Class: Aws::S3::Encryption::Client

Inherits:
Object
  • Object
show all
Extended by:
Deprecations
Defined in:
lib/aws-sdk-s3/encryption/client.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ Client

Creates a new encryption client. You must provide on of the following options:

  • ‘:encryption_key`

  • ‘:kms_key_id`

  • ‘:key_provider`

You may also pass any other options accepted by ‘Client#initialize`.

Parameters:

  • options (Hash) (defaults to: {})

    a customizable set of options

Options Hash (options):

  • :client (S3::Client)

    A basic S3 client that is used to make api calls. If a ‘:client` is not provided, a new Client will be constructed.

  • :encryption_key (OpenSSL::PKey::RSA, String)

    The master key to use for encrypting/decrypting all objects.

  • :kms_key_id (String)

    When you provide a ‘:kms_key_id`, then AWS Key Management Service (KMS) will be used to manage the object encryption keys. By default a KMS::Client will be constructed for KMS API calls. Alternatively, you can provide your own via `:kms_client`.

  • :key_provider (#key_for)

    Any object that responds to ‘#key_for`. This method should accept a materials description JSON document string and return return an encryption key.

  • :envelope_location (Symbol) — default: :metadata

    Where to store the envelope encryption keys. By default, the envelope is stored with the encrypted object. If you pass ‘:instruction_file`, then the envelope is stored in a separate object in Amazon S3.

  • :instruction_file_suffix (String) — default: '.instruction'

    When ‘:envelope_location` is `:instruction_file` then the instruction file uses the object key with this suffix appended.

  • :kms_client (KMS::Client)

    A default KMS::Client is constructed when using KMS to manage encryption keys.



220
221
222
223
224
225
# File 'lib/aws-sdk-s3/encryption/client.rb', line 220

def initialize(options = {})
  @client = extract_client(options)
  @cipher_provider = cipher_provider(options)
  @envelope_location = extract_location(options)
  @instruction_file_suffix = extract_suffix(options)
end

Instance Attribute Details

#clientS3::Client (readonly)

Returns:



228
229
230
# File 'lib/aws-sdk-s3/encryption/client.rb', line 228

def client
  @client
end

#envelope_locationSymbol<:metadata, :instruction_file> (readonly)

Returns:

  • (Symbol<:metadata, :instruction_file>)


235
236
237
# File 'lib/aws-sdk-s3/encryption/client.rb', line 235

def envelope_location
  @envelope_location
end

#instruction_file_suffixString (readonly)

Returns When #envelope_location is ‘:instruction_file`, the envelope is stored in the object with the object key suffixed by this string.

Returns:

  • (String)

    When #envelope_location is ‘:instruction_file`, the envelope is stored in the object with the object key suffixed by this string.



240
241
242
# File 'lib/aws-sdk-s3/encryption/client.rb', line 240

def instruction_file_suffix
  @instruction_file_suffix
end

#key_providerKeyProvider? (readonly)

Returns ‘nil` if you are using AWS Key Management Service (KMS).

Returns:

  • (KeyProvider, nil)

    Returns ‘nil` if you are using AWS Key Management Service (KMS).



232
233
234
# File 'lib/aws-sdk-s3/encryption/client.rb', line 232

def key_provider
  @key_provider
end

Instance Method Details

#get_object(params = {}, &block) ⇒ Types::GetObjectOutput

Note:

The ‘:range` request parameter is not yet supported.

Gets an object from Amazon S3, decrypting data locally. See Client#get_object for documentation on accepted request parameters.

Parameters:

  • params (Hash) (defaults to: {})

    a customizable set of options

Options Hash (params):

  • :instruction_file_suffix (String)

    The suffix used to find the instruction file containing the encryption envelope. You should not set this option when the envelope is stored in the object metadata. Defaults to #instruction_file_suffix.

  • :instruction_file_suffix (String)
  • :response_target (String, IO)

    Where to write response data, file path, or IO object.

  • :bucket (required, String)
  • :if_match (String)

    Return the object only if its entity tag (ETag) is the same as the one specified, otherwise return a 412 (precondition failed).

  • :if_modified_since (Time, DateTime, Date, Integer, String)

    Return the object only if it has been modified since the specified time, otherwise return a 304 (not modified).

  • :if_none_match (String)

    Return the object only if its entity tag (ETag) is different from the one specified, otherwise return a 304 (not modified).

  • :if_unmodified_since (Time, DateTime, Date, Integer, String)

    Return the object only if it has not been modified since the specified time, otherwise return a 412 (precondition failed).

  • :key (required, String)
  • :range (String)

    Downloads the specified range bytes of an object. For more information about the HTTP Range header, go to www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35.

  • :response_cache_control (String)

    Sets the Cache-Control header of the response.

  • :response_content_disposition (String)

    Sets the Content-Disposition header of the response

  • :response_content_encoding (String)

    Sets the Content-Encoding header of the response.

  • :response_content_language (String)

    Sets the Content-Language header of the response.

  • :response_content_type (String)

    Sets the Content-Type header of the response.

  • :response_expires (Time, DateTime, Date, Integer, String)

    Sets the Expires header of the response.

  • :version_id (String)

    VersionId used to reference a specific version of the object.

  • :sse_customer_algorithm (String)

    Specifies the algorithm to use to when encrypting the object (e.g., AES256).

  • :sse_customer_key (String)

    Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm header.

  • :sse_customer_key_md5 (String)

    Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

  • :request_payer (String)

    Confirms that the requester knows that she or he will be charged for the request. Bucket owners need not specify this parameter in their requests. Documentation on downloading objects from requester pays buckets can be found at docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html

  • :part_number (Integer)

    Part number of the object being read. This is a positive integer between 1 and 10,000. Effectively performs a ‘ranged’ GET request for the part specified. Useful for downloading just a part of an object.

Returns:

See Also:



272
273
274
275
276
277
278
279
280
281
282
283
284
285
# File 'lib/aws-sdk-s3/encryption/client.rb', line 272

def get_object(params = {}, &block)
  if params[:range]
    raise NotImplementedError, '#get_object with :range not supported yet'
  end
  envelope_location, instruction_file_suffix = envelope_options(params)
  req = @client.build_request(:get_object, params)
  req.handlers.add(DecryptHandler)
  req.context[:encryption] = {
    cipher_provider: @cipher_provider,
    envelope_location: envelope_location,
    instruction_file_suffix: instruction_file_suffix,
  }
  req.send_request(target: block)
end

#put_object(params = {}) ⇒ Types::PutObjectOutput

Uploads an object to Amazon S3, encrypting data client-side. See Client#put_object for documentation on accepted request parameters.

Options Hash (params):

  • :acl (String)

    The canned ACL to apply to the object.

  • :body (String, IO)

    Object data.

  • :bucket (required, String)

    Name of the bucket to which the PUT operation was initiated.

  • :cache_control (String)

    Specifies caching behavior along the request/reply chain.

  • :content_disposition (String)

    Specifies presentational information for the object.

  • :content_encoding (String)

    Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field.

  • :content_language (String)

    The language the content is in.

  • :content_length (Integer)

    Size of the body in bytes. This parameter is useful when the size of the body cannot be determined automatically.

  • :content_md5 (String)

    The base64-encoded 128-bit MD5 digest of the part data.

  • :content_type (String)

    A standard MIME type describing the format of the object data.

  • :expires (Time, DateTime, Date, Integer, String)

    The date and time at which the object is no longer cacheable.

  • :grant_full_control (String)

    Gives the grantee READ, READ_ACP, and WRITE_ACP permissions on the object.

  • :grant_read (String)

    Allows grantee to read the object data and its metadata.

  • :grant_read_acp (String)

    Allows grantee to read the object ACL.

  • :grant_write_acp (String)

    Allows grantee to write the ACL for the applicable object.

  • :key (required, String)

    Object key for which the PUT operation was initiated.

  • :metadata (Hash<String,String>)

    A map of metadata to store with the object in S3.

  • :server_side_encryption (String)

    The Server-side encryption algorithm used when storing this object in S3 (e.g., AES256, aws:kms).

  • :storage_class (String)

    The type of storage to use for the object. Defaults to ‘STANDARD’.

  • :website_redirect_location (String)

    If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata.

  • :sse_customer_algorithm (String)

    Specifies the algorithm to use to when encrypting the object (e.g., AES256).

  • :sse_customer_key (String)

    Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon does not store the encryption key. The key must be appropriate for use with the algorithm specified in the x-amz-server-side​-encryption​-customer-algorithm header.

  • :sse_customer_key_md5 (String)

    Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure the encryption key was transmitted without error.

  • :ssekms_key_id (String)

    Specifies the AWS KMS key ID to use for object encryption. All GET and PUT requests for an object protected by AWS KMS will fail if not made via SSL or using SigV4. Documentation on configuring any of the officially supported AWS SDKs and CLI can be found at docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

  • :request_payer (String)

    Confirms that the requester knows that she or he will be charged for the request. Bucket owners need not specify this parameter in their requests. Documentation on downloading objects from requester pays buckets can be found at docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html

  • :tagging (String)

    The tag-set for the object. The tag-set must be encoded as URL Query parameters. (For example, “Key1=Value1”)

  • :object_lock_mode (String)

    The Object Lock mode that you want to apply to this object.

  • :object_lock_retain_until_date (Time, DateTime, Date, Integer, String)

    The date and time when you want this object’s Object Lock to expire.

  • :object_lock_legal_hold_status (String)

    The Legal Hold status that you want to apply to the specified object.

Returns:

See Also:



248
249
250
251
252
253
254
255
256
257
# File 'lib/aws-sdk-s3/encryption/client.rb', line 248

def put_object(params = {})
  req = @client.build_request(:put_object, params)
  req.handlers.add(EncryptHandler, priority: 95)
  req.context[:encryption] = {
    cipher_provider: @cipher_provider,
    envelope_location: @envelope_location,
    instruction_file_suffix: @instruction_file_suffix,
  }
  req.send_request
end