s3: add support for KMS Key ID - fixes #2217

This code supports aws:kms and the kms key id for the s3 backend.
2025-02-02 03:29:51 +01:00 · 2018-08-30 12:08:27 -04:00 · 2018-08-30 12:08:27 -04:00 · aaa3d7e63b
commit aaa3d7e63b
parent e4c5f248c0
1 changed files with 18 additions and 0 deletions
--- a/backend/s3/s3.go
+++ b/backend/s3/s3.go
@ -498,6 +498,20 @@ func init() {
 			}, {
 				Value: "AES256",
 				Help:  "AES256",
+			}, {
+				Value: "aws:kms",
+				Help:  "aws:kms",
+			}},
+		}, {
+			Name:     "sse_kms_key_id",
+			Help:     "If using KMS ID you must provide the ARN of Key.",
+			Provider: "AWS",
+			Examples: []fs.OptionExample{{
+				Value: "",
+				Help:  "None",
+			}, {
+				Value: "arn:aws:kms:us-east-1:*",
+				Help:  "arn:aws:kms:*",
 			}},
 		}, {
 			Name:     "storage_class",
@ -569,6 +583,7 @@ type Options struct {
 	LocationConstraint   string        `config:"location_constraint"`
 	ACL                  string        `config:"acl"`
 	ServerSideEncryption string        `config:"server_side_encryption"`
+	SSEKMSKeyID          string        `config:"sse_kms_key_id"`
 	StorageClass         string        `config:"storage_class"`
 	ChunkSize            fs.SizeSuffix `config:"chunk_size"`
 	DisableChecksum      bool          `config:"disable_checksum"`
@ -1429,6 +1444,9 @@ func (o *Object) Update(in io.Reader, src fs.ObjectInfo, options ...fs.OpenOptio
 	if o.fs.opt.ServerSideEncryption != "" {
 		req.ServerSideEncryption = &o.fs.opt.ServerSideEncryption
 	}
+	if o.fs.opt.SSEKMSKeyID != "" {
+		req.SSEKMSKeyId = &o.fs.opt.SSEKMSKeyID
+	}
 	if o.fs.opt.StorageClass != "" {
 		req.StorageClass = &o.fs.opt.StorageClass
 	}