Class: Aws::S3::EncryptionV2::Client
- Inherits:
-
Object
- Object
- Aws::S3::EncryptionV2::Client
- Extended by:
- Deprecations, Forwardable
- Defined in:
- lib/aws-sdk-s3/encryptionV2/client.rb
Instance Attribute Summary collapse
- #client ⇒ S3::Client readonly
- #envelope_location ⇒ Symbol<:metadata, :instruction_file> readonly
-
#instruction_file_suffix ⇒ String
readonly
When #envelope_location is ‘:instruction_file`, the envelope is stored in the object with the object key suffixed by this string.
-
#key_provider ⇒ KeyProvider?
readonly
Returns ‘nil` if you are using AWS Key Management Service (KMS).
-
#kms_allow_decrypt_with_any_cmk ⇒ Boolean
readonly
If true the provided KMS key_id will not be used during decrypt, allowing decryption with the key_id from the object.
-
#security_profile ⇒ Symbol
readonly
Determines the support for reading objects written using older key wrap or content encryption schemas.
Instance Method Summary collapse
-
#get_object(params = {}, &block) ⇒ Types::GetObjectOutput
Gets an object from Amazon S3, decrypting data locally.
-
#initialize(options = {}) ⇒ Client
constructor
Creates a new encryption client.
-
#put_object(params = {}) ⇒ Types::PutObjectOutput
Uploads an object to Amazon S3, encrypting data client-side.
Constructor Details
#initialize(options = {}) ⇒ Client
Creates a new encryption client. You must configure all of the following:
-
a key or key provider - The key provided also determines the key wrapping schema(s) supported for both encryption and decryption.
-
‘key_wrap_schema` - The key wrapping schema. It must match the type of key configured.
-
‘content_encryption_schema` - The only supported value currently is `:aes_gcm_no_padding`
More options will be added in future releases.
-
‘security_profile` - Determines the support for reading objects written
using older key wrap or content encryption schemas. If you need to read legacy objects encrypted by an existing V1 Client, then set this to `:v2_and_legacy`. Otherwise, set it to `:v2`
To configure the key you must provide one of the following set of options:
-
‘:encryption_key`
-
‘:kms_key_id`
-
‘:key_provider`
You may also pass any other options accepted by ‘Client#initialize`.
310 311 312 313 314 315 316 317 318 319 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 310 def initialize( = {}) validate_params() @client = extract_client() @cipher_provider = cipher_provider() @envelope_location = extract_location() @instruction_file_suffix = extract_suffix() @kms_allow_decrypt_with_any_cmk = [:kms_key_id] == :kms_allow_decrypt_with_any_cmk @security_profile = extract_security_profile() end |
Instance Attribute Details
#client ⇒ S3::Client (readonly)
322 323 324 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 322 def client @client end |
#envelope_location ⇒ Symbol<:metadata, :instruction_file> (readonly)
337 338 339 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 337 def envelope_location @envelope_location end |
#instruction_file_suffix ⇒ String (readonly)
Returns When #envelope_location is ‘:instruction_file`, the envelope is stored in the object with the object key suffixed by this string.
342 343 344 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 342 def instruction_file_suffix @instruction_file_suffix end |
#key_provider ⇒ KeyProvider? (readonly)
Returns ‘nil` if you are using AWS Key Management Service (KMS).
326 327 328 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 326 def key_provider @key_provider end |
#kms_allow_decrypt_with_any_cmk ⇒ Boolean (readonly)
Returns If true the provided KMS key_id will not be used during decrypt, allowing decryption with the key_id from the object.
334 335 336 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 334 def kms_allow_decrypt_with_any_cmk @kms_allow_decrypt_with_any_cmk end |
#security_profile ⇒ Symbol (readonly)
Returns Determines the support for reading objects written using older key wrap or content encryption schemas.
330 331 332 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 330 def security_profile @security_profile end |
Instance Method Details
#get_object(params = {}, &block) ⇒ Types::GetObjectOutput
The ‘:range` request parameter is not supported.
Gets an object from Amazon S3, decrypting data locally. See Client#get_object for documentation on accepted request parameters. Warning: If you provide a block to get_object or set the request parameter :response_target to a Proc, then read the entire object to the end before you start using the decrypted data. This is to verify that the object has not been modified since it was encrypted.
398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 398 def get_object(params = {}, &block) if params[:range] raise NotImplementedError, '#get_object with :range not supported' end envelope_location, instruction_file_suffix = (params) kms_encryption_context = params.delete(:kms_encryption_context) kms_any_cmk_mode = kms_any_cmk_mode(params) security_profile = security_profile_from_params(params) req = @client.build_request(:get_object, params) req.handlers.add(DecryptHandler) req.context[:encryption] = { cipher_provider: @cipher_provider, envelope_location: envelope_location, instruction_file_suffix: instruction_file_suffix, kms_encryption_context: kms_encryption_context, kms_allow_decrypt_with_any_cmk: kms_any_cmk_mode, security_profile: security_profile } req.send_request(target: block) end |
#put_object(params = {}) ⇒ Types::PutObjectOutput
Uploads an object to Amazon S3, encrypting data client-side. See Client#put_object for documentation on accepted request parameters.
354 355 356 357 358 359 360 361 362 363 364 365 |
# File 'lib/aws-sdk-s3/encryptionV2/client.rb', line 354 def put_object(params = {}) kms_encryption_context = params.delete(:kms_encryption_context) req = @client.build_request(:put_object, params) req.handlers.add(EncryptHandler, priority: 95) req.context[:encryption] = { cipher_provider: @cipher_provider, envelope_location: @envelope_location, instruction_file_suffix: @instruction_file_suffix, kms_encryption_context: kms_encryption_context } req.send_request end |