S3 Uploads to KMS-Encrypted Buckets

cduffettamino · August 28, 2023, 4:59pm

Hi team, I'm trying to use the s3 resource "upload data" action to upload sensitive data files to s3. I have several s3 buckets that all require server-side encryption at-rest. We are using a non-default AWS KMS key to encrypt all files in those buckets.

I've successfully used Retool to read encrypted files from those s3 buckets, but I have not been able to write files to any KMS-encrypted s3 buckets via the Retool app. Normally when uploading files to a KMS-encrypted S3 bucket, the AWS CLI requires extra options like:

aws s3 cp <local_path> <s3_path> --sse aws:kms

I don't see any existing config options that would allow me to change the server-side encryption (--sse) setting when uploading files. Can you help me figure out how to upload files to KMS-encrypted S3 buckets?

Thank you!
~ Carlton

joeBumbaca · September 18, 2023, 6:20pm

Hey @cduffettamino! Welcome to the Retool forum!

This isn't possible using only the default S3 resource integration currently. We do have a feature request logged to allow the passing of the required headers in the upload requests, and I can update you here when I get any additional information on the status of that request.

In the meantime, you can generate a pre-signed url to put the object in the bucket with the required encryption headers.

Generate pre-signed url: with the file Key you want assigned to the object, the ServerSideEncryption option, and the SSEKMSKeyId for the key you are using.

You can then use a generic REST query and the presigned url obtained in that step to upload the object:

Hope this helps!