如何使用 AmazonS3EncryptionClientV2 客户端加密从 AWS S3 存储桶下载对象？

Question

我们在代码中使用 AmazonS3EncryptionClient 与使用客户端加密的 S3 存储桶进行交互。但是在今天更新 nuget 包时，我注意到 AmazonS3EncryptionClient 已被标记为过时。如果我们想获得持续更新，看起来我们将需要使用 AmazonS3EncryptionClientV2。我在尝试从 AmazonS3EncryptionClient 迁移到 AmazonS3EncryptionClientV2 时遇到了这个问题。

在我们的旧代码中，我们使用了将 RegionEnpoint 作为参数的 AmazonS3EncryptionClient 构造函数。见下图。看起来采用 RegionEnpoint 的构造函数已在 AmazonS3EncryptionClientV2 中删除。

用于从 S3 存储桶获取对象的旧代码。

S3BucketConfiguration _s3BucketConfiguration = provider
   .GetService<IOptionsSnapshot<S3BucketConfiguration>>()
   .Value;

var credential = new BasicAWSCredentials(
    _s3BucketConfiguration.AccessKey, _s3BucketConfiguration.SecurityKey);

RegionEndpoint bucketRegion =
    RegionEndpoint.GetBySystemName(_s3BucketConfiguration.Region);

EncryptionMaterials encryptionMaterials = new EncryptionMaterials(_s3BucketConfiguration.KMSKeyId);

var client = new AmazonS3EncryptionClient(credential, bucketRegion, encryptionMaterials);

GetObjectResponse response = await _client.GetObjectAsync(new GetObjectRequest
{
    BucketName = _s3BucketConfig.BucketName,
    Key = filePath
});

我无法在 AmazonS3EncryptionClientV2 中传入 RegionEnpoint。

到目前为止我的代码。

S3BucketConfiguration _s3BucketConfiguration = provider
   .GetService<IOptionsSnapshot<S3BucketConfiguration>>()
   .Value;

var credential = new BasicAWSCredentials(
    _s3BucketConfiguration.AccessKey, _s3BucketConfiguration.SecurityKey);

RegionEndpoint bucketRegion =
    RegionEndpoint.GetBySystemName(_s3BucketConfiguration.Region);

var encryptionMaterials = new EncryptionMaterialsV2(
    _s3BucketConfiguration.KMSKeyId, 
    KmsType.KmsContext, 
    new Dictionary<string, string>()
);

var config = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy);

//If I add this line it will instantiate AmazonS3EncryptionClientV2 but, the GetObject call fails.
//If I do not add this line, it will give me same error while instiantiating AmazonS3EncryptionClientV2
//config.RegionEndpoint = bucketRegion; 

vr client = new AmazonS3EncryptionClientV2(credential, config, encryptionMaterials);

GetObjectResponse response = client.GetObjectAsync(new GetObjectRequest
{
    BucketName = _s3BucketConfig.BucketName,
    Key = filePath,
}).GetAwaiter().GetResult();

例外

No RegionEndpoint or ServiceURL configured

Answer 1

我可以通过RegionEndpoint成功地使用V1加密并使用V2客户端解密。

var configuration = new AmazonS3CryptoConfiguration()
{
    RegionEndpoint = RegionEndpoint.USWest2
};
var material = new EncryptionMaterials(KmsKeyId);
var client = new AmazonS3EncryptionClient(configuration, material);

var putObjectResponse = await client.PutObjectAsync(new PutObjectRequest()
{
    ContentBody = ContentBody,
    BucketName = Bucket,
    Key = Key
});

if (putObjectResponse.HttpStatusCode == System.Net.HttpStatusCode.OK)
{
    var configurationV2 = new AmazonS3CryptoConfigurationV2(SecurityProfile.V2AndLegacy)
    {
        RegionEndpoint = RegionEndpoint.USWest2
    };
    var materialV2 = new EncryptionMaterialsV2(KmsKeyId, KmsType.KmsContext, new Dictionary<string, string>());
    var clientV2 = new AmazonS3EncryptionClientV2(configurationV2, materialV2);

    var getObjectResponse = await clientV2.GetObjectAsync(new GetObjectRequest()
    {
        BucketName = Bucket,
        Key = Key
    });

    using (var reader = new StreamReader(getObjectResponse.ResponseStream))
    {
        Console.WriteLine(reader.ReadToEnd());
    }
}

能否确保在加密和解密过程中使用相同的RegionEndpoint？