
Support encryption using KMS key #153

Closed
justinas-b opened this issue Feb 26, 2024 · 7 comments

Comments

@justinas-b

/feature

Hey! It would be very useful to have support for encryption using a KMS key. Currently on S3 bucket policies we have the controls below implemented:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        }
    ]
}

Even though we could read from S3/volumes, due to this limitation we cannot write to volumes/S3 buckets, as there is no way to explicitly say that the object should be encrypted when writing.

/app # echo "test" > /data/test.txt
sh: write error: I/O error

On the s3-csi-node daemonset I cannot find any related errors, even with increased verbosity.
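The two Deny statements above can be replayed offline to see exactly which one blocks a given upload. The following is an added example (not code from the issue or from the Mountpoint projects): it evaluates the issue's bucket policy against constructed `s3:PutObject` request contexts, then goes one step further than the issue and does the same for a constructed KMS-pinned variant that uses the `s3:x-amz-server-side-encryption-aws-kms-key-id` condition key. The KMS key ARN, the request contexts and the conservative handling of a negated operator on an absent key are assumptions of the example, not something the issue states.

```python
"""Offline replay of the bucket policy quoted in the issue against simulated
s3:PutObject request contexts. Added example, not code from the issue or from
the Mountpoint projects: the first policy is the one in the issue; the
KMS-pinned policy, the key ARN and the request contexts are constructed."""
import fnmatch
import json

# The two Deny statements from the issue (content unchanged, whitespace compacted).
ISSUE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
   "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
  {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}
""")

# Constructed variant that pins uploads to SSE-KMS with one specific key.
# Both condition keys are real S3 condition keys; the key ARN is a placeholder.
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"
KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyNonKmsEncryption", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybucket/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Constructed request contexts: the SSE headers a client sends with PutObject,
# keyed by the S3 condition key they populate.
REQUESTS = {
    "no-sse-header": {},
    "sse-s3 (AES256)": {"s3:x-amz-server-side-encryption": "AES256"},
    "sse-kms, pinned key": {"s3:x-amz-server-side-encryption": "aws:kms",
                            "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN},
    "sse-kms, other key": {"s3:x-amz-server-side-encryption": "aws:kms",
                           "s3:x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"},
}


def condition_matches(condition, ctx):
    """True when every operator/key pair in a Condition block matches ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Null":
                # Null/"true" matches only when the key is absent, "false" only when present.
                if present == (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if not present or ctx[key] != expected:
                    return False
            elif operator == "StringNotEquals":
                # Assumption: a negated operator on an absent key is treated as
                # not matching (the conservative reading). Either way, it is the
                # Null statement that guarantees a missing header is denied.
                if not present or ctx[key] == expected:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def denying_statements(policy, action, resource, ctx):
    """Sids of Deny statements that match the request; an empty list means the
    bucket policy does not block it (identity policies still apply)."""
    hits = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or action not in actions:
            continue
        if not fnmatch.fnmatchcase(resource, st["Resource"]):
            continue
        if condition_matches(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits


def evaluate_all(policy, key="arn:aws:s3:::mybucket/test.txt"):
    """Map each constructed request to the Deny Sids it trips under `policy`."""
    return {name: denying_statements(policy, "s3:PutObject", key, ctx)
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, policy in (("issue policy", ISSUE_POLICY), ("KMS-pinned policy", KMS_POLICY)):
        print(label)
        for name, hits in evaluate_all(policy).items():
            print(f"  {name:22s} -> {'DENY by ' + ', '.join(hits) if hits else 'not denied'}")
```

Under the issue's policy a write that carries no SSE header trips DenyUnEncryptedObjectUploads, which is the EIO seen above, and an SSE-KMS write trips DenyIncorrectEncryptionHeader because the policy only accepts AES256; the KMS-pinned variant shows what the policy would have to look like once the client can set `aws:kms` and a key id.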

@justinas-b (Author)

I see there is awslabs/mountpoint-s3#534 in progress already to add support under mountpoint-s3, though once it is released I guess https://github.com/awslabs/mountpoint-s3-csi-driver will have to be updated.

@justinas-b (Author)

Also, I see awslabs/mountpoint-s3#715 was already merged, but I cannot see the --sse or --sse-kms-key-id flags in v1.4.1:

bash-4.2# mountpoint-s3/bin/mount-s3  --version
mount-s3 1.4.1

I am assuming those features were not released yet?

@jjkr (Contributor) commented Feb 27, 2024

Thank you for the request. That's correct, this feature is still in development in Mountpoint itself, and the issue you linked is the correct place to get updates on the current development. Once Mountpoint is released, the CSI driver will make any necessary changes and release support shortly after.

@vitascherry

@jjkr, hi, sorry for the stupid question here, but do you know when it may be released or in which release it may go? Thanks in advance.

@DugeraProve commented May 9, 2024

@justinas-b, for reading from an S3 bucket with S3 AWS Customer KMS Encryption, were there any specific mount options required to enable you to read from the bucket? I'm having issues reading a simple file. The S3 bucket is mounted successfully and I can see all the folders and files, but when I go to read (cat, more, tail, vi) a simple text file I get an Input/output error. I see that reading files was reported as an issue here also: #194

@dannycjones (Contributor)

> for reading from an S3 Bucket with S3 AWS Customer KMS Encryption, was there any specific mountoptions required to enable you to read from the Bucket. I'm having issues reading a simple file. The S3 bucket is mounted successfully and I can see all the folders and files but when I go to read(cat, more, tail, vi) a simple text file I get an Input/output error. I see that reading files was reported as an issue here also #194

@DugeraProve there should be no configuration required outside of permissions to ensure you can decrypt using the key. This is how KMS encryption has worked since before the KMS configuration feature (awslabs/mountpoint-s3#534) in this ticket. If you're seeing EIO, you should find more information in Mountpoint's logs. I expect that it may be because the role the CSI driver is using does not have kms:Decrypt permission.

If you are still blocked, please do open a new issue: https://github.com/awslabs/mountpoint-s3-csi-driver/issues/new/choose
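The kms:Decrypt hint above can be turned into a quick static check before digging through Mountpoint's logs. The following is an added example, not code from the issue or the CSI driver: it walks a role's IAM identity policy and reports which of the KMS grants needed for SSE-KMS reads and writes are missing on a given key. The role policies and the key ARN are constructed, and only the identity-policy half of the decision is modelled (the key policy, SCPs, permission boundaries and Condition blocks are out of scope).

```python
"""Static check of an IAM identity policy for the KMS grants Mountpoint needs
on SSE-KMS objects. Added example, not from the issue or the CSI driver: the
role policies and the key ARN are constructed. Only the identity-policy half
of the decision is modelled; the key policy must also allow the role, and
SCPs, permission boundaries and Condition blocks are not evaluated."""
import fnmatch

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

# Constructed: a role that can list and read the bucket but was never given KMS access.
ROLE_POLICY_MISSING_KMS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Read", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}]}

# Constructed: the same role with the grants needed to read and write SSE-KMS objects.
ROLE_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    ROLE_POLICY_MISSING_KMS["Statement"][0],
    {"Sid": "S3Write", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Sid": "KmsForSse", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN}]}

# What S3 calls on the caller's behalf: Decrypt to read SSE-KMS objects,
# GenerateDataKey (plus Decrypt for multipart uploads) to write them.
REQUIRED = {"read": ["kms:Decrypt"], "write": ["kms:Decrypt", "kms:GenerateDataKey"]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(pattern, action):
    # IAM action names are matched case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs are case-sensitive; same wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def decide(policy, action, resource):
    """Return ("deny" | "allow" | "implicit-deny", sid) for one action on one
    resource. An explicit Deny wins over any Allow; statements with Condition,
    NotAction or NotResource are skipped by this static check."""
    decision, sid = "implicit-deny", None
    for st in policy["Statement"]:
        if "Condition" in st or "NotAction" in st or "NotResource" in st:
            continue
        if not any(_action_matches(p, action) for p in _as_list(st["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(st.get("Resource", "*"))):
            continue
        if st["Effect"] == "Deny":
            return "deny", st.get("Sid")
        decision, sid = "allow", st.get("Sid")
    return decision, sid


def missing_kms_grants(policy, key_arn, mode="read"):
    """List the KMS actions on key_arn that the policy does not allow for `mode`."""
    return [a for a in REQUIRED[mode] if decide(policy, a, key_arn)[0] != "allow"]


if __name__ == "__main__":
    for name, pol in (("missing-kms", ROLE_POLICY_MISSING_KMS), ("fixed", ROLE_POLICY_FIXED)):
        for mode in ("read", "write"):
            gaps = missing_kms_grants(pol, KEY_ARN, mode)
            print(f"{name:12s} {mode:5s} -> {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

A missing kms:Decrypt shows up here as the implicit deny that S3 turns into the Input/output error reported above. The key policy still has to grant the same role, so a clean result from this check is necessary but not sufficient; the authoritative answer is in Mountpoint's logs, as noted in the reply.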

@dannycjones (Contributor) commented May 9, 2024

CSI Driver v1.6.0 release contained the new feature allowing specific encryption modes and KMS key IDs to be specified outside of the bucket default: https://github.com/awslabs/mountpoint-s3-csi-driver/releases/tag/v1.6.0

There's a new example added for showing a static provisioning using KMS keys when uploading new objects: https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/examples/kubernetes/static_provisioning/kms_sse.yaml

Closing this, the feature is now available!
