AWS SDK for Go
Developer Guide

Decrypting an Amazon S3 Bucket Object with a User-Supplied AWS KMS Key

The following example uses the GetObject method to get the object myObject from the bucket myBucket.

Create the file decrypt_object.go.

Import the required packages.

    import (
        "fmt"
        "io"
        "os"

        "github.com/aws/aws-sdk-go/aws"
        "github.com/aws/aws-sdk-go/aws/session"
        "github.com/aws/aws-sdk-go/service/s3"
        "github.com/aws/aws-sdk-go/service/s3/s3crypto"
    )

Get the AWS KMS key from the command line, and set the name of the bucket and object. The key is an AWS KMS key ID, as created in the Creating a CMK in AWS Key Management Service example, and must be the same value you used to encrypt the object.

    if len(os.Args) != 2 {
        fmt.Println("You must supply a key")
        os.Exit(1)
    }

    key := os.Args[1]
    bucket := "myBucket"
    object := "myObject"

Create a session and an Amazon S3 decryption client.

    sess := session.Must(session.NewSessionWithOptions(session.Options{
        SharedConfigState: session.SharedConfigEnable,
    }))

    svc := s3crypto.NewDecryptionClient(sess)

Create the input for GetObject and call it to get the object.

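    input := &s3.GetObjectInput{
        Bucket: aws.String(bucket),
        Key:    aws.String(object),
    }

    // Stop on failure: resp is not usable when err is non-nil.
    resp, err := svc.GetObject(input)
    if err != nil {
        fmt.Println("Got error calling GetObject:", err)
        os.Exit(1)
    }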

Save the object and display a success message.

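    // Write the decrypted body to a local file named after the object.
    outFile, err := os.Create(object)
    if err == nil {
        defer outFile.Close()
        _, err = io.Copy(outFile, resp.Body)
    }
    if err != nil {
        fmt.Println("Could not save "+object+":", err)
        os.Exit(1)
    }

    fmt.Println("Saved " + object + " from bucket " + bucket + ":")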

See the complete example on GitHub.
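
The save step above writes decrypted plaintext straight to its final path. The following is an added example, not code from the AWS guide or its GitHub sample: a hypothetical helper, saveDecrypted, that keeps the file owner-only and leaves nothing at the target path if reading the body fails partway. The readers in main are constructed stand-ins for resp.Body.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// saveDecrypted (hypothetical helper) copies body to a temp file beside path
// (os.CreateTemp uses mode 0600) and renames it into place only after the
// whole body was read, so a failed read never leaves partial plaintext.
func saveDecrypted(path string, body io.Reader) (n int64, err error) {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".decrypt-*")
	if err != nil {
		return 0, err
	}
	defer func() {
		if err != nil { // any failure below: discard what was written
			tmp.Close()
			os.Remove(tmp.Name())
		}
	}()
	if n, err = io.Copy(tmp, body); err != nil {
		return n, fmt.Errorf("read object body: %w", err)
	}
	if err = tmp.Close(); err != nil {
		return n, err
	}
	err = os.Rename(tmp.Name(), path)
	return n, err
}

func main() {
	dir, _ := os.MkdirTemp("", "s3demo")
	defer os.RemoveAll(dir)
	n, err := saveDecrypted(filepath.Join(dir, "myObject"), strings.NewReader("constructed plaintext"))
	fmt.Println(n, err) // body fully read: file is in place
	// Constructed failure: some bytes arrive, then the body returns an error.
	pr, pw := io.Pipe()
	go func() {
		pw.Write([]byte("partial"))
		pw.CloseWithError(errors.New("constructed decrypt failure"))
	}()
	_, err = saveDecrypted(filepath.Join(dir, "myObject.bad"), pr)
	fmt.Println(err) // error returned, nothing left at myObject.bad
}
```

In the program above, the call would be saveDecrypted(object, resp.Body) in place of os.Create and io.Copy.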