Class AmazonS3EncryptionClient
- All Implemented Interfaces:
AmazonS3
,AmazonS3Encryption
,com.amazonaws.services.s3.internal.S3DirectSpi
The encryption materials specified in the constructor will be used to protect the CEK which is then stored along side with the S3 object.
-
Field Summary
FieldsFields inherited from class com.amazonaws.services.s3.AmazonS3Client
awsCredentialsProvider, configFactory, errorResponseHandler, S3_SERVICE_NAME
Fields inherited from class com.amazonaws.AmazonWebServiceClient
client, clientConfiguration, endpoint, LOGGING_AWS_REQUEST_METRIC, requestHandler2s, timeOffset
-
Constructor Summary
ConstructorsConstructorDescriptionAmazonS3EncryptionClient
(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) AmazonS3EncryptionClient
(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) AmazonS3EncryptionClient
(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterials encryptionMaterials) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials and client configuration to access Amazon S3.AmazonS3EncryptionClient
(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3.AmazonS3EncryptionClient
(AWSKMSClient kms, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) AmazonS3EncryptionClient
(EncryptionMaterials encryptionMaterials) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3.AmazonS3EncryptionClient
(EncryptionMaterialsProvider encryptionMaterialsProvider) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3.AmazonS3EncryptionClient
(EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3.AmazonS3EncryptionClient
(EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. -
Method Summary
Modifier and TypeMethodDescriptionvoid
Aborts a multipart upload.Completes a multipart upload by assembling previously uploaded parts.copyPart
(CopyPartRequest copyPartRequest) Copies a source object to a part of a multipart upload.void
Deletes the specified object in the specified bucket.Gets the object stored in Amazon S3 under the specified bucket and key.getObject
(GetObjectRequest req, File dest) Gets the object metadata for the object stored in Amazon S3 under the specified bucket and key, and saves the object contents to the specified file.Initiates a multipart upload and returns an InitiateMultipartUploadResult which contains an upload ID.Creates a new crypto instruction file by re-encrypting the CEK of an existing encrypted S3 object with a new encryption material identifiable via a new set of material description.Uploads a new object to the specified Amazon S3 bucket.void
shutdown()
Shuts down this client object, releasing any resources that might be held open.Used to encrypt data first to disk with pipelined concurrent multi-part uploads to S3.uploadPart
(UploadPartRequest uploadPartRequest) Uploads a part in a multipart upload.Methods inherited from class com.amazonaws.services.s3.AmazonS3Client
changeObjectStorageClass, copyObject, copyObject, createBucket, createBucket, createBucket, createBucket, createExecutionContext, createRequest, createRequest, createSigner, deleteBucket, deleteBucket, deleteBucketCrossOriginConfiguration, deleteBucketCrossOriginConfiguration, deleteBucketLifecycleConfiguration, deleteBucketLifecycleConfiguration, deleteBucketPolicy, deleteBucketPolicy, deleteBucketReplicationConfiguration, deleteBucketReplicationConfiguration, deleteBucketTaggingConfiguration, deleteBucketTaggingConfiguration, deleteBucketWebsiteConfiguration, deleteBucketWebsiteConfiguration, deleteObject, deleteObjects, deleteVersion, deleteVersion, disableRequesterPays, doesBucketExist, doesObjectExist, enableRequesterPays, generatePresignedUrl, generatePresignedUrl, generatePresignedUrl, getBucketAccelerateConfiguration, getBucketAccelerateConfiguration, getBucketAcl, getBucketAcl, getBucketCrossOriginConfiguration, getBucketCrossOriginConfiguration, getBucketLifecycleConfiguration, getBucketLifecycleConfiguration, getBucketLocation, getBucketLocation, getBucketLoggingConfiguration, getBucketLoggingConfiguration, getBucketNotificationConfiguration, getBucketNotificationConfiguration, getBucketPolicy, getBucketPolicy, getBucketReplicationConfiguration, getBucketReplicationConfiguration, getBucketTaggingConfiguration, getBucketTaggingConfiguration, getBucketVersioningConfiguration, getBucketVersioningConfiguration, getBucketWebsiteConfiguration, getBucketWebsiteConfiguration, getCachedResponseMetadata, getObject, getObjectAcl, getObjectAcl, getObjectAcl, getObjectMetadata, getObjectMetadata, getRegion, getResourceUrl, getS3AccountOwner, getS3AccountOwner, getUrl, headBucket, isRequesterPaysEnabled, listBuckets, listBuckets, listMultipartUploads, listNextBatchOfObjects, listNextBatchOfObjects, listNextBatchOfVersions, listNextBatchOfVersions, listObjects, listObjects, listObjects, listObjectsV2, listObjectsV2, listObjectsV2, listParts, listVersions, listVersions, listVersions, newInitiateMultipartUploadRequest, populateRequesterPaysHeader, populateRequestMetadata, presignRequest, putObject, putObject, restoreObject, restoreObject, setBucketAccelerateConfiguration, setBucketAccelerateConfiguration, setBucketAcl, setBucketAcl, setBucketAcl, setBucketAcl, setBucketAcl, setBucketCrossOriginConfiguration, setBucketCrossOriginConfiguration, setBucketLifecycleConfiguration, setBucketLifecycleConfiguration, setBucketLoggingConfiguration, setBucketNotificationConfiguration, setBucketNotificationConfiguration, setBucketPolicy, setBucketPolicy, setBucketReplicationConfiguration, setBucketReplicationConfiguration, setBucketTaggingConfiguration, setBucketTaggingConfiguration, setBucketVersioningConfiguration, setBucketWebsiteConfiguration, setBucketWebsiteConfiguration, setEndpoint, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectRedirectLocation, setRegion, setS3ClientOptions
Methods inherited from class com.amazonaws.AmazonWebServiceClient
addRequestHandler, addRequestHandler, beforeMarshalling, configureRegion, createExecutionContext, createExecutionContext, endClientExecution, endClientExecution, findRequestMetricCollector, getEndpointPrefix, getRequestMetricsCollector, getServiceAbbreviation, getServiceName, getServiceNameIntern, getSigner, getSignerByURI, getSignerRegionOverride, getTimeOffset, isProfilingEnabled, isRequestMetricsEnabled, removeRequestHandler, removeRequestHandler, requestMetricCollector, setEndpointPrefix, setServiceNameIntern, setSignerRegionOverride, setTimeOffset, withEndpoint, withRegion, withRegion, withTimeOffset
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface com.amazonaws.services.s3.AmazonS3
changeObjectStorageClass, copyObject, copyObject, createBucket, createBucket, createBucket, createBucket, deleteBucket, deleteBucket, deleteBucketCrossOriginConfiguration, deleteBucketCrossOriginConfiguration, deleteBucketLifecycleConfiguration, deleteBucketLifecycleConfiguration, deleteBucketPolicy, deleteBucketPolicy, deleteBucketReplicationConfiguration, deleteBucketReplicationConfiguration, deleteBucketTaggingConfiguration, deleteBucketTaggingConfiguration, deleteBucketWebsiteConfiguration, deleteBucketWebsiteConfiguration, deleteObject, deleteObjects, deleteVersion, deleteVersion, disableRequesterPays, doesBucketExist, doesObjectExist, enableRequesterPays, generatePresignedUrl, generatePresignedUrl, generatePresignedUrl, getBucketAccelerateConfiguration, getBucketAccelerateConfiguration, getBucketAcl, getBucketAcl, getBucketCrossOriginConfiguration, getBucketCrossOriginConfiguration, getBucketLifecycleConfiguration, getBucketLifecycleConfiguration, getBucketLocation, getBucketLocation, getBucketLoggingConfiguration, getBucketLoggingConfiguration, getBucketNotificationConfiguration, getBucketNotificationConfiguration, getBucketPolicy, getBucketPolicy, getBucketReplicationConfiguration, getBucketReplicationConfiguration, getBucketTaggingConfiguration, getBucketTaggingConfiguration, getBucketVersioningConfiguration, getBucketVersioningConfiguration, getBucketWebsiteConfiguration, getBucketWebsiteConfiguration, getCachedResponseMetadata, getObject, getObjectAcl, getObjectAcl, getObjectAcl, getObjectMetadata, getObjectMetadata, getRegion, getS3AccountOwner, getS3AccountOwner, getUrl, headBucket, isRequesterPaysEnabled, listBuckets, listBuckets, listMultipartUploads, listNextBatchOfObjects, listNextBatchOfObjects, listNextBatchOfVersions, listNextBatchOfVersions, listObjects, listObjects, listObjects, listObjectsV2, listObjectsV2, listObjectsV2, listParts, listVersions, listVersions, listVersions, putObject, putObject, restoreObject, restoreObject, setBucketAccelerateConfiguration, setBucketAccelerateConfiguration, setBucketAcl, setBucketAcl, setBucketAcl, setBucketCrossOriginConfiguration, setBucketCrossOriginConfiguration, setBucketLifecycleConfiguration, setBucketLifecycleConfiguration, setBucketLoggingConfiguration, setBucketNotificationConfiguration, setBucketNotificationConfiguration, setBucketPolicy, setBucketPolicy, setBucketReplicationConfiguration, setBucketReplicationConfiguration, setBucketTaggingConfiguration, setBucketTaggingConfiguration, setBucketVersioningConfiguration, setBucketWebsiteConfiguration, setBucketWebsiteConfiguration, setEndpoint, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectAcl, setObjectRedirectLocation, setRegion, setS3ClientOptions
-
Field Details
-
USER_AGENT
-
-
Constructor Details
-
AmazonS3EncryptionClient
Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If
AmazonS3Client.getObject(String, String)
is called, the object contents will be decrypted with the encryption materials provided.Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:
- If an Amazon S3 bucket has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.listObjects(String)
to see what objects are stored in a bucket. - If an object has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.getObject(String, String)
andAmazonS3Client.getObjectMetadata(String, String)
to pull object content and metadata. - If a bucket has
Permission.Write
permission for theGroupGrantee.AllUsers
group, anonymous clients can upload objects to the bucket.
- Parameters:
encryptionMaterials
- The encryption materials to be used to encrypt and decrypt data.
- If an Amazon S3 bucket has
-
AmazonS3EncryptionClient
Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If
AmazonS3Client.getObject(String, String)
is called, the object contents will be decrypted with the encryption materials provided.Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:
- If an Amazon S3 bucket has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.listObjects(String)
to see what objects are stored in a bucket. - If an object has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.getObject(String, String)
andAmazonS3Client.getObjectMetadata(String, String)
to pull object content and metadata. - If a bucket has
Permission.Write
permission for theGroupGrantee.AllUsers
group, anonymous clients can upload objects to the bucket.
- Parameters:
encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.
- If an Amazon S3 bucket has
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If
AmazonS3Client.getObject(String, String)
is called, the object contents will be decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:
- If an Amazon S3 bucket has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.listObjects(String)
to see what objects are stored in a bucket. - If an object has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.getObject(String, String)
andAmazonS3Client.getObjectMetadata(String, String)
to pull object content and metadata. - If a bucket has
Permission.Write
permission for theGroupGrantee.AllUsers
group, anonymous clients can upload objects to the bucket.
- Parameters:
encryptionMaterials
- The encryption materials to be used to encrypt and decrypt data.cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.
- If an Amazon S3 bucket has
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client that will make anonymous requests to Amazon S3. If
AmazonS3Client.getObject(String, String)
is called, the object contents will be decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.Only a subset of the Amazon S3 API will work with anonymous (i.e. unsigned) requests, but this can prove useful in some situations. For example:
- If an Amazon S3 bucket has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.listObjects(String)
to see what objects are stored in a bucket. - If an object has
Permission.Read
permission for theGroupGrantee.AllUsers
group, anonymous clients can callAmazonS3Client.getObject(String, String)
andAmazonS3Client.getObjectMetadata(String, String)
to pull object content and metadata. - If a bucket has
Permission.Write
permission for theGroupGrantee.AllUsers
group, anonymous clients can upload objects to the bucket.
- Parameters:
encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.
- If an Amazon S3 bucket has
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.
- Parameters:
credentials
- The AWS credentials to use when making requests to Amazon S3 with this client.encryptionMaterials
- The encryption materials to be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.
- Parameters:
credentials
- The AWS credentials to use when making requests to Amazon S3 with this client.encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided.
- Parameters:
credentialsProvider
- The AWS credentials provider which will provide credentials to authenticate requests with AWS services.encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.
- Parameters:
credentials
- The AWS credentials to use when making requests to Amazon S3 with this client.encryptionMaterials
- The encryption materials to be used to encrypt and decrypt data.cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.
- Parameters:
credentials
- The AWS credentials to use when making requests to Amazon S3 with this client.encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider encryptionMaterialsProvider, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The encryption implementation of the provided crypto provider will be used to encrypt and decrypt data.
- Parameters:
credentialsProvider
- The AWS credentials provider which will provide credentials to authenticate requests with AWS services.encryptionMaterialsProvider
- A provider for the encryption materials to be used to encrypt and decrypt data.cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterials encryptionMaterials, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) Constructs a new Amazon S3 Encryption client using the specified AWS credentials and client configuration to access Amazon S3. Object contents will be encrypted and decrypted with the encryption materials provided. The crypto provider and storage mode denoted in the specified crypto configuration will be used to encrypt and decrypt data.
- Parameters:
credentials
- The AWS credentials to use when making requests to Amazon S3 with this client.encryptionMaterials
- The encryption materials to be used to encrypt and decrypt data.clientConfig
- The client configuration options controlling how this client connects to Amazon S3 (ex: proxy settings, retry counts, etc).cryptoConfig
- The crypto configuration whose parameters will be used to encrypt and decrypt data.- Throws:
IllegalArgumentException
- If either of the encryption materials or crypto configuration parameters are null.
-
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentials credentials, EncryptionMaterialsProvider encryptionMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) -
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig) -
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector) -
AmazonS3EncryptionClient
public AmazonS3EncryptionClient(AWSKMSClient kms, AWSCredentialsProvider credentialsProvider, EncryptionMaterialsProvider kekMaterialsProvider, ClientConfiguration clientConfig, CryptoConfiguration cryptoConfig, RequestMetricCollector requestMetricCollector)
-
-
Method Details
-
putObject
Uploads a new object to the specified Amazon S3 bucket. The
PutObjectRequest
contains all the details of the request, including the bucket to upload to, the key the object will be uploaded under, and the file or input stream containing the data to upload.Amazon S3 never stores partial objects; if during this call an exception wasn't thrown, the entire object was stored.
If you are uploading or accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
Depending on whether a file or input stream is being uploaded, this method has slightly different behavior.
When uploading a file:
- The client automatically computes a checksum of the file. Amazon S3 uses checksums to validate the data in each file.
- Using the file extension, Amazon S3 attempts to determine the correct content type and content disposition to use for the object.
When uploading directly from an input stream:
- Be careful to set the correct content type in the metadata object before directly sending a stream. Unlike file uploads, content types from input streams cannot be automatically determined. If the caller doesn't explicitly set the content type, it will not be set in Amazon S3.
- Content length must be specified before data can be uploaded to Amazon S3. Amazon S3 explicitly requires that the content length be sent in the request headers before it will accept any of the data. If the caller doesn't provide the length, the library must buffer the contents of the input stream in order to calculate it.
If versioning is enabled for the specified bucket, this operation will never overwrite an existing object with the same key, but will keep the existing object as an older version until that version is explicitly deleted (see
AmazonS3.deleteVersion(String, String, String)
.If versioning is not enabled, this operation will overwrite an existing object with the same key; Amazon S3 will store the last write request. Amazon S3 does not provide object locking. If Amazon S3 receives multiple write requests for the same object nearly simultaneously, all of the objects might be stored. However, a single object will be stored with the final write request.
When specifying a location constraint when creating a bucket, all objects added to the bucket are stored in the bucket's region. For example, if specifying a Europe (EU) region constraint for a bucket, all of that bucket's objects are stored in the EU region.
The specified bucket must already exist and the caller must have
Permission.Write
permission to the bucket to upload an object.Use
EncryptedPutObjectRequest
to specify materialsDescription for the EncryptionMaterials to be used for this request.AmazonS3EncryptionClient would useEncryptionMaterialsAccessor.getEncryptionMaterials(java.util.Map)
to retrieve encryption materials corresponding to the materialsDescription specified in the current request.- Specified by:
putObject
in interfaceAmazonS3
- Specified by:
putObject
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
putObject
in classAmazonS3Client
- Parameters:
req
- The request object containing all the parameters to upload a new object to Amazon S3.- Returns:
- A
PutObjectResult
object containing the information returned by Amazon S3 for the newly created object. - See Also:
-
getObject
Description copied from interface:AmazonS3
Gets the object stored in Amazon S3 under the specified bucket and key. Returns
null
if the specified constraints weren't met.Callers should be very careful when using this method; the returned Amazon S3 object contains a direct stream of data from the HTTP connection. The underlying HTTP connection cannot be closed until the user finishes reading the data and closes the stream. Callers should therefore:
- Use the data from the input stream in Amazon S3 object as soon as possible,
- Close the input stream in Amazon S3 object as soon as possible.
If callers do not follow those rules, then the client can run out of resources if allocating too many open, but unused, HTTP connections.
To get an object from Amazon S3, the caller must have
Permission.Read
access to the object.If the object fetched is publicly readable, it can also read it by pasting its URL into a browser.
When specifying constraints in the request object, the client needs to be prepared to handle this method returning
null
if the provided constraints aren't met when Amazon S3 receives the request.If the advanced options provided in
GetObjectRequest
aren't needed, use the simplerAmazonS3.getObject(String bucketName, String key)
method.If you are accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
- Specified by:
getObject
in interfaceAmazonS3
- Specified by:
getObject
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
getObject
in classAmazonS3Client
- Parameters:
req
- The request object containing all the options on how to download the object.- Returns:
- The object stored in Amazon S3 in the specified bucket and key.
Returns
null
if constraints were specified but not met. - See Also:
-
getObject
Description copied from interface:AmazonS3
Gets the object metadata for the object stored in Amazon S3 under the specified bucket and key, and saves the object contents to the specified file. Returns
null
if the specified constraints weren't met.Instead of using
AmazonS3.getObject(GetObjectRequest)
, use this method to ensure that the underlying HTTP stream resources are automatically closed as soon as possible. The Amazon S3 clients handles immediate storage of the object contents to the specified file.To get an object from Amazon S3, the caller must have
Permission.Read
access to the object.If the object fetched is publicly readable, it can also read it by pasting its URL into a browser.
When specifying constraints in the request object, the client needs to be prepared to handle this method returning
null
if the provided constraints aren't met when Amazon S3 receives the request.If you are accessing AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
- Specified by:
getObject
in interfaceAmazonS3
- Specified by:
getObject
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
getObject
in classAmazonS3Client
- Parameters:
req
- The request object containing all the options on how to download the Amazon S3 object content.dest
- Indicates the file (which might already exist) where to save the object content being downloading from Amazon S3.- Returns:
- All S3 object metadata for the specified object.
Returns
null
if constraints were specified but not met. - See Also:
-
deleteObject
Description copied from interface:AmazonS3
Deletes the specified object in the specified bucket. Once deleted, the object can only be restored if versioning was enabled when the object was deleted.
If attempting to delete an object that does not exist, Amazon S3 will return a success message instead of an error message.
- Specified by:
deleteObject
in interfaceAmazonS3
- Overrides:
deleteObject
in classAmazonS3Client
- Parameters:
req
- The request object containing all options for deleting an Amazon S3 object.- See Also:
-
completeMultipartUpload
Description copied from interface:AmazonS3
Completes a multipart upload by assembling previously uploaded parts.You first upload all parts using the
AmazonS3.uploadPart(UploadPartRequest)
method. After successfully uploading all individual parts of an upload, you call this operation to complete the upload. Upon receiving this request, Amazon S3 concatenates all the parts in ascending order by part number to create a new object. In the CompleteMultipartUpload request, you must provide the parts list. For each part in the list, you provide the part number and the ETag header value, returned after that part was uploaded.Processing of a CompleteMultipartUpload request may take several minutes to complete.
If you are perfoming a complete multipart upload for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
- Specified by:
completeMultipartUpload
in interfaceAmazonS3
- Specified by:
completeMultipartUpload
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
completeMultipartUpload
in classAmazonS3Client
- Parameters:
req
- The CompleteMultipartUploadRequest object that specifies all the parameters of this operation.- Returns:
- A CompleteMultipartUploadResult from S3 containing the ETag for the new object composed of the individual parts.
-
initiateMultipartUpload
Initiates a multipart upload and returns an InitiateMultipartUploadResult which contains an upload ID. This upload ID associates all the parts in the specific upload and is used in each of your subsequentAmazonS3.uploadPart(UploadPartRequest)
requests. You also include this upload ID in the final request to either complete, or abort the multipart upload request.Note: After you initiate a multipart upload and upload one or more parts, you must either complete or abort the multipart upload in order to stop getting charged for storage of the uploaded parts. Once you complete or abort the multipart upload Amazon S3 will release the stored parts and stop charging you for their storage.
If you are initiating a multipart upload for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
Use
EncryptedInitiateMultipartUploadRequest
to specify materialsDescription for the EncryptionMaterials to be used for this request. AmazonS3EncryptionClient would useEncryptionMaterialsAccessor.getEncryptionMaterials(java.util.Map)
to retrieve encryption materials corresponding to the materialsDescription specified in the current request.- Specified by:
initiateMultipartUpload
in interfaceAmazonS3
- Specified by:
initiateMultipartUpload
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
initiateMultipartUpload
in classAmazonS3Client
- Parameters:
req
- The InitiateMultipartUploadRequest object that specifies all the parameters of this operation.- Returns:
- An InitiateMultipartUploadResult from Amazon S3.
-
uploadPart
public UploadPartResult uploadPart(UploadPartRequest uploadPartRequest) throws AmazonClientException, AmazonServiceException Uploads a part in a multipart upload. You must initiate a multipart upload before you can upload any part.Your UploadPart request must include an upload ID and a part number. The upload ID is the ID returned by Amazon S3 in response to your Initiate Multipart Upload request. Part number can be any number between 1 and 10,000, inclusive. A part number uniquely identifies a part and also defines its position within the object being uploaded. If you upload a new part using the same part number that was specified in uploading a previous part, the previously uploaded part is overwritten.
To ensure data is not corrupted traversing the network, specify the Content-MD5 header in the Upload Part request. Amazon S3 checks the part data against the provided MD5 value. If they do not match, Amazon S3 returns an error.
When you upload a part, the returned UploadPartResult contains an ETag property. You should record this ETag property value and the part number. After uploading all parts, you must send a CompleteMultipartUpload request. At that time Amazon S3 constructs a complete object by concatenating all the parts you uploaded, in ascending order based on the part numbers. The CompleteMultipartUpload request requires you to send all the part numbers and the corresponding ETag values.
Note: After you initiate a multipart upload and upload one or more parts, you must either complete or abort the multipart upload in order to stop getting charged for storage of the uploaded parts. Once you complete or abort the multipart upload Amazon S3 will release the stored parts and stop charging you for their storage.
If you are performing upload part for AWS KMS-encrypted objects, you need to specify the correct region of the bucket on your client and configure AWS Signature Version 4 for added security. For more information on how to do this, see http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html# specify-signature-version
NOTE: Because the encryption process requires context from block N-1 in order to encrypt block N, parts uploaded with the AmazonS3EncryptionClient (as opposed to the normal AmazonS3Client) must be uploaded serially, and in order. Otherwise, the previous encryption context isn't available to use when encrypting the current part.
- Specified by:
uploadPart
in interfaceAmazonS3
- Specified by:
uploadPart
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
uploadPart
in classAmazonS3Client
- Parameters:
uploadPartRequest
- The UploadPartRequest object that specifies all the parameters of this operation.- Returns:
- An UploadPartResult from Amazon S3 containing the part number and ETag of the new part.
- Throws:
AmazonClientException
- If any errors are encountered in the client while making the request or handling the response.AmazonServiceException
- If any errors occurred in Amazon S3 while processing the request.
-
copyPart
Description copied from class:AmazonS3Client
Copies a source object to a part of a multipart upload. To copy an object, the caller's account must have read access to the source object and write access to the destination bucket.If constraints are specified in the
CopyPartRequest
(e.g.CopyPartRequest.setMatchingETagConstraints(List)
) and are not satisfied when Amazon S3 receives the request, this method returnsnull
. This method returns a non-null result under all other circumstances.- Specified by:
copyPart
in interfaceAmazonS3
- Specified by:
copyPart
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
copyPart
in classAmazonS3Client
- Parameters:
copyPartRequest
- The request object containing all the options for copying an Amazon S3 object.- Returns:
- A
CopyPartResult
object containing the information returned by Amazon S3 about the newly created object, ornull
if constraints were specified that weren't met when Amazon S3 attempted to copy the object. - See Also:
-
abortMultipartUpload
Description copied from interface:AmazonS3
Aborts a multipart upload. After a multipart upload is aborted, no additional parts can be uploaded using that upload ID. The storage consumed by any previously uploaded parts will be freed. However, if any part uploads are currently in progress, those part uploads may or may not succeed. As a result, it may be necessary to abort a given multipart upload multiple times in order to completely free all storage consumed by all parts.- Specified by:
abortMultipartUpload
in interfaceAmazonS3
- Specified by:
abortMultipartUpload
in interfacecom.amazonaws.services.s3.internal.S3DirectSpi
- Overrides:
abortMultipartUpload
in classAmazonS3Client
- Parameters:
req
- The AbortMultipartUploadRequest object that specifies all the parameters of this operation.
-
putInstructionFile
Creates a new crypto instruction file by re-encrypting the CEK of an existing encrypted S3 object with a new encryption material identifiable via a new set of material description.User of this method is responsible for explicitly deleting/updating the instruction file so created should the corresponding S3 object is deleted/created.
- Returns:
- the result of the put (instruction file) operation.
-
shutdown
public void shutdown()Shuts down this client object, releasing any resources that might be held open. This is an optional method, and callers are not expected to call it, but can if they want to explicitly release any open resources. Once a client has been shutdown, it should not be used to make any more requests.If the a default internal KMS client has been constructed, it will also be shut down by calling this method. Otherwise, users who provided the KMS client would be responsible to shut down the KMS client extrinsic to this method.
- Overrides:
shutdown
in classAmazonWebServiceClient
-
uploadObject
public CompleteMultipartUploadResult uploadObject(UploadObjectRequest req) throws IOException, InterruptedException, ExecutionException Used to encrypt data first to disk with pipelined concurrent multi-part uploads to S3. This method enables significant speed-up of encrypting and uploading large payloads to Amazon S3 via pipelining and parallel uploads by consuming temporary disk space.There are many ways you can customize the behavior of this method, including
- the configuration of your own custom thread pool
- the part size of each multi-part upload request; By default, a temporary ciphertext file is generated per part and gets uploaded immediately to S3
- the maximum temporary disk space that must not be exceeded by execution of this request; By default, the encryption will block upon hitting the limit and will only resume when the in-flight uploads catch up by releasing the temporary disk space upon successful uploads of the completed parts
- the configuration of your own
MultiFileOutputStream
for custom pipeline behavior - the configuration of your own
UploadObjectObserver
for custom multi-part upload behavior
A request is handled with the following life cycle, calling the necessary Service Provider Interface:
- A thread pool is constructed (or retrieved from the request) for the
execution of concurrent upload tasks to be submitted by the
UploadObjectObserver
- An
UploadObjectObserver
is constructed (or retrieved from the request) for execution of concurrent uploads to S3 - Initialize the
UploadObjectObserver
- Initialize a multi-part upload request to S3 by calling
UploadObjectObserver.onUploadInitiation(UploadObjectRequest)
- A
MultiFileOutputStream
is constructed (or retrieved from the request) which serves as the pipeline for incremental (but serial) encryption to disk with concurrent multipart uploads to S3 whenever the parts on the disk are ready - Initialize the
MultiFileOutputStream
- Kicks off the pipeline for incremental encryption to disk with pipelined concurrent multi-part uploads to S3
- For every part encrypted into a temporary file on disk, it is
uploaded by calling
UploadObjectObserver.onPartCreate(PartCreationEvent)
- Finally, clean up and complete the multi-part upload by calling
UploadObjectObserver.onCompletion(List)
.
- Returns:
- the result of the completed muti-part uploads
- Throws:
IOException
- if the encryption to disk failedInterruptedException
- if the current thread was interrupted while waitingExecutionException
- if the concurrent uploads threw an exception
-