Utilising SSEC with PreSignedRequests - PHP
I am in the process of evaluating Object Storage for use in a few projects I have going on. I'm interested in utilising SSEC for storing the objects, and this appears to be working as expected.
I'm utilising aws-sdk-php v3.271.
Example call to putObject:
$result = $this->_client->putObject([
    'Bucket'               => $this->_bucket,
    'Key'                  => $this->gen_name(),
    'SourceFile'           => $this->_fullFilePath,
    'SSECustomerAlgorithm' => $this->_customerAlgorithm,
    'SSECustomerKey'       => $this->_customerKey,
]);
The trouble comes when trying to create a Presigned Request: if I provide the same SSECustomerAlgorithm and SSECustomerKey, I get a signature mismatch error.
$result = $this->_client->getCommand('getObject', [
    'Bucket'               => $this->_bucket,
    'Key'                  => $object,
    'SSECustomerAlgorithm' => $this->_customerAlgorithm,
    'SSECustomerKey'       => $this->_customerKey,
]);
This call works fine for unencrypted files:
$result = $this->_client->getCommand('getObject', [
    'Bucket' => $this->_bucket,
    'Key'    => $object,
]);
Just looking to understand the signature mismatch when providing the encryption details.
Based on the S3 API documentation, in order to GET an object that you have uploaded using encryption, you need to include the following headers:
- x-amz-server-side-encryption-customer-algorithm
- x-amz-server-side-encryption-customer-key
- x-amz-server-side-encryption-customer-key-MD5
I think what this means is that you need to add SSECustomerKeyMD5 to your GET API call for it to work.
Thank you @tlambert. Am I correct in thinking that the call would contain the key itself, so it should only be used for POST requests?
@2ejames That's correct.
From the S3 API documentation:
To get an object from such a logical hierarchy, specify the full key name for the object in the GET operation.
GET /Key+?partNumber=PartNumber&response-cache-control=ResponseCacheControl&response-content-disposition=ResponseContentDisposition&response-content-encoding=ResponseContentEncoding&response-content-language=ResponseContentLanguage&response-content-type=ResponseContentType&response-expires=ResponseExpires&versionId=VersionId HTTP/1.1
Host: Bucket.s3.amazonaws.com
If-Match: IfMatch
If-Modified-Since: IfModifiedSince
If-None-Match: IfNoneMatch
If-Unmodified-Since: IfUnmodifiedSince
Range: Range
x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm
x-amz-server-side-encryption-customer-key: SSECustomerKey
x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5
x-amz-request-payer: RequestPayer
x-amz-expected-bucket-owner: ExpectedBucketOwner
x-amz-checksum-mode: ChecksumMode
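Putting the two answers above together, here is an added example (not code from the original poster or from aws-sdk-php itself) that builds the presigned GetObject request with all three SSE-C parameters and then extracts the headers the fetching client must send, since the key is signed as a header rather than placed in the URL. The endpoint, region, bucket, object name and the key value are placeholders I constructed; in practice the key is the same one used for the upload and comes from a secret store.

```php
<?php
// Added example, not from the original post or the aws-sdk-php project.
// Assumes a composer autoload, an HTTPS Object Storage endpoint, and an
// object that was uploaded with the same SSE-C key. All names are placeholders.
require 'vendor/autoload.php';

use Aws\S3\S3Client;

$client = new S3Client([
    'version'  => 'latest',
    'region'   => 'us-east-1',                       // placeholder region
    'endpoint' => 'https://OBJECT-STORAGE-ENDPOINT', // placeholder; SSE-C needs TLS
]);

$bucket = 'example-bucket'; // placeholder
$object = 'example-object'; // placeholder

// Raw 256-bit key. Constructed here for illustration only; a real call must
// reuse the exact key the object was uploaded with, loaded from a secret store.
$customerKey       = random_bytes(32);
$customerAlgorithm = 'AES256';

// GetObject with all three SSE-C parameters, as the answer above describes.
// The S3 API defines the key-MD5 header as base64(md5(raw key)).
$cmd = $client->getCommand('GetObject', [
    'Bucket'               => $bucket,
    'Key'                  => $object,
    'SSECustomerAlgorithm' => $customerAlgorithm,
    'SSECustomerKey'       => $customerKey,
    'SSECustomerKeyMD5'    => base64_encode(md5($customerKey, true)),
]);

$request = $client->createPresignedRequest($cmd, '+15 minutes');
$url     = (string) $request->getUri();

// The SSE-C values are signed as headers, not query parameters, so the URL
// alone is not usable: the consumer must send these headers with the GET.
$sseHeaders = [];
foreach ($request->getHeaders() as $name => $values) {
    if (stripos($name, 'x-amz-server-side-encryption-customer-') === 0) {
        $sseHeaders[$name] = implode(',', $values);
    }
}

// Sanity check before handing the URL out: it must never carry the key.
if (strpos($url, base64_encode($customerKey)) !== false) {
    throw new RuntimeException('SSE-C key must not appear in the presigned URL');
}

// Hand $url together with $sseHeaders to the client performing the GET.
```

Because the key travels in request headers, the presigned URL should only be handed to a client that can add those headers over TLS; a plain browser link will fail the signature check, which is the behaviour the thread describes.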