2017-10-08 224 views
0

Extracting a KMS-encrypted ZIP file from AWS S3

I want to use a Lambda function to retrieve a specific ZIP file from AWS S3, decrypt it and unzip it.

Here is my code:

const AWS = require('aws-sdk');
const zlib = require('zlib');
const fs = require('fs');
const stream = require('stream');

exports.handler = function (event, context) {
    // CodePipeline invocation: locate the input artifact in S3
    const jobInfo = event['CodePipeline.job'].data;
    const artifactsInfo = jobInfo.inputArtifacts[0].location;
    const bucket = artifactsInfo.s3Location.bucketName;
    const key = artifactsInfo.s3Location.objectKey;

    // Temporary credentials that CodePipeline issues for the artifact bucket
    const credentials = jobInfo.artifactCredentials;
    const s3 = new AWS.S3({
        credentials: credentials,
    });
    const kms = new AWS.KMS({
        credentials: credentials,
        region: 'eu-central-1',
    });

    s3.getObject({
        Bucket: bucket,
        Key: key,
    }, function (err, data) {
        if (err) {
            // context.done(err);
            console.error(err);
            return;
        }

        console.log('Received file', key);

        const buff = new stream.PassThrough();

        // Hand the whole object body to KMS Decrypt
        kms.decrypt({ CiphertextBlob: data.Body }, function (err, decryptData) {
            if (err) {
                console.error(err);
                return;
            }

            buff.end(decryptData.Plaintext);

            console.log('Decoded S3 object encrypted with KMS ID', decryptData.KeyId);

            buff
                .pipe(zlib.createGunzip())
                .on('error', console.error)
                .on('entry', function (entry) {
                    console.log(entry);
                });
        });

    });
};

However, the ZIP file is about 5 MiB, and I get the following error from the KMS request:

ValidationException: 1 validation error detected: Value 'java.nio.HeapByteBuffer[pos=0 lim=128011 cap=128011]' at 'ciphertextBlob' failed to satisfy constraint: Member must have length less than or equal to 6144 
    at Request.extractError (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/protocol/json.js:48:27) 
    at Request.callListeners (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/sequential_executor.js:105:20) 
    at Request.emit (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/sequential_executor.js:77:10) 
    at Request.emit (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/request.js:683:14) 
    at Request.transition (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/request.js:22:10) 
    at AcceptorStateMachine.runTo (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/state_machine.js:14:12) 
    at /home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/state_machine.js:26:10 
    at Request.<anonymous> (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/request.js:38:9) 
    at Request.<anonymous> (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/request.js:685:12) 
    at Request.callListeners (/home/victor/dev/s3-zip-extract/node_modules/aws-sdk/lib/sequential_executor.js:115:18) 
    message: '1 validation error detected: Value \'java.nio.HeapByteBuffer[pos=0 lim=128011 cap=128011]\' at \'ciphertextBlob\' failed to satisfy constraint: Member must have length less than or equal to 6144' 

How can I solve this problem? Thanks!

+2

Were your S3 objects encrypted client-side when they were uploaded? Or are you using server-side S3 encryption with a KMS key? –

+0

I'm using SSE-KMS, so there is no client-side encryption. – Victor

+0

@MattHouser please see my edit! I've updated my situation! – Victor

Answer

0

After digging into the documentation, I found that I don't need to decrypt the object, because S3 sends the plaintext to the client. I removed the decryption step and got to the point where my code looks like this:

buff.end(data.Body);
buff
    .pipe(zlib.createGunzip())
    .on('error', console.error)
    .on('entry', function (entry) {
        console.log(entry);
    });

Note (I'm pointing this out because it took me some time to figure it out): Amazon outputs its .zip files in PKZIP format, which zlib cannot handle.