如何使用KMS将S3encryption到nodejs中?
我有一些问题。 我有几个lambda函数,如果我创build脚本本地化,并运行它,所有的工作,但如果我的代码工作在远程lambda我有错误:访问被拒绝
S3Service.prototype.PutFile = function (bucket, key, body, type, callback) { var s3 = new this.AWS.S3({region: awsConfig.region,"signatureVersion":"v4"}); var params = { Bucket: bucket, Key: key, Body: body, ContentType: type, ACL: 'public-read-write', ServerSideEncryption: 'aws:kms', SSEKMSKeyId: awsConfig.kmsKeyId }; s3.putObject(params, function (err, res) { if (err) { callback(new InternalServerError(err)); } else { callback(null); } }); }; S3Service.prototype.GetFile = function (params, callback) { var s3 = new this.AWS.S3({ region: awsConfig.region,"signatureVersion":"v4"}); s3.getObject(params, function (err, data) { if (err) { callback(new InternalServerError(err)); } else { callback(null, data.Body, data.ContentType); } }); }; 时段策略:
var policy = { "Version": "2012-10-17", "Statement":[{ "Sid":"DenyUnEncryptedObjectUploads", "Effect":"Deny", "Principal": "*", "Action":["s3:PutObject"], "Resource": "arn:aws:s3:::" + name + "/*", "Condition":{ "StringNotEquals":{ "s3:x-amz-server-side-encryption":"aws:kms" } } } ] };
生成kms密钥:
kms.createKey({ Description: 'qwe', KeyUsage: 'ENCRYPT_DECRYPT' }, function (err, data) { //var keyId = data.KeyMetadata.KeyId });
如何正确地把对象encryption到S3:ServerSideEncryption:'aws:kms'?
这听起来像是你的lambdaangular色策略的一个问题。 什么是lambda的作用?
特别是,确保它具有以下效果:
"PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::s3bucket", "arn:aws:s3:::s3bucket/*" ] }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:Encrypt" ], "Resource": ["*"] }] }