How can I use boto3 resource to read a KMS encrypted file from S3 bucket?
Below is the snippet that I am using to read a non-encrypted file:

```python
import boto3

# bucket_name and key are defined elsewhere
s3 = boto3.resource('s3')
obj = s3.Object(bucket_name, key)
body = obj.get()['Body'].read()
print(' body = {}'.format(body))
```
There's a helpful answer at "Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?":
"No, you don’t need to specify the AWS KMS key ID when you download an SSE-KMS-encrypted object from an S3 bucket. Instead, you need the permission to decrypt the AWS KMS key."
So, you don't need to provide KMS info on a GetObject request (which is what the boto3 resource-level methods are doing under the covers), unless you're doing CMK. You just need to have permission to access the KMS key for decryption. S3/KMS will do the rest for you.
You can configure the IAM policy associated with the Lambda function’s IAM role per the linked article.
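The following is an added example, not code from the answer above or from the linked AWS article. It sketches a least-privilege policy for the reading role and a read helper that reports which encryption S3 applied and turns an `AccessDenied` into a pointer at the missing permissions. The function names, bucket, prefix, region and key ARN are hypothetical placeholders.

```python
import json


def sse_kms_read_policy(bucket, prefix, kms_key_arn, region):
    """Least-privilege policy for a role that reads SSE-KMS objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::{}/{}*".format(bucket, prefix)},
            # Decrypt with this one key only, and only when S3 calls KMS.
            {"Effect": "Allow", "Action": "kms:Decrypt",
             "Resource": kms_key_arn,
             "Condition": {"StringEquals": {
                 "kms:ViaService": "s3.{}.amazonaws.com".format(region)}}},
        ],
    }


def read_sse_kms_object(obj):
    """Read a boto3 s3.Object; returns (body, encryption, kms_key_id)."""
    try:
        resp = obj.get()  # no KMS arguments: S3 asks KMS to decrypt for us
    except Exception as exc:
        # botocore's ClientError exposes the parsed error as exc.response;
        # duck-typed here so the block imports without boto3 installed.
        error = (getattr(exc, "response", None) or {}).get("Error", {})
        if error.get("Code") == "AccessDenied":
            raise PermissionError(
                "s3://{}/{} denied: role needs s3:GetObject on the object "
                "and kms:Decrypt on its key".format(obj.bucket_name, obj.key)
            ) from exc
        raise
    # "aws:kms" marks SSE-KMS; SSEKMSKeyId names the key that was used.
    return (resp["Body"].read(), resp.get("ServerSideEncryption"),
            resp.get("SSEKMSKeyId"))


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the page.
    print(json.dumps(sse_kms_read_policy(
        "example-bucket", "reports/",
        "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
        "us-east-1"), indent=2))
    # With credentials: read_sse_kms_object(
    #     boto3.resource("s3").Object("example-bucket", "reports/a.csv"))
```

Checking that the returned encryption value is `aws:kms` and that the key ID is the expected one confirms the object was actually protected with the intended key.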