问 Amazon S3 客户端和putObject方法将对象放入具有fileNameWithPath(path/in/s3/filename.ext) 的存储桶中访问 s3 的代码如下:
AmazonS3 s3client = AmazonS3ClientBuilder.defaultClient();
s3client.putObject(bucketName, fileNameWithPath, file)
我得到的错误是:
com.amazonaws.services.s3.model.AmazonS3Exception: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: EF93490A8356F585)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1587) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1257) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1029) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:741) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:715) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:697) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:665) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:647) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:511) ~[aws-java-sdk-core-1.11.163.jar!/:?]
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4227) ~[aws-java-sdk-s3-1.11.163.jar!/:?]
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:4174) ~[aws-java-sdk-s3-1.11.163.jar!/:?]
at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1722) ~[aws-java-sdk-s3-1.11.163.jar!/:?]
at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1577) ~[aws-java-sdk-s3-1.11.163.jar!/:?]
at com.example.services.S3Service.uploadFile(S3Service.java:63) ~[classes!/:?]
我的 aws sdk 版本是 -1.11.163默认情况下应该有签名版本 4。我不确定问题出在哪里
我已经尝试在“AES256”和“ putObjectAWS4 -HMAC-SHA256”中设置各种 SSEAlgorithm,但这些都没有帮助。
任何线索都将被应用。
解决方案
我按照以下步骤解决了这个问题 -
- 明确指定
request通过PutObjectRequest - 创建一个
new ObjectMetadata并设置SSEAlgorithm它 - “aws:kms”。 - 附加
objectMetadata到request. - 发送
requestviaputObject方法。
这是代码 -
PutObjectRequest request = new PutObjectRequest(bucketName, ruleFilePath, file);
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setSSEAlgorithm("aws:kms");
request.setMetadata(objectMetadata);
this.s3client.putObject(request);
推荐阅读
- vector - 如何获取和替换 Rust Vec 中的值?
- python - 如何下载html表格内容?
- python-3.x - Python 3 中没有函数的 Deepcopy 对象
- r - RStudio 中的传单:RHTML 文档的内容是静态的,RMarkdown 的内容是动态的
- django - 从 HttpResponse 导入 django.http ^ SyntaxError: invalid syntax
- reactjs - React Semantic UI Modal 未显示
- javascript - React 渲染一个空组件
- node.js - 如何串行链接http请求函数
- php - 从 json 打印 PHP 文本
- node.js - 如何根据用户类型重定向用户