Using KMS-CMK on S3 with Laravel

Time:09-24

I have an S3 bucket that is used to store files via Laravel. I have updated the bucket policy to use a Customer-Managed CMK and I cannot figure out or find what configuration to use in Laravel.

This is what I have in config/filesystems and it works fine with a standard bucket policy and AWS-Managed CMK:

    's3' => [
        'driver'   => 's3',
        'key'      => env('AWS_ACCESS_KEY_ID'),
        'secret'   => env('AWS_SECRET_ACCESS_KEY'),
        'region'   => env('AWS_DEFAULT_REGION'),
        'bucket'   => env('AWS_BUCKET'),
        'url'      => env('AWS_URL'),
        'endpoint' => env('AWS_ENDPOINT'),
        'options'  => [
            'ServerSideEncryption' => env('AWS_SERVER_SIDE_ENCRYPTION'),

        ],
    ],

What changes do I have to make to be able to use a Customer-Managed CMK?

CodePudding user response:

It's not clear what exactly you are passing as ServerSideEncryption as you are getting it from an env var, but these are the options available in the PHP SDK for PutObject:

    'SSEKMSKeyId' => '<string>',
    'ServerSideEncryption' => 'AES256|aws:kms',

Based on that I believe that your configuration should look like this:

    's3' => [
        'driver'   => 's3',
        'key'      => env('AWS_ACCESS_KEY_ID'),
        'secret'   => env('AWS_SECRET_ACCESS_KEY'),
        'region'   => env('AWS_DEFAULT_REGION'),
        'bucket'   => env('AWS_BUCKET'),
        'url'      => env('AWS_URL'),
        'endpoint' => env('AWS_ENDPOINT'),
        'options'  => [
            'ServerSideEncryption' => 'aws:kms',
            'SSEKMSKeyId' => env('SSE_KMS_KEY_ARN')
        ],
    ],

where SSE_KMS_KEY_ARN is the ARN of the KMS CMK key with which you want to encrypt.
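As an added example (not part of the original answer, and not Laravel or AWS SDK code), the options array above can be built by a small helper that fails closed when the key ARN is unset, malformed, or in a different region from the bucket, since S3 requires the KMS key to be in the bucket's region. The function name `s3SseOptions` and the sample ARN are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build the 'options' array for the s3 disk, failing closed when the
 * customer-managed key is missing, malformed, or in another region.
 * Hypothetical helper (assumption): not part of Laravel or the AWS SDK.
 */
function s3SseOptions(?string $keyArn, ?string $bucketRegion): array
{
    if ($keyArn === null || trim($keyArn) === '') {
        // env('SSE_KMS_KEY_ARN') returns null when the variable is unset.
        throw new InvalidArgumentException('SSE_KMS_KEY_ARN is not set');
    }
    // Only a full key ARN is accepted, as in the answer above; rejecting
    // aliases and bare key ids is this helper's own choice.
    // arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
    $pattern = '/^arn:(aws|aws-cn|aws-us-gov):kms:([a-z0-9-]+):(\d{12}):key\/([A-Za-z0-9-]+)$/';
    if (preg_match($pattern, trim($keyArn), $m) !== 1) {
        throw new InvalidArgumentException('SSE_KMS_KEY_ARN is not a KMS key ARN');
    }
    // S3 requires the KMS key to be in the same region as the bucket.
    if ($bucketRegion === null || $m[2] !== $bucketRegion) {
        throw new InvalidArgumentException(
            "KMS key region {$m[2]} does not match bucket region " . ($bucketRegion ?? '(unset)')
        );
    }
    return [
        'ServerSideEncryption' => 'aws:kms',
        'SSEKMSKeyId'          => trim($keyArn),
    ];
}

// Constructed sample values (not real resources).
$arn = 'arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab';
print_r(s3SseOptions($arn, 'eu-west-1'));

// Each of these misconfigurations is rejected before any upload is attempted.
foreach ([[null, 'eu-west-1'], ['alias/my-key', 'eu-west-1'], [$arn, 'us-east-1']] as [$k, $r]) {
    try {
        s3SseOptions($k, $r);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

In config/filesystems.php the call would be `'options' => s3SseOptions(env('SSE_KMS_KEY_ARN'), env('AWS_DEFAULT_REGION'))`, provided the helper is loaded before the config file, for example through Composer's autoload `files` list.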
