I get the following, even though the bucket I created is encrypted
aws s3api --endpoint-url=http://localhost:4566 get-bucket-encryption --bucket resheftest-encrypted-bucket
An error occurred (ServerSideEncryptionConfigurationNotFoundError) when calling the GetBucketEncryption operation: The server side encryption configuration was not found
Hi @reshefsh,
I have performed a quick test, and it works with these basic commands. Could you please provide the full steps, so we can test it more thoroughly? Thanks.
bucket="sample-test-bucket"
awslocal s3api create-bucket --bucket $bucket
keyid=$(awslocal kms create-key --description "sample key" --key-usage ENCRYPT_DECRYPT --origin AWS_KMS --output text --query KeyMetadata.KeyId)
awslocal s3api put-bucket-encryption --bucket $bucket --server-side-encryption-configuration "{\"Rules\":[{\"ApplyServerSideEncryptionByDefault\":{\"SSEAlgorithm\":\"aws:kms\",\"KMSMasterKeyID\":\"$keyid\"},\"BucketKeyEnabled\":true}]}"
awslocal s3api get-bucket-encryption --bucket $bucket
Result
{
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": "6abd8ba6-a6bc-4a83-988b-7b685087b39d"
                },
                "BucketKeyEnabled": true
            }
        ]
    }
}
Yes, the command works locally.
I am using aws-sdk-go, and am wondering whether GetBucketEncryptionWithContext, the method I use, works?
Hi,
I am not certain how this differs from what I shared. You can call the operation your preferred way. Please share a simple code sample that can be used to reproduce your issue, and we will look into it.
Thanks.
I was able to narrow the issue.
If I run the above commands, everything works properly.
However, my actual use case is deploying using CloudFormation.
Using CloudFormation on a real AWS environment actually works. With LocalStack it doesn’t.
Stack:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  Bucket3:
    Type: String
    Default: kaka-encrypted-bucket
  MyKMSKeyID:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /kms-key
Resources:
  Bucket1a:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref Bucket1
  Bucket1b:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref Bucket2
  Bucket1c:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Ref Bucket3
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref MyKMSKeyID
            BucketKeyEnabled: true
Hi,
Thank you for supplying further details.
Unfortunately, S3 bucket encryption is not available via CloudFormation at the moment.
As a temporary solution, you can create the S3 bucket with encryption using CLI or another method. You can also try using Initialization Hooks | Docs (localstack.cloud) or Cloud Pods | Docs (localstack.cloud) to generate the environment.
We encourage you to submit a feature request on our GitHub page using this link: New Issue · localstack/localstack (github.com).
Thank you.
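One way to apply the CLI workaround suggested above without maintaining the encryption settings twice, as an added example that is not part of the original thread: it reads the `BucketEncryption` property from a template and emits the matching `put-bucket-encryption` call, renaming CloudFormation's `ServerSideEncryptionByDefault` to the S3 API's `ApplyServerSideEncryptionByDefault` under `Rules`. The template is a constructed JSON-form copy of the `Bucket1c` resource, the key id is a placeholder, and the function names are hypothetical; it assumes each bucket sets `BucketName` and uses only `Ref` intrinsics.

```python
import json

# Constructed sample: the Bucket1c resource from the stack above, in JSON form.
TEMPLATE = {"Resources": {"Bucket1c": {
    "Type": "AWS::S3::Bucket",
    "Properties": {
        "BucketName": {"Ref": "Bucket3"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [{
            "ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": {"Ref": "MyKMSKeyID"}},
            "BucketKeyEnabled": True}]},
    }}}}


def resolve(value, params):
    """Resolve {"Ref": name} against supplied parameter values; pass literals through."""
    if isinstance(value, dict) and "Ref" in value:
        return params[value["Ref"]]  # KeyError: a referenced parameter was not supplied
    return value


def encryption_calls(template, params):
    """Map bucket name -> S3 API ServerSideEncryptionConfiguration for encrypted buckets."""
    calls = {}
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        enc = props.get("BucketEncryption")
        if res.get("Type") != "AWS::S3::Bucket" or not enc:
            continue  # unencrypted buckets need no follow-up call
        rules = []
        for rule in enc["ServerSideEncryptionConfiguration"]:
            default = {k: resolve(v, params)
                       for k, v in rule["ServerSideEncryptionByDefault"].items()}
            api_rule = {"ApplyServerSideEncryptionByDefault": default}
            if "BucketKeyEnabled" in rule:
                api_rule["BucketKeyEnabled"] = rule["BucketKeyEnabled"]
            rules.append(api_rule)
        calls[resolve(props["BucketName"], params)] = {"Rules": rules}
    return calls


if __name__ == "__main__":
    # Placeholder key id: substitute the id returned by `awslocal kms create-key`.
    params = {"Bucket3": "kaka-encrypted-bucket", "MyKMSKeyID": "KEY_ID_PLACEHOLDER"}
    for bucket, cfg in encryption_calls(TEMPLATE, params).items():
        print(f"awslocal s3api put-bucket-encryption --bucket {bucket} "
              f"--server-side-encryption-configuration '{json.dumps(cfg)}'")
```

Running the printed command after the stack deploys, then `get-bucket-encryption` as in the earlier post, confirms the bucket carries the configuration the template declares.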