Package software.amazon.encryption.s3

Class S3EncryptionClient.Builder

    • Method Detail

      • wrappedClient

        public S3EncryptionClient.Builder wrappedClient​(software.amazon.awssdk.services.s3.S3Client _wrappedClient)
        Sets the wrappedClient to be used for non-cryptographic operations.

      • wrappedAsyncClient

        public S3EncryptionClient.Builder wrappedAsyncClient​(software.amazon.awssdk.services.s3.S3AsyncClient _wrappedAsyncClient)
        Sets the wrappedAsyncClient to be used for cryptographic operations.

      • keyring

        public S3EncryptionClient.Builder keyring​(Keyring keyring)
        Specifies the Keyring to use for key wrapping and unwrapping.
        Parameters:
        keyring - the Keyring instance to use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • aesKey

        public S3EncryptionClient.Builder aesKey​(SecretKey aesKey)
        Specifies a "raw" AES key to use for key wrapping/unwrapping.
        Parameters:
        aesKey - the AES key as a SecretKey instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • rsaKeyPair

        public S3EncryptionClient.Builder rsaKeyPair​(KeyPair rsaKeyPair)
        Specifies a "raw" RSA key pair to use for key wrapping/unwrapping.
        Parameters:
        rsaKeyPair - the RSA key pair as a KeyPair instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • rsaKeyPair

        public S3EncryptionClient.Builder rsaKeyPair​(PartialRsaKeyPair partialRsaKeyPair)
        Specifies a "raw" RSA key pair to use for key wrapping/unwrapping. This option takes a PartialRsaKeyPair instance, which allows either a public key (decryption only) or private key (encryption only) rather than requiring both parts.
        Parameters:
        partialRsaKeyPair - the RSA key pair as a PartialRsaKeyPair instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • kmsKeyId

        public S3EncryptionClient.Builder kmsKeyId​(String kmsKeyId)
        Specifies a KMS key to use for key wrapping/unwrapping. Any valid KMS key identifier (including the full ARN or an alias ARN) is permitted. When decrypting objects, the key referred to by this KMS key identifier is always used.
        Parameters:
        kmsKeyId - the KMS key identifier as a String instance
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableLegacyWrappingAlgorithms

        public S3EncryptionClient.Builder enableLegacyWrappingAlgorithms​(boolean shouldEnableLegacyWrappingAlgorithms)
        When set to true, decryption of objects using legacy key wrapping modes is enabled.
        Parameters:
        shouldEnableLegacyWrappingAlgorithms - true to enable legacy wrapping algorithms
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableLegacyUnauthenticatedModes

        public S3EncryptionClient.Builder enableLegacyUnauthenticatedModes​(boolean shouldEnableLegacyUnauthenticatedModes)
        When set to true, decryption of content using legacy encryption algorithms is enabled. This includes use of GetObject requests with a range, as this mode is not authenticated.
        Parameters:
        shouldEnableLegacyUnauthenticatedModes - true to enable legacy content algorithms
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableDelayedAuthenticationMode

        public S3EncryptionClient.Builder enableDelayedAuthenticationMode​(boolean shouldEnableDelayedAuthenticationMode)
        When set to true, authentication of streamed objects is delayed until the entire object is read from the stream. When this mode is enabled, the consuming application must support a way to invalidate any data read from the stream as the tag will not be validated until the stream is read to completion, as the integrity of the data cannot be ensured. See the AWS Documentation for more information.
        Parameters:
        shouldEnableDelayedAuthenticationMode - true to enable delayed authentication
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • enableMultipartPutObject

        public S3EncryptionClient.Builder enableMultipartPutObject​(boolean _enableMultipartPutObject)
        When set to true, the putObject method will use multipart upload to perform the upload. Disabled by default.
        Parameters:
        _enableMultipartPutObject - true enables the multipart upload implementation of putObject
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • setBufferSize

        public S3EncryptionClient.Builder setBufferSize​(long bufferSize)
        Sets the buffer size for safe authentication used when delayed authentication mode is disabled. If buffer size is not given during client configuration, default buffer size is set to 64MiB.
        Parameters:
        bufferSize - the desired buffer size in Bytes.
        Returns:
        Returns a reference to this object so that method calls can be chained together.
        Throws:
        S3EncryptionClientException - if the specified buffer size is outside the allowed bounds

      • cryptoProvider

        public S3EncryptionClient.Builder cryptoProvider​(Provider cryptoProvider)
        Allows the user to pass an instance of Provider to be used for cryptographic operations. By default, the S3 Encryption Client will use the first compatible Provider in the chain. When this option is used, the given provider will be used for all cryptographic operations. If the provider is missing a required algorithm suite, e.g. AES-GCM, then operations may fail. Advanced option. Users who configure a Provider are responsible for the security and correctness of the provider.
        Parameters:
        cryptoProvider - the to always use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • secureRandom

        public S3EncryptionClient.Builder secureRandom​(SecureRandom secureRandom)
        Allows the user to pass an instance of SecureRandom to be used for generating keys and IVs. Advanced option. Users who provide a SecureRandom are responsible for the security and correctness of the SecureRandom implementation.
        Parameters:
        secureRandom - the SecureRandom instance to use
        Returns:
        Returns a reference to this object so that method calls can be chained together.

      • instructionFileConfig

        public S3EncryptionClient.Builder instructionFileConfig​(InstructionFileConfig instructionFileConfig)
        Sets the Instruction File configuration for the S3 Encryption Client. The InstructionFileConfig can be used to specify an S3 client to use for retrieval of Instruction files, or to disable GetObject requests for the instruction file.
        Parameters:
        instructionFileConfig -
        Returns:

      • credentialsProvider

        public S3EncryptionClient.Builder credentialsProvider​(software.amazon.awssdk.auth.credentials.AwsCredentialsProvider awsCredentialsProvider)
        The credentials provider to use for all inner clients, including KMS, if a KMS key ID is provided. Note that if a wrapped client is configured, the wrapped client will take precedence over this option.
        Specified by:
        credentialsProvider in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        awsCredentialsProvider -
        Returns:

      • region

        public S3EncryptionClient.Builder region​(software.amazon.awssdk.regions.Region region)
        The AWS region to use for all inner clients, including KMS, if a KMS key ID is provided.
        Specified by:
        region in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        region -
        Returns:

      • dualstackEnabled

        public S3EncryptionClient.Builder dualstackEnabled​(Boolean isDualStackEnabled)
        Configure whether the SDK should use the AWS dualstack endpoint.

        If this is not specified, the SDK will attempt to determine whether the dualstack endpoint should be used automatically using the following logic:

        1. Check the 'aws.useDualstackEndpoint' system property for 'true' or 'false'.
        2. Check the 'AWS_USE_DUALSTACK_ENDPOINT' environment variable for 'true' or 'false'.
        3. Check the {user.home}/.aws/credentials and {user.home}/.aws/config files for the 'use_dualstack_endpoint' property set to 'true' or 'false'.

        If the setting is not found in any of the locations above, 'false' will be used.

        Specified by:
        dualstackEnabled in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>

      • fipsEnabled

        public S3EncryptionClient.Builder fipsEnabled​(Boolean isFipsEnabled)
        Configure whether the wrapped SDK clients should use the AWS FIPS endpoints. Note that this option only enables FIPS for the service endpoints which the SDK clients use, it does not enable FIPS for the S3EC itself. Use a FIPS-enabled CryptoProvider for full FIPS support.

        If this is not specified, the SDK will attempt to determine whether the FIPS endpoint should be used automatically using the following logic:

        1. Check the 'aws.useFipsEndpoint' system property for 'true' or 'false'.
        2. Check the 'AWS_USE_FIPS_ENDPOINT' environment variable for 'true' or 'false'.
        3. Check the {user.home}/.aws/credentials and {user.home}/.aws/config files for the 'use_fips_endpoint' property set to 'true' or 'false'.

        If the setting is not found in any of the locations above, 'false' will be used.

        Specified by:
        fipsEnabled in interface software.amazon.awssdk.awscore.client.builder.AwsClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>

      • overrideConfiguration

        public S3EncryptionClient.Builder overrideConfiguration​(software.amazon.awssdk.core.client.config.ClientOverrideConfiguration overrideConfiguration)
        Specify overrides to the default SDK configuration that should be used for clients created by this builder.
        Specified by:
        overrideConfiguration in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>

      • overrideConfiguration

        public software.amazon.awssdk.core.client.config.ClientOverrideConfiguration overrideConfiguration()
        Retrieve the current override configuration. This allows further overrides across calls. Can be modified by first converting to a builder with ClientOverrideConfiguration.toBuilder().
        Specified by:
        overrideConfiguration in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Returns:
        The existing override configuration for the builder.

      • endpointOverride

        public S3EncryptionClient.Builder endpointOverride​(URI endpointOverride)
        Configure the endpoint with which the SDK should communicate. NOTE: For the S3EncryptionClient, this ONLY overrides the endpoint for S3 clients. To set the endpointOverride for a KMS client, explicitly configure it and create a KmsKeyring instance for the encryption client to use.

        It is important to know that EndpointProviders and the endpoint override on the client are not mutually exclusive. In all existing cases, the endpoint override is passed as a parameter to the provider and the provider *may* modify it. For example, the S3 provider may add the bucket name as a prefix to the endpoint override for virtual bucket addressing.

        Specified by:
        endpointOverride in interface software.amazon.awssdk.core.client.builder.SdkClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        endpointOverride -

      • disableMultiRegionAccessPoints

        public S3EncryptionClient.Builder disableMultiRegionAccessPoints​(Boolean disableMultiRegionAccessPoints)
        Disables this client's usage of Multi-Region Access Points.
        Specified by:
        disableMultiRegionAccessPoints in interface software.amazon.awssdk.services.s3.S3BaseClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        disableMultiRegionAccessPoints -

      • disableS3ExpressSessionAuth

        public S3EncryptionClient.Builder disableS3ExpressSessionAuth​(Boolean disableS3ExpressSessionAuth)
        Disables this client's usage of Session Auth for S3Express buckets and reverts to using conventional SigV4 for those.
        Specified by:
        disableS3ExpressSessionAuth in interface software.amazon.awssdk.services.s3.S3BaseClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        disableS3ExpressSessionAuth -

      • httpClient

        public S3EncryptionClient.Builder httpClient​(software.amazon.awssdk.http.SdkHttpClient httpClient)
        Sets the SdkHttpClient that the SDK service client will use to make HTTP calls. This HTTP client may be shared between multiple SDK service clients to share a common connection pool. To create a client you must use an implementation-specific builder. Note that this method is only recommended when you wish to share an HTTP client across multiple SDK service clients. If you do not wish to share HTTP clients, it is recommended to use httpClientBuilder(SdkHttpClient.Builder) so that service-specific default configuration may be applied.

        This client must be closed by the user when it is ready to be disposed. The SDK will not close the HTTP client when the service client is closed.

        Specified by:
        httpClient in interface software.amazon.awssdk.core.client.builder.SdkSyncClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        httpClient -

      • httpClientBuilder

        public S3EncryptionClient.Builder httpClientBuilder​(software.amazon.awssdk.http.SdkHttpClient.Builder httpClientBuilder)
        Sets a SdkHttpClient.Builder that will be used to obtain a configured instance of SdkHttpClient. Any service-specific HTTP configuration will be merged with the builder's configuration prior to creating the client. When there is no desire to share HTTP clients across multiple service clients, the client builder is the preferred way to customize the HTTP client as it benefits from service-specific default configuration.

        Clients created by the builder are managed by the SDK and will be closed when the service client is closed.

        Specified by:
        httpClientBuilder in interface software.amazon.awssdk.core.client.builder.SdkSyncClientBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Parameters:
        httpClientBuilder -

      • asyncHttpClient

        public S3EncryptionClient.Builder asyncHttpClient​(software.amazon.awssdk.http.async.SdkAsyncHttpClient asyncHttpClient)
        Sets the SdkAsyncHttpClient that the SDK service client will use to make HTTP calls. This HTTP client may be shared between multiple SDK service clients to share a common connection pool. To create a client you must use an implementation specific builder. Note that this method is only recommended when you wish to share an HTTP client across multiple SDK service clients. If you do not wish to share HTTP clients, it is recommended to use asyncHttpClientBuilder(SdkAsyncHttpClient.Builder) so that service specific default configuration may be applied. In the S3 Encryption Client, this configuration is applied to the inner async client.

        This client must be closed by the caller when it is ready to be disposed. The SDK will not close the HTTP client when the service client is closed.

        Parameters:
        asyncHttpClient -
        Returns:
        This builder for method chaining.

      • asyncHttpClientBuilder

        public S3EncryptionClient.Builder asyncHttpClientBuilder​(software.amazon.awssdk.http.async.SdkAsyncHttpClient.Builder asyncHttpClientBuilder)
        Sets a custom HTTP client builder that will be used to obtain a configured instance of SdkAsyncHttpClient. Any service specific HTTP configuration will be merged with the builder's configuration prior to creating the client. When there is no desire to share HTTP clients across multiple service clients, the client builder is the preferred way to customize the HTTP client as it benefits from service specific defaults. In the S3 Encryption Client, this configuration is applied to the inner async client.

        Clients created by the builder are managed by the SDK and will be closed when the service client is closed.

        Parameters:
        asyncHttpClientBuilder -
        Returns:
        This builder for method chaining.

      • build

        public S3EncryptionClient build()
        Validates and builds the S3EncryptionClient according to the configuration options passed to the Builder object.
        Specified by:
        build in interface software.amazon.awssdk.utils.builder.Buildable
        Specified by:
        build in interface software.amazon.awssdk.utils.builder.SdkBuilder<S3EncryptionClient.Builder,​S3EncryptionClient>
        Returns:
        an instance of the S3EncryptionClient