We are testing Nexus-3 PRO 3.12.1-01 & S3 integration and hit a roadblock w.r.t. creating the S3-based blob store. We use Bring Your Own Key, i.e. aws-kms, and not the default AWS-provided KMS key, as part of server-side encryption on the S3 buckets, for obvious security reasons in our organisation.
Current policy mandates that the request header should have the server-side encryption kms-keyId for the PUTs to succeed, and when I try to create a blob store by specifying the existing bucket details it throws an Access Denied error because of the missing kms keyId in the request.
I don’t see any field exposed to provide these configuration details, listed below, on Nexus-3 PRO 3.12.1-01 or on version 3.13, and was advised by the support team to raise an enhancement request, as this is preventing us from using S3 for HA configuration.
a. SSE Algorithm type (Example : aws:kms)
b. SSE KMS key Id (Example : 6fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
c. Storage Class (Example : Standard)
Example arg params, i.e. those sent from the AWS CLI to upload any objects to S3:
--sse aws:kms --storage-class STANDARD --sse-kms-key-id 6fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
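
The following is an added example, not part of the original report and not Nexus or AWS code: a constructed bucket policy of the kind the report describes, with a small evaluator showing why a PUT without the SSE headers is denied while one carrying the CLI flags above is not. The policy shape, the Sid names and the bucket name are assumptions; the reporter's actual policy is not shown on the page.

```python
# Constructed policy: two Deny statements enforcing SSE-KMS headers on PutObject.
# Bucket name is a placeholder; condition keys are the standard S3 ones.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyNonKmsEncryption",  # hypothetical Sid
         "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-nexus-blobstore/*",
         "Condition": {"StringNotEquals":
                       {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyMissingKmsKeyId",  # hypothetical Sid
         "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-nexus-blobstore/*",
         "Condition": {"Null":
                       {"s3:x-amz-server-side-encryption-aws-kms-key-id": "true"}}},
    ],
}

def condition_matches(condition, headers):
    """True when every operator/key pair in a Condition block matches the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            value = headers.get(key.split(":", 1)[1])  # condition key -> header name
            if operator == "StringNotEquals":
                matched = value != expected  # an absent header also counts as not equal
            elif operator == "Null":
                matched = (value is None) == (expected == "true")
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not matched:
                return False
    return True

def denied_by(policy, headers):
    """Sids of the Deny statements that a PutObject with these headers triggers."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and condition_matches(s["Condition"], headers)]

# Constructed requests: a client with no SSE settings vs. the CLI flags from the report.
PLAIN_PUT = {"x-amz-storage-class": "STANDARD"}
KMS_PUT = {"x-amz-server-side-encryption": "aws:kms",
           "x-amz-server-side-encryption-aws-kms-key-id":
               "6fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",  # masked id from the report
           "x-amz-storage-class": "STANDARD"}

if __name__ == "__main__":
    print("plain PUT denied by:", denied_by(BUCKET_POLICY, PLAIN_PUT))
    print("KMS PUT denied by:  ", denied_by(BUCKET_POLICY, KMS_PUT))
```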