I have found aws documentation for doing this with Java, and a couple of scattered references for javascript developers, but I have not been able to accomplish this without receiving access denied from aws. I’ve tried a lot of different variations.
To make matters a little worse, my development environment is a proprietary framework that handles a lot of the role and credentialling in the background, but I have been able to identify that the ksm policy is the sticking point, and I have not found the solution.
I’ve tried passing parameters to the signing process:
const params = {
Bucket: targetBucket,
ServerSideEncryption: 'aws:kms',
SSEKMSKeyId: keyId,
Conditions: [{ acl: 'private' }, { key: filepath } ]
};
return new Promise((res, rej) => {
clientS3.createPresignedPost(params, (err, data) => {
if (err) {
console.log(err.message);
rej(err);
} else {
console.log(data);
res({ data, filepath, encryption, bucket });
}
});
});
That didn’t work. Access denied. (Yes, I included these values in the formdata, to ensure a correctly signed request.)
I also tried adding headers to the post request itself, via:
return axios
.post(response.data.url, formData, {
headers: {
'Content-Type': 'multipart/form-data',
'x-amz-server-side-encryption-aws-kms-key-id': response.encryption,
'x-amz-server-side-encryption-context': bucketArn
},
....
Access Denied. I’ve tried mixing and matching approaches. I can make things worse by breaking the signature, but I can’t land the encrypted file or find documentation to accomplish this.