Adds in support for SSEKMSKeyId by parsing it from the store url and passing it into the S3StoreConfig. Done analogously to the SSE paramater.
Also added a unit test for parseStoreArgs which checks that the SSEKMSKeyId field (amongst others) is correctly parsed from the store URL
Additional Testing:
Ran TestStoreInteractions using SSE and SSEKMSKeyId parameters on a bucket with SSE KMS + key. Used this structure as the fragment store: s3://bucket-with-kms-key/?find=rwFind&replace=rwReplace&endpoint=https://region.amazonaws.com&sse=aws:kms&ssekmskeyid=test-key") where test-key matched the one on bucket-with-kms-key. The test ran successfully and was able to Persist, List, Open/Read, and Delete objects from the bucket.
With the above setup, I removed the deletion portion of the test so that the encrypted objects would remain in the bucket. I then attempted through the CLI to call get-objects, once with a role without permissions to decrypt the objects and once with a role with permission to decrypt the objects. (*Note the kms key does not actually need to be passed in, rather the role calling the endpoint needs to have permissions to decrypt the object (source)).
The result for the role without decryption perms was:
An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
And the result for the role with decryption perms was a successful download.
This is in evidence of the Persist correctly using the SSEKMSKeyId passed in from the fragment store to authorize decryption
Adds in support for
SSEKMSKeyIdby parsing it from the store url and passing it into theS3StoreConfig. Done analogously to theSSEparamater.Also added a unit test for
parseStoreArgswhich checks that theSSEKMSKeyIdfield (amongst others) is correctly parsed from the store URLAdditional Testing:
Ran
TestStoreInteractionsusingSSEandSSEKMSKeyIdparameters on a bucket with SSE KMS + key. Used this structure as the fragment store:s3://bucket-with-kms-key/?find=rwFind&replace=rwReplace&endpoint=https://region.amazonaws.com&sse=aws:kms&ssekmskeyid=test-key")wheretest-keymatched the one onbucket-with-kms-key. The test ran successfully and was able toPersist, List, Open/Read, and Deleteobjects from the bucket.With the above setup, I removed the deletion portion of the test so that the encrypted objects would remain in the bucket. I then attempted through the CLI to call
get-objects, once with a role without permissions to decrypt the objects and once with a role with permission to decrypt the objects. (*Note the kms key does not actually need to be passed in, rather the role calling the endpoint needs to have permissions to decrypt the object (source)). The result for the role without decryption perms was:An error occurred (AccessDenied) when calling the GetObject operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.And the result for the role with decryption perms was a successful download. This is in evidence of thePersistcorrectly using theSSEKMSKeyIdpassed in from the fragment store to authorize decryptionThis change is