7

I'm performing an android build via aws code build. The apk files generated are by default applied with server side encryption (aws-kms). I can unset the encryption manually by clicking as shown below from the s3 bucket by unselecting AWS-KMS.

which gives the following popup

Here selecting None option manually will make the link downloadable. I want to achieve this programmatically.

I have already tried adding permissions as mentioned here. Also did experiment a fair bit with python boto3. However didn't meet with any success so far. Thanks in advance!

ranjjose
  • 1
    Server side encryption settings should not affect the ability to download the file in any way. What is the actual problem you are trying to solve? – Mark B May 28 '17 at 16:22
  • Thanks for the reply. I'm basically trying to do a build automation using aws tools. I'm pretty new to aws. I have experience using jenkins based build automation from github using webhooks. Now, I want to achieve the same using aws. So I created a code build and connected it to code pipeline. I can either trigger the pipeline using an aws lambda function or from boto3 client (this I already did). The idea is to connect another lambda function after the code build stage which will send a mail with the result of the build process along with a downloadable link of the apk generated. (cont'd) – ranjjose May 28 '17 at 16:28
  • 2
    The current issue is that the artifact uploaded into s3 from the aws code build is by default encrypted via aws-kms, and when I click on that link from the s3 bucket, it gives the error with the message, `Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.` – ranjjose May 28 '17 at 16:29
  • 1
    How are you obtaining/generating the link to the file in S3 exactly? – Mark B May 28 '17 at 16:50
  • 1
    I'm not doing anything from my end for uploading the artifact to s3. The file is generated (artifact) as per the buildspec.yml file and will always have the same name and it is stored in a fixed location in S3. The buildspec just says the location of the artifact to be uploaded and in the AWS code-build, I just mention the S3 bucket name. I'm assuming the link which I see in S3 for the uploaded artifact is constant. – ranjjose May 28 '17 at 17:09
  • The URL found at S3 is of the form https://s3-ap-southeast-1.amazonaws.com///app-debug.apk. (It's an android build btw) – ranjjose May 29 '17 at 01:47

1 Answer

1

OK, I got a workaround for this. After the encrypted (server side aws-kms) artifact is created and uploaded to s3 (as part of aws code build), create a copy of the file with 'ACL':'public-read'. The following are the steps:

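```python
import boto3
from botocore.client import Config

# Signature Version 4 is required to read objects encrypted with SSE-KMS
s3 = boto3.resource(
    's3',
    aws_access_key_id='<YOUR ACCESS KEY>',
    aws_secret_access_key='<YOUR SECRET ACCESS KEY>',
    region_name='ap-southeast-1',
    config=Config(signature_version='s3v4'),
)
```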

The `config=Config(signature_version='s3v4')` part is the trick to get access to the encrypted file.

```python
# Copy the encrypted artifact to another bucket with a public-read ACL
copy_source = {'Bucket': 'SOURCE BUCKET', 'Key': 'test/app-debug.apk'}
s3.meta.client.copy(copy_source, 'DESTINATION BUCKET', 'app-debug.apk', {'ACL': 'public-read'})
```

From S3, you will get a downloadable URL.

Alternatively, you can get a downloadable link directly from the encrypted S3 item without copying it to another bucket. However, the issue is that s3v4 encryption comes with a maximum expiry of 7 days. So the link works at max for only 7 days. The following is the step for the same:

```python
import boto3
from botocore.client import Config

s3_client = boto3.client(
    's3',
    aws_access_key_id='<YOUR ACCESS KEY>',
    aws_secret_access_key='<YOUR SECRET KEY>',
    region_name='ap-southeast-1',
    config=Config(signature_version='s3v4'),
)
# No ExpiresIn is passed, so boto3's default of 3600 seconds applies
url = s3_client.generate_presigned_url(
    ClientMethod='get_object',
    Params={'Bucket': 'SOURCE BUCKET', 'Key': 'test/app-debug.apk'},
)
```
ranjjose