Package software.amazon.encryption.s3

Class S3EncryptionClient.Builder

  • All Implemented Interfaces:
    software.amazon.awssdk.awscore.client.builder.AwsClientBuilder, software.amazon.awssdk.core.client.builder.SdkClientBuilder, software.amazon.awssdk.utils.builder.Buildable, software.amazon.awssdk.utils.builder.SdkBuilder
    Enclosing class:
    S3EncryptionClient
    public static class S3EncryptionClient.Builder
extends Object
implements software.amazon.awssdk.awscore.client.builder.AwsClientBuilder

    • Method Detail

      • wrappedClient

        public S3EncryptionClient.Builder wrappedClient​(software.amazon.awssdk.services.s3.S3Client _wrappedClient)
        Sets the wrappedClient to be used for non-cryptographic operations.

      • wrappedAsyncClient

        public S3EncryptionClient.Builder wrappedAsyncClient​(software.amazon.awssdk.services.s3.S3AsyncClient _wrappedAsyncClient)
        Sets the wrappedAsyncClient to be used for cryptographic operations.

      • keyring

        public S3EncryptionClient.Builder keyring​(Keyring keyring)
        Specifies the Keyring to use for key wrapping and unwrapping.
        Parameters:
        keyring - the Keyring instance to use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • aesKey

        public S3EncryptionClient.Builder aesKey​(SecretKey aesKey)
        Specifies a "raw" AES key to use for key wrapping/unwrapping.
        Parameters:
        aesKey - the AES key as a SecretKey instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • rsaKeyPair

        public S3EncryptionClient.Builder rsaKeyPair​(KeyPair rsaKeyPair)
        Specifies a "raw" RSA key pair to use for key wrapping/unwrapping.
        Parameters:
        rsaKeyPair - the RSA key pair as a KeyPair instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • rsaKeyPair

        public S3EncryptionClient.Builder rsaKeyPair​(PartialRsaKeyPair partialRsaKeyPair)
        Specifies a "raw" RSA key pair to use for key wrapping/unwrapping. This option takes a PartialRsaKeyPair instance, which allows either a public key (decryption only) or private key (encryption only) rather than requiring both parts.
        Parameters:
        partialRsaKeyPair - the RSA key pair as a PartialRsaKeyPair instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • kmsKeyId

        public S3EncryptionClient.Builder kmsKeyId​(String kmsKeyId)
        Specifies a KMS key to use for key wrapping/unwrapping. Any valid KMS key identifier (including the full ARN or an alias ARN) is permitted. When decrypting objects, the key referred to by this KMS key identifier is always used.
        Parameters:
        kmsKeyId - the KMS key identifier as a String instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableLegacyWrappingAlgorithms

        public S3EncryptionClient.Builder enableLegacyWrappingAlgorithms​(boolean shouldEnableLegacyWrappingAlgorithms)
        When set to true, decryption of objects using legacy key wrapping modes is enabled.
        Parameters:
        shouldEnableLegacyWrappingAlgorithms - true to enable legacy wrapping algorithms
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableLegacyUnauthenticatedModes

        public S3EncryptionClient.Builder enableLegacyUnauthenticatedModes​(boolean shouldEnableLegacyUnauthenticatedModes)
        When set to true, decryption of content using legacy encryption algorithms is enabled. This includes use of GetObject requests with a range, as this mode is not authenticated.
        Parameters:
        shouldEnableLegacyUnauthenticatedModes - true to enable legacy content algorithms
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableDelayedAuthenticationMode

        public S3EncryptionClient.Builder enableDelayedAuthenticationMode​(boolean shouldEnableDelayedAuthenticationMode)
        When set to true, authentication of streamed objects is delayed until the entire object is read from the stream. When this mode is enabled, the consuming application must support a way to invalidate any data read from the stream as the tag will not be validated until the stream is read to completion, as the integrity of the data cannot be ensured. See the AWS Documentation for more information.
        Parameters:
        shouldEnableDelayedAuthenticationMode - true to enable delayed authentication
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableMultipartPutObject

        public S3EncryptionClient.Builder enableMultipartPutObject​(boolean _enableMultipartPutObject)
        When set to true, the putObject method will use multipart upload to perform the upload. Disabled by default.
        Parameters:
        _enableMultipartPutObject - true enables the multipart upload implementation of putObject
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • setBufferSize

        public S3EncryptionClient.Builder setBufferSize​(long bufferSize)
        Sets the buffer size for safe authentication used when delayed authentication mode is disabled. If buffer size is not given during client configuration, default buffer size is set to 64MiB.
        Parameters:
        bufferSize - the desired buffer size in Bytes.
        Returns:
        Returns a reference to this object so that method calls can be chained together.
        Throws:
        S3EncryptionClientException - if the specified buffer size is outside the allowed bounds

      • cryptoProvider

        public S3EncryptionClient.Builder cryptoProvider​(Provider cryptoProvider)
        Allows the user to pass an instance of Provider to be used for cryptographic operations. By default, the S3 Encryption Client will use the first compatible Provider in the chain. When this option is used, the given provider will be used for all cryptographic operations. If the provider is missing a required algorithm suite, e.g. AES-GCM, then operations may fail. Advanced option. Users who configure a Provider are responsible for the security and correctness of the provider.
        Parameters:
        cryptoProvider - the to always use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • secureRandom

        public S3EncryptionClient.Builder secureRandom​(SecureRandom secureRandom)
        Allows the user to pass an instance of SecureRandom to be used for generating keys and IVs. Advanced option. Users who provide a SecureRandom are responsible for the security and correctness of the SecureRandom implementation.
        Parameters:
        secureRandom - the SecureRandom instance to use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • credentialsProvider

        public S3EncryptionClient.Builder credentialsProvider​(software.amazon.awssdk.auth.credentials.AwsCredentialsProvider awsCredentialsProvider)
        The credentials provider to use for all inner clients, including KMS, if a KMS key ID is provided. Note that if a wrapped client is configured, the wrapped client will take precedence over this option.
        Specified by:
        credentialsProvider in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder
        Parameters:
        awsCredentialsProvider -
        Returns:

      • region

        public S3EncryptionClient.Builder region​(software.amazon.awssdk.regions.Region region)
        The AWS region to use for all inner clients, including KMS, if a KMS key ID is provided.
        Specified by:
        region in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder
        Parameters:
        region -
        Returns:

      • dualstackEnabled

        public S3EncryptionClient.Builder dualstackEnabled​(Boolean isDualStackEnabled)
        Configure whether the SDK should use the AWS dualstack endpoint.

        If this is not specified, the SDK will attempt to determine whether the dualstack endpoint should be used automatically using the following logic:

        1. Check the 'aws.useDualstackEndpoint' system property for 'true' or 'false'.
        2. Check the 'AWS_USE_DUALSTACK_ENDPOINT' environment variable for 'true' or 'false'.
        3. Check the {user.home}/.aws/credentials and {user.home}/.aws/config files for the 'use_dualstack_endpoint' property set to 'true' or 'false'.

        If the setting is not found in any of the locations above, 'false' will be used.

        Specified by:
        dualstackEnabled in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder

      • fipsEnabled

        public S3EncryptionClient.Builder fipsEnabled​(Boolean isFipsEnabled)
        Configure whether the wrapped SDK clients should use the AWS FIPS endpoints. Note that this option only enables FIPS for the service endpoints which the SDK clients use, it does not enable FIPS for the S3EC itself. Use a FIPS-enabled CryptoProvider for full FIPS support.

        If this is not specified, the SDK will attempt to determine whether the FIPS endpoint should be used automatically using the following logic:

        1. Check the 'aws.useFipsEndpoint' system property for 'true' or 'false'.
        2. Check the 'AWS_USE_FIPS_ENDPOINT' environment variable for 'true' or 'false'.
        3. Check the {user.home}/.aws/credentials and {user.home}/.aws/config files for the 'use_fips_endpoint' property set to 'true' or 'false'.

        If the setting is not found in any of the locations above, 'false' will be used.

        Specified by:
        fipsEnabled in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder

      • overrideConfiguration

        public S3EncryptionClient.Builder overrideConfiguration​(software.amazon.awssdk.core.client.config.ClientOverrideConfiguration overrideConfiguration)
        Specify overrides to the default SDK configuration that should be used for clients created by this builder.
        Specified by:
        overrideConfiguration in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder

      • overrideConfiguration

        public software.amazon.awssdk.core.client.config.ClientOverrideConfiguration overrideConfiguration()
        Retrieve the current override configuration. This allows further overrides across calls. Can be modified by first converting to a builder with ClientOverrideConfiguration.toBuilder().
        Specified by:
        overrideConfiguration in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder
        Returns:
        The existing override configuration for the builder.

      • endpointOverride

        public S3EncryptionClient.Builder endpointOverride​(URI endpointOverride)
        Configure the endpoint with which the SDK should communicate. NOTE: For the S3EncryptionClient, this ONLY overrides the endpoint for S3 clients. To set the endpointOverride for a KMS client, explicitly configure it and create a KmsKeyring instance for the encryption client to use.

        It is important to know that EndpointProviders and the endpoint override on the client are not mutually exclusive. In all existing cases, the endpoint override is passed as a parameter to the provider and the provider *may* modify it. For example, the S3 provider may add the bucket name as a prefix to the endpoint override for virtual bucket addressing.

        Specified by:
        endpointOverride in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder
        Parameters:
        endpointOverride -

      • build

        public S3EncryptionClient build()
        Validates and builds the S3EncryptionClient according to the configuration options passed to the Builder object.
        Specified by:
        build in interface software.amazon.awssdk.utils.builder.Buildable
        Specified by:
        build in interface software.amazon.awssdk.utils.builder.SdkBuilder
        Returns:
        an instance of the S3EncryptionClient