feat(aws-s3): add SSE-KMS support for MOVE action in S3 Trigger & Copy #667
+91
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds support for `serverSideEncryption` and `kmsKeyId` in S3 MOVE actions inside the Trigger and Copy operations. This enables workflows to move files into buckets that enforce encryption policies requiring SSE-KMS. Includes schema updates, parameter handling, and correct wiring inside S3Service performAction().
MilosPaunovic
added
area/plugin
Member
|
@idivanshu, could you please add some unit tests for this? Thanks! 🙏 |
…n tests - Removed deprecated @PluginProperty annotations from Copy.CopyObject fields - Added runWithServerSideEncryption and runWithKmsKey tests to CopyTest
Contributor
Author
added tests |
| builder.serverSideEncryption(renderedSse); | ||
|
|
||
| if (renderedSse == ServerSideEncryption.AWS_KMS && this.to.kmsKeyId != null) { | ||
| String renderedKmsKeyId = runContext.render(this.to.kmsKeyId).as(String.class).orElse(null); |
Member
There was a problem hiding this comment.
Suggested change
| String renderedKmsKeyId = runContext.render(this.to.kmsKeyId).as(String.class).orElse(null); | |
| String rKmsKeyId = runContext.render(this.to.kmsKeyId).as(String.class).orElse(null); |
Malaydewangan09
approved these changes
Dec 11, 2025
| title = "Server side encryption to apply to the target object.", | ||
| description = "Example: AES256 or AWS_KMS" | ||
| ) | ||
| private Property<ServerSideEncryption> serverSideEncryption; |
Member
There was a problem hiding this comment.
Lets extract this to our own ENUM.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #628
This PR adds support for configuring AWS KMS server-side encryption (serverSideEncryption, kmsKeyId) when using the MOVE action in S3 Trigger and Copy tasks.
Some S3 buckets enforce encryption with policies that deny uploads missing SSE headers.
This enhancement enables Kestra flows to move files into such buckets without failure.
Summary
Adds serverSideEncryption and kmsKeyId to the moveTo configuration.
Updates Copy task to apply SSE-KMS headers during copy operations.
Updates S3Service.performAction() to support SSE-KMS for MOVE actions triggered by S3 events.
Fully compatible with existing flows (non-breaking).
Validated using real AWS buckets enforcing encryption policies.
Example Flow (Validated)
id: test_s3_kms_move
namespace: local.test
tasks:
id: move
type: io.kestra.plugin.aws.s3.Copy
region: "us-east-1"
accessKeyId: "{{ secret('AWS_KEY') }}"
secretKeyId: "{{ secret('AWS_SECRET') }}"
from:
bucket: "kestra-test-src-bucket"
key: "input/test.txt"
to:
bucket: "kestra-cfn-test-1"
key: "moved/test.txt"
serverSideEncryption: AWS_KMS
kmsKeyId: "{{ secret('KMS_KEY_ARN') }}"
delete: true
This flow successfully writes into a bucket that rejects unencrypted uploads (explicit deny).
Testing
Manually tested using Kestra UI with plugin JAR
MOVE + SSE-KMS verified end-to-end