<Migrated to mazgi.github.io> Mounting an SSE-KMS-encrypted S3 bucket with s3fs

Moved => mazgi.log :: Mounting an SSE-KMS-encrypted S3 bucket with s3fs

As the title says, I mounted an Amazon S3 bucket encrypted with AWS Key Management Service (AWS KMS) using s3fs on Ubuntu 16.
The documentation linked below covers KMS in detail; in short, it is a service that lets you hand the tedious key management involved in encryption over to AWS. With SSE-KMS the bucket is encrypted and decrypted on the S3 side, so a client that is allowed to use the key sees plain objects.

docs.aws.amazon.com

Preparing the S3 bucket

Create an S3 bucket and, as in the screenshot, set Default encryption to AWS-KMS.
The bucket itself had already been deleted by the time this article was published.

[Screenshot: S3 bucket properties with Default encryption set to AWS-KMS]

Setting up s3fs

Install

Download the release archive from GitHub, then build and install it:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

github.com

mount

Write the AWS credentials to a file named .secret in the format ACCESS_KEY:SECRET_KEY, as below. s3fs refuses a passwd_file that is readable by group or others, so create it with mode 600.
I also put the KMS key ID in an environment variable.

$ cat .secret
****ACCESS_KEY****:****SECRET_KEY****
$ export AWSSSEKMSID='********'

Then mount it.
Unless endpoint, uid, gid and umask are set correctly you cannot read or write; this tripped me up.
The key ID apparently does not need the environment variable either: passing it inline as use_sse=kmsid:"${AWSSSEKMSID}" works too.

Also, -d turns on debug output and -f keeps s3fs running in the foreground.

$ s3fs mazgi-s3-sse-kms-test-01-bucket-01 bucket -o passwd_file=.secret,use_sse=kmsid,endpoint=ap-northeast-1,allow_other,uid=1234,gid=1234,umask=227 -d -f
[CRT] s3fs.cpp:set_s3fs_log_level(271): change debug level from [CRT] to [INF] 
[INF]     s3fs.cpp:set_mountpoint_attribute(4206): PROC(uid=4600, gid=4600) - MountPoint(uid=4600, gid=4600, mode=40775)
[INF] s3fs.cpp:s3fs_init(3371): init v1.83(commit:unknown) with OpenSSL
[INF] s3fs.cpp:s3fs_check_service(3747): check services.
[INF]       curl.cpp:CheckBucket(3068): check a bucket.
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
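As an added example (not code from the original post), the following shell snippet writes the credentials file the way s3fs requires, checks it, and assembles the -o option string used in the mount above. Bucket, region, uid/gid and umask follow the post; the helper names, the placeholder key id and the use of GNU stat -c (Ubuntu) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: create the s3fs passwd_file
# safely, check it, and assemble the -o options used in the mount above.
# Assumes GNU coreutils (stat -c), as on Ubuntu; helper names are this example's own.
set -eu

# Write ACCESS_KEY:SECRET_KEY to PASSWD_FILE with mode 0600. s3fs refuses a
# passwd_file that group or others can read, so the umask is set before the
# secret is written rather than fixed up afterwards.
write_s3fs_passwd() {
    passwd_file=$1; access_key=$2; secret_key=$3
    rm -f "$passwd_file"
    ( umask 077; printf '%s:%s\n' "$access_key" "$secret_key" > "$passwd_file" )
}

# Return 0 if PASSWD_FILE exists, is mode 0600 and holds exactly one
# ACCESS_KEY:SECRET_KEY line; 1 otherwise (s3fs would reject it as well).
check_s3fs_passwd() {
    passwd_file=$1
    [ -f "$passwd_file" ] || return 1
    [ "$(stat -c '%a' "$passwd_file")" = "600" ] || return 1
    [ "$(wc -l < "$passwd_file" | tr -d ' ')" = "1" ] || return 1
    grep -Eq '^[A-Za-z0-9]+:[A-Za-z0-9/+=]+$' "$passwd_file"
}

# Print the -o option string from the post, with the KMS key id passed inline
# (use_sse=kmsid:<id>) so the mount does not depend on AWSSSEKMSID being
# exported in whatever shell or unit file ends up running it.
build_mount_opts() {
    passwd_file=$1; kms_key_id=$2; region=$3; uid=$4; gid=$5
    printf 'passwd_file=%s,use_sse=kmsid:%s,endpoint=%s,allow_other,uid=%s,gid=%s,umask=227\n' \
        "$passwd_file" "$kms_key_id" "$region" "$uid" "$gid"
}

# Live usage (needs real credentials, so it is only shown as a comment here):
#   write_s3fs_passwd .secret "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY"
#   check_s3fs_passwd .secret || exit 1
#   s3fs mazgi-s3-sse-kms-test-01-bucket-01 bucket \
#       -o "$(build_mount_opts .secret "$AWSSSEKMSID" ap-northeast-1 1234 1234)" -d -f
```

Two things the log above does not spell out: the mount runs as a non-root user (PROC uid=4600), and allow_other is only honoured for non-root mounts when user_allow_other is enabled in /etc/fuse.conf. On an EC2 instance, s3fs' iam_role option can replace the static key pair in .secret entirely, which removes the long-lived secret from the host.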

File operations

Let's try ls.

The JPEG sitting in the S3 bucket is this one. Cute.
Borrowed from 「ぱくたそ」.

[Image: cat.jpg]

$ ls -l bucket
total 179
-r-xr-x--- 1 user group 96870 Feb  1 07:10 cat.jpg*
-r-xr-x--- 1 user group 84999 Feb  1 07:13 cat_plain.jpg*

Console log for that ls.

[INF] s3fs.cpp:s3fs_getattr(841): [path=/]
[INF] s3fs.cpp:s3fs_opendir(2281): [path=/][flags=100352]
[INF] s3fs.cpp:s3fs_readdir(2432): [path=/]
[INF]   s3fs.cpp:list_bucket(2477): [path=/]
[INF]       curl.cpp:ListBucketRequest(3103): [tpath=/]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01?delimiter=/&max-keys=1000&prefix=
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com?delimiter=/&max-keys=1000&prefix=
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/] [delimiter=/&max-keys=1000&prefix=] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[INF]   s3fs.cpp:readdir_multi_head(2346): [path=/][list=0]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/cat.jpg][bpath=cat.jpg][save=/cat.jpg][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/cat.jpg
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/cat.jpg
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/cat.jpg] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/cat_plain.jpg][bpath=cat_plain.jpg][save=/cat_plain.jpg][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/cat_plain.jpg
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/cat_plain.jpg
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/cat_plain.jpg] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:Request(3999): [count=2]
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/cat_plain.jpg]
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/cat.jpg]
[INF] s3fs.cpp:s3fs_getattr(841): [path=/cat.jpg]
[INF] s3fs.cpp:s3fs_getattr(841): [path=/cat_plain.jpg]

This is the checksum taken before upload.

$ shasum -a 1 cat.jpg
fb9f3c47ad3d91ced2e62c82f0ae753330351b32  cat.jpg

As a read test, take the checksum of the file through the mounted bucket.
It matches, so the object is being read, and transparently decrypted by S3, correctly.

$ sha1sum bucket/cat.jpg
fb9f3c47ad3d91ced2e62c82f0ae753330351b32  bucket/cat.jpg

Console log for the file read.

[INF] s3fs.cpp:s3fs_getattr(841): [path=/cat.jpg]
[INF] s3fs.cpp:s3fs_open(2063): [path=/cat.jpg][flags=32768]
[INF]       cache.cpp:DelStat(565): delete stat cache entry[path=/cat.jpg]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/cat.jpg]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/cat.jpg][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/cat.jpg
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/cat.jpg
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/cat.jpg] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/cat.jpg]
[INF]       fdcache.cpp:SetMtime(1019): [path=/cat.jpg][fd=7][time=1517436613]
[INF]       curl.cpp:GetObjectRequest(3043): [tpath=/cat.jpg][start=0][size=96870]
[INF]       curl.cpp:PreGetObjectRequest(2983): [tpath=/cat.jpg][start=0][size=96870]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/cat.jpg
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/cat.jpg
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/cat.jpg] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:GetObjectRequest(3058): downloading... [path=/cat.jpg][fd=7]
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 206
[INF] s3fs.cpp:s3fs_getattr(841): [path=/cat.jpg]
[INF] s3fs.cpp:s3fs_flush(2185): [path=/cat.jpg][fd=7]
[INF]       fdcache.cpp:RowFlush(1434): [tpath=][path=/cat.jpg][fd=7]
[INF] s3fs.cpp:s3fs_release(2238): [path=/cat.jpg][fd=7]
[INF]       fdcache.cpp:GetFdEntity(1995): [path=/cat.jpg][fd=7]

Next, write a file into the S3 bucket.
Create an arbitrary file and take its checksum.

$ head -1 /dev/urandom|od -x > rand.txt
$ sha1sum rand.txt
bb02ee0d5fc5b459ca1978fcc0e53649d144554c  rand.txt

Copy it to the mount point.
The checksum after copying matches, so the copy succeeded.

$ cp rand.txt bucket/
$ sha1sum bucket/rand.txt
bb02ee0d5fc5b459ca1978fcc0e53649d144554c  bucket/rand.txt

Console log for the write.

[INF] s3fs.cpp:s3fs_getattr(841): [path=/]
[INF] s3fs.cpp:s3fs_getattr(841): [path=/rand.txt]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt/]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt/][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt/] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt_$folder$]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt_$folder$][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt_%24folder%24
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt_%24folder%24
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt_$folder$] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]   s3fs.cpp:list_bucket(2477): [path=/rand.txt]
[INF]       curl.cpp:ListBucketRequest(3103): [tpath=/rand.txt]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=rand.txt/] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[INF] s3fs.cpp:s3fs_getattr(841): [path=/rand.txt]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt/]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt/][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt/] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt_$folder$]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt_$folder$][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt_%24folder%24
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt_%24folder%24
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt_$folder$] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]   s3fs.cpp:list_bucket(2477): [path=/rand.txt]
[INF]       curl.cpp:ListBucketRequest(3103): [tpath=/rand.txt]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=rand.txt/] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[INF] s3fs.cpp:s3fs_create(999): [path=/rand.txt][mode=100664][flags=32961]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt/]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt/][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt/] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt_$folder$]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt_$folder$][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt_%24folder%24
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt_%24folder%24
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt_$folder$] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2073): HTTP response code 404 was returned, returning ENOENT
[INF]   s3fs.cpp:list_bucket(2477): [path=/rand.txt]
[INF]       curl.cpp:ListBucketRequest(3103): [tpath=/rand.txt]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com?delimiter=/&max-keys=2&prefix=rand.txt/
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/] [delimiter=/&max-keys=2&prefix=rand.txt/] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[WAN] s3fs.cpp:append_objects_from_xml_ex(2575): contents_xp->nodesetval is empty.
[INF]     s3fs.cpp:create_file_object(960): [path=/rand.txt][mode=100664]
[INF]       curl.cpp:PutRequest(2872): [tpath=/rand.txt]
[INF]       curl.cpp:PutRequest(2889): create zero byte file object.
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [PUT] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:PutRequest(2969): uploading... [path=/rand.txt][fd=-1][size=0]
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:DelStat(565): delete stat cache entry[path=/rand.txt]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/rand.txt]
[INF] s3fs.cpp:s3fs_getattr(841): [path=/rand.txt]
[INF] s3fs.cpp:s3fs_flush(2185): [path=/rand.txt][fd=7]
[INF]       fdcache.cpp:RowFlush(1434): [tpath=][path=/rand.txt][fd=7]
[INF]       curl.cpp:PutRequest(2872): [tpath=/rand.txt]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [PUT] [/rand.txt] [] [2a5b392dff6867a115948ff04fbec762a6f007cffebf40544c62308ec9eab099]
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:PutRequest(2969): uploading... [path=/rand.txt][fd=7][size=996]
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF] s3fs.cpp:s3fs_release(2238): [path=/rand.txt][fd=7]
[INF]       cache.cpp:DelStat(565): delete stat cache entry[path=/rand.txt]
[INF]       fdcache.cpp:GetFdEntity(1995): [path=/rand.txt][fd=7]

And this is the console log from taking the checksum.

[INF] s3fs.cpp:s3fs_getattr(841): [path=/rand.txt]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/rand.txt]
[INF] s3fs.cpp:s3fs_open(2063): [path=/rand.txt][flags=32768]
[INF]       cache.cpp:DelStat(565): delete stat cache entry[path=/rand.txt]
[INF]       curl.cpp:HeadRequest(2708): [tpath=/rand.txt]
[INF]       curl.cpp:PreHeadRequest(2657): [tpath=/rand.txt][bpath=][save=][sseckeypos=-1]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [HEAD] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 200
[INF]       cache.cpp:AddStat(356): add stat cache entry[path=/rand.txt]
[INF]       fdcache.cpp:SetMtime(1019): [path=/rand.txt][fd=7][time=1517862525]
[INF]       curl.cpp:GetObjectRequest(3043): [tpath=/rand.txt][start=0][size=996]
[INF]       curl.cpp:PreGetObjectRequest(2983): [tpath=/rand.txt][start=0][size=996]
[INF]       curl.cpp:prepare_url(4253): URL is https://s3.amazonaws.com/mazgi-s3-sse-kms-test-01-bucket-01/rand.txt
[INF]       curl.cpp:prepare_url(4285): URL changed is https://mazgi-s3-sse-kms-test-01-bucket-01.s3.amazonaws.com/rand.txt
[INF]       curl.cpp:insertV4Headers(2400): computing signature [GET] [/rand.txt] [] []
[INF]       curl.cpp:url_to_host(101): url is https://s3.amazonaws.com
[INF]       curl.cpp:GetObjectRequest(3058): downloading... [path=/rand.txt][fd=7]
[INF]       curl.cpp:RequestPerform(2051): HTTP response code 206
[INF] s3fs.cpp:s3fs_getattr(841): [path=/rand.txt]
[INF] s3fs.cpp:s3fs_flush(2185): [path=/rand.txt][fd=7]
[INF]       fdcache.cpp:RowFlush(1434): [tpath=][path=/rand.txt][fd=7]
[INF] s3fs.cpp:s3fs_release(2238): [path=/rand.txt][fd=7]
[INF]       fdcache.cpp:GetFdEntity(1995): [path=/rand.txt][fd=7]
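The SHA-1 comparison proves the bytes round-trip, but not that S3 stored rand.txt under SSE-KMS with the intended key; the s3fs log only shows the PUT's 200. As an added example (not from the original post), the following shell check reads an `aws s3api head-object` response, whose ServerSideEncryption and SSEKMSKeyId fields carry exactly that information, and fails for SSE-S3 (AES256) or unencrypted objects. The sample responses are constructed for this example; the account id and key ARN are placeholders and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm that an object written
# through the s3fs mount really landed in S3 as SSE-KMS with the expected key.
# `aws s3api head-object` reports this as ServerSideEncryption / SSEKMSKeyId.
# The sample responses below are constructed; bucket and object names follow
# the post, the account id and key ARN are placeholders.
set -eu

# Print the string value of a top-level field from head-object JSON read on
# stdin (the AWS CLI prints one field per line). Sufficient for this flat
# response; it is not a general JSON parser.
json_field() {
    field=$1
    sed -n "s/^[[:space:]]*\"$field\":[[:space:]]*\"\([^\"]*\)\".*$/\1/p"
}

# Return 0 when RESPONSE says aws:kms and the key ARN ends in EXPECTED_KEY_ID
# (or equals it); 1 otherwise. AES256 (SSE-S3) and a missing field both fail.
check_sse_kms() {
    response=$1; expected_key_id=$2
    sse=$(printf '%s\n' "$response" | json_field ServerSideEncryption)
    key=$(printf '%s\n' "$response" | json_field SSEKMSKeyId)
    [ "$sse" = "aws:kms" ] || return 1
    case "$key" in
        *"/$expected_key_id") return 0 ;;
        "$expected_key_id")   return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample of what
#   aws s3api head-object --bucket mazgi-s3-sse-kms-test-01-bucket-01 --key rand.txt
# returns for an SSE-KMS object (account id and key id are placeholders).
SAMPLE_KMS_RESPONSE='{
    "AcceptRanges": "bytes",
    "LastModified": "Mon, 05 Feb 2018 20:28:45 GMT",
    "ContentLength": 996,
    "ETag": "\"0123456789abcdef0123456789abcdef\"",
    "ContentType": "application/octet-stream",
    "ServerSideEncryption": "aws:kms",
    "Metadata": {},
    "SSEKMSKeyId": "arn:aws:kms:ap-northeast-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}'

# Constructed sample of the same object if it had been stored with SSE-S3 instead.
SAMPLE_AES_RESPONSE='{
    "ContentLength": 996,
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}'

# Live usage (needs credentials, so only shown as a comment here):
#   check_sse_kms "$(aws s3api head-object --bucket mazgi-s3-sse-kms-test-01-bucket-01 --key rand.txt)" "$AWSSSEKMSID" \
#       && echo "rand.txt is SSE-KMS with the expected key"
```

Two caveats worth knowing when reading the result: with the bucket default set to AWS-KMS, a PUT that carries no use_sse header is still encrypted, just with the bucket's default key, so use_sse=kmsid is what pins the specific key per object. And because SSE-KMS decrypts on the S3 side, a principal that lacks kms:Decrypt on that key can still list the bucket but gets 403 on GET, while writes additionally need kms:GenerateDataKey.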

That's it. I stumbled a little, but once it worked, the encrypted S3 bucket could be used with no fuss.

And while I was thinking "I don't have time to provision this", the veteran engineer sitting diagonally behind me quickly turned it into an itamae recipe. Many thanks.