// Code generated by smithy-go-codegen DO NOT EDIT.
package s3
import (
"context"
"fmt"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
internalChecksum "github.com/aws/aws-sdk-go-v2/service/internal/checksum"
s3cust "github.com/aws/aws-sdk-go-v2/service/s3/internal/customizations"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/aws/smithy-go/middleware"
"github.com/aws/smithy-go/ptr"
smithyhttp "github.com/aws/smithy-go/transport/http"
)
// This operation configures default encryption and Amazon S3 Bucket Keys for an
// existing bucket.
//
// Directory buckets - For directory buckets, you must make requests for this API
// operation to the Regional endpoint. These endpoints support path-style requests
// in the format https://s3express-control.region-code.amazonaws.com/bucket-name .
// Virtual-hosted-style requests aren't supported. For more information about
// endpoints in Availability Zones, see [Regional and Zonal endpoints for directory buckets in Availability Zones]in the Amazon S3 User Guide. For more
// information about endpoints in Local Zones, see [Concepts for directory buckets in Local Zones]in the Amazon S3 User Guide.
//
// By default, all buckets have a default encryption configuration that uses
// server-side encryption with Amazon S3 managed keys (SSE-S3).
//
// - General purpose buckets
//
// - You can optionally configure default encryption for a bucket by using
// server-side encryption with Key Management Service (KMS) keys (SSE-KMS) or
// dual-layer server-side encryption with Amazon Web Services KMS keys (DSSE-KMS).
// If you specify default encryption by using SSE-KMS, you can also configure [Amazon S3 Bucket Keys].
// For information about the bucket default encryption feature, see [Amazon S3 Bucket Default Encryption]in the
// Amazon S3 User Guide.
//
// - If you use PutBucketEncryption to set your [default bucket encryption] to
// SSE-KMS, verify that your KMS key ID is correct before you call this
// operation. Amazon S3 doesn't validate the KMS key ID provided in
// PutBucketEncryption requests, so an incorrect value is accepted without error.
//
// - Directory buckets - You can optionally configure default encryption for a
// bucket by using server-side encryption with Key Management Service (KMS) keys
// (SSE-KMS).
//
// - We recommend that the bucket's default encryption uses the desired
// encryption configuration and you don't override the bucket default encryption in
// your CreateSession requests or PUT object requests. Then, new objects are
// automatically encrypted with the desired encryption settings. For more
// information about the encryption overriding behaviors in directory buckets, see [Specifying server-side encryption with KMS for new object uploads]
// .
//
// - Your SSE-KMS configuration can only support 1 [customer managed key] per
// directory bucket's lifetime. The [Amazon Web Services managed key] ( aws/s3 )
// isn't supported.
//
// - S3 Bucket Keys are always enabled for GET and PUT operations in a directory
// bucket and can’t be disabled. S3 Bucket Keys aren't supported, when you copy
// SSE-KMS encrypted objects from general purpose buckets to directory buckets,
// from directory buckets to general purpose buckets, or between directory buckets,
// through [CopyObject], [UploadPartCopy], [the Copy operation in Batch Operations], or [the import jobs]. In this case, Amazon S3 makes a call to KMS every time a
// copy request is made for a KMS-encrypted object.
//
// - When you specify an [KMS customer managed key]for encryption in your directory bucket, only use the
// key ID or key ARN. The key alias format of the KMS key isn't supported.
//
// - For directory buckets, if you use PutBucketEncryption to set your [default bucket encryption]to
// SSE-KMS, Amazon S3 validates the KMS key ID provided in PutBucketEncryption
// requests.
//
// If you're specifying a customer managed KMS key, we recommend using a fully
// qualified KMS key ARN. If you use a KMS key alias instead, KMS resolves the
// alias within the requester's account, not the bucket owner's. This can result
// in data that's encrypted with a KMS key that belongs to the requester rather
// than the bucket owner.
//
// Also, this action requires Amazon Web Services Signature Version 4. For more
// information, see [Authenticating Requests (Amazon Web Services Signature Version 4)].
//
// Permissions
//
// - General purpose bucket permissions - The s3:PutEncryptionConfiguration
// permission is required in a policy. The bucket owner has this permission by
// default. The bucket owner can grant this permission to others. For more
// information about permissions, see [Permissions Related to Bucket Operations]and [Managing Access Permissions to Your Amazon S3 Resources]in the Amazon S3 User Guide.
//
// - Directory bucket permissions - To grant access to this API operation, you
// must have the s3express:PutEncryptionConfiguration permission in an IAM
// identity-based policy instead of a bucket policy. Cross-account access to this
// API operation isn't supported. This operation can only be performed by the
// Amazon Web Services account that owns the resource. For more information about
// directory bucket policies and permissions, see [Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone]in the Amazon S3 User Guide.
//
// To set a directory bucket default encryption with SSE-KMS, you must also have
// the kms:GenerateDataKey and the kms:Decrypt permissions in IAM identity-based
// policies and KMS key policies for the target KMS key.
//
// HTTP Host header syntax Directory buckets - The HTTP Host header syntax is
// s3express-control.region-code.amazonaws.com .
//
// The following operations are related to PutBucketEncryption :
//
// [GetBucketEncryption]
//
// [DeleteBucketEncryption]
//
// [Specifying server-side encryption with KMS for new object uploads]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
// [Concepts for directory buckets in Local Zones]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-lzs-for-directory-buckets.html
// [KMS customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
// [Amazon S3 Bucket Default Encryption]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
// [CopyObject]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
// [Managing Access Permissions to Your Amazon S3 Resources]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
// [Permissions Related to Bucket Operations]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
// [UploadPartCopy]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
// [Amazon Web Services managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
// [Authenticating Requests (Amazon Web Services Signature Version 4)]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
// [Amazon Web Services Identity and Access Management (IAM) for S3 Express One Zone]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
// [Amazon S3 Bucket Keys]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
// [GetBucketEncryption]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
// [DeleteBucketEncryption]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
// [customer managed key]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
// [default bucket encryption]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
// [the import jobs]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
// [the Copy operation in Batch Operations]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
// [Regional and Zonal endpoints for directory buckets in Availability Zones]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/endpoint-directory-buckets-AZ.html
// PutBucketEncryption sets the default server-side encryption configuration of
// an existing bucket by running the operation through the client's middleware
// stack (see addOperationPutBucketEncryptionMiddlewares). A nil params is
// treated as an empty input; required members are then rejected by the
// operation's validation middleware rather than here.
//
// optFns may mutate a per-call copy of the client Options. On failure the
// returned output is nil and err carries the SDK/service error.
func (c *Client) PutBucketEncryption(ctx context.Context, params *PutBucketEncryptionInput, optFns ...func(*Options)) (*PutBucketEncryptionOutput, error) {
	input := params
	if input == nil {
		input = &PutBucketEncryptionInput{}
	}

	res, md, err := c.invokeOperation(ctx, "PutBucketEncryption", input, optFns, c.addOperationPutBucketEncryptionMiddlewares)
	if err != nil {
		return nil, err
	}

	// invokeOperation returns the deserialized result as an interface; the
	// deserializer for this operation always produces *PutBucketEncryptionOutput.
	output := res.(*PutBucketEncryptionOutput)
	output.ResultMetadata = md
	return output, nil
}
// PutBucketEncryptionInput carries the parameters of a PutBucketEncryption
// request. Bucket and ServerSideEncryptionConfiguration are required and are
// checked by the operation's validation middleware; the remaining members are
// optional request headers.
type PutBucketEncryptionInput struct {
	// Specifies default encryption for a bucket using server-side encryption with
	// different key options.
	//
	// Directory buckets - When you use this operation with a directory bucket, you
	// must use path-style requests in the format
	// https://s3express-control.region-code.amazonaws.com/bucket-name .
	// Virtual-hosted-style requests aren't supported. Directory bucket names must be
	// unique in the chosen Zone (Availability Zone or Local Zone). Bucket names must
	// also follow the format bucket-base-name--zone-id--x-s3 (for example,
	// DOC-EXAMPLE-BUCKET--usw2-az1--x-s3 ). For information about bucket naming
	// restrictions, see [Directory bucket naming rules] in the Amazon S3 User Guide.
	//
	// [Directory bucket naming rules]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
	//
	// This member is required.
	Bucket *string

	// Specifies the default server-side-encryption configuration.
	//
	// Security note: if the configuration names a customer managed KMS key, prefer
	// a fully qualified key ARN over an alias. An alias is resolved in the
	// requester's account, so a cross-account caller could end up encrypting the
	// bucket owner's data under the requester's key. For general purpose buckets,
	// Amazon S3 does not validate the KMS key ID at PutBucketEncryption time, so a
	// wrong key ID is accepted silently here.
	//
	// This member is required.
	ServerSideEncryptionConfiguration *types.ServerSideEncryptionConfiguration

	// Indicates the algorithm used to create the checksum for the request when you
	// use the SDK. This header will not provide any additional functionality if you
	// don't use the SDK. When you send this header, there must be a corresponding
	// x-amz-checksum or x-amz-trailer header sent. Otherwise, Amazon S3 fails the
	// request with the HTTP status code 400 Bad Request . For more information, see [Checking object integrity]
	// in the Amazon S3 User Guide.
	//
	// If you provide an individual checksum, Amazon S3 ignores any provided
	// ChecksumAlgorithm parameter.
	//
	// For directory buckets, when you use Amazon Web Services SDKs, CRC32 is the
	// default checksum algorithm that's used for performance.
	//
	// Leaving this empty lets the SDK's checksum middleware pick the algorithm
	// (this operation is registered with RequireChecksum set, so a request
	// checksum is always attached).
	//
	// [Checking object integrity]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
	ChecksumAlgorithm types.ChecksumAlgorithm

	// The Base64 encoded 128-bit MD5 digest of the server-side encryption
	// configuration.
	//
	// For requests made using the Amazon Web Services Command Line Interface (CLI) or
	// Amazon Web Services SDKs, this field is calculated automatically.
	//
	// This functionality is not supported for directory buckets.
	ContentMD5 *string

	// The account ID of the expected bucket owner. If the account ID that you provide
	// does not match the actual owner of the bucket, the request fails with the HTTP
	// status code 403 Forbidden (access denied).
	//
	// Security note: setting this pins the request to a bucket owned by the named
	// account, so a same-named bucket that is owned by a different account is
	// rejected with 403 instead of having its encryption configuration replaced.
	// Callers that operate on buckets they do not control the naming of should
	// populate it.
	//
	// For directory buckets, this header is not supported in this API operation. If
	// you specify this header, the request fails with the HTTP status code 501 Not
	// Implemented .
	ExpectedBucketOwner *string

	noSmithyDocumentSerde
}
// bindEndpointParams copies the endpoint-relevant members of the input onto
// the endpoint rule-set parameters. The bucket name drives host/path
// resolution, and the S3 Express control-endpoint flag is always set for this
// operation (the s3express-control host documented for directory buckets;
// whether it takes effect for a general purpose bucket is decided by the
// endpoint resolver, not here).
func (in *PutBucketEncryptionInput) bindEndpointParams(p *EndpointParameters) {
	p.UseS3ExpressControlEndpoint = ptr.Bool(true)
	p.Bucket = in.Bucket
}
// PutBucketEncryptionOutput is the (payload-less) result of a
// PutBucketEncryption call. The service returns no body for this operation;
// only response metadata such as the request ID is surfaced.
type PutBucketEncryptionOutput struct {
	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata

	noSmithyDocumentSerde
}
// addOperationPutBucketEncryptionMiddlewares registers every middleware the
// PutBucketEncryption operation needs on stack, in the fixed order the
// generated client expects. Registration stops at the first error, which is
// returned unchanged (the protocol-finalizer failure is the only one that is
// wrapped with extra context).
//
// Security-relevant entries, in registration order: the payload SHA-256 and
// the SigV4 x-amz-content-sha256 header middlewares support the Signature
// Version 4 signing this action requires; the input validation middleware
// rejects requests missing required members before they leave the client; the
// request checksum middlewares attach a request integrity checksum; and
// addDisableHTTPSMiddleware honours whatever transport-security setting lives
// in options (presumably a plaintext-HTTP opt-out -- not something to enable
// for an encryption-configuration call).
func (c *Client) addOperationPutBucketEncryptionMiddlewares(stack *middleware.Stack, options Options) (err error) {
	for _, register := range []func() error{
		func() error { return stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After) },
		func() error { return stack.Serialize.Add(&awsRestxml_serializeOpPutBucketEncryption{}, middleware.After) },
		func() error { return stack.Deserialize.Add(&awsRestxml_deserializeOpPutBucketEncryption{}, middleware.After) },
		func() error {
			// The only step whose error is wrapped with context.
			if err := addProtocolFinalizerMiddlewares(stack, options, "PutBucketEncryption"); err != nil {
				return fmt.Errorf("add protocol finalizers: %v", err)
			}
			return nil
		},
		func() error { return addlegacyEndpointContextSetter(stack, options) },
		func() error { return addSetLoggerMiddleware(stack, options) },
		func() error { return addClientRequestID(stack) },
		func() error { return addComputeContentLength(stack) },
		func() error { return addResolveEndpointMiddleware(stack, options) },
		func() error { return addComputePayloadSHA256(stack) },
		func() error { return addRetry(stack, options) },
		func() error { return addRawResponseToMetadata(stack) },
		func() error { return addRecordResponseTiming(stack) },
		func() error { return addSpanRetryLoop(stack, options) },
		func() error { return addClientUserAgent(stack, options) },
		func() error { return smithyhttp.AddErrorCloseResponseBodyMiddleware(stack) },
		func() error { return smithyhttp.AddCloseResponseBodyMiddleware(stack) },
		func() error { return addSetLegacyContextSigningOptionsMiddleware(stack) },
		func() error { return addPutBucketContextMiddleware(stack) },
		func() error { return addTimeOffsetBuild(stack, c) },
		func() error { return addUserAgentRetryMode(stack, options) },
		func() error { return addIsExpressUserAgent(stack) },
		func() error { return addRequestChecksumMetricsTracking(stack, options) },
		func() error { return addCredentialSource(stack, options) },
		func() error { return addOpPutBucketEncryptionValidationMiddleware(stack) },
		func() error {
			return stack.Initialize.Add(newServiceMetadataMiddleware_opPutBucketEncryption(options.Region), middleware.Before)
		},
		func() error { return addMetadataRetrieverMiddleware(stack) },
		func() error { return addRecursionDetection(stack) },
		func() error { return addPutBucketEncryptionInputChecksumMiddlewares(stack, options) },
		func() error { return addPutBucketEncryptionUpdateEndpoint(stack, options) },
		func() error { return addResponseErrorMiddleware(stack) },
		func() error { return v4.AddContentSHA256HeaderMiddleware(stack) },
		func() error { return disableAcceptEncodingGzip(stack) },
		func() error { return addRequestResponseLogging(stack, options) },
		func() error { return addDisableHTTPSMiddleware(stack, options) },
		func() error { return addSerializeImmutableHostnameBucketMiddleware(stack, options) },
		func() error { return s3cust.AddExpressDefaultChecksumMiddleware(stack) },
		func() error { return addSpanInitializeStart(stack) },
		func() error { return addSpanInitializeEnd(stack) },
		func() error { return addSpanBuildRequestStart(stack) },
		func() error { return addSpanBuildRequestEnd(stack) },
	} {
		if err := register(); err != nil {
			return err
		}
	}
	return nil
}
// bucket reports the modeled bucket name and whether one was supplied. A nil
// Bucket yields ("", false); callers must check the flag rather than relying
// on the empty string.
func (v *PutBucketEncryptionInput) bucket() (string, bool) {
	if name := v.Bucket; name != nil {
		return *name, true
	}
	return "", false
}
// newServiceMetadataMiddleware_opPutBucketEncryption builds the Initialize
// middleware that tags the request context with the service ID, operation name
// and signing region used for this call.
func newServiceMetadataMiddleware_opPutBucketEncryption(region string) *awsmiddleware.RegisterServiceMetadata {
	md := awsmiddleware.RegisterServiceMetadata{
		OperationName: "PutBucketEncryption",
		ServiceID:     ServiceID,
		Region:        region,
	}
	return &md
}
// getPutBucketEncryptionRequestAlgorithmMember returns the request checksum
// algorithm named in the input and whether one was set. input must be a
// *PutBucketEncryptionInput; the checksum middleware always passes that type,
// and anything else panics on the assertion.
func getPutBucketEncryptionRequestAlgorithmMember(input interface{}) (string, bool) {
	algorithm := string(input.(*PutBucketEncryptionInput).ChecksumAlgorithm)
	return algorithm, algorithm != ""
}
// addPutBucketEncryptionInputChecksumMiddlewares wires the request-checksum
// middlewares for this operation. The options mark the checksum as required
// (RequireChecksum), so the request body is always accompanied by an integrity
// checksum regardless of the client's RequestChecksumCalculation mode, with
// the algorithm taken from ChecksumAlgorithm when the caller set one. Trailing
// checksums are disabled, while the SHA-256 payload hash (used for SigV4) and
// the decoded content-length header are computed.
func addPutBucketEncryptionInputChecksumMiddlewares(stack *middleware.Stack, options Options) error {
	opts := internalChecksum.InputMiddlewareOptions{
		GetAlgorithm:                     getPutBucketEncryptionRequestAlgorithmMember,
		RequestChecksumCalculation:       options.RequestChecksumCalculation,
		RequireChecksum:                  true,
		EnableTrailingChecksum:           false,
		EnableComputeSHA256PayloadHash:   true,
		EnableDecodedContentLengthHeader: true,
	}
	return addInputChecksumMiddleware(stack, opts)
}
// getPutBucketEncryptionBucketMember returns a pointer to the bucket member of
// the input and a boolean indicating whether a bucket name was modeled on it.
// input must be a *PutBucketEncryptionInput, which is what the endpoint
// customization passes.
func getPutBucketEncryptionBucketMember(input interface{}) (*string, bool) {
	bucket := input.(*PutBucketEncryptionInput).Bucket
	return bucket, bucket != nil
}
// addPutBucketEncryptionUpdateEndpoint registers the S3 endpoint-customization
// middleware for this operation. The bucket accessor lets the customization
// read the bucket name (which may be an access-point or multi-region
// access-point ARN) from the input, and the remaining fields forward the
// client's path-style, Accelerate, ARN-region and MRAP settings. Object Lambda
// is not a valid target for a bucket-level operation, so it is left off.
func addPutBucketEncryptionUpdateEndpoint(stack *middleware.Stack, options Options) error {
	accessor := s3cust.UpdateEndpointParameterAccessor{
		GetBucketFromInput: getPutBucketEncryptionBucketMember,
	}
	cfg := s3cust.UpdateEndpointOptions{
		Accessor:                       accessor,
		UsePathStyle:                   options.UsePathStyle,
		UseAccelerate:                  options.UseAccelerate,
		SupportsAccelerate:             true,
		TargetS3ObjectLambda:           false,
		EndpointResolver:               options.EndpointResolver,
		EndpointResolverOptions:        options.EndpointOptions,
		UseARNRegion:                   options.UseARNRegion,
		DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints,
	}
	return s3cust.UpdateEndpoint(stack, cfg)
}