/** * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key, and allows Decrypt for the given key ID. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * @param awsKmsKeyId - The KMS key ID to allow access * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createDownloaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject).withKms(awsKmsKeyId, KmsActions.DECRYPT).build(); }
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createUploaderPolicyNoKmsKey(String s3BucketName, String s3Key) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject).build(); }
AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3ObjectKey, S3Actions.GetObject); awsPolicyBuilder.withKms(storageKmsKeyId.trim(), KmsActions.DECRYPT);
/**
 * Requests temporary security credentials for downloading from external storage. The credentials are limited by the policy built from the supplied
 * builder, so they are only as restrictive as the permissions already added to it; the role ARN and session duration are taken from the storage entity.
 *
 * @param storageEntity The storage entity of the external storage.
 * @param sessionName The session name to use for the temporary credentials.
 * @param awsPolicyBuilder The AWS policy builder whose built policy scopes the credentials.
 *
 * @return {@link Credentials} temporary session token
 */
private Credentials getDownloaderCredentials(StorageEntity storageEntity, String sessionName, AwsPolicyBuilder awsPolicyBuilder)
{
    // Materialize the session policy up front; STS applies it as the ceiling on what the role's credentials may do.
    Policy downloadPolicy = awsPolicyBuilder.build();
    return stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), sessionName, getStorageDownloadRoleArn(storageEntity),
        getStorageDownloadSessionDuration(storageEntity), downloadPolicy);
}
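/**
 * Adds a permission to allow the specified actions on every object under the given bucket and s3 key prefix. The prefix is turned into the key pattern
 * {@code prefix + "/*"} and passed to {@link #withS3(String, String, S3Actions...)}, so the grant covers all objects whose key starts with the prefix
 * followed by a slash.
 *
 * @param bucketName S3 Bucket name
 * @param prefix S3 Object key prefix, without a trailing slash
 * @param actions List of actions to allow
 *
 * @return This builder
 * @throws IllegalArgumentException if prefix is null; plain concatenation would otherwise silently produce the literal key pattern "null/*"
 */
public AwsPolicyBuilder withS3Prefix(String bucketName, String prefix, S3Actions... actions)
{
    // Fail loudly instead of emitting a policy statement for the bogus resource "null/*".
    if (prefix == null)
    {
        throw new IllegalArgumentException("prefix must not be null");
    }
    return withS3(bucketName, prefix + "/*", actions);
}
}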
@SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createUploaderPolicyNoKmsKey(String s3BucketName, String s3Key) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject).build(); }
AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3(s3BucketName, s3ObjectKey, S3Actions.GetObject); awsPolicyBuilder.withKms(storageKmsKeyId.trim(), KmsActions.DECRYPT);
/**
 * Requests temporary security credentials for downloading from external storage. The credentials are limited by the policy built from the supplied
 * builder, so they are only as restrictive as the permissions already added to it; the role ARN and session duration are taken from the storage entity.
 *
 * @param storageEntity The storage entity of the external storage.
 * @param sessionName The session name to use for the temporary credentials.
 * @param awsPolicyBuilder The AWS policy builder whose built policy scopes the credentials.
 *
 * @return {@link Credentials} temporary session token
 */
private Credentials getDownloaderCredentials(StorageEntity storageEntity, String sessionName, AwsPolicyBuilder awsPolicyBuilder)
{
    // Materialize the session policy up front; STS applies it as the ceiling on what the role's credentials may do.
    Policy downloadPolicy = awsPolicyBuilder.build();
    return stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), sessionName, getStorageDownloadRoleArn(storageEntity),
        getStorageDownloadSessionDuration(storageEntity), downloadPolicy);
}
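/**
 * Adds a permission to allow the specified actions on every object under the given bucket and s3 key prefix. The prefix is turned into the key pattern
 * {@code prefix + "/*"} and passed to {@link #withS3(String, String, S3Actions...)}, so the grant covers all objects whose key starts with the prefix
 * followed by a slash.
 *
 * @param bucketName S3 Bucket name
 * @param prefix S3 Object key prefix, without a trailing slash
 * @param actions List of actions to allow
 *
 * @return This builder
 * @throws IllegalArgumentException if prefix is null; plain concatenation would otherwise silently produce the literal key pattern "null/*"
 */
public AwsPolicyBuilder withS3Prefix(String bucketName, String prefix, S3Actions... actions)
{
    // Fail loudly instead of emitting a policy statement for the bogus resource "null/*".
    if (prefix == null)
    {
        throw new IllegalArgumentException("prefix must not be null");
    }
    return withS3(bucketName, prefix + "/*", actions);
}
}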
/** * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key, and allows Decrypt for the given key ID. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * @param awsKmsKeyId - The KMS key ID to allow access * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createDownloaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject).withKms(awsKmsKeyId, KmsActions.DECRYPT).build(); }
/** * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key, and allows Decrypt for the given key ID. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createDownloaderPolicy(String s3BucketName, String s3Key) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject).build(); }
/** * Creates a restricted policy JSON string which only allows PutObject to the given bucket name and object key, and allows GenerateDataKey and Decrypt for * the given key ID. The Decrypt is required for multipart upload with KMS encryption. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * @param awsKmsKeyId - The KMS key ID to allow access * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createUploaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject).withKms(awsKmsKeyId, KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT) .build(); }
/** * Creates a restricted policy JSON string which only allows GetObject to the given bucket name and object key, and allows Decrypt for the given key ID. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createDownloaderPolicy(String s3BucketName, String s3Key) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.GetObject).build(); }
/** * Creates a restricted policy JSON string which only allows PutObject to the given bucket name and object key, and allows GenerateDataKey and Decrypt for * the given key ID. The Decrypt is required for multipart upload with KMS encryption. * * @param s3BucketName - The S3 bucket name to restrict uploads to * @param s3Key - The S3 object key to restrict the uploads to * @param awsKmsKeyId - The KMS key ID to allow access * * @return the policy JSON string */ @SuppressWarnings("PMD.CloseResource") // These are not SQL statements so they don't need to be closed. private Policy createUploaderPolicy(String s3BucketName, String s3Key, String awsKmsKeyId) { return new AwsPolicyBuilder().withS3(s3BucketName, s3Key, S3Actions.PutObject).withKms(awsKmsKeyId, KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT) .build(); }
new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects); if (kmsKeyId != null) awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions); .getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());
new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects); if (kmsKeyId != null) awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions); .getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());