awslabs / mountpoint-s3-csi-driver

Built on Mountpoint for Amazon S3, the Mountpoint CSI driver presents an Amazon S3 bucket as a storage volume accessible by containers in your Kubernetes cluster.
Apache License 2.0

Support encryption using KMS key #153

Closed justinas-b closed 4 months ago

justinas-b commented 7 months ago

/feature

Hey! It would be very useful to have support for encryption using a KMS key. Currently on S3 bucket policies we have the below controls implemented:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Even though we could read from S3/volumes, due to this limitation we cannot write to volumes/S3 buckets, as there is no way to explicitly say that the object should be encrypted when writing.

/app # echo "test" > /data/test.txt
sh: write error: I/O error

On the s3-csi-node daemonset I cannot find any related errors, even with increased verbosity.
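As an added illustration (not code from the issue or the driver), here is a minimal evaluator for the two Deny statements in the bucket policy quoted above, showing which PutObject requests they block. It implements only the Null and StringNotEquals operators and skips Principal/Resource matching (both statements apply to "*" and "mybucket/*"), so it is a simplification of real IAM evaluation; note that as written the policy pins AES256, so a KMS-encrypted put would be denied by it as well.

```python
# The policy from the issue, reduced to its Condition blocks (constructed input).
BUCKET_POLICY = {
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Action": "s3:PutObject",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Action": "s3:PutObject",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]
}


def request_context(headers):
    """Map request headers to the condition keys S3 derives from them
    (x-amz-server-side-encryption -> s3:x-amz-server-side-encryption)."""
    return {"s3:" + name.lower(): value for name, value in headers.items()}


def condition_matches(operator, key, expected, context):
    """Evaluate one condition operator against the request context."""
    actual = context.get(key)
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return (actual is None) == (expected == "true")
    if operator == "StringNotEquals":
        # Negated operators match when the key is missing from the context.
        return actual is None or actual != expected
    raise NotImplementedError(operator)


def denying_statements(policy, headers):
    """Return the Sids of Deny statements matching a PutObject with these headers.
    An empty list means the bucket policy does not block the write."""
    context = request_context(headers)
    denied = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        if all(condition_matches(op, key, exp, context)
               for op, pairs in stmt["Condition"].items()
               for key, exp in pairs.items()):
            denied.append(stmt["Sid"])
    return denied


if __name__ == "__main__":
    # No SSE option means no encryption header: both statements deny (the I/O error above).
    print(denying_statements(BUCKET_POLICY, {}))
    # Requesting KMS is still denied by this policy, because it pins AES256.
    print(denying_statements(BUCKET_POLICY, {"x-amz-server-side-encryption": "aws:kms"}))
    print(denying_statements(BUCKET_POLICY, {"x-amz-server-side-encryption": "AES256"}))
```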

justinas-b commented 7 months ago

I see there is https://github.com/awslabs/mountpoint-s3/issues/534 in progress already to add support under mountpoint-s3, though once it is released I guess https://github.com/awslabs/mountpoint-s3-csi-driver will have to be updated.

justinas-b commented 7 months ago

Also, I see https://github.com/awslabs/mountpoint-s3/pull/715 was already merged, but I cannot see --sse nor --sse-kms-key-id flags in v1.4.1:

bash-4.2# mountpoint-s3/bin/mount-s3  --version
mount-s3 1.4.1

I am assuming those features were not released yet?

jjkr commented 7 months ago

Thank you for the request. That's correct, this feature is still in development in Mountpoint itself, and the issue you linked is the correct place to get updates on the current development. Once Mountpoint is released, the CSI driver will make any necessary changes and release support shortly after.

vitascherry commented 7 months ago

@jjkr, hi, sorry for the stupid question here, but do you know when it may be released or in which release it may go? Thanks in advance.

DugeraProve commented 4 months ago

@justinas-b, for reading from an S3 bucket with S3 AWS customer KMS encryption, were there any specific mount options required to enable you to read from the bucket? I'm having issues reading a simple file. The S3 bucket is mounted successfully and I can see all the folders and files, but when I go to read (cat, more, tail, vi) a simple text file I get an Input/output error. I see that reading files was reported as an issue here also: https://github.com/awslabs/mountpoint-s3-csi-driver/issues/194

dannycjones commented 4 months ago

for reading from an S3 bucket with S3 AWS customer KMS encryption, were there any specific mount options required to enable you to read from the bucket? I'm having issues reading a simple file. The S3 bucket is mounted successfully and I can see all the folders and files, but when I go to read (cat, more, tail, vi) a simple text file I get an Input/output error. I see that reading files was reported as an issue here also #194

@DugeraProve there should be no configuration required outside of permissions to ensure you can decrypt using the key. This is how KMS encryption has worked since before the KMS configuration feature (https://github.com/awslabs/mountpoint-s3/issues/534) in this ticket. If you're seeing EIO, you should find more information in Mountpoint's logs. I expect that it may be because the role the CSI driver is using does not have kms:Decrypt permission.

If you are still blocked, please do open a new issue: https://github.com/awslabs/mountpoint-s3-csi-driver/issues/new/choose

dannycjones commented 4 months ago

The CSI Driver v1.6.0 release contained the new feature allowing specific encryption modes and KMS key IDs to be specified outside of the bucket default: https://github.com/awslabs/mountpoint-s3-csi-driver/releases/tag/v1.6.0

There's a new example showing static provisioning using KMS keys when uploading new objects: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/kms_sse.yaml

Closing this, the feature is now available!