Programmatically unset encryption for a file in aws s3

Question

I'm performing an android build via aws code build. The apk files generated are by default applied with server side encryption (aws-kms) I can unset the encryption manually by clicking as shown below from the s3 bucket by unselecting ASW-KMS

which gives the following popup

Here selecting None option manually will make the link downloadable. I want to achieve this programmatically.

I have already tried adding permissions as mentioned here. Also did experiment a fair bit with python boto3. However didn't meet with any success so far. Thanks in advance!

Answer 1

OK, I got a workaround for this. After the encypted (server side aws-kms) artifact is created and uploaded to s3 (as part of aws code build), create a copy of the file with 'ACL':'public-read'. The following are the steps:

s3 = boto3.resource('s3',aws_access_key_id='<YOUR ACCESS KEY>', aws_secret_access_key='<YOUR SECRET ACCESS KEY>', region_name = 'ap-southeast-1', config=Config(signature_version='s3v4'))

The config=Config(signature_version='s3v4')part is the trick to get access to the encrypted file.

copy_source = {'Bucket': 'SOURCE BUCKET','Key':'test/app-debug.apk'}
s3.meta.client.copy(copy_source, 'DESTINATION BUCKET', 'app-debug.apk', {'ACL':'public-read'})

From S3, you will get a downloadable URL.

Alternatively, you can get a downloadable link directly from the encrypted S3 item without copying it to another bucket. However, the issue is that s3v4 encryption comes with a maximum expiry of 7 days. So the link works at max for only 7 days.The following is the step for the same:

1. s3_client = boto3.client('s3',aws_access_key_id='<YOUR ACCESS KEY>', aws_secret_access_key='<YOUR SECRET KEY>', region_name='ap-southeast-1', config=Config(signature_version='s3v4'))
2. url = s3_client.generate_presigned_url(ClientMethod='get_object', Params={'Bucket':'SOURCE BUCKET', 'Key':'test/app-debug.apk'})