aws-sdk-s3 1.159.0 → 1.163.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/bucket.rb +120 -43
- data/lib/aws-sdk-s3/client.rb +1105 -389
- data/lib/aws-sdk-s3/client_api.rb +8 -0
- data/lib/aws-sdk-s3/endpoints.rb +99 -396
- data/lib/aws-sdk-s3/object.rb +336 -129
- data/lib/aws-sdk-s3/object_summary.rb +324 -109
- data/lib/aws-sdk-s3/object_version.rb +14 -8
- data/lib/aws-sdk-s3/plugins/endpoints.rb +10 -1
- data/lib/aws-sdk-s3/types.rb +644 -306
- data/lib/aws-sdk-s3.rb +1 -1
- data/sig/client.rbs +10 -1
- data/sig/resource.rbs +1 -0
- data/sig/types.rbs +10 -2
- metadata +4 -4
data/lib/aws-sdk-s3/client.rb
CHANGED
@@ -32,6 +32,7 @@ require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
|
32
32
|
require 'aws-sdk-core/plugins/request_compression.rb'
|
33
33
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
34
34
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
35
|
+
require 'aws-sdk-core/plugins/telemetry.rb'
|
35
36
|
require 'aws-sdk-core/plugins/sign.rb'
|
36
37
|
require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
|
37
38
|
require 'aws-sdk-s3/plugins/accelerate.rb'
|
@@ -104,6 +105,7 @@ module Aws::S3
|
|
104
105
|
add_plugin(Aws::Plugins::RequestCompression)
|
105
106
|
add_plugin(Aws::Plugins::DefaultsMode)
|
106
107
|
add_plugin(Aws::Plugins::RecursionDetection)
|
108
|
+
add_plugin(Aws::Plugins::Telemetry)
|
107
109
|
add_plugin(Aws::Plugins::Sign)
|
108
110
|
add_plugin(Aws::Plugins::Protocols::RestXml)
|
109
111
|
add_plugin(Aws::S3::Plugins::Accelerate)
|
@@ -432,6 +434,16 @@ module Aws::S3
|
|
432
434
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
433
435
|
# requests are made, and retries are disabled.
|
434
436
|
#
|
437
|
+
# @option options [Aws::Telemetry::TelemetryProviderBase] :telemetry_provider (Aws::Telemetry::NoOpTelemetryProvider)
|
438
|
+
# Allows you to provide a telemetry provider, which is used to
|
439
|
+
# emit telemetry data. By default, uses `NoOpTelemetryProvider` which
|
440
|
+
# will not record or emit any telemetry data. The SDK supports the
|
441
|
+
# following telemetry providers:
|
442
|
+
#
|
443
|
+
# * OpenTelemetry (OTel) - To use the OTel provider, install and require the
|
444
|
+
# `opentelemetry-sdk` gem and then, pass in an instance of a
|
445
|
+
# `Aws::Telemetry::OTelProvider` for telemetry provider.
|
446
|
+
#
|
435
447
|
# @option options [Aws::TokenProvider] :token_provider
|
436
448
|
# A Bearer Token Provider. This can be an instance of any one of the
|
437
449
|
# following classes:
|
@@ -520,6 +532,12 @@ module Aws::S3
|
|
520
532
|
# @option options [String] :ssl_ca_store
|
521
533
|
# Sets the X509::Store to verify peer certificate.
|
522
534
|
#
|
535
|
+
# @option options [OpenSSL::X509::Certificate] :ssl_cert
|
536
|
+
# Sets a client certificate when creating http connections.
|
537
|
+
#
|
538
|
+
# @option options [OpenSSL::PKey] :ssl_key
|
539
|
+
# Sets a client key when creating http connections.
|
540
|
+
#
|
523
541
|
# @option options [Float] :ssl_timeout
|
524
542
|
# Sets the SSL timeout in seconds
|
525
543
|
#
|
@@ -782,9 +800,15 @@ module Aws::S3
|
|
782
800
|
# [Multipart Upload and Permissions][6] in the *Amazon S3 User
|
783
801
|
# Guide*.
|
784
802
|
#
|
803
|
+
# If you provide an [additional checksum value][7] in your
|
804
|
+
# `MultipartUpload` requests and the object is encrypted with Key
|
805
|
+
# Management Service, you must have permission to use the
|
806
|
+
# `kms:Decrypt` action for the `CompleteMultipartUpload` request to
|
807
|
+
# succeed.
|
808
|
+
#
|
785
809
|
# * **Directory bucket permissions** - To grant access to this API
|
786
810
|
# operation on a directory bucket, we recommend that you use the [
|
787
|
-
# `CreateSession` ][
|
811
|
+
# `CreateSession` ][8] API operation for session-based
|
788
812
|
# authorization. Specifically, you grant the
|
789
813
|
# `s3express:CreateSession` permission to the directory bucket in a
|
790
814
|
# bucket policy or an IAM identity-based policy. Then, you make the
|
@@ -795,13 +819,11 @@ module Aws::S3
|
|
795
819
|
# token for use. Amazon Web Services CLI or SDKs create session and
|
796
820
|
# refresh the session token automatically to avoid service
|
797
821
|
# interruptions when a session expires. For more information about
|
798
|
-
# authorization, see [ `CreateSession` ][
|
822
|
+
# authorization, see [ `CreateSession` ][8].
|
799
823
|
#
|
800
|
-
#
|
801
|
-
# `
|
802
|
-
#
|
803
|
-
# `kms:Decrypt` action for the `CompleteMultipartUpload` request to
|
804
|
-
# succeed.
|
824
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
825
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
826
|
+
# identity-based policies and KMS key policies for the KMS key.
|
805
827
|
#
|
806
828
|
# Special errors
|
807
829
|
# : * Error Code: `EntityTooSmall`
|
@@ -860,8 +882,8 @@ module Aws::S3
|
|
860
882
|
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
|
861
883
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
|
862
884
|
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuAndPermissions.html
|
863
|
-
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
864
|
-
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
885
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Checksum.html
|
886
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
|
865
887
|
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
|
866
888
|
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
|
867
889
|
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
|
@@ -1247,6 +1269,10 @@ module Aws::S3
|
|
1247
1269
|
# destination. The `s3express:SessionMode` condition key can't be
|
1248
1270
|
# set to `ReadOnly` on the copy destination bucket.
|
1249
1271
|
#
|
1272
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
1273
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
1274
|
+
# identity-based policies and KMS key policies for the KMS key.
|
1275
|
+
#
|
1250
1276
|
# For example policies, see [Example bucket policies for S3 Express
|
1251
1277
|
# One Zone][6] and [Amazon Web Services Identity and Access
|
1252
1278
|
# Management (IAM) identity-based policies for S3 Express One
|
@@ -1693,9 +1719,8 @@ module Aws::S3
|
|
1693
1719
|
#
|
1694
1720
|
# @option params [String] :server_side_encryption
|
1695
1721
|
# The server-side encryption algorithm used when storing this object in
|
1696
|
-
# Amazon S3
|
1697
|
-
#
|
1698
|
-
# and will receive a `400 Bad Request` response.
|
1722
|
+
# Amazon S3. Unrecognized or unsupported values won’t write a
|
1723
|
+
# destination object and will receive a `400 Bad Request` response.
|
1699
1724
|
#
|
1700
1725
|
# Amazon S3 automatically encrypts all new objects that are copied to an
|
1701
1726
|
# S3 bucket. When copying an object, if you don't specify encryption
|
@@ -1703,35 +1728,72 @@ module Aws::S3
|
|
1703
1728
|
# object is set to the default encryption configuration of the
|
1704
1729
|
# destination bucket. By default, all buckets have a base level of
|
1705
1730
|
# encryption configuration that uses server-side encryption with Amazon
|
1706
|
-
# S3 managed keys (SSE-S3). If the destination bucket has a
|
1707
|
-
# encryption configuration
|
1708
|
-
#
|
1709
|
-
# encryption with Amazon Web Services KMS keys (DSSE-KMS), or
|
1710
|
-
# server-side encryption with customer-provided encryption keys (SSE-C),
|
1711
|
-
# Amazon S3 uses the corresponding KMS key, or a customer-provided key
|
1712
|
-
# to encrypt the target object copy.
|
1713
|
-
#
|
1714
|
-
# When you perform a `CopyObject` operation, if you want to use a
|
1715
|
-
# different type of encryption setting for the target object, you can
|
1716
|
-
# specify appropriate encryption-related headers to encrypt the target
|
1717
|
-
# object with an Amazon S3 managed key, a KMS key, or a
|
1718
|
-
# customer-provided key. If the encryption setting in your request is
|
1719
|
-
# different from the default encryption configuration of the destination
|
1720
|
-
# bucket, the encryption setting in your request takes precedence.
|
1731
|
+
# S3 managed keys (SSE-S3). If the destination bucket has a different
|
1732
|
+
# default encryption configuration, Amazon S3 uses the corresponding
|
1733
|
+
# encryption key to encrypt the target object copy.
|
1721
1734
|
#
|
1722
1735
|
# With server-side encryption, Amazon S3 encrypts your data as it writes
|
1723
1736
|
# your data to disks in its data centers and decrypts the data when you
|
1724
1737
|
# access it. For more information about server-side encryption, see
|
1725
1738
|
# [Using Server-Side Encryption][1] in the *Amazon S3 User Guide*.
|
1726
1739
|
#
|
1727
|
-
# <
|
1728
|
-
#
|
1729
|
-
#
|
1730
|
-
#
|
1740
|
+
# <b>General purpose buckets </b>
|
1741
|
+
#
|
1742
|
+
# * For general purpose buckets, there are the following supported
|
1743
|
+
# options for server-side encryption: server-side encryption with Key
|
1744
|
+
# Management Service (KMS) keys (SSE-KMS), dual-layer server-side
|
1745
|
+
# encryption with Amazon Web Services KMS keys (DSSE-KMS), and
|
1746
|
+
# server-side encryption with customer-provided encryption keys
|
1747
|
+
# (SSE-C). Amazon S3 uses the corresponding KMS key, or a
|
1748
|
+
# customer-provided key to encrypt the target object copy.
|
1749
|
+
#
|
1750
|
+
# * When you perform a `CopyObject` operation, if you want to use a
|
1751
|
+
# different type of encryption setting for the target object, you can
|
1752
|
+
# specify appropriate encryption-related headers to encrypt the target
|
1753
|
+
# object with an Amazon S3 managed key, a KMS key, or a
|
1754
|
+
# customer-provided key. If the encryption setting in your request is
|
1755
|
+
# different from the default encryption configuration of the
|
1756
|
+
# destination bucket, the encryption setting in your request takes
|
1757
|
+
# precedence.
|
1758
|
+
#
|
1759
|
+
# <b>Directory buckets </b>
|
1760
|
+
#
|
1761
|
+
# * For directory buckets, there are only two supported options for
|
1762
|
+
# server-side encryption: server-side encryption with Amazon S3
|
1763
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
|
1764
|
+
# keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
|
1765
|
+
# encryption uses the desired encryption configuration and you don't
|
1766
|
+
# override the bucket default encryption in your `CreateSession`
|
1767
|
+
# requests or `PUT` object requests. Then, new objects are
|
1768
|
+
# automatically encrypted with the desired encryption settings. For
|
1769
|
+
# more information, see [Protecting data with server-side
|
1770
|
+
# encryption][2] in the *Amazon S3 User Guide*. For more information
|
1771
|
+
# about the encryption overriding behaviors in directory buckets, see
|
1772
|
+
# [Specifying server-side encryption with KMS for new object
|
1773
|
+
# uploads][3].
|
1774
|
+
#
|
1775
|
+
# * To encrypt new object copies to a directory bucket with SSE-KMS, we
|
1776
|
+
# recommend you specify SSE-KMS as the directory bucket's default
|
1777
|
+
# encryption configuration with a KMS key (specifically, a [customer
|
1778
|
+
# managed key][4]). [Amazon Web Services managed key][5] (`aws/s3`)
|
1779
|
+
# isn't supported. Your SSE-KMS configuration can only support 1
|
1780
|
+
# [customer managed key][4] per directory bucket for the lifetime of
|
1781
|
+
# the bucket. After you specify a customer managed key for SSE-KMS,
|
1782
|
+
# you can't override the customer managed key for the bucket's
|
1783
|
+
# SSE-KMS configuration. Then, when you perform a `CopyObject`
|
1784
|
+
# operation and want to specify server-side encryption settings for
|
1785
|
+
# new object copies with SSE-KMS in the encryption-related request
|
1786
|
+
# headers, you must ensure the encryption key is the same customer
|
1787
|
+
# managed key that you specified for the directory bucket's default
|
1788
|
+
# encryption configuration.
|
1731
1789
|
#
|
1732
1790
|
#
|
1733
1791
|
#
|
1734
1792
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
|
1793
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
1794
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
1795
|
+
# [4]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1796
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1735
1797
|
#
|
1736
1798
|
# @option params [String] :storage_class
|
1737
1799
|
# If the `x-amz-storage-class` header is not used, the copied object
|
@@ -1828,33 +1890,51 @@ module Aws::S3
|
|
1828
1890
|
# </note>
|
1829
1891
|
#
|
1830
1892
|
# @option params [String] :ssekms_key_id
|
1831
|
-
# Specifies the KMS ID (Key ID, Key ARN, or Key Alias) to use for
|
1832
|
-
# encryption. All GET and PUT requests for an object protected by
|
1833
|
-
# will fail if they're not made via SSL or using SigV4. For
|
1834
|
-
# about configuring any of the officially supported Amazon
|
1835
|
-
# SDKs and Amazon Web Services CLI, see [Specifying the
|
1836
|
-
# Version in Request Authentication][1] in the *Amazon S3 User
|
1893
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
1894
|
+
# object encryption. All GET and PUT requests for an object protected by
|
1895
|
+
# KMS will fail if they're not made via SSL or using SigV4. For
|
1896
|
+
# information about configuring any of the officially supported Amazon
|
1897
|
+
# Web Services SDKs and Amazon Web Services CLI, see [Specifying the
|
1898
|
+
# Signature Version in Request Authentication][1] in the *Amazon S3 User
|
1899
|
+
# Guide*.
|
1837
1900
|
#
|
1838
|
-
#
|
1839
|
-
#
|
1840
|
-
#
|
1841
|
-
#
|
1901
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
1902
|
+
# with `aws:kms`, you must specify the `
|
1903
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
1904
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
1905
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
1906
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
1907
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
1908
|
+
# managed key][2] per directory bucket for the lifetime of the bucket.
|
1909
|
+
# [Amazon Web Services managed key][3] (`aws/s3`) isn't supported.
|
1842
1910
|
#
|
1843
1911
|
#
|
1844
1912
|
#
|
1845
1913
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
1914
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
1915
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
1846
1916
|
#
|
1847
1917
|
# @option params [String] :ssekms_encryption_context
|
1848
|
-
# Specifies the Amazon Web Services KMS Encryption Context
|
1849
|
-
#
|
1850
|
-
#
|
1851
|
-
#
|
1852
|
-
# `CopyObject` requests.
|
1918
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
1919
|
+
# additional encryption context to use for the destination object
|
1920
|
+
# encryption. The value of this header is a base64-encoded UTF-8 string
|
1921
|
+
# holding JSON with the encryption context key-value pairs.
|
1853
1922
|
#
|
1854
|
-
#
|
1855
|
-
#
|
1923
|
+
# **General purpose buckets** - This value must be explicitly added to
|
1924
|
+
# specify encryption context for `CopyObject` requests if you want an
|
1925
|
+
# additional encryption context for your destination object. The
|
1926
|
+
# additional encryption context of the source object won't be copied to
|
1927
|
+
# the destination object. For more information, see [Encryption
|
1928
|
+
# context][1] in the *Amazon S3 User Guide*.
|
1856
1929
|
#
|
1857
|
-
#
|
1930
|
+
# **Directory buckets** - You can optionally provide an explicit
|
1931
|
+
# encryption context value. The value must match the default encryption
|
1932
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
1933
|
+
# encryption context value is not supported.
|
1934
|
+
#
|
1935
|
+
#
|
1936
|
+
#
|
1937
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
1858
1938
|
#
|
1859
1939
|
# @option params [Boolean] :bucket_key_enabled
|
1860
1940
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
@@ -1869,14 +1949,19 @@ module Aws::S3
|
|
1869
1949
|
# For more information, see [Amazon S3 Bucket Keys][1] in the *Amazon S3
|
1870
1950
|
# User Guide*.
|
1871
1951
|
#
|
1872
|
-
# <note markdown="1">
|
1873
|
-
#
|
1952
|
+
# <note markdown="1"> **Directory buckets** - S3 Bucket Keys aren't supported, when you
|
1953
|
+
# copy SSE-KMS encrypted objects from general purpose buckets to
|
1954
|
+
# directory buckets, from directory buckets to general purpose buckets,
|
1955
|
+
# or between directory buckets, through [CopyObject][2]. In this case,
|
1956
|
+
# Amazon S3 makes a call to KMS every time a copy request is made for a
|
1957
|
+
# KMS-encrypted object.
|
1874
1958
|
#
|
1875
1959
|
# </note>
|
1876
1960
|
#
|
1877
1961
|
#
|
1878
1962
|
#
|
1879
1963
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
1964
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
1880
1965
|
#
|
1881
1966
|
# @option params [String] :copy_source_sse_customer_algorithm
|
1882
1967
|
# Specifies the algorithm to use when decrypting the source object (for
|
@@ -2618,9 +2703,53 @@ module Aws::S3
|
|
2618
2703
|
# using server-side encryption with customer-provided encryption
|
2619
2704
|
# keys (SSE-C)][11] in the *Amazon S3 User Guide*.
|
2620
2705
|
#
|
2621
|
-
# * **Directory buckets** -For directory buckets, only
|
2622
|
-
#
|
2623
|
-
#
|
2706
|
+
# * **Directory buckets** - For directory buckets, there are only two
|
2707
|
+
# supported options for server-side encryption: server-side
|
2708
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
2709
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
2710
|
+
# recommend that the bucket's default encryption uses the desired
|
2711
|
+
# encryption configuration and you don't override the bucket
|
2712
|
+
# default encryption in your `CreateSession` requests or `PUT`
|
2713
|
+
# object requests. Then, new objects are automatically encrypted
|
2714
|
+
# with the desired encryption settings. For more information, see
|
2715
|
+
# [Protecting data with server-side encryption][12] in the *Amazon
|
2716
|
+
# S3 User Guide*. For more information about the encryption
|
2717
|
+
# overriding behaviors in directory buckets, see [Specifying
|
2718
|
+
# server-side encryption with KMS for new object uploads][13].
|
2719
|
+
#
|
2720
|
+
# In the Zonal endpoint API calls (except [CopyObject][14] and
|
2721
|
+
# [UploadPartCopy][9]) using the REST API, the encryption request
|
2722
|
+
# headers must match the encryption settings that are specified in
|
2723
|
+
# the `CreateSession` request. You can't override the values of the
|
2724
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
2725
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
2726
|
+
# `x-amz-server-side-encryption-context`, and
|
2727
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
2728
|
+
# specified in the `CreateSession` request. You don't need to
|
2729
|
+
# explicitly specify these encryption settings values in Zonal
|
2730
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
2731
|
+
# values from the `CreateSession` request to protect new objects in
|
2732
|
+
# the directory bucket.
|
2733
|
+
#
|
2734
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
2735
|
+
# `CreateSession`, the session token refreshes automatically to
|
2736
|
+
# avoid service interruptions when a session expires. The CLI or the
|
2737
|
+
# Amazon Web Services SDKs use the bucket's default encryption
|
2738
|
+
# configuration for the `CreateSession` request. It's not supported
|
2739
|
+
# to override the encryption settings values in the `CreateSession`
|
2740
|
+
# request. So in the Zonal endpoint API calls (except
|
2741
|
+
# [CopyObject][14] and [UploadPartCopy][9]), the encryption request
|
2742
|
+
# headers must match the default encryption configuration of the
|
2743
|
+
# directory bucket.
|
2744
|
+
#
|
2745
|
+
# </note>
|
2746
|
+
#
|
2747
|
+
# <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
|
2748
|
+
# operation and an `UploadPartCopy` operation, the request headers
|
2749
|
+
# you provide in the `CreateMultipartUpload` request must match the
|
2750
|
+
# default encryption configuration of the destination bucket.
|
2751
|
+
#
|
2752
|
+
# </note>
|
2624
2753
|
#
|
2625
2754
|
# HTTP Host header syntax
|
2626
2755
|
#
|
@@ -2631,13 +2760,13 @@ module Aws::S3
|
|
2631
2760
|
#
|
2632
2761
|
# * [UploadPart][1]
|
2633
2762
|
#
|
2634
|
-
# * [CompleteMultipartUpload][
|
2763
|
+
# * [CompleteMultipartUpload][15]
|
2635
2764
|
#
|
2636
|
-
# * [AbortMultipartUpload][
|
2765
|
+
# * [AbortMultipartUpload][16]
|
2637
2766
|
#
|
2638
|
-
# * [ListParts][
|
2767
|
+
# * [ListParts][17]
|
2639
2768
|
#
|
2640
|
-
# * [ListMultipartUploads][
|
2769
|
+
# * [ListMultipartUploads][18]
|
2641
2770
|
#
|
2642
2771
|
#
|
2643
2772
|
#
|
@@ -2652,10 +2781,13 @@ module Aws::S3
|
|
2652
2781
|
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
2653
2782
|
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
2654
2783
|
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
|
2655
|
-
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/
|
2656
|
-
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/
|
2657
|
-
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
2658
|
-
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
2784
|
+
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
2785
|
+
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
2786
|
+
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
2787
|
+
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
|
2788
|
+
# [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
|
2789
|
+
# [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
|
2790
|
+
# [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
|
2659
2791
|
#
|
2660
2792
|
# @option params [String] :acl
|
2661
2793
|
# The canned ACL to apply to the object. Amazon S3 supports a set of
|
@@ -3018,10 +3150,52 @@ module Aws::S3
|
|
3018
3150
|
# The server-side encryption algorithm used when you store this object
|
3019
3151
|
# in Amazon S3 (for example, `AES256`, `aws:kms`).
|
3020
3152
|
#
|
3021
|
-
# <
|
3022
|
-
#
|
3153
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
3154
|
+
# two supported options for server-side encryption: server-side
|
3155
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
3156
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
3157
|
+
# recommend that the bucket's default encryption uses the desired
|
3158
|
+
# encryption configuration and you don't override the bucket default
|
3159
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
3160
|
+
# requests. Then, new objects are automatically encrypted with the
|
3161
|
+
# desired encryption settings. For more information, see [Protecting
|
3162
|
+
# data with server-side encryption][1] in the *Amazon S3 User Guide*.
|
3163
|
+
# For more information about the encryption overriding behaviors in
|
3164
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
3165
|
+
# for new object uploads][2].
|
3166
|
+
#
|
3167
|
+
# In the Zonal endpoint API calls (except [CopyObject][3] and
|
3168
|
+
# [UploadPartCopy][4]) using the REST API, the encryption request
|
3169
|
+
# headers must match the encryption settings that are specified in the
|
3170
|
+
# `CreateSession` request. You can't override the values of the
|
3171
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
3172
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
3173
|
+
# `x-amz-server-side-encryption-context`, and
|
3174
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
3175
|
+
# specified in the `CreateSession` request. You don't need to
|
3176
|
+
# explicitly specify these encryption settings values in Zonal
|
3177
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
3178
|
+
# values from the `CreateSession` request to protect new objects in
|
3179
|
+
# the directory bucket.
|
3180
|
+
#
|
3181
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
3182
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
3183
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
3184
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
3185
|
+
# for the `CreateSession` request. It's not supported to override the
|
3186
|
+
# encryption settings values in the `CreateSession` request. So in the
|
3187
|
+
# Zonal endpoint API calls (except [CopyObject][3] and
|
3188
|
+
# [UploadPartCopy][4]), the encryption request headers must match the
|
3189
|
+
# default encryption configuration of the directory bucket.
|
3023
3190
|
#
|
3024
|
-
#
|
3191
|
+
# </note>
|
3192
|
+
#
|
3193
|
+
#
|
3194
|
+
#
|
3195
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
3196
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
3197
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3198
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3025
3199
|
#
|
3026
3200
|
# @option params [String] :storage_class
|
3027
3201
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
@@ -3080,34 +3254,71 @@ module Aws::S3
|
|
3080
3254
|
# </note>
|
3081
3255
|
#
|
3082
3256
|
# @option params [String] :ssekms_key_id
|
3083
|
-
# Specifies the ID (Key ID, Key ARN, or Key Alias)
|
3084
|
-
# encryption
|
3085
|
-
#
|
3086
|
-
#
|
3087
|
-
#
|
3088
|
-
#
|
3257
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
3258
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
3259
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
3260
|
+
# ID.
|
3261
|
+
#
|
3262
|
+
# **General purpose buckets** - If you specify
|
3263
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
3264
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
3265
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
3266
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
3267
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
3268
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
3269
|
+
#
|
3270
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
3271
|
+
# with `aws:kms`, you must specify the `
|
3272
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
3273
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
3274
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
3275
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
3276
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
3277
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
3278
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
3279
|
+
#
|
3280
|
+
#
|
3281
|
+
#
|
3282
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3283
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3089
3284
|
#
|
3090
3285
|
# @option params [String] :ssekms_encryption_context
|
3091
3286
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
3092
|
-
# object encryption. The value of this header is a
|
3093
|
-
#
|
3094
|
-
#
|
3095
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
3287
|
+
# object encryption. The value of this header is a Base64-encoded string
|
3288
|
+
# of a UTF-8 encoded JSON, which contains the encryption context as
|
3289
|
+
# key-value pairs.
|
3096
3290
|
#
|
3097
|
-
#
|
3291
|
+
# **Directory buckets** - You can optionally provide an explicit
|
3292
|
+
# encryption context value. The value must match the default encryption
|
3293
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
3294
|
+
# encryption context value is not supported.
|
3098
3295
|
#
|
3099
3296
|
# @option params [Boolean] :bucket_key_enabled
|
3100
3297
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
3101
3298
|
# encryption with server-side encryption using Key Management Service
|
3102
|
-
# (KMS) keys (SSE-KMS).
|
3103
|
-
# to use an S3 Bucket Key for object encryption with SSE-KMS.
|
3299
|
+
# (KMS) keys (SSE-KMS).
|
3104
3300
|
#
|
3105
|
-
#
|
3301
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
3302
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
3303
|
+
# Also, specifying this header with a PUT action doesn't affect
|
3106
3304
|
# bucket-level settings for S3 Bucket Key.
|
3107
3305
|
#
|
3108
|
-
#
|
3306
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
3307
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
3308
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
3309
|
+
# from general purpose buckets to directory buckets, from directory
|
3310
|
+
# buckets to general purpose buckets, or between directory buckets,
|
3311
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
3312
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
3313
|
+
# makes a call to KMS every time a copy request is made for a
|
3314
|
+
# KMS-encrypted object.
|
3315
|
+
#
|
3109
3316
|
#
|
3110
|
-
#
|
3317
|
+
#
|
3318
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3319
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3320
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
3321
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
3111
3322
|
#
|
3112
3323
|
# @option params [String] :request_payer
|
3113
3324
|
# Confirms that the requester knows that they will be charged for the
|
@@ -3268,9 +3479,10 @@ module Aws::S3
|
|
3268
3479
|
|
3269
3480
|
# Creates a session that establishes temporary security credentials to
|
3270
3481
|
# support fast authentication and authorization for the Zonal endpoint
|
3271
|
-
#
|
3272
|
-
#
|
3273
|
-
# [S3 Express One Zone APIs][1] in the *Amazon S3
|
3482
|
+
# API operations on directory buckets. For more information about Zonal
|
3483
|
+
# endpoint API operations that include the Availability Zone in the
|
3484
|
+
# request endpoint, see [S3 Express One Zone APIs][1] in the *Amazon S3
|
3485
|
+
# User Guide*.
|
3274
3486
|
#
|
3275
3487
|
# To make Zonal endpoint API requests on a directory bucket, use the
|
3276
3488
|
# `CreateSession` API operation. Specifically, you grant
|
@@ -3279,13 +3491,13 @@ module Aws::S3
|
|
3279
3491
|
# the `CreateSession` API request on the bucket, which returns temporary
|
3280
3492
|
# security credentials that include the access key ID, secret access
|
3281
3493
|
# key, session token, and expiration. These credentials have associated
|
3282
|
-
# permissions to access the Zonal endpoint
|
3283
|
-
# created, you don’t need to use other policies to grant
|
3284
|
-
# each Zonal endpoint API individually. Instead, in your
|
3285
|
-
# API requests, you sign your requests by applying the
|
3286
|
-
# security credentials of the session to the request headers
|
3287
|
-
# following the SigV4 protocol for authentication. You also apply
|
3288
|
-
# session token to the `x-amz-s3session-token` request header for
|
3494
|
+
# permissions to access the Zonal endpoint API operations. After the
|
3495
|
+
# session is created, you don’t need to use other policies to grant
|
3496
|
+
# permissions to each Zonal endpoint API individually. Instead, in your
|
3497
|
+
# Zonal endpoint API requests, you sign your requests by applying the
|
3498
|
+
# temporary security credentials of the session to the request headers
|
3499
|
+
# and following the SigV4 protocol for authentication. You also apply
|
3500
|
+
# the session token to the `x-amz-s3session-token` request header for
|
3289
3501
|
# authorization. Temporary security credentials are scoped to the bucket
|
3290
3502
|
# and expire after 5 minutes. After the expiration time, any calls that
|
3291
3503
|
# you make with those credentials will fail. You must use IAM
|
@@ -3308,16 +3520,16 @@ module Aws::S3
|
|
3308
3520
|
# [Regional and Zonal endpoints][3] in the *Amazon S3 User Guide*.
|
3309
3521
|
#
|
3310
3522
|
# * <b> <code>CopyObject</code> API operation</b> - Unlike other Zonal
|
3311
|
-
# endpoint
|
3312
|
-
# temporary security credentials returned from the `CreateSession`
|
3313
|
-
# operation for authentication and authorization. For information
|
3523
|
+
# endpoint API operations, the `CopyObject` API operation doesn't use
|
3524
|
+
# the temporary security credentials returned from the `CreateSession`
|
3525
|
+
# API operation for authentication and authorization. For information
|
3314
3526
|
# about authentication and authorization of the `CopyObject` API
|
3315
3527
|
# operation on directory buckets, see [CopyObject][4].
|
3316
3528
|
#
|
3317
3529
|
# * <b> <code>HeadBucket</code> API operation</b> - Unlike other Zonal
|
3318
|
-
# endpoint
|
3319
|
-
# temporary security credentials returned from the `CreateSession`
|
3320
|
-
# operation for authentication and authorization. For information
|
3530
|
+
# endpoint API operations, the `HeadBucket` API operation doesn't use
|
3531
|
+
# the temporary security credentials returned from the `CreateSession`
|
3532
|
+
# API operation for authentication and authorization. For information
|
3321
3533
|
# about authentication and authorization of the `HeadBucket` API
|
3322
3534
|
# operation on directory buckets, see [HeadBucket][5].
|
3323
3535
|
#
|
@@ -3336,9 +3548,71 @@ module Aws::S3
|
|
3336
3548
|
# Identity and Access Management (IAM) identity-based policies for S3
|
3337
3549
|
# Express One Zone][8] in the *Amazon S3 User Guide*.
|
3338
3550
|
#
|
3339
|
-
# To grant cross-account access to Zonal endpoint
|
3340
|
-
# policy should also grant both accounts the
|
3341
|
-
# permission.
|
3551
|
+
# To grant cross-account access to Zonal endpoint API operations, the
|
3552
|
+
# bucket policy should also grant both accounts the
|
3553
|
+
# `s3express:CreateSession` permission.
|
3554
|
+
#
|
3555
|
+
# If you want to encrypt objects with SSE-KMS, you must also have the
|
3556
|
+
# `kms:GenerateDataKey` and the `kms:Decrypt` permissions in IAM
|
3557
|
+
# identity-based policies and KMS key policies for the target KMS key.
|
3558
|
+
#
|
3559
|
+
# Encryption
|
3560
|
+
#
|
3561
|
+
# : For directory buckets, there are only two supported options for
|
3562
|
+
# server-side encryption: server-side encryption with Amazon S3
|
3563
|
+
# managed keys (SSE-S3) (`AES256`) and server-side encryption with KMS
|
3564
|
+
# keys (SSE-KMS) (`aws:kms`). We recommend that the bucket's default
|
3565
|
+
# encryption uses the desired encryption configuration and you don't
|
3566
|
+
# override the bucket default encryption in your `CreateSession`
|
3567
|
+
# requests or `PUT` object requests. Then, new objects are
|
3568
|
+
# automatically encrypted with the desired encryption settings. For
|
3569
|
+
# more information, see [Protecting data with server-side
|
3570
|
+
# encryption][9] in the *Amazon S3 User Guide*. For more information
|
3571
|
+
# about the encryption overriding behaviors in directory buckets, see
|
3572
|
+
# [Specifying server-side encryption with KMS for new object
|
3573
|
+
# uploads][10].
|
3574
|
+
#
|
3575
|
+
# For [Zonal endpoint (object-level) API operations][11] except
|
3576
|
+
# [CopyObject][4] and [UploadPartCopy][12], you authenticate and
|
3577
|
+
# authorize requests through [CreateSession][13] for low latency. To
|
3578
|
+
# encrypt new objects in a directory bucket with SSE-KMS, you must
|
3579
|
+
# specify SSE-KMS as the directory bucket's default encryption
|
3580
|
+
# configuration with a KMS key (specifically, a [customer managed
|
3581
|
+
# key][14]). Then, when a session is created for Zonal endpoint API
|
3582
|
+
# operations, new objects are automatically encrypted and decrypted
|
3583
|
+
# with SSE-KMS and S3 Bucket Keys during the session.
|
3584
|
+
#
|
3585
|
+
# <note markdown="1"> Only 1 [customer managed key][14] is supported per directory bucket
|
3586
|
+
# for the lifetime of the bucket. [Amazon Web Services managed
|
3587
|
+
# key][15] (`aws/s3`) isn't supported. After you specify SSE-KMS as
|
3588
|
+
# your bucket's default encryption configuration with a customer
|
3589
|
+
# managed key, you can't change the customer managed key for the
|
3590
|
+
# bucket's SSE-KMS configuration.
|
3591
|
+
#
|
3592
|
+
# </note>
|
3593
|
+
#
|
3594
|
+
# In the Zonal endpoint API calls (except [CopyObject][4] and
|
3595
|
+
# [UploadPartCopy][12]) using the REST API, you can't override the
|
3596
|
+
# values of the encryption settings (`x-amz-server-side-encryption`,
|
3597
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
3598
|
+
# `x-amz-server-side-encryption-context`, and
|
3599
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) from the
|
3600
|
+
# `CreateSession` request. You don't need to explicitly specify these
|
3601
|
+
# encryption settings values in Zonal endpoint API calls, and Amazon
|
3602
|
+
# S3 will use the encryption settings values from the `CreateSession`
|
3603
|
+
# request to protect new objects in the directory bucket.
|
3604
|
+
#
|
3605
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
3606
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
3607
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
3608
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
3609
|
+
# for the `CreateSession` request. It's not supported to override the
|
3610
|
+
# encryption settings values in the `CreateSession` request. Also, in
|
3611
|
+
# the Zonal endpoint API calls (except [CopyObject][4] and
|
3612
|
+
# [UploadPartCopy][12]), it's not supported to override the values of
|
3613
|
+
# the encryption settings from the `CreateSession` request.
|
3614
|
+
#
|
3615
|
+
# </note>
|
3342
3616
|
#
|
3343
3617
|
# HTTP Host header syntax
|
3344
3618
|
#
|
@@ -3355,21 +3629,110 @@ module Aws::S3
|
|
3355
3629
|
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters
|
3356
3630
|
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
|
3357
3631
|
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
|
3632
|
+
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
3633
|
+
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
3634
|
+
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-differences.html#s3-express-differences-api-operations
|
3635
|
+
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3636
|
+
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
|
3637
|
+
# [14]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3638
|
+
# [15]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3358
3639
|
#
|
3359
3640
|
# @option params [String] :session_mode
|
3360
3641
|
# Specifies the mode of the session that will be created, either
|
3361
3642
|
# `ReadWrite` or `ReadOnly`. By default, a `ReadWrite` session is
|
3362
3643
|
# created. A `ReadWrite` session is capable of executing all the Zonal
|
3363
|
-
# endpoint
|
3364
|
-
# constrained to execute the following Zonal endpoint
|
3365
|
-
# `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
|
3366
|
-
# `ListMultipartUploads`.
|
3644
|
+
# endpoint API operations on a directory bucket. A `ReadOnly` session is
|
3645
|
+
# constrained to execute the following Zonal endpoint API operations:
|
3646
|
+
# `GetObject`, `HeadObject`, `ListObjectsV2`, `GetObjectAttributes`,
|
3647
|
+
# `ListParts`, and `ListMultipartUploads`.
|
3367
3648
|
#
|
3368
3649
|
# @option params [required, String] :bucket
|
3369
3650
|
# The name of the bucket that you create a session for.
|
3370
3651
|
#
|
3652
|
+
# @option params [String] :server_side_encryption
|
3653
|
+
# The server-side encryption algorithm to use when you store objects in
|
3654
|
+
# the directory bucket.
|
3655
|
+
#
|
3656
|
+
# For directory buckets, there are only two supported options for
|
3657
|
+
# server-side encryption: server-side encryption with Amazon S3 managed
|
3658
|
+
# keys (SSE-S3) (`AES256`) and server-side encryption with KMS keys
|
3659
|
+
# (SSE-KMS) (`aws:kms`). By default, Amazon S3 encrypts data with
|
3660
|
+
# SSE-S3. For more information, see [Protecting data with server-side
|
3661
|
+
# encryption][1] in the *Amazon S3 User Guide*.
|
3662
|
+
#
|
3663
|
+
#
|
3664
|
+
#
|
3665
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
3666
|
+
#
|
3667
|
+
# @option params [String] :ssekms_key_id
|
3668
|
+
# If you specify `x-amz-server-side-encryption` with `aws:kms`, you must
|
3669
|
+
# specify the ` x-amz-server-side-encryption-aws-kms-key-id` header with
|
3670
|
+
# the ID (Key ID or Key ARN) of the KMS symmetric encryption customer
|
3671
|
+
# managed key to use. Otherwise, you get an HTTP `400 Bad Request`
|
3672
|
+
# error. Only use the key ID or key ARN. The key alias format of the KMS
|
3673
|
+
# key isn't supported. Also, if the KMS key doesn't exist in the same
|
3674
|
+
# account that't issuing the command, you must use the full Key ARN not
|
3675
|
+
# the Key ID.
|
3676
|
+
#
|
3677
|
+
# Your SSE-KMS configuration can only support 1 [customer managed
|
3678
|
+
# key][1] per directory bucket for the lifetime of the bucket. [Amazon
|
3679
|
+
# Web Services managed key][2] (`aws/s3`) isn't supported.
|
3680
|
+
#
|
3681
|
+
#
|
3682
|
+
#
|
3683
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
3684
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
3685
|
+
#
|
3686
|
+
# @option params [String] :ssekms_encryption_context
|
3687
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
3688
|
+
# additional encryption context to use for object encryption. The value
|
3689
|
+
# of this header is a Base64-encoded string of a UTF-8 encoded JSON,
|
3690
|
+
# which contains the encryption context as key-value pairs. This value
|
3691
|
+
# is stored as object metadata and automatically gets passed on to
|
3692
|
+
# Amazon Web Services KMS for future `GetObject` operations on this
|
3693
|
+
# object.
|
3694
|
+
#
|
3695
|
+
# **General purpose buckets** - This value must be explicitly added
|
3696
|
+
# during `CopyObject` operations if you want an additional encryption
|
3697
|
+
# context for your object. For more information, see [Encryption
|
3698
|
+
# context][1] in the *Amazon S3 User Guide*.
|
3699
|
+
#
|
3700
|
+
# **Directory buckets** - You can optionally provide an explicit
|
3701
|
+
# encryption context value. The value must match the default encryption
|
3702
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
3703
|
+
# encryption context value is not supported.
|
3704
|
+
#
|
3705
|
+
#
|
3706
|
+
#
|
3707
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
3708
|
+
#
|
3709
|
+
# @option params [Boolean] :bucket_key_enabled
|
3710
|
+
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
3711
|
+
# encryption with server-side encryption using KMS keys (SSE-KMS).
|
3712
|
+
#
|
3713
|
+
# S3 Bucket Keys are always enabled for `GET` and `PUT` operations in a
|
3714
|
+
# directory bucket and can’t be disabled. S3 Bucket Keys aren't
|
3715
|
+
# supported, when you copy SSE-KMS encrypted objects from general
|
3716
|
+
# purpose buckets to directory buckets, from directory buckets to
|
3717
|
+
# general purpose buckets, or between directory buckets, through
|
3718
|
+
# [CopyObject][1], [UploadPartCopy][2], [the Copy operation in Batch
|
3719
|
+
# Operations][3], or [the import jobs][4]. In this case, Amazon S3 makes
|
3720
|
+
# a call to KMS every time a copy request is made for a KMS-encrypted
|
3721
|
+
# object.
|
3722
|
+
#
|
3723
|
+
#
|
3724
|
+
#
|
3725
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
3726
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
3727
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
3728
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
3729
|
+
#
|
3371
3730
|
# @return [Types::CreateSessionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
3372
3731
|
#
|
3732
|
+
# * {Types::CreateSessionOutput#server_side_encryption #server_side_encryption} => String
|
3733
|
+
# * {Types::CreateSessionOutput#ssekms_key_id #ssekms_key_id} => String
|
3734
|
+
# * {Types::CreateSessionOutput#ssekms_encryption_context #ssekms_encryption_context} => String
|
3735
|
+
# * {Types::CreateSessionOutput#bucket_key_enabled #bucket_key_enabled} => Boolean
|
3373
3736
|
# * {Types::CreateSessionOutput#credentials #credentials} => Types::SessionCredentials
|
3374
3737
|
#
|
3375
3738
|
# @example Request syntax with placeholder values
|
@@ -3377,10 +3740,18 @@ module Aws::S3
|
|
3377
3740
|
# resp = client.create_session({
|
3378
3741
|
# session_mode: "ReadOnly", # accepts ReadOnly, ReadWrite
|
3379
3742
|
# bucket: "BucketName", # required
|
3743
|
+
# server_side_encryption: "AES256", # accepts AES256, aws:kms, aws:kms:dsse
|
3744
|
+
# ssekms_key_id: "SSEKMSKeyId",
|
3745
|
+
# ssekms_encryption_context: "SSEKMSEncryptionContext",
|
3746
|
+
# bucket_key_enabled: false,
|
3380
3747
|
# })
|
3381
3748
|
#
|
3382
3749
|
# @example Response structure
|
3383
3750
|
#
|
3751
|
+
# resp.server_side_encryption #=> String, one of "AES256", "aws:kms", "aws:kms:dsse"
|
3752
|
+
# resp.ssekms_key_id #=> String
|
3753
|
+
# resp.ssekms_encryption_context #=> String
|
3754
|
+
# resp.bucket_key_enabled #=> Boolean
|
3384
3755
|
# resp.credentials.access_key_id #=> String
|
3385
3756
|
# resp.credentials.secret_access_key #=> String
|
3386
3757
|
# resp.credentials.session_token #=> String
|
@@ -3626,47 +3997,92 @@ module Aws::S3
|
|
3626
3997
|
req.send_request(options)
|
3627
3998
|
end
|
3628
3999
|
|
3629
|
-
#
|
4000
|
+
# This implementation of the DELETE action resets the default encryption
|
4001
|
+
# for the bucket as server-side encryption with Amazon S3 managed keys
|
4002
|
+
# (SSE-S3).
|
4003
|
+
#
|
4004
|
+
# <note markdown="1"> * **General purpose buckets** - For information about the bucket
|
4005
|
+
# default encryption feature, see [Amazon S3 Bucket Default
|
4006
|
+
# Encryption][1] in the *Amazon S3 User Guide*.
|
4007
|
+
#
|
4008
|
+
# * **Directory buckets** - For directory buckets, there are only two
|
4009
|
+
# supported options for server-side encryption: SSE-S3 and SSE-KMS.
|
4010
|
+
# For information about the default encryption configuration in
|
4011
|
+
# directory buckets, see [Setting default server-side encryption
|
4012
|
+
# behavior for directory buckets][2].
|
3630
4013
|
#
|
3631
4014
|
# </note>
|
3632
4015
|
#
|
3633
|
-
#
|
3634
|
-
#
|
3635
|
-
#
|
3636
|
-
#
|
3637
|
-
#
|
4016
|
+
# Permissions
|
4017
|
+
# : * **General purpose bucket permissions** - The
|
4018
|
+
# `s3:PutEncryptionConfiguration` permission is required in a
|
4019
|
+
# policy. The bucket owner has this permission by default. The
|
4020
|
+
# bucket owner can grant this permission to others. For more
|
4021
|
+
# information about permissions, see [Permissions Related to Bucket
|
4022
|
+
# Operations][3] and [Managing Access Permissions to Your Amazon S3
|
4023
|
+
# Resources][4].
|
3638
4024
|
#
|
3639
|
-
#
|
3640
|
-
#
|
3641
|
-
# permission
|
3642
|
-
#
|
3643
|
-
#
|
3644
|
-
#
|
3645
|
-
#
|
4025
|
+
# * **Directory bucket permissions** - To grant access to this API
|
4026
|
+
# operation, you must have the
|
4027
|
+
# `s3express:PutEncryptionConfiguration` permission in an IAM
|
4028
|
+
# identity-based policy instead of a bucket policy. Cross-account
|
4029
|
+
# access to this API operation isn't supported. This operation can
|
4030
|
+
# only be performed by the Amazon Web Services account that owns the
|
4031
|
+
# resource. For more information about directory bucket policies and
|
4032
|
+
# permissions, see [Amazon Web Services Identity and Access
|
4033
|
+
# Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
|
4034
|
+
# User Guide*.
|
4035
|
+
#
|
4036
|
+
# HTTP Host header syntax
|
4037
|
+
#
|
4038
|
+
# : <b>Directory buckets </b> - The HTTP Host header syntax is
|
4039
|
+
# `s3express-control.region.amazonaws.com`.
|
3646
4040
|
#
|
3647
4041
|
# The following operations are related to `DeleteBucketEncryption`:
|
3648
4042
|
#
|
3649
|
-
# * [PutBucketEncryption][
|
4043
|
+
# * [PutBucketEncryption][6]
|
3650
4044
|
#
|
3651
|
-
# * [GetBucketEncryption][
|
4045
|
+
# * [GetBucketEncryption][7]
|
3652
4046
|
#
|
3653
4047
|
#
|
3654
4048
|
#
|
3655
4049
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
|
3656
|
-
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/
|
3657
|
-
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-
|
3658
|
-
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/
|
3659
|
-
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/
|
4050
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
|
4051
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
|
4052
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
|
4053
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
|
4054
|
+
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
|
4055
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
|
3660
4056
|
#
|
3661
4057
|
# @option params [required, String] :bucket
|
3662
4058
|
# The name of the bucket containing the server-side encryption
|
3663
4059
|
# configuration to delete.
|
3664
4060
|
#
|
4061
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
4062
|
+
# directory bucket, you must use path-style requests in the format
|
4063
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
4064
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
4065
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
4066
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
4067
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
|
4068
|
+
# bucket naming restrictions, see [Directory bucket naming rules][1] in
|
4069
|
+
# the *Amazon S3 User Guide*
|
4070
|
+
#
|
4071
|
+
#
|
4072
|
+
#
|
4073
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
4074
|
+
#
|
3665
4075
|
# @option params [String] :expected_bucket_owner
|
3666
4076
|
# The account ID of the expected bucket owner. If the account ID that
|
3667
4077
|
# you provide does not match the actual owner of the bucket, the request
|
3668
4078
|
# fails with the HTTP status code `403 Forbidden` (access denied).
|
3669
4079
|
#
|
4080
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
4081
|
+
# operation. If you specify this header, the request fails with the HTTP
|
4082
|
+
# status code `501 Not Implemented`.
|
4083
|
+
#
|
4084
|
+
# </note>
|
4085
|
+
#
|
3670
4086
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
3671
4087
|
#
|
3672
4088
|
# @example Request syntax with placeholder values
|
@@ -4660,35 +5076,35 @@ module Aws::S3
|
|
4660
5076
|
# * {Types::DeleteObjectTaggingOutput#version_id #version_id} => String
|
4661
5077
|
#
|
4662
5078
|
#
|
4663
|
-
# @example Example: To remove tag set from an object
|
5079
|
+
# @example Example: To remove tag set from an object
|
4664
5080
|
#
|
4665
|
-
# # The following example removes tag set associated with the specified object
|
4666
|
-
# #
|
5081
|
+
# # The following example removes tag set associated with the specified object. If the bucket is versioning enabled, the
|
5082
|
+
# # operation removes tag set from the latest object version.
|
4667
5083
|
#
|
4668
5084
|
# resp = client.delete_object_tagging({
|
4669
5085
|
# bucket: "examplebucket",
|
4670
5086
|
# key: "HappyFace.jpg",
|
4671
|
-
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
4672
5087
|
# })
|
4673
5088
|
#
|
4674
5089
|
# resp.to_h outputs the following:
|
4675
5090
|
# {
|
4676
|
-
# version_id: "
|
5091
|
+
# version_id: "null",
|
4677
5092
|
# }
|
4678
5093
|
#
|
4679
|
-
# @example Example: To remove tag set from an object
|
5094
|
+
# @example Example: To remove tag set from an object version
|
4680
5095
|
#
|
4681
|
-
# # The following example removes tag set associated with the specified object.
|
4682
|
-
# #
|
5096
|
+
# # The following example removes tag set associated with the specified object version. The request specifies both the
|
5097
|
+
# # object key and object version.
|
4683
5098
|
#
|
4684
5099
|
# resp = client.delete_object_tagging({
|
4685
5100
|
# bucket: "examplebucket",
|
4686
5101
|
# key: "HappyFace.jpg",
|
5102
|
+
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
4687
5103
|
# })
|
4688
5104
|
#
|
4689
5105
|
# resp.to_h outputs the following:
|
4690
5106
|
# {
|
4691
|
-
# version_id: "
|
5107
|
+
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
4692
5108
|
# }
|
4693
5109
|
#
|
4694
5110
|
# @example Request syntax with placeholder values
|
@@ -4971,20 +5387,22 @@ module Aws::S3
|
|
4971
5387
|
# * {Types::DeleteObjectsOutput#errors #errors} => Array<Types::Error>
|
4972
5388
|
#
|
4973
5389
|
#
|
4974
|
-
# @example Example: To delete multiple
|
5390
|
+
# @example Example: To delete multiple object versions from a versioned bucket
|
4975
5391
|
#
|
4976
|
-
# # The following example deletes objects from a bucket. The
|
4977
|
-
# #
|
5392
|
+
# # The following example deletes objects from a bucket. The request specifies object versions. S3 deletes specific object
|
5393
|
+
# # versions and returns the key and versions of deleted objects in the response.
|
4978
5394
|
#
|
4979
5395
|
# resp = client.delete_objects({
|
4980
5396
|
# bucket: "examplebucket",
|
4981
5397
|
# delete: {
|
4982
5398
|
# objects: [
|
4983
5399
|
# {
|
4984
|
-
# key: "
|
5400
|
+
# key: "HappyFace.jpg",
|
5401
|
+
# version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
|
4985
5402
|
# },
|
4986
5403
|
# {
|
4987
|
-
# key: "
|
5404
|
+
# key: "HappyFace.jpg",
|
5405
|
+
# version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
|
4988
5406
|
# },
|
4989
5407
|
# ],
|
4990
5408
|
# quiet: false,
|
@@ -4995,34 +5413,30 @@ module Aws::S3
|
|
4995
5413
|
# {
|
4996
5414
|
# deleted: [
|
4997
5415
|
# {
|
4998
|
-
#
|
4999
|
-
#
|
5000
|
-
# key: "objectkey1",
|
5416
|
+
# key: "HappyFace.jpg",
|
5417
|
+
# version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
|
5001
5418
|
# },
|
5002
5419
|
# {
|
5003
|
-
#
|
5004
|
-
#
|
5005
|
-
# key: "objectkey2",
|
5420
|
+
# key: "HappyFace.jpg",
|
5421
|
+
# version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
|
5006
5422
|
# },
|
5007
5423
|
# ],
|
5008
5424
|
# }
|
5009
5425
|
#
|
5010
|
-
# @example Example: To delete multiple
|
5426
|
+
# @example Example: To delete multiple objects from a versioned bucket
|
5011
5427
|
#
|
5012
|
-
# # The following example deletes objects from a bucket. The
|
5013
|
-
# #
|
5428
|
+
# # The following example deletes objects from a bucket. The bucket is versioned, and the request does not specify the
|
5429
|
+
# # object version to delete. In this case, all versions remain in the bucket and S3 adds a delete marker.
|
5014
5430
|
#
|
5015
5431
|
# resp = client.delete_objects({
|
5016
5432
|
# bucket: "examplebucket",
|
5017
5433
|
# delete: {
|
5018
5434
|
# objects: [
|
5019
5435
|
# {
|
5020
|
-
# key: "
|
5021
|
-
# version_id: "2LWg7lQLnY41.maGB5Z6SWW.dcq0vx7b",
|
5436
|
+
# key: "objectkey1",
|
5022
5437
|
# },
|
5023
5438
|
# {
|
5024
|
-
# key: "
|
5025
|
-
# version_id: "yoz3HB.ZhCS_tKVEmIOr7qYyyAaZSKVd",
|
5439
|
+
# key: "objectkey2",
|
5026
5440
|
# },
|
5027
5441
|
# ],
|
5028
5442
|
# quiet: false,
|
@@ -5033,12 +5447,14 @@ module Aws::S3
|
|
5033
5447
|
# {
|
5034
5448
|
# deleted: [
|
5035
5449
|
# {
|
5036
|
-
#
|
5037
|
-
#
|
5450
|
+
# delete_marker: true,
|
5451
|
+
# delete_marker_version_id: "A._w1z6EFiCF5uhtQMDal9JDkID9tQ7F",
|
5452
|
+
# key: "objectkey1",
|
5038
5453
|
# },
|
5039
5454
|
# {
|
5040
|
-
#
|
5041
|
-
#
|
5455
|
+
# delete_marker: true,
|
5456
|
+
# delete_marker_version_id: "iOd_ORxhkKe_e8G8_oSGxt2PjsCZKlkt",
|
5457
|
+
# key: "objectkey2",
|
5042
5458
|
# },
|
5043
5459
|
# ],
|
5044
5460
|
# }
|
@@ -5541,46 +5957,92 @@ module Aws::S3
|
|
5541
5957
|
req.send_request(options)
|
5542
5958
|
end
|
5543
5959
|
|
5544
|
-
#
|
5960
|
+
# Returns the default encryption configuration for an Amazon S3 bucket.
|
5961
|
+
# By default, all buckets have a default encryption configuration that
|
5962
|
+
# uses server-side encryption with Amazon S3 managed keys (SSE-S3).
|
5963
|
+
#
|
5964
|
+
# <note markdown="1"> * **General purpose buckets** - For information about the bucket
|
5965
|
+
# default encryption feature, see [Amazon S3 Bucket Default
|
5966
|
+
# Encryption][1] in the *Amazon S3 User Guide*.
|
5967
|
+
#
|
5968
|
+
# * **Directory buckets** - For directory buckets, there are only two
|
5969
|
+
# supported options for server-side encryption: SSE-S3 and SSE-KMS.
|
5970
|
+
# For information about the default encryption configuration in
|
5971
|
+
# directory buckets, see [Setting default server-side encryption
|
5972
|
+
# behavior for directory buckets][2].
|
5545
5973
|
#
|
5546
5974
|
# </note>
|
5547
5975
|
#
|
5548
|
-
#
|
5549
|
-
#
|
5550
|
-
#
|
5551
|
-
#
|
5552
|
-
#
|
5976
|
+
# Permissions
|
5977
|
+
# : * **General purpose bucket permissions** - The
|
5978
|
+
# `s3:GetEncryptionConfiguration` permission is required in a
|
5979
|
+
# policy. The bucket owner has this permission by default. The
|
5980
|
+
# bucket owner can grant this permission to others. For more
|
5981
|
+
# information about permissions, see [Permissions Related to Bucket
|
5982
|
+
# Operations][3] and [Managing Access Permissions to Your Amazon S3
|
5983
|
+
# Resources][4].
|
5553
5984
|
#
|
5554
|
-
#
|
5555
|
-
#
|
5556
|
-
# permission
|
5557
|
-
#
|
5558
|
-
#
|
5559
|
-
#
|
5985
|
+
# * **Directory bucket permissions** - To grant access to this API
|
5986
|
+
# operation, you must have the
|
5987
|
+
# `s3express:GetEncryptionConfiguration` permission in an IAM
|
5988
|
+
# identity-based policy instead of a bucket policy. Cross-account
|
5989
|
+
# access to this API operation isn't supported. This operation can
|
5990
|
+
# only be performed by the Amazon Web Services account that owns the
|
5991
|
+
# resource. For more information about directory bucket policies and
|
5992
|
+
# permissions, see [Amazon Web Services Identity and Access
|
5993
|
+
# Management (IAM) for S3 Express One Zone][5] in the *Amazon S3
|
5994
|
+
# User Guide*.
|
5995
|
+
#
|
5996
|
+
# HTTP Host header syntax
|
5997
|
+
#
|
5998
|
+
# : <b>Directory buckets </b> - The HTTP Host header syntax is
|
5999
|
+
# `s3express-control.region.amazonaws.com`.
|
5560
6000
|
#
|
5561
6001
|
# The following operations are related to `GetBucketEncryption`:
|
5562
6002
|
#
|
5563
|
-
# * [PutBucketEncryption][
|
6003
|
+
# * [PutBucketEncryption][6]
|
5564
6004
|
#
|
5565
|
-
# * [DeleteBucketEncryption][
|
6005
|
+
# * [DeleteBucketEncryption][7]
|
5566
6006
|
#
|
5567
6007
|
#
|
5568
6008
|
#
|
5569
6009
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
|
5570
|
-
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/
|
5571
|
-
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-
|
5572
|
-
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/
|
5573
|
-
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/
|
6010
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-bucket-encryption.html
|
6011
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
|
6012
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
|
6013
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
|
6014
|
+
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
|
6015
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
|
6016
|
+
#
|
6017
|
+
# @option params [required, String] :bucket
|
6018
|
+
# The name of the bucket from which the server-side encryption
|
6019
|
+
# configuration is retrieved.
|
6020
|
+
#
|
6021
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
6022
|
+
# directory bucket, you must use path-style requests in the format
|
6023
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
6024
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
6025
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
6026
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
6027
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
|
6028
|
+
# bucket naming restrictions, see [Directory bucket naming rules][1] in
|
6029
|
+
# the *Amazon S3 User Guide*
|
6030
|
+
#
|
5574
6031
|
#
|
5575
|
-
#
|
5576
|
-
#
|
5577
|
-
# configuration is retrieved.
|
6032
|
+
#
|
6033
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
5578
6034
|
#
|
5579
6035
|
# @option params [String] :expected_bucket_owner
|
5580
6036
|
# The account ID of the expected bucket owner. If the account ID that
|
5581
6037
|
# you provide does not match the actual owner of the bucket, the request
|
5582
6038
|
# fails with the HTTP status code `403 Forbidden` (access denied).
|
5583
6039
|
#
|
6040
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
6041
|
+
# operation. If you specify this header, the request fails with the HTTP
|
6042
|
+
# status code `501 Not Implemented`.
|
6043
|
+
#
|
6044
|
+
# </note>
|
6045
|
+
#
|
5584
6046
|
# @return [Types::GetBucketEncryptionOutput] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
5585
6047
|
#
|
5586
6048
|
# * {Types::GetBucketEncryptionOutput#server_side_encryption_configuration #server_side_encryption_configuration} => Types::ServerSideEncryptionConfiguration
|
@@ -7320,6 +7782,10 @@ module Aws::S3
|
|
7320
7782
|
# interruptions when a session expires. For more information about
|
7321
7783
|
# authorization, see [ `CreateSession` ][4].
|
7322
7784
|
#
|
7785
|
+
# If the object is encrypted using SSE-KMS, you must also have the
|
7786
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
7787
|
+
# identity-based policies and KMS key policies for the KMS key.
|
7788
|
+
#
|
7323
7789
|
# Storage classes
|
7324
7790
|
#
|
7325
7791
|
# : If the object you are retrieving is stored in the S3 Glacier
|
@@ -7348,6 +7814,11 @@ module Aws::S3
|
|
7348
7814
|
# `GetObject` requests for the object that uses these types of keys,
|
7349
7815
|
# you’ll get an HTTP `400 Bad Request` error.
|
7350
7816
|
#
|
7817
|
+
# **Directory buckets** - For directory buckets, there are only two
|
7818
|
+
# supported options for server-side encryption: SSE-S3 and SSE-KMS.
|
7819
|
+
# SSE-C isn't supported. For more information, see [Protecting data
|
7820
|
+
# with server-side encryption][7] in the *Amazon S3 User Guide*.
|
7821
|
+
#
|
7351
7822
|
# Overriding response header values through the request
|
7352
7823
|
#
|
7353
7824
|
# : There are times when you want to override certain response header
|
@@ -7395,9 +7866,9 @@ module Aws::S3
|
|
7395
7866
|
#
|
7396
7867
|
# The following operations are related to `GetObject`:
|
7397
7868
|
#
|
7398
|
-
# * [ListBuckets][
|
7869
|
+
# * [ListBuckets][8]
|
7399
7870
|
#
|
7400
|
-
# * [GetObjectAcl][
|
7871
|
+
# * [GetObjectAcl][9]
|
7401
7872
|
#
|
7402
7873
|
#
|
7403
7874
|
#
|
@@ -7407,8 +7878,9 @@ module Aws::S3
|
|
7407
7878
|
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
|
7408
7879
|
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
|
7409
7880
|
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html
|
7410
|
-
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/
|
7411
|
-
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
7881
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
7882
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
|
7883
|
+
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
|
7412
7884
|
#
|
7413
7885
|
# @option params [String, IO] :response_target
|
7414
7886
|
# Where to write response data, file path, or IO object.
|
@@ -7705,10 +8177,10 @@ module Aws::S3
|
|
7705
8177
|
# @option params [String] :checksum_mode
|
7706
8178
|
# To retrieve the checksum, this mode must be enabled.
|
7707
8179
|
#
|
7708
|
-
# In addition, if you enable checksum mode
|
7709
|
-
# with a [checksum][1] and encrypted with an
|
7710
|
-
# (KMS) key, you must have permission to use the
|
7711
|
-
# retrieve the checksum.
|
8180
|
+
# **General purpose buckets** - In addition, if you enable checksum mode
|
8181
|
+
# and the object is uploaded with a [checksum][1] and encrypted with an
|
8182
|
+
# Key Management Service (KMS) key, you must have permission to use the
|
8183
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
7712
8184
|
#
|
7713
8185
|
#
|
7714
8186
|
#
|
@@ -8110,7 +8582,7 @@ module Aws::S3
|
|
8110
8582
|
# Permissions
|
8111
8583
|
# : * **General purpose bucket permissions** - To use
|
8112
8584
|
# `GetObjectAttributes`, you must have READ access to the object.
|
8113
|
-
# The permissions that you need to use this operation
|
8585
|
+
# The permissions that you need to use this operation depend on
|
8114
8586
|
# whether the bucket is versioned. If the bucket is versioned, you
|
8115
8587
|
# need both the `s3:GetObjectVersion` and
|
8116
8588
|
# `s3:GetObjectVersionAttributes` permissions for this operation. If
|
@@ -8144,6 +8616,10 @@ module Aws::S3
|
|
8144
8616
|
# interruptions when a session expires. For more information about
|
8145
8617
|
# authorization, see [ `CreateSession` ][3].
|
8146
8618
|
#
|
8619
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
8620
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
8621
|
+
# identity-based policies and KMS key policies for the KMS key.
|
8622
|
+
#
|
8147
8623
|
# Encryption
|
8148
8624
|
# : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
|
8149
8625
|
# should not be sent for `HEAD` requests if your object uses
|
@@ -8177,9 +8653,19 @@ module Aws::S3
|
|
8177
8653
|
# Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
|
8178
8654
|
# Guide*.
|
8179
8655
|
#
|
8180
|
-
# <note markdown="1"> **Directory bucket permissions** - For directory buckets,
|
8181
|
-
#
|
8182
|
-
# (`AES256`)
|
8656
|
+
# <note markdown="1"> **Directory bucket permissions** - For directory buckets, there are
|
8657
|
+
# only two supported options for server-side encryption: server-side
|
8658
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
8659
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
8660
|
+
# recommend that the bucket's default encryption uses the desired
|
8661
|
+
# encryption configuration and you don't override the bucket default
|
8662
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
8663
|
+
# requests. Then, new objects are automatically encrypted with the
|
8664
|
+
# desired encryption settings. For more information, see [Protecting
|
8665
|
+
# data with server-side encryption][5] in the *Amazon S3 User Guide*.
|
8666
|
+
# For more information about the encryption overriding behaviors in
|
8667
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
8668
|
+
# for new object uploads][6].
|
8183
8669
|
#
|
8184
8670
|
# </note>
|
8185
8671
|
#
|
@@ -8203,7 +8689,7 @@ module Aws::S3
|
|
8203
8689
|
# * `If-Unmodified-Since` condition evaluates to `false`.
|
8204
8690
|
#
|
8205
8691
|
# For more information about conditional requests, see [RFC
|
8206
|
-
# 7232][
|
8692
|
+
# 7232][7].
|
8207
8693
|
#
|
8208
8694
|
# * If both of the `If-None-Match` and `If-Modified-Since` headers are
|
8209
8695
|
# present in the request as follows, then Amazon S3 returns the HTTP
|
@@ -8214,7 +8700,7 @@ module Aws::S3
|
|
8214
8700
|
# * `If-Modified-Since` condition evaluates to `true`.
|
8215
8701
|
#
|
8216
8702
|
# For more information about conditional requests, see [RFC
|
8217
|
-
# 7232][
|
8703
|
+
# 7232][7].
|
8218
8704
|
#
|
8219
8705
|
# HTTP Host header syntax
|
8220
8706
|
#
|
@@ -8223,21 +8709,21 @@ module Aws::S3
|
|
8223
8709
|
#
|
8224
8710
|
# The following actions are related to `GetObjectAttributes`:
|
8225
8711
|
#
|
8226
|
-
# * [GetObject][
|
8712
|
+
# * [GetObject][8]
|
8227
8713
|
#
|
8228
|
-
# * [GetObjectAcl][
|
8714
|
+
# * [GetObjectAcl][9]
|
8229
8715
|
#
|
8230
|
-
# * [GetObjectLegalHold][
|
8716
|
+
# * [GetObjectLegalHold][10]
|
8231
8717
|
#
|
8232
|
-
# * [GetObjectLockConfiguration][
|
8718
|
+
# * [GetObjectLockConfiguration][11]
|
8233
8719
|
#
|
8234
|
-
# * [GetObjectRetention][
|
8720
|
+
# * [GetObjectRetention][12]
|
8235
8721
|
#
|
8236
|
-
# * [GetObjectTagging][
|
8722
|
+
# * [GetObjectTagging][13]
|
8237
8723
|
#
|
8238
|
-
# * [HeadObject][
|
8724
|
+
# * [HeadObject][14]
|
8239
8725
|
#
|
8240
|
-
# * [ListParts][
|
8726
|
+
# * [ListParts][15]
|
8241
8727
|
#
|
8242
8728
|
#
|
8243
8729
|
#
|
@@ -8245,15 +8731,17 @@ module Aws::S3
|
|
8245
8731
|
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
|
8246
8732
|
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
|
8247
8733
|
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
|
8248
|
-
# [5]: https://
|
8249
|
-
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/
|
8250
|
-
# [7]: https://
|
8251
|
-
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8252
|
-
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8253
|
-
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8254
|
-
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8255
|
-
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8256
|
-
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
8734
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
8735
|
+
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
8736
|
+
# [7]: https://tools.ietf.org/html/rfc7232
|
8737
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
|
8738
|
+
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAcl.html
|
8739
|
+
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLegalHold.html
|
8740
|
+
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectLockConfiguration.html
|
8741
|
+
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectRetention.html
|
8742
|
+
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectTagging.html
|
8743
|
+
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html
|
8744
|
+
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
|
8257
8745
|
#
|
8258
8746
|
# @option params [required, String] :bucket
|
8259
8747
|
# The name of the bucket that contains the object.
|
@@ -8797,49 +9285,49 @@ module Aws::S3
|
|
8797
9285
|
# * {Types::GetObjectTaggingOutput#tag_set #tag_set} => Array<Types::Tag>
|
8798
9286
|
#
|
8799
9287
|
#
|
8800
|
-
# @example Example: To retrieve tag set of
|
9288
|
+
# @example Example: To retrieve tag set of a specific object version
|
8801
9289
|
#
|
8802
|
-
# # The following example retrieves tag set of an object.
|
9290
|
+
# # The following example retrieves tag set of an object. The request specifies object version.
|
8803
9291
|
#
|
8804
9292
|
# resp = client.get_object_tagging({
|
8805
9293
|
# bucket: "examplebucket",
|
8806
|
-
# key: "
|
9294
|
+
# key: "exampleobject",
|
9295
|
+
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
8807
9296
|
# })
|
8808
9297
|
#
|
8809
9298
|
# resp.to_h outputs the following:
|
8810
9299
|
# {
|
8811
9300
|
# tag_set: [
|
8812
9301
|
# {
|
8813
|
-
# key: "
|
8814
|
-
# value: "
|
8815
|
-
# },
|
8816
|
-
# {
|
8817
|
-
# key: "Key3",
|
8818
|
-
# value: "Value3",
|
9302
|
+
# key: "Key1",
|
9303
|
+
# value: "Value1",
|
8819
9304
|
# },
|
8820
9305
|
# ],
|
8821
|
-
# version_id: "
|
9306
|
+
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
8822
9307
|
# }
|
8823
9308
|
#
|
8824
|
-
# @example Example: To retrieve tag set of
|
9309
|
+
# @example Example: To retrieve tag set of an object
|
8825
9310
|
#
|
8826
|
-
# # The following example retrieves tag set of an object.
|
9311
|
+
# # The following example retrieves tag set of an object.
|
8827
9312
|
#
|
8828
9313
|
# resp = client.get_object_tagging({
|
8829
9314
|
# bucket: "examplebucket",
|
8830
|
-
# key: "
|
8831
|
-
# version_id: "ydlaNkwWm0SfKJR.T1b1fIdPRbldTYRI",
|
9315
|
+
# key: "HappyFace.jpg",
|
8832
9316
|
# })
|
8833
9317
|
#
|
8834
9318
|
# resp.to_h outputs the following:
|
8835
9319
|
# {
|
8836
9320
|
# tag_set: [
|
8837
9321
|
# {
|
8838
|
-
# key: "
|
8839
|
-
# value: "
|
9322
|
+
# key: "Key4",
|
9323
|
+
# value: "Value4",
|
9324
|
+
# },
|
9325
|
+
# {
|
9326
|
+
# key: "Key3",
|
9327
|
+
# value: "Value3",
|
8840
9328
|
# },
|
8841
9329
|
# ],
|
8842
|
-
# version_id: "
|
9330
|
+
# version_id: "null",
|
8843
9331
|
# }
|
8844
9332
|
#
|
8845
9333
|
# @example Request syntax with placeholder values
|
@@ -9272,6 +9760,13 @@ module Aws::S3
|
|
9272
9760
|
# interruptions when a session expires. For more information about
|
9273
9761
|
# authorization, see [ `CreateSession` ][3].
|
9274
9762
|
#
|
9763
|
+
# If you enable `x-amz-checksum-mode` in the request and the object
|
9764
|
+
# is encrypted with Amazon Web Services Key Management Service
|
9765
|
+
# (Amazon Web Services KMS), you must also have the
|
9766
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
9767
|
+
# identity-based policies and KMS key policies for the KMS key to
|
9768
|
+
# retrieve the checksum of the object.
|
9769
|
+
#
|
9275
9770
|
# Encryption
|
9276
9771
|
# : <note markdown="1"> Encryption request headers, like `x-amz-server-side-encryption`,
|
9277
9772
|
# should not be sent for `HEAD` requests if your object uses
|
@@ -9305,9 +9800,10 @@ module Aws::S3
|
|
9305
9800
|
# Customer-Provided Encryption Keys)][4] in the *Amazon S3 User
|
9306
9801
|
# Guide*.
|
9307
9802
|
#
|
9308
|
-
# <note markdown="1">
|
9309
|
-
# server-side encryption
|
9310
|
-
#
|
9803
|
+
# <note markdown="1"> <b>Directory bucket </b> - For directory buckets, there are only two
|
9804
|
+
# supported options for server-side encryption: SSE-S3 and SSE-KMS.
|
9805
|
+
# SSE-C isn't supported. For more information, see [Protecting data
|
9806
|
+
# with server-side encryption][5] in the *Amazon S3 User Guide*.
|
9311
9807
|
#
|
9312
9808
|
# </note>
|
9313
9809
|
#
|
@@ -9341,15 +9837,15 @@ module Aws::S3
|
|
9341
9837
|
# requests in the format
|
9342
9838
|
# `https://bucket_name.s3express-az_id.region.amazonaws.com/key-name
|
9343
9839
|
# `. Path-style requests are not supported. For more information, see
|
9344
|
-
# [Regional and Zonal endpoints][
|
9840
|
+
# [Regional and Zonal endpoints][6] in the *Amazon S3 User Guide*.
|
9345
9841
|
#
|
9346
9842
|
# </note>
|
9347
9843
|
#
|
9348
9844
|
# The following actions are related to `HeadObject`:
|
9349
9845
|
#
|
9350
|
-
# * [GetObject][
|
9846
|
+
# * [GetObject][7]
|
9351
9847
|
#
|
9352
|
-
# * [GetObjectAttributes][
|
9848
|
+
# * [GetObjectAttributes][8]
|
9353
9849
|
#
|
9354
9850
|
#
|
9355
9851
|
#
|
@@ -9357,9 +9853,10 @@ module Aws::S3
|
|
9357
9853
|
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
|
9358
9854
|
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html
|
9359
9855
|
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html
|
9360
|
-
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-
|
9361
|
-
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/
|
9362
|
-
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
9856
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
9857
|
+
# [6]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
|
9858
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html
|
9859
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObjectAttributes.html
|
9363
9860
|
#
|
9364
9861
|
# @option params [required, String] :bucket
|
9365
9862
|
# The name of the bucket that contains the object.
|
@@ -9575,10 +10072,16 @@ module Aws::S3
|
|
9575
10072
|
# @option params [String] :checksum_mode
|
9576
10073
|
# To retrieve the checksum, this parameter must be enabled.
|
9577
10074
|
#
|
9578
|
-
#
|
9579
|
-
# with a [checksum][1] and encrypted with an Key
|
9580
|
-
# (KMS) key, you must have permission to use the
|
9581
|
-
# retrieve the checksum.
|
10075
|
+
# **General purpose buckets** - If you enable checksum mode and the
|
10076
|
+
# object is uploaded with a [checksum][1] and encrypted with an Key
|
10077
|
+
# Management Service (KMS) key, you must have permission to use the
|
10078
|
+
# `kms:Decrypt` action to retrieve the checksum.
|
10079
|
+
#
|
10080
|
+
# **Directory buckets** - If you enable `ChecksumMode` and the object is
|
10081
|
+
# encrypted with Amazon Web Services Key Management Service (Amazon Web
|
10082
|
+
# Services KMS), you must also have the `kms:GenerateDataKey` and
|
10083
|
+
# `kms:Decrypt` permissions in IAM identity-based policies and KMS key
|
10084
|
+
# policies for the KMS key to retrieve the checksum of the object.
|
9582
10085
|
#
|
9583
10086
|
#
|
9584
10087
|
#
|
@@ -12574,24 +13077,73 @@ module Aws::S3
|
|
12574
13077
|
req.send_request(options)
|
12575
13078
|
end
|
12576
13079
|
|
12577
|
-
#
|
13080
|
+
# This operation configures default encryption and Amazon S3 Bucket Keys
|
13081
|
+
# for an existing bucket.
|
12578
13082
|
#
|
12579
|
-
#
|
13083
|
+
# <note markdown="1"> <b>Directory buckets </b> - For directory buckets, you must make
|
13084
|
+
# requests for this API operation to the Regional endpoint. These
|
13085
|
+
# endpoints support path-style requests in the format
|
13086
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
13087
|
+
# Virtual-hosted-style requests aren't supported. For more information,
|
13088
|
+
# see [Regional and Zonal endpoints][1] in the *Amazon S3 User Guide*.
|
12580
13089
|
#
|
12581
|
-
#
|
12582
|
-
# encryption and Amazon S3 Bucket Keys for an existing bucket.
|
13090
|
+
# </note>
|
12583
13091
|
#
|
12584
13092
|
# By default, all buckets have a default encryption configuration that
|
12585
|
-
# uses server-side encryption with Amazon S3 managed keys (SSE-S3).
|
12586
|
-
#
|
12587
|
-
#
|
12588
|
-
#
|
12589
|
-
#
|
12590
|
-
#
|
12591
|
-
#
|
12592
|
-
#
|
12593
|
-
#
|
12594
|
-
#
|
13093
|
+
# uses server-side encryption with Amazon S3 managed keys (SSE-S3).
|
13094
|
+
#
|
13095
|
+
# <note markdown="1"> * **General purpose buckets**
|
13096
|
+
#
|
13097
|
+
# * You can optionally configure default encryption for a bucket by
|
13098
|
+
# using server-side encryption with Key Management Service (KMS)
|
13099
|
+
# keys (SSE-KMS) or dual-layer server-side encryption with Amazon
|
13100
|
+
# Web Services KMS keys (DSSE-KMS). If you specify default
|
13101
|
+
# encryption by using SSE-KMS, you can also configure [Amazon S3
|
13102
|
+
# Bucket Keys][2]. For information about the bucket default
|
13103
|
+
# encryption feature, see [Amazon S3 Bucket Default Encryption][3]
|
13104
|
+
# in the *Amazon S3 User Guide*.
|
13105
|
+
#
|
13106
|
+
# * If you use PutBucketEncryption to set your [default bucket
|
13107
|
+
# encryption][3] to SSE-KMS, you should verify that your KMS key ID
|
13108
|
+
# is correct. Amazon S3 doesn't validate the KMS key ID provided in
|
13109
|
+
# PutBucketEncryption requests.
|
13110
|
+
#
|
13111
|
+
# * <b>Directory buckets </b> - You can optionally configure default
|
13112
|
+
# encryption for a bucket by using server-side encryption with Key
|
13113
|
+
# Management Service (KMS) keys (SSE-KMS).
|
13114
|
+
#
|
13115
|
+
# * We recommend that the bucket's default encryption uses the
|
13116
|
+
# desired encryption configuration and you don't override the
|
13117
|
+
# bucket default encryption in your `CreateSession` requests or
|
13118
|
+
# `PUT` object requests. Then, new objects are automatically
|
13119
|
+
# encrypted with the desired encryption settings. For more
|
13120
|
+
# information about the encryption overriding behaviors in directory
|
13121
|
+
# buckets, see [Specifying server-side encryption with KMS for new
|
13122
|
+
# object uploads][4].
|
13123
|
+
#
|
13124
|
+
# * Your SSE-KMS configuration can only support 1 [customer managed
|
13125
|
+
# key][5] per directory bucket for the lifetime of the bucket.
|
13126
|
+
# [Amazon Web Services managed key][6] (`aws/s3`) isn't supported.
|
13127
|
+
#
|
13128
|
+
# * S3 Bucket Keys are always enabled for `GET` and `PUT` operations
|
13129
|
+
# in a directory bucket and can’t be disabled. S3 Bucket Keys
|
13130
|
+
# aren't supported, when you copy SSE-KMS encrypted objects from
|
13131
|
+
# general purpose buckets to directory buckets, from directory
|
13132
|
+
# buckets to general purpose buckets, or between directory buckets,
|
13133
|
+
# through [CopyObject][7], [UploadPartCopy][8], [the Copy operation
|
13134
|
+
# in Batch Operations][9], or [the import jobs][10]. In this case,
|
13135
|
+
# Amazon S3 makes a call to KMS every time a copy request is made
|
13136
|
+
# for a KMS-encrypted object.
|
13137
|
+
#
|
13138
|
+
# * When you specify an [KMS customer managed key][5] for encryption
|
13139
|
+
# in your directory bucket, only use the key ID or key ARN. The key
|
13140
|
+
# alias format of the KMS key isn't supported.
|
13141
|
+
#
|
13142
|
+
# * For directory buckets, if you use PutBucketEncryption to set your
|
13143
|
+
# [default bucket encryption][3] to SSE-KMS, Amazon S3 validates the
|
13144
|
+
# KMS key ID provided in PutBucketEncryption requests.
|
13145
|
+
#
|
13146
|
+
# </note>
|
12595
13147
|
#
|
12596
13148
|
# If you're specifying a customer managed KMS key, we recommend using a
|
12597
13149
|
# fully qualified KMS key ARN. If you use a KMS key alias instead, then
|
@@ -12601,45 +13153,80 @@ module Aws::S3
|
|
12601
13153
|
#
|
12602
13154
|
# Also, this action requires Amazon Web Services Signature Version 4.
|
12603
13155
|
# For more information, see [ Authenticating Requests (Amazon Web
|
12604
|
-
# Services Signature Version 4)][
|
13156
|
+
# Services Signature Version 4)][11].
|
12605
13157
|
#
|
12606
|
-
#
|
12607
|
-
#
|
12608
|
-
# permission
|
12609
|
-
#
|
12610
|
-
#
|
12611
|
-
#
|
12612
|
-
#
|
13158
|
+
# Permissions
|
13159
|
+
# : * **General purpose bucket permissions** - The
|
13160
|
+
# `s3:PutEncryptionConfiguration` permission is required in a
|
13161
|
+
# policy. The bucket owner has this permission by default. The
|
13162
|
+
# bucket owner can grant this permission to others. For more
|
13163
|
+
# information about permissions, see [Permissions Related to Bucket
|
13164
|
+
# Operations][12] and [Managing Access Permissions to Your Amazon S3
|
13165
|
+
# Resources][13] in the *Amazon S3 User Guide*.
|
13166
|
+
#
|
13167
|
+
# * **Directory bucket permissions** - To grant access to this API
|
13168
|
+
# operation, you must have the
|
13169
|
+
# `s3express:PutEncryptionConfiguration` permission in an IAM
|
13170
|
+
# identity-based policy instead of a bucket policy. Cross-account
|
13171
|
+
# access to this API operation isn't supported. This operation can
|
13172
|
+
# only be performed by the Amazon Web Services account that owns the
|
13173
|
+
# resource. For more information about directory bucket policies and
|
13174
|
+
# permissions, see [Amazon Web Services Identity and Access
|
13175
|
+
# Management (IAM) for S3 Express One Zone][14] in the *Amazon S3
|
13176
|
+
# User Guide*.
|
13177
|
+
#
|
13178
|
+
# To set a directory bucket default encryption with SSE-KMS, you
|
13179
|
+
# must also have the `kms:GenerateDataKey` and the `kms:Decrypt`
|
13180
|
+
# permissions in IAM identity-based policies and KMS key policies
|
13181
|
+
# for the target KMS key.
|
13182
|
+
#
|
13183
|
+
# HTTP Host header syntax
|
13184
|
+
#
|
13185
|
+
# : <b>Directory buckets </b> - The HTTP Host header syntax is
|
13186
|
+
# `s3express-control.region.amazonaws.com`.
|
12613
13187
|
#
|
12614
13188
|
# The following operations are related to `PutBucketEncryption`:
|
12615
13189
|
#
|
12616
|
-
# * [GetBucketEncryption][
|
13190
|
+
# * [GetBucketEncryption][15]
|
12617
13191
|
#
|
12618
|
-
# * [DeleteBucketEncryption][
|
13192
|
+
# * [DeleteBucketEncryption][16]
|
12619
13193
|
#
|
12620
13194
|
#
|
12621
13195
|
#
|
12622
|
-
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/
|
12623
|
-
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-
|
12624
|
-
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/
|
12625
|
-
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/
|
12626
|
-
# [5]: https://docs.aws.amazon.com/
|
12627
|
-
# [6]: https://docs.aws.amazon.com/
|
12628
|
-
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
13196
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html
|
13197
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html
|
13198
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
|
13199
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
13200
|
+
# [5]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
13201
|
+
# [6]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
13202
|
+
# [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
13203
|
+
# [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
13204
|
+
# [9]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
13205
|
+
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
13206
|
+
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
|
13207
|
+
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html#using-with-s3-actions-related-to-bucket-subresources
|
13208
|
+
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-access-control.html
|
13209
|
+
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam.html
|
13210
|
+
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketEncryption.html
|
13211
|
+
# [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html
|
12629
13212
|
#
|
12630
13213
|
# @option params [required, String] :bucket
|
12631
13214
|
# Specifies default encryption for a bucket using server-side encryption
|
12632
|
-
# with different key options.
|
12633
|
-
#
|
12634
|
-
#
|
12635
|
-
#
|
12636
|
-
#
|
12637
|
-
#
|
12638
|
-
#
|
13215
|
+
# with different key options.
|
13216
|
+
#
|
13217
|
+
# <b>Directory buckets </b> - When you use this operation with a
|
13218
|
+
# directory bucket, you must use path-style requests in the format
|
13219
|
+
# `https://s3express-control.region_code.amazonaws.com/bucket-name `.
|
13220
|
+
# Virtual-hosted-style requests aren't supported. Directory bucket
|
13221
|
+
# names must be unique in the chosen Availability Zone. Bucket names
|
13222
|
+
# must also follow the format ` bucket_base_name--az_id--x-s3` (for
|
13223
|
+
# example, ` DOC-EXAMPLE-BUCKET--usw2-az1--x-s3`). For information about
|
13224
|
+
# bucket naming restrictions, see [Directory bucket naming rules][1] in
|
13225
|
+
# the *Amazon S3 User Guide*
|
12639
13226
|
#
|
12640
13227
|
#
|
12641
13228
|
#
|
12642
|
-
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/
|
13229
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-bucket-naming-rules.html
|
12643
13230
|
#
|
12644
13231
|
# @option params [String] :content_md5
|
12645
13232
|
# The base64-encoded 128-bit MD5 digest of the server-side encryption
|
@@ -12649,6 +13236,10 @@ module Aws::S3
|
|
12649
13236
|
# (CLI) or Amazon Web Services SDKs, this field is calculated
|
12650
13237
|
# automatically.
|
12651
13238
|
#
|
13239
|
+
# <note markdown="1"> This functionality is not supported for directory buckets.
|
13240
|
+
#
|
13241
|
+
# </note>
|
13242
|
+
#
|
12652
13243
|
# @option params [String] :checksum_algorithm
|
12653
13244
|
# Indicates the algorithm used to create the checksum for the object
|
12654
13245
|
# when you use the SDK. This header will not provide any additional
|
@@ -12661,6 +13252,11 @@ module Aws::S3
|
|
12661
13252
|
# If you provide an individual checksum, Amazon S3 ignores any provided
|
12662
13253
|
# `ChecksumAlgorithm` parameter.
|
12663
13254
|
#
|
13255
|
+
# <note markdown="1"> For directory buckets, when you use Amazon Web Services SDKs, `CRC32`
|
13256
|
+
# is the default checksum algorithm that's used for performance.
|
13257
|
+
#
|
13258
|
+
# </note>
|
13259
|
+
#
|
12664
13260
|
#
|
12665
13261
|
#
|
12666
13262
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
|
@@ -12673,6 +13269,12 @@ module Aws::S3
|
|
12673
13269
|
# you provide does not match the actual owner of the bucket, the request
|
12674
13270
|
# fails with the HTTP status code `403 Forbidden` (access denied).
|
12675
13271
|
#
|
13272
|
+
# <note markdown="1"> For directory buckets, this header is not supported in this API
|
13273
|
+
# operation. If you specify this header, the request fails with the HTTP
|
13274
|
+
# status code `501 Not Implemented`.
|
13275
|
+
#
|
13276
|
+
# </note>
|
13277
|
+
#
|
12676
13278
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
12677
13279
|
#
|
12678
13280
|
# @example Request syntax with placeholder values
|
@@ -15070,6 +15672,10 @@ module Aws::S3
|
|
15070
15672
|
# interruptions when a session expires. For more information about
|
15071
15673
|
# authorization, see [ `CreateSession` ][5].
|
15072
15674
|
#
|
15675
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
15676
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
15677
|
+
# identity-based policies and KMS key policies for the KMS key.
|
15678
|
+
#
|
15073
15679
|
# Data integrity with Content-MD5
|
15074
15680
|
# : * **General purpose bucket** - To ensure that data is not corrupted
|
15075
15681
|
# traversing the network, use the `Content-MD5` header. When you use
|
@@ -15419,25 +16025,65 @@ module Aws::S3
|
|
15419
16025
|
# object in Amazon S3 (for example, `AES256`, `aws:kms`,
|
15420
16026
|
# `aws:kms:dsse`).
|
15421
16027
|
#
|
15422
|
-
# <b>General purpose buckets </b> - You have four mutually exclusive
|
15423
|
-
#
|
15424
|
-
#
|
15425
|
-
#
|
15426
|
-
#
|
15427
|
-
#
|
15428
|
-
#
|
15429
|
-
#
|
15430
|
-
#
|
15431
|
-
#
|
15432
|
-
#
|
16028
|
+
# * <b>General purpose buckets </b> - You have four mutually exclusive
|
16029
|
+
# options to protect data using server-side encryption in Amazon S3,
|
16030
|
+
# depending on how you choose to manage the encryption keys.
|
16031
|
+
# Specifically, the encryption key options are Amazon S3 managed keys
|
16032
|
+
# (SSE-S3), Amazon Web Services KMS keys (SSE-KMS or DSSE-KMS), and
|
16033
|
+
# customer-provided keys (SSE-C). Amazon S3 encrypts data with
|
16034
|
+
# server-side encryption by using Amazon S3 managed keys (SSE-S3) by
|
16035
|
+
# default. You can optionally tell Amazon S3 to encrypt data at rest
|
16036
|
+
# by using server-side encryption with other key options. For more
|
16037
|
+
# information, see [Using Server-Side Encryption][1] in the *Amazon S3
|
16038
|
+
# User Guide*.
|
15433
16039
|
#
|
15434
|
-
# <b>Directory buckets </b> - For directory buckets, only
|
15435
|
-
#
|
15436
|
-
#
|
16040
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
16041
|
+
# two supported options for server-side encryption: server-side
|
16042
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
16043
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). We
|
16044
|
+
# recommend that the bucket's default encryption uses the desired
|
16045
|
+
# encryption configuration and you don't override the bucket default
|
16046
|
+
# encryption in your `CreateSession` requests or `PUT` object
|
16047
|
+
# requests. Then, new objects are automatically encrypted with the
|
16048
|
+
# desired encryption settings. For more information, see [Protecting
|
16049
|
+
# data with server-side encryption][2] in the *Amazon S3 User Guide*.
|
16050
|
+
# For more information about the encryption overriding behaviors in
|
16051
|
+
# directory buckets, see [Specifying server-side encryption with KMS
|
16052
|
+
# for new object uploads][3].
|
16053
|
+
#
|
16054
|
+
# In the Zonal endpoint API calls (except [CopyObject][4] and
|
16055
|
+
# [UploadPartCopy][5]) using the REST API, the encryption request
|
16056
|
+
# headers must match the encryption settings that are specified in the
|
16057
|
+
# `CreateSession` request. You can't override the values of the
|
16058
|
+
# encryption settings (`x-amz-server-side-encryption`,
|
16059
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`,
|
16060
|
+
# `x-amz-server-side-encryption-context`, and
|
16061
|
+
# `x-amz-server-side-encryption-bucket-key-enabled`) that are
|
16062
|
+
# specified in the `CreateSession` request. You don't need to
|
16063
|
+
# explicitly specify these encryption settings values in Zonal
|
16064
|
+
# endpoint API calls, and Amazon S3 will use the encryption settings
|
16065
|
+
# values from the `CreateSession` request to protect new objects in
|
16066
|
+
# the directory bucket.
|
16067
|
+
#
|
16068
|
+
# <note markdown="1"> When you use the CLI or the Amazon Web Services SDKs, for
|
16069
|
+
# `CreateSession`, the session token refreshes automatically to avoid
|
16070
|
+
# service interruptions when a session expires. The CLI or the Amazon
|
16071
|
+
# Web Services SDKs use the bucket's default encryption configuration
|
16072
|
+
# for the `CreateSession` request. It's not supported to override the
|
16073
|
+
# encryption settings values in the `CreateSession` request. So in the
|
16074
|
+
# Zonal endpoint API calls (except [CopyObject][4] and
|
16075
|
+
# [UploadPartCopy][5]), the encryption request headers must match the
|
16076
|
+
# default encryption configuration of the directory bucket.
|
16077
|
+
#
|
16078
|
+
# </note>
|
15437
16079
|
#
|
15438
16080
|
#
|
15439
16081
|
#
|
15440
16082
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
|
16083
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
16084
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-specifying-kms-encryption.html
|
16085
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
16086
|
+
# [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
15441
16087
|
#
|
15442
16088
|
# @option params [String] :storage_class
|
15443
16089
|
# By default, Amazon S3 uses the STANDARD Storage Class to store newly
|
@@ -15517,46 +16163,83 @@ module Aws::S3
|
|
15517
16163
|
# </note>
|
15518
16164
|
#
|
15519
16165
|
# @option params [String] :ssekms_key_id
|
15520
|
-
#
|
15521
|
-
#
|
15522
|
-
#
|
15523
|
-
#
|
15524
|
-
#
|
15525
|
-
#
|
15526
|
-
# x-amz-server-side-encryption
|
15527
|
-
#
|
15528
|
-
#
|
15529
|
-
#
|
16166
|
+
# Specifies the KMS key ID (Key ID, Key ARN, or Key Alias) to use for
|
16167
|
+
# object encryption. If the KMS key doesn't exist in the same account
|
16168
|
+
# that's issuing the command, you must use the full Key ARN not the Key
|
16169
|
+
# ID.
|
16170
|
+
#
|
16171
|
+
# **General purpose buckets** - If you specify
|
16172
|
+
# `x-amz-server-side-encryption` with `aws:kms` or `aws:kms:dsse`, this
|
16173
|
+
# header specifies the ID (Key ID, Key ARN, or Key Alias) of the KMS key
|
16174
|
+
# to use. If you specify `x-amz-server-side-encryption:aws:kms` or
|
16175
|
+
# `x-amz-server-side-encryption:aws:kms:dsse`, but do not provide
|
16176
|
+
# `x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
16177
|
+
# Amazon Web Services managed key (`aws/s3`) to protect the data.
|
16178
|
+
#
|
16179
|
+
# **Directory buckets** - If you specify `x-amz-server-side-encryption`
|
16180
|
+
# with `aws:kms`, you must specify the `
|
16181
|
+
# x-amz-server-side-encryption-aws-kms-key-id` header with the ID (Key
|
16182
|
+
# ID or Key ARN) of the KMS symmetric encryption customer managed key to
|
16183
|
+
# use. Otherwise, you get an HTTP `400 Bad Request` error. Only use the
|
16184
|
+
# key ID or key ARN. The key alias format of the KMS key isn't
|
16185
|
+
# supported. Your SSE-KMS configuration can only support 1 [customer
|
16186
|
+
# managed key][1] per directory bucket for the lifetime of the bucket.
|
16187
|
+
# [Amazon Web Services managed key][2] (`aws/s3`) isn't supported.
|
16188
|
+
#
|
16189
|
+
#
|
16190
|
+
#
|
16191
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk
|
16192
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk
|
15530
16193
|
#
|
15531
|
-
#
|
16194
|
+
# @option params [String] :ssekms_encryption_context
|
16195
|
+
# Specifies the Amazon Web Services KMS Encryption Context as an
|
16196
|
+
# additional encryption context to use for object encryption. The value
|
16197
|
+
# of this header is a Base64-encoded string of a UTF-8 encoded JSON,
|
16198
|
+
# which contains the encryption context as key-value pairs. This value
|
16199
|
+
# is stored as object metadata and automatically gets passed on to
|
16200
|
+
# Amazon Web Services KMS for future `GetObject` operations on this
|
16201
|
+
# object.
|
15532
16202
|
#
|
15533
|
-
#
|
16203
|
+
# **General purpose buckets** - This value must be explicitly added
|
16204
|
+
# during `CopyObject` operations if you want an additional encryption
|
16205
|
+
# context for your object. For more information, see [Encryption
|
16206
|
+
# context][1] in the *Amazon S3 User Guide*.
|
15534
16207
|
#
|
15535
|
-
#
|
15536
|
-
#
|
15537
|
-
#
|
15538
|
-
#
|
15539
|
-
# value is stored as object metadata and automatically gets passed on to
|
15540
|
-
# Amazon Web Services KMS for future `GetObject` or `CopyObject`
|
15541
|
-
# operations on this object. This value must be explicitly added during
|
15542
|
-
# `CopyObject` operations.
|
16208
|
+
# **Directory buckets** - You can optionally provide an explicit
|
16209
|
+
# encryption context value. The value must match the default encryption
|
16210
|
+
# context - the bucket Amazon Resource Name (ARN). An additional
|
16211
|
+
# encryption context value is not supported.
|
15543
16212
|
#
|
15544
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
15545
16213
|
#
|
15546
|
-
#
|
16214
|
+
#
|
16215
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html#encryption-context
|
15547
16216
|
#
|
15548
16217
|
# @option params [Boolean] :bucket_key_enabled
|
15549
16218
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
15550
16219
|
# encryption with server-side encryption using Key Management Service
|
15551
|
-
# (KMS) keys (SSE-KMS).
|
15552
|
-
#
|
16220
|
+
# (KMS) keys (SSE-KMS).
|
16221
|
+
#
|
16222
|
+
# **General purpose buckets** - Setting this header to `true` causes
|
16223
|
+
# Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
|
16224
|
+
# Also, specifying this header with a PUT action doesn't affect
|
16225
|
+
# bucket-level settings for S3 Bucket Key.
|
15553
16226
|
#
|
15554
|
-
#
|
15555
|
-
#
|
16227
|
+
# **Directory buckets** - S3 Bucket Keys are always enabled for `GET`
|
16228
|
+
# and `PUT` operations in a directory bucket and can’t be disabled. S3
|
16229
|
+
# Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects
|
16230
|
+
# from general purpose buckets to directory buckets, from directory
|
16231
|
+
# buckets to general purpose buckets, or between directory buckets,
|
16232
|
+
# through [CopyObject][1], [UploadPartCopy][2], [the Copy operation in
|
16233
|
+
# Batch Operations][3], or [the import jobs][4]. In this case, Amazon S3
|
16234
|
+
# makes a call to KMS every time a copy request is made for a
|
16235
|
+
# KMS-encrypted object.
|
15556
16236
|
#
|
15557
|
-
# <note markdown="1"> This functionality is not supported for directory buckets.
|
15558
16237
|
#
|
15559
|
-
#
|
16238
|
+
#
|
16239
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
16240
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
16241
|
+
# [3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-objects-Batch-Ops
|
16242
|
+
# [4]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-import-job
|
15560
16243
|
#
|
15561
16244
|
# @option params [String] :request_payer
|
15562
16245
|
# Confirms that the requester knows that they will be charged for the
|
@@ -15634,24 +16317,22 @@ module Aws::S3
|
|
15634
16317
|
# * {Types::PutObjectOutput#request_charged #request_charged} => String
|
15635
16318
|
#
|
15636
16319
|
#
|
15637
|
-
# @example Example: To upload an object
|
16320
|
+
# @example Example: To upload an object and specify optional tags
|
15638
16321
|
#
|
15639
|
-
# # The following example uploads an object. The request specifies optional
|
15640
|
-
# #
|
16322
|
+
# # The following example uploads an object. The request specifies optional object tags. The bucket is versioned, therefore
|
16323
|
+
# # S3 returns version ID of the newly created object.
|
15641
16324
|
#
|
15642
16325
|
# resp = client.put_object({
|
15643
|
-
# body: "HappyFace.jpg",
|
16326
|
+
# body: "c:\\HappyFace.jpg",
|
15644
16327
|
# bucket: "examplebucket",
|
15645
16328
|
# key: "HappyFace.jpg",
|
15646
|
-
#
|
15647
|
-
# storage_class: "STANDARD_IA",
|
16329
|
+
# tagging: "key1=value1&key2=value2",
|
15648
16330
|
# })
|
15649
16331
|
#
|
15650
16332
|
# resp.to_h outputs the following:
|
15651
16333
|
# {
|
15652
16334
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15653
|
-
#
|
15654
|
-
# version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
|
16335
|
+
# version_id: "psM2sYY4.o1501dSx8wMvnkOzSBB.V4a",
|
15655
16336
|
# }
|
15656
16337
|
#
|
15657
16338
|
# @example Example: To create an object.
|
@@ -15670,98 +16351,100 @@ module Aws::S3
|
|
15670
16351
|
# version_id: "Bvq0EDKxOcXLJXNo_Lkz37eM3R4pfzyQ",
|
15671
16352
|
# }
|
15672
16353
|
#
|
15673
|
-
# @example Example: To upload
|
16354
|
+
# @example Example: To upload object and specify user-defined metadata
|
15674
16355
|
#
|
15675
|
-
# # The following example
|
15676
|
-
# #
|
16356
|
+
# # The following example creates an object. The request also specifies optional metadata. If the bucket is versioning
|
16357
|
+
# # enabled, S3 returns version ID in response.
|
15677
16358
|
#
|
15678
16359
|
# resp = client.put_object({
|
15679
|
-
# body: "
|
16360
|
+
# body: "filetoupload",
|
15680
16361
|
# bucket: "examplebucket",
|
15681
|
-
# key: "
|
16362
|
+
# key: "exampleobject",
|
16363
|
+
# metadata: {
|
16364
|
+
# "metadata1" => "value1",
|
16365
|
+
# "metadata2" => "value2",
|
16366
|
+
# },
|
15682
16367
|
# })
|
15683
16368
|
#
|
15684
16369
|
# resp.to_h outputs the following:
|
15685
16370
|
# {
|
15686
16371
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15687
|
-
# version_id: "
|
16372
|
+
# version_id: "pSKidl4pHBiNwukdbcPXAIs.sshFFOc0",
|
15688
16373
|
# }
|
15689
16374
|
#
|
15690
|
-
# @example Example: To upload an object
|
16375
|
+
# @example Example: To upload an object
|
15691
16376
|
#
|
15692
|
-
# # The following example uploads an object
|
15693
|
-
# # S3 returns
|
16377
|
+
# # The following example uploads an object to a versioning-enabled bucket. The source file is specified using Windows file
|
16378
|
+
# # syntax. S3 returns VersionId of the newly created object.
|
15694
16379
|
#
|
15695
16380
|
# resp = client.put_object({
|
15696
|
-
# body: "
|
16381
|
+
# body: "HappyFace.jpg",
|
15697
16382
|
# bucket: "examplebucket",
|
15698
16383
|
# key: "HappyFace.jpg",
|
15699
|
-
# tagging: "key1=value1&key2=value2",
|
15700
16384
|
# })
|
15701
16385
|
#
|
15702
16386
|
# resp.to_h outputs the following:
|
15703
16387
|
# {
|
15704
16388
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15705
|
-
# version_id: "
|
16389
|
+
# version_id: "tpf3zF08nBplQK1XLOefGskR7mGDwcDk",
|
15706
16390
|
# }
|
15707
16391
|
#
|
15708
|
-
# @example Example: To upload an object and specify
|
16392
|
+
# @example Example: To upload an object and specify server-side encryption and object tags
|
15709
16393
|
#
|
15710
|
-
# # The following example uploads
|
15711
|
-
# #
|
16394
|
+
# # The following example uploads an object. The request specifies the optional server-side encryption option. The request
|
16395
|
+
# # also specifies optional object tags. If the bucket is versioning enabled, S3 returns version ID in response.
|
15712
16396
|
#
|
15713
16397
|
# resp = client.put_object({
|
15714
|
-
# acl: "authenticated-read",
|
15715
16398
|
# body: "filetoupload",
|
15716
16399
|
# bucket: "examplebucket",
|
15717
16400
|
# key: "exampleobject",
|
16401
|
+
# server_side_encryption: "AES256",
|
16402
|
+
# tagging: "key1=value1&key2=value2",
|
15718
16403
|
# })
|
15719
16404
|
#
|
15720
16405
|
# resp.to_h outputs the following:
|
15721
16406
|
# {
|
15722
16407
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15723
|
-
#
|
16408
|
+
# server_side_encryption: "AES256",
|
16409
|
+
# version_id: "Ri.vC6qVlA4dEnjgRV4ZHsHoFIjqEMNt",
|
15724
16410
|
# }
|
15725
16411
|
#
|
15726
|
-
# @example Example: To upload object and specify
|
16412
|
+
# @example Example: To upload an object and specify canned ACL.
|
15727
16413
|
#
|
15728
|
-
# # The following example
|
15729
|
-
# # enabled, S3 returns version ID in response.
|
16414
|
+
# # The following example uploads and object. The request specifies optional canned ACL (access control list) to all READ
|
16415
|
+
# # access to authenticated users. If the bucket is versioning enabled, S3 returns version ID in response.
|
15730
16416
|
#
|
15731
16417
|
# resp = client.put_object({
|
16418
|
+
# acl: "authenticated-read",
|
15732
16419
|
# body: "filetoupload",
|
15733
16420
|
# bucket: "examplebucket",
|
15734
16421
|
# key: "exampleobject",
|
15735
|
-
# metadata: {
|
15736
|
-
# "metadata1" => "value1",
|
15737
|
-
# "metadata2" => "value2",
|
15738
|
-
# },
|
15739
16422
|
# })
|
15740
16423
|
#
|
15741
16424
|
# resp.to_h outputs the following:
|
15742
16425
|
# {
|
15743
16426
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15744
|
-
# version_id: "
|
16427
|
+
# version_id: "Kirh.unyZwjQ69YxcQLA8z4F5j3kJJKr",
|
15745
16428
|
# }
|
15746
16429
|
#
|
15747
|
-
# @example Example: To upload an object
|
16430
|
+
# @example Example: To upload an object (specify optional headers)
|
15748
16431
|
#
|
15749
|
-
# # The following example uploads an object. The request specifies
|
15750
|
-
# #
|
16432
|
+
# # The following example uploads an object. The request specifies optional request headers to directs S3 to use specific
|
16433
|
+
# # storage class and use server-side encryption.
|
15751
16434
|
#
|
15752
16435
|
# resp = client.put_object({
|
15753
|
-
# body: "
|
16436
|
+
# body: "HappyFace.jpg",
|
15754
16437
|
# bucket: "examplebucket",
|
15755
|
-
# key: "
|
16438
|
+
# key: "HappyFace.jpg",
|
15756
16439
|
# server_side_encryption: "AES256",
|
15757
|
-
#
|
16440
|
+
# storage_class: "STANDARD_IA",
|
15758
16441
|
# })
|
15759
16442
|
#
|
15760
16443
|
# resp.to_h outputs the following:
|
15761
16444
|
# {
|
15762
16445
|
# etag: "\"6805f2cfc46c0f04559748bb039d69ae\"",
|
15763
16446
|
# server_side_encryption: "AES256",
|
15764
|
-
# version_id: "
|
16447
|
+
# version_id: "CG612hodqujkf8FaaNfp8U..FIhLROcp",
|
15765
16448
|
# }
|
15766
16449
|
#
|
15767
16450
|
# @example Streaming a file from disk
|
@@ -17774,6 +18457,10 @@ module Aws::S3
|
|
17774
18457
|
# interruptions when a session expires. For more information about
|
17775
18458
|
# authorization, see [ `CreateSession` ][9].
|
17776
18459
|
#
|
18460
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
18461
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
18462
|
+
# identity-based policies and KMS key policies for the KMS key.
|
18463
|
+
#
|
17777
18464
|
# Data integrity
|
17778
18465
|
#
|
17779
18466
|
# : **General purpose bucket** - To ensure that data is not corrupted
|
@@ -17825,12 +18512,13 @@ module Aws::S3
|
|
17825
18512
|
#
|
17826
18513
|
# * x-amz-server-side-encryption-customer-key-MD5
|
17827
18514
|
#
|
17828
|
-
#
|
17829
|
-
#
|
17830
|
-
# supported.
|
18515
|
+
# For more information, see [Using Server-Side Encryption][11] in
|
18516
|
+
# the *Amazon S3 User Guide*.
|
17831
18517
|
#
|
17832
|
-
#
|
17833
|
-
#
|
18518
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
18519
|
+
# two supported options for server-side encryption: server-side
|
18520
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
18521
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`).
|
17834
18522
|
#
|
17835
18523
|
# Special errors
|
17836
18524
|
# : * Error Code: `NoSuchUpload`
|
@@ -18243,6 +18931,10 @@ module Aws::S3
|
|
18243
18931
|
# destination. The `s3express:SessionMode` condition key cannot be
|
18244
18932
|
# set to `ReadOnly` on the copy destination.
|
18245
18933
|
#
|
18934
|
+
# If the object is encrypted with SSE-KMS, you must also have the
|
18935
|
+
# `kms:GenerateDataKey` and `kms:Decrypt` permissions in IAM
|
18936
|
+
# identity-based policies and KMS key policies for the KMS key.
|
18937
|
+
#
|
18246
18938
|
# For example policies, see [Example bucket policies for S3 Express
|
18247
18939
|
# One Zone][10] and [Amazon Web Services Identity and Access
|
18248
18940
|
# Management (IAM) identity-based policies for S3 Express One
|
@@ -18254,9 +18946,26 @@ module Aws::S3
|
|
18254
18946
|
# the `UploadPartCopy` operation, see [CopyObject][12] and
|
18255
18947
|
# [UploadPart][2].
|
18256
18948
|
#
|
18257
|
-
# * <b>Directory buckets </b> - For directory buckets, only
|
18258
|
-
# server-side encryption
|
18259
|
-
# (`AES256`)
|
18949
|
+
# * <b>Directory buckets </b> - For directory buckets, there are only
|
18950
|
+
# two supported options for server-side encryption: server-side
|
18951
|
+
# encryption with Amazon S3 managed keys (SSE-S3) (`AES256`) and
|
18952
|
+
# server-side encryption with KMS keys (SSE-KMS) (`aws:kms`). For
|
18953
|
+
# more information, see [Protecting data with server-side
|
18954
|
+
# encryption][13] in the *Amazon S3 User Guide*.
|
18955
|
+
#
|
18956
|
+
# <note markdown="1"> For directory buckets, when you perform a `CreateMultipartUpload`
|
18957
|
+
# operation and an `UploadPartCopy` operation, the request headers
|
18958
|
+
# you provide in the `CreateMultipartUpload` request must match the
|
18959
|
+
# default encryption configuration of the destination bucket.
|
18960
|
+
#
|
18961
|
+
# </note>
|
18962
|
+
#
|
18963
|
+
# S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted
|
18964
|
+
# objects from general purpose buckets to directory buckets, from
|
18965
|
+
# directory buckets to general purpose buckets, or between directory
|
18966
|
+
# buckets, through [UploadPartCopy][14]. In this case, Amazon S3
|
18967
|
+
# makes a call to KMS every time a copy request is made for a
|
18968
|
+
# KMS-encrypted object.
|
18260
18969
|
#
|
18261
18970
|
# Special errors
|
18262
18971
|
# : * Error Code: `NoSuchUpload`
|
@@ -18281,17 +18990,17 @@ module Aws::S3
|
|
18281
18990
|
#
|
18282
18991
|
# The following operations are related to `UploadPartCopy`:
|
18283
18992
|
#
|
18284
|
-
# * [CreateMultipartUpload][
|
18993
|
+
# * [CreateMultipartUpload][15]
|
18285
18994
|
#
|
18286
18995
|
# * [UploadPart][2]
|
18287
18996
|
#
|
18288
|
-
# * [CompleteMultipartUpload][
|
18997
|
+
# * [CompleteMultipartUpload][16]
|
18289
18998
|
#
|
18290
|
-
# * [AbortMultipartUpload][
|
18999
|
+
# * [AbortMultipartUpload][17]
|
18291
19000
|
#
|
18292
|
-
# * [ListParts][
|
19001
|
+
# * [ListParts][18]
|
18293
19002
|
#
|
18294
|
-
# * [ListMultipartUploads][
|
19003
|
+
# * [ListMultipartUploads][19]
|
18295
19004
|
#
|
18296
19005
|
#
|
18297
19006
|
#
|
@@ -18307,11 +19016,13 @@ module Aws::S3
|
|
18307
19016
|
# [10]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
|
18308
19017
|
# [11]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html
|
18309
19018
|
# [12]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html
|
18310
|
-
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/
|
18311
|
-
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
18312
|
-
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
18313
|
-
# [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
18314
|
-
# [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/
|
19019
|
+
# [13]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-serv-side-encryption.html
|
19020
|
+
# [14]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_UploadPartCopy.html
|
19021
|
+
# [15]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html
|
19022
|
+
# [16]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
|
19023
|
+
# [17]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_AbortMultipartUpload.html
|
19024
|
+
# [18]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListParts.html
|
19025
|
+
# [19]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListMultipartUploads.html
|
18315
19026
|
#
|
18316
19027
|
# @option params [required, String] :bucket
|
18317
19028
|
# The bucket name.
|
@@ -18597,45 +19308,45 @@ module Aws::S3
|
|
18597
19308
|
# * {Types::UploadPartCopyOutput#request_charged #request_charged} => String
|
18598
19309
|
#
|
18599
19310
|
#
|
18600
|
-
# @example Example: To upload a part by copying
|
19311
|
+
# @example Example: To upload a part by copying byte range from an existing object as data source
|
18601
19312
|
#
|
18602
|
-
# # The following example uploads a part of a multipart upload by copying
|
19313
|
+
# # The following example uploads a part of a multipart upload by copying a specified byte range from an existing object as
|
19314
|
+
# # data source.
|
18603
19315
|
#
|
18604
19316
|
# resp = client.upload_part_copy({
|
18605
19317
|
# bucket: "examplebucket",
|
18606
19318
|
# copy_source: "/bucketname/sourceobjectkey",
|
19319
|
+
# copy_source_range: "bytes=1-100000",
|
18607
19320
|
# key: "examplelargeobject",
|
18608
|
-
# part_number:
|
19321
|
+
# part_number: 2,
|
18609
19322
|
# upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
|
18610
19323
|
# })
|
18611
19324
|
#
|
18612
19325
|
# resp.to_h outputs the following:
|
18613
19326
|
# {
|
18614
19327
|
# copy_part_result: {
|
18615
|
-
# etag: "\"
|
18616
|
-
# last_modified: Time.parse("2016-12-29T21:
|
19328
|
+
# etag: "\"65d16d19e65a7508a51f043180edcc36\"",
|
19329
|
+
# last_modified: Time.parse("2016-12-29T21:44:28.000Z"),
|
18617
19330
|
# },
|
18618
19331
|
# }
|
18619
19332
|
#
|
18620
|
-
# @example Example: To upload a part by copying
|
19333
|
+
# @example Example: To upload a part by copying data from an existing object as data source
|
18621
19334
|
#
|
18622
|
-
# # The following example uploads a part of a multipart upload by copying
|
18623
|
-
# # data source.
|
19335
|
+
# # The following example uploads a part of a multipart upload by copying data from an existing object as data source.
|
18624
19336
|
#
|
18625
19337
|
# resp = client.upload_part_copy({
|
18626
19338
|
# bucket: "examplebucket",
|
18627
19339
|
# copy_source: "/bucketname/sourceobjectkey",
|
18628
|
-
# copy_source_range: "bytes=1-100000",
|
18629
19340
|
# key: "examplelargeobject",
|
18630
|
-
# part_number:
|
19341
|
+
# part_number: 1,
|
18631
19342
|
# upload_id: "exampleuoh_10OhKhT7YukE9bjzTPRiuaCotmZM_pFngJFir9OZNrSr5cWa3cq3LZSUsfjI4FI7PkP91We7Nrw--",
|
18632
19343
|
# })
|
18633
19344
|
#
|
18634
19345
|
# resp.to_h outputs the following:
|
18635
19346
|
# {
|
18636
19347
|
# copy_part_result: {
|
18637
|
-
# etag: "\"
|
18638
|
-
# last_modified: Time.parse("2016-12-29T21:
|
19348
|
+
# etag: "\"b0c6f0e7e054ab8fa2536a2677f8734d\"",
|
19349
|
+
# last_modified: Time.parse("2016-12-29T21:24:43.000Z"),
|
18639
19350
|
# },
|
18640
19351
|
# }
|
18641
19352
|
#
|
@@ -19085,14 +19796,19 @@ module Aws::S3
|
|
19085
19796
|
# @api private
|
19086
19797
|
def build_request(operation_name, params = {})
|
19087
19798
|
handlers = @handlers.for(operation_name)
|
19799
|
+
tracer = config.telemetry_provider.tracer_provider.tracer(
|
19800
|
+
Aws::Telemetry.module_to_tracer_name('Aws::S3')
|
19801
|
+
)
|
19088
19802
|
context = Seahorse::Client::RequestContext.new(
|
19089
19803
|
operation_name: operation_name,
|
19090
19804
|
operation: config.api.operation(operation_name),
|
19091
19805
|
client: self,
|
19092
19806
|
params: params,
|
19093
|
-
config: config
|
19807
|
+
config: config,
|
19808
|
+
tracer: tracer
|
19809
|
+
)
|
19094
19810
|
context[:gem_name] = 'aws-sdk-s3'
|
19095
|
-
context[:gem_version] = '1.
|
19811
|
+
context[:gem_version] = '1.163.0'
|
19096
19812
|
Seahorse::Client::Request.new(handlers, context)
|
19097
19813
|
end
|
19098
19814
|
|