Non default master key Server Side Encryption KMS support #235

Open
mubeta06 opened this Issue Jan 18, 2017 · 13 comments

6 participants
@mubeta06

mubeta06 commented Jan 18, 2017

Currently the buildkite agent KMS support is limited to (as per the environment script)

aws s3 cp --sse aws:kms source destination

which ends up employing the default master key for the S3 service, i.e. the key that is used to encrypt S3 objects when no other key is defined.

It would be ideal to make use of an explicit kms key id issued exclusively for buildkite agent purposes. Something like

aws s3 cp --sse-kms-key-id arn:aws:kms:ap-southeast-2:123456789:key/ac54dbd2-f301-42c1-bab9-88e6a84292a9

where the ARN for the key could be passed in as a parameter to the CloudFormation template for the stack.

@lox

Contributor

lox commented Jan 18, 2017

Sounds like this would make for a sensible default, along with creating a dedicated key in the cloudformation stack.

I wonder what the behaviour of changing the KMS key associated with already SSE encrypted files is.

@lox lox added the enhancement label Jan 18, 2017

@mubeta06

mubeta06 commented Jan 19, 2017

Just my 2 cents' worth. I think S3 default master key encryption as it is implemented today makes for a sensible default; the additional ability to specify the ARN of a KMS key as a parameter to the CF template for the stack would be slick.

@lox

Contributor

lox commented Jan 20, 2017

Yup, on reflection, I agree.

@ReshuS

ReshuS commented May 9, 2017

Hi,
aws s3 cp --sse-kms-key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
When I execute the above command, I am getting the following error:
-- when calling the put object operation: Server side encryption with aws kms managed key requires http header x-amz-server-side-encryption:aws:kms

How can I overcome this issue? Please help me with this.

@gugahoi

Contributor

gugahoi commented May 9, 2017

@ReshuS I believe you need to specify: --sse aws:kms too

@ReshuS

ReshuS commented May 10, 2017

@gugahoi Yes, thank you! It's working now... :-)

@sushilvarma2

sushilvarma2 commented Sep 8, 2017

When I am running this command I am facing the following error:
aws s3 cp --sse=aws:kms --sse-kms-key-id kms-id-value file-to-be-copied.text s3://bucketname/.
error:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied.

@lox

Contributor

lox commented Sep 8, 2017

I hate to ask, but you're using your bucket name, not bucketname, right @sushilvarma2?

@sushilvarma2

sushilvarma2 commented Sep 8, 2017

Yes, that is right. That is just for reference.

@lox

Contributor

lox commented Sep 8, 2017

@sushilvarma2

sushilvarma2 commented Sep 8, 2017

Yes, I assigned the S3 and KMS roles to the user.

It works without any issue when I am using the default KMS ID and not even providing a KMS ID. Just a simple copy to the S3 bucket.

I have also used this option, as advised in the AWS documentation:
aws configure set default.s3.signature_version s3v4

I have also tried both of these policies on the bucket, but no help:

{
  "Version": "2012-10-17",
  "Id": "Policy1504851851295",
  "Statement": [
    {
      "Sid": "Stmt1504851844388",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:user/testuser1"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    }
  ]
}
2nd time:
{
  "Version": "2012-10-17",
  "Id": "Policy1504851851295",
  "Statement": [
    {
      "Sid": "Stmt1504851844388",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxxxx:user/testuser1"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucketname/*"
    }
  ]
}
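
As an added example (not code from the issue, the buildkite stack or any commenter), here is how a defender would express "only SSE-KMS with our dedicated key" as a bucket policy: two Deny statements, which cannot be overridden by an Allow, instead of the Allow + StringNotEquals shape posted above. A small evaluator shows which PutObject requests the policy rejects; the bucket name and key ARN are constructed placeholders.

```python
# Constructed placeholders for this example; not a real bucket or key.
BUCKET = "example-ci-artifacts"
KEY_ARN = ("arn:aws:kms:ap-southeast-2:111122223333:"
           "key/00000000-0000-0000-0000-000000000000")


def require_kms_key_policy(bucket: str, key_arn: str) -> dict:
    """Bucket policy rejecting any PutObject that is not SSE-KMS with key_arn.
    An explicit Deny wins over every Allow the principal may otherwise have."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # no SSE header at all, or SSE-S3 (AES256): rejected
                "Sid": "DenyUploadsWithoutKms",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # SSE-KMS with the default aws/s3 key or any other key: rejected
                "Sid": "DenyUploadsWithOtherKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
            },
        ],
    }


def put_object_denied(policy: dict, headers: dict) -> bool:
    """Minimal evaluator for the Deny/StringNotEquals statements above.
    `headers` maps lowercase x-amz-* request headers to values. As in IAM,
    StringNotEquals on an absent key is true, so omitting the header denies."""
    for stmt in policy["Statement"]:
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            header = key[len("s3:"):]  # s3:x-amz-... -> request header name
            if headers.get(header) != expected:
                return True
    return False
```

With this policy in place, `aws s3 cp --sse aws:kms --sse-kms-key-id <dedicated key ARN>` is the only form of the command in this thread that succeeds; `--sse aws:kms` alone (default key) and a plain copy are denied. The uploading principal must separately be allowed to use the key through the key policy, which is the "key users" fix reported later in the thread.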

@sushilvarma2

sushilvarma2 commented Sep 8, 2017

This issue got resolved by adding the user into the "key users" section of the encryption key. Earlier I had added this user only to the "Key Administrator" section. Thanks everyone.

@vivek9018

vivek9018 commented Dec 26, 2017

Thanks a lot everyone, I had been breaking my head since yesterday; I found this post and it worked.
Case: copying data using the AWS CLI from an SSE-encrypted bucket to a bucket encrypted with a custom KMS key.
