1

I am looking for examples to generate a presigned URL using boto3 and SSE encryption.

Here is my code so far:

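```python
import logging

import boto3
from botocore.exceptions import ClientError


def create_presigned_url(bucket_name, object_name, expiration=3600):
    """Return a presigned PUT URL for the object, or None on error."""
    s3_client = boto3.client('s3',
                             region_name='ap-south-1',
                             # Plain-http endpoint: the presigned URL uses the same scheme.
                             endpoint_url='http://s3.ap-south-1.amazonaws.com',
                             config=boto3.session.Config(signature_version='s3v4'),
                             )
    try:
        response = s3_client.generate_presigned_url('put_object',
                                                    Params={'Bucket': bucket_name,
                                                            'Key': object_name},
                                                    ExpiresIn=expiration)
    except ClientError as e:
        logging.error("In client error exception code")
        logging.error(e)
        return None
    return response
```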

I am struggling to find the right parameters to use SSE encryption. I am able to use a PUT call to upload a file. I would also like to know the headers to use from the client side to adhere to SSE encryption.

John Rotenstein
user2384600
    Hi, did you manage to do it? I have the exact same requirement and am unable to make it work – Pro Aug 09 '20 at 18:54

2 Answers

0
```python
import boto3

access_key = "..."
secret_key = "..."
bucket = "..."
s3 = boto3.client('s3',
                  aws_access_key_id=access_key,
                  aws_secret_access_key=secret_key)


def get_presigned_url(filename):
    """Return a presigned GET URL for the given key in the bucket."""
    return s3.generate_presigned_url(
        ClientMethod='get_object',
        Params={
            'Bucket': bucket,
            'Key': filename,
            'SSECustomerAlgorithm': 'AES256',
        }
    )
```

Also add the header:

`'x-amz-server-side-encryption': 'AES256'`

in the front-end code while calling the presigned URL.

Utkarsh Sharma
-1

You can add Conditions to the pre-signed URL that must be met for the upload to be valid. This could probably include x-amz-server-side-encryption.

See: Creating a POST Policy - Amazon S3

Alternatively, you could add a bucket policy that denies any request that is not encrypted.

See: How to Prevent Uploads of Unencrypted Objects to Amazon S3 | AWS Security Blog

John Rotenstein
  • Should this be sent as part of a header? `x-amz-server-side-encryption` As I am using the PUT option, should this be sent as part of the query string instead? I get the pre-signed URL from the server code shown above. – user2384600 Dec 25 '19 at 07:09
  • I do see this as part of the query string `x-amz-server-side-encryption-customer-algorithm` but I have SSE-S3 enabled on the bucket. – user2384600 Dec 25 '19 at 07:40
  • My only experience is with the code snippet on [Correct S3 Policy For Pre-Signed URLs](https://stackoverflow.com/a/39693952/174777) that creates a pre-signed URL with conditions. – John Rotenstein Dec 25 '19 at 09:40