From aaa3d7e63b2fb84e1bc8d20f51a92f00039a4e4b Mon Sep 17 00:00:00 2001
From: bsteiss <35940619+bsteiss@users.noreply.github.com>
Date: Thu, 30 Aug 2018 12:08:27 -0400
Subject: [PATCH] s3: add support for KMS Key ID - fixes #2217

This code supports aws:kms and the kms key id for the s3 backend.
---
 backend/s3/s3.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/backend/s3/s3.go b/backend/s3/s3.go
index 17463e4fa..2679f7156 100644
--- a/backend/s3/s3.go
+++ b/backend/s3/s3.go
@@ -498,6 +498,20 @@ func init() {
 }, {
 Value: "AES256",
 Help: "AES256",
+ }, {
+ Value: "aws:kms",
+ Help: "aws:kms",
+ }},
+ }, {
+ Name: "sse_kms_key_id",
+ Help: "If using KMS ID you must provide the ARN of Key.",
+ Provider: "AWS",
+ Examples: []fs.OptionExample{{
+ Value: "",
+ Help: "None",
+ }, {
+ Value: "arn:aws:kms:us-east-1:*",
+ Help: "arn:aws:kms:*",
 }},
 }, {
 Name: "storage_class",
@@ -569,6 +583,7 @@ type Options struct {
 LocationConstraint string `config:"location_constraint"`
 ACL string `config:"acl"`
 ServerSideEncryption string `config:"server_side_encryption"`
+ SSEKMSKeyID string `config:"sse_kms_key_id"`
 StorageClass string `config:"storage_class"`
 ChunkSize fs.SizeSuffix `config:"chunk_size"`
 DisableChecksum bool `config:"disable_checksum"`
@@ -1429,6 +1444,9 @@ func (o *Object) Update(in io.Reader, src fs.ObjectInfo, options ...fs.OpenOptio
 if o.fs.opt.ServerSideEncryption != "" {
 req.ServerSideEncryption = &o.fs.opt.ServerSideEncryption
 }
+ if o.fs.opt.SSEKMSKeyID != "" {
+ req.SSEKMSKeyId = &o.fs.opt.SSEKMSKeyID
+ }
 if o.fs.opt.StorageClass != "" {
 req.StorageClass = &o.fs.opt.StorageClass
 }
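Review bot: The second example for `sse_kms_key_id`, `arn:aws:kms:us-east-1:*`, is a wildcard pattern rather than a usable key ARN, so choosing it from the examples list stores a value that cannot identify a key. The Help string also does not say that the option only applies when `server_side_encryption` is `aws:kms`, or what an empty value means (to my knowledge S3 then falls back to the account's AWS-managed key, which may not be what an operator with a key policy expects). I would reword Help to something like `ARN of the KMS key to encrypt with; requires server_side_encryption = aws:kms. Leave empty to use the AWS-managed default key.` and either drop the wildcard example or label it clearly as a pattern. The init() body starts and ends outside this hunk.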
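Review bot: In Update, the added `if o.fs.opt.SSEKMSKeyID != ""` block sends the key ID whenever it is configured, independent of `server_side_encryption`, so a key ID paired with an empty or `AES256` setting reaches S3 as an inconsistent request instead of being caught locally. I would reject the combination `o.fs.opt.SSEKMSKeyID != "" && o.fs.opt.ServerSideEncryption != "aws:kms"` with a clear error when the backend is constructed, rather than silently dropping the key, so the operator never believes a customer-managed key is in use when it is not. The diffstat shows all 18 added lines are in these three hunks, so Update is the only request builder changed. If the backend has other write paths that build their own requests (a server-side copy, for example, which is not visible here), they would presumably not carry the key and are worth checking. Update's body starts and ends outside this hunk.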