[Feat] Add optional SSE-KMS support for S3 uploads in Companion

[dsantanu]

Summary

This PR adds optional SSE-KMS support for Companion S3 uploads.

When enabled, Companion includes ServerSideEncryption: 'aws:kms' in the S3 upload params, and optionally SSEKMSKeyId when a specific KMS key is configured.

Why

Some AWS environments enforce encryption requirements through Service Control Policies (SCPs) and deny s3:PutObject unless the request explicitly uses SSE-KMS.

In those environments, remote provider uploads handled by Companion can fail with AccessDenied unless the S3 upload request includes the required SSE-KMS parameters.

This change makes that behavior configurable without affecting existing users by default.

Changes

In packages/@uppy/companion/src/server/Uploader.js:

• add optional ServerSideEncryption: 'aws:kms'
• add optional SSEKMSKeyId

using environment variables:

• COMPANION_ENABLE_AWS_SSE_KMS=true
• COMPANION_AWS_SSE_KMS_KEY_ID=<kms-key-id-or-arn> (optional)

Behavior

• default behavior is unchanged
• when COMPANION_ENABLE_AWS_SSE_KMS=true, Companion sends SSE-KMS on S3 uploads
• when COMPANION_AWS_SSE_KMS_KEY_ID is also set, Companion includes the explicit KMS key id/ARN

Example

COMPANION_ENABLE_AWS_SSE_KMS=true
COMPANION_AWS_SSE_KMS_KEY_ID=arn:aws:kms:eu-west-2:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

COMPANION_AWS_SSE_KMS_KEY_ID is optional. If it is omitted, S3 bucket default SSE-KMS configuration can still be used.

Notes

This PR only adds optional SSE-KMS support for the Companion S3 upload path. It does not change key-generation behavior or any app-specific upload routing.

[changeset-bot]

🦋 Changeset detected

Latest commit: 2603292

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@uppy/companion	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[mifi]

Thanks for your PR!

Similar to the acl option, I think this should be implemented also for the s3 controller

uppy/packages/@uppy/companion/src/server/controllers/s3.js

Line 96 in 1b4c246

if (config.acl != null) fields.acl = config.acl

And I think we should support it in both standalone and middleware mode, see

uppy/packages/@uppy/companion/src/standalone/helper.js

Line 143 in 1b4c246

acl: process.env.COMPANION_AWS_ACL,

[dsantanu]

Thanks for your PR!

Similar to the acl option, I think this should be implemented also for the s3 controller

uppy/packages/@uppy/companion/src/server/controllers/s3.js

Line 96 in 1b4c246

if (config.acl != null) fields.acl = config.acl

And I think we should support it in both standalone and middleware mode, see

uppy/packages/@uppy/companion/src/standalone/helper.js

Line 143 in 1b4c246

acl: process.env.COMPANION_AWS_ACL,

Thanks!
My original change was only in Uploader.js because that was the path failing for our remote-provider uploads.

In our setup, the s3.js path was already working, so I hadn’t included changes there initially.

That said, I understand the point about consistency with acl: even if the immediate failure was only in Uploader.js, it probably makes sense for SSE/SSE-KMS support to be available in both the controller path and the uploader path, and to expose it in standalone config as well.

I’ll update the PR, adding the same in s3.js accordingly.

-S

[dsantanu]

As my original use case was the remote-provider upload path, which is why I first implemented this in Uploader.js, since that was the path failing for us.

In our setup the s3.js path was already working, so I hadn’t changed it initially. But I agree it makes sense to support this consistently, similar to acl, in both:

• src/server/Uploader.js
• src/server/controllers/s3.js

and wire it through standalone config as well.

I’ve updated the PR to move this to config-based handling and add support in the s3 controller too. This is implemented consistently for both the uploader path and the s3 controller path, and is exposed in standalone config similarly to acl.

[mifi]

i think we want to merge #6179 first

[dsantanu]

i think we want to merge #6179 first

sure np! I'll stand by.

[dsantanu]

hi! any further update on this PR?

[mifi]

still waiting for that PR, which is waiting for another pr and release first