update s3 related

chrislusf
2025-09-11 12:31:47 -07:00
parent 15ca722eaa
commit 5a9c70b86f
4 changed files with 63 additions and 11 deletions

@@ -81,5 +81,31 @@ http://localhost:8333/newbucket/t.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Cre
# access the url
$ curl "http://localhost:8333/newbucket/t.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=some_access_key1%2F20200726%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200726T161749Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e0cc153209e414ca8168661f57827aa03ab84e7041ef9270ff639bcc519d24f5"
```
## Server-Side Encryption with AWS CLI
### SSE-KMS
```bash
aws --endpoint-url http://localhost:8333 s3 cp file.txt s3://bucket/kms.txt \
--sse aws:kms \
--sse-kms-key-id "test-key-123"
```
### SSE-C
```bash
# Generate a 256-bit key
openssl rand -base64 32 > key.b64
aws --endpoint-url http://localhost:8333 s3 cp file.txt s3://bucket/ssec.txt \
--sse-c AES256 \
--sse-c-key fileb://key.b64
```
### SSE-S3 (Server-managed)
```bash
aws --endpoint-url http://localhost:8333 s3 cp file.txt s3://bucket/sse-s3.txt \
--sse AES256
```
## OIDC/JWT to S3
For Keycloak and other OIDC providers, you can obtain a JWT and access S3 directly (or use STS to assume a role). See [[Keycloak Integration]].
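Review bot: the SSE-C example (`openssl rand -base64 32 > key.b64` followed by `--sse-c-key fileb://key.b64`) feeds a base64 text file where raw key bytes are expected. `fileb://` hands the file content to the CLI unchanged, so the key becomes 44 base64 characters plus a newline instead of the 32 bytes that `--sse-c AES256` requires, and the upload will be rejected for a wrong key length. Generate raw bytes instead, e.g. `openssl rand -out key.bin 32` with `--sse-c-key fileb://key.bin`, which also matches the `fileb://my-key.bin` form used in the Quick Examples hunk further down. Worth a sentence beside it that the key file must be kept with restrictive permissions and retained: the server stores no copy, so an SSE-C object is unreadable without it.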

@@ -56,11 +56,12 @@ To be sure, you can look at the function defined in the files `weed/s3api/s3api_
* DeleteObjectTagging
// Server-Side Encryption (NEW)
* PutObject (with SSE-KMS, SSE-C)
* PutObject (with SSE-KMS, SSE-C, SSE-S3)
* GetObject (with automatic decryption)
* HeadObject (with encryption metadata)
* CopyObject (with encryption/decryption)
* Multipart uploads with encryption
* Bucket default encryption
// Conditional Operations (NEW)
* All object operations support conditional headers:
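Review bot: the new items `Multipart uploads with encryption` and `Bucket default encryption` break the list's convention of naming API operations (compare `DeleteObjectTagging`, `PutObject`, `GetObject`, `HeadObject`). Since the paragraph above invites readers to look up the named functions under `weed/s3api/`, consider naming the operations here too, e.g. `UploadPart` / `CompleteMultipartUpload` (with encryption) and `PutBucketEncryption` / `GetBucketEncryption` / `DeleteBucketEncryption`. The `// Server-Side Encryption (NEW)` marker is a code-comment style in a Markdown list; a plain sub-heading or bold label would render more predictably.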
@@ -123,12 +124,14 @@ Not included:
| allows more than "/" as a delimiter | No | Yes |
| Object Versioning | Yes | Yes |
| MFA Delete for versioning | No | Yes |
| Server-Side Encryption (SSE-KMS) | Yes | Yes |
| Server-Side Encryption (SSE-C) | Yes | Yes |
| KMS Providers (Multi-cloud) | Yes | No |
| Server-Side Encryption (SSE-KMS) | Yes | Yes |
| Server-Side Encryption (SSE-C) | Yes | Yes |
| Server-Side Encryption (SSE-S3) | Yes | Yes |
| KMS Providers (Multi-cloud) | Yes | No |
| Conditional Headers (All operations) | Yes | Yes |
| Range requests with SSE-KMS | Yes | Yes |
| Range requests with SSE-C | No | No |
| Range requests with SSE-KMS | Yes | Yes |
| Range requests with SSE-C | Yes | Yes |
| Range requests with SSE-S3 | Yes | Yes |
## Empty folders
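Review bot: the `Range requests with SSE-C` row flips its second column from `No` to `Yes`. That column describes the reference S3 service (it reads `No` for multi-cloud KMS providers), so this is a correction of a statement about AWS rather than a SeaweedFS feature; it is correct, since S3 serves range GETs on SSE-C objects as long as the key headers accompany the request, but the commit message should say so rather than burying it among the SSE-S3 additions. Please also confirm the column order against the table header, which sits outside this hunk.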
@@ -138,10 +141,11 @@ To be consistent with AWS S3, SeaweedFS tries to check whether the folder is emp
# Server-Side Encryption
SeaweedFS supports AWS S3-compatible server-side encryption to protect your data at rest. Two encryption methods are available:
SeaweedFS supports AWS S3-compatible server-side encryption to protect your data at rest. Three encryption methods are available:
- **[SSE-KMS](Server-Side-Encryption-SSE-KMS)**: External Key Management Service providers (AWS KMS, Google Cloud KMS, OpenBao/Vault)
- **[SSE-KMS](Server-Side-Encryption-SSE-KMS)**: External Key Management Service providers (AWS KMS, Google Cloud KMS, OpenBao/Vault)
- **[SSE-C](Server-Side-Encryption-SSE-C)**: Customer-provided encryption keys (maximum customer control)
- **SSE-S3**: SeaweedFS-managed server-side encryption (explicit `AES256` header or bucket default encryption)
All encryption types support:
- Automatic encryption/decryption
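Review bot: the SSE-KMS bullet (`- **[SSE-KMS](Server-Side-Encryption-SSE-KMS)**: ...`) appears on two consecutive lines in this hunk; if one is unchanged context and the other is added, the rendered list carries a duplicate entry, so drop the extra one. The SSE-S3 bullet is the only one of the three without a link; point it at the section of the overview page that covers SSE-S3 and bucket default encryption so all three methods are documented the same way.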
@@ -153,6 +157,7 @@ All encryption types support:
For detailed setup guides and examples, see:
- **[Server-Side Encryption Overview](Server-Side-Encryption)**
- **[SSE-KMS Guide](Server-Side-Encryption-SSE-KMS)**
- **[SSE-C Guide](Server-Side-Encryption-SSE-C)**
## Quick Examples
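Review bot: the guide list still ends at SSE-KMS and SSE-C. Now that the page introduces SSE-S3 as a third method together with bucket default encryption, add a matching entry (or say explicitly that the Overview page is where SSE-S3 and bucket default encryption are described), otherwise a reader looking for SSE-S3 setup has nowhere to go from here.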
@@ -162,6 +167,9 @@ aws s3 cp file.txt s3://mybucket/kms-encrypted.txt --server-side-encryption aws:
# SSE-C (Customer-provided keys)
aws s3 cp file.txt s3://mybucket/customer-encrypted.txt --sse-c AES256 --sse-c-key fileb://my-key.bin
# SSE-S3 (Server-managed)
aws s3 cp file.txt s3://mybucket/server-encrypted.txt --server-side-encryption AES256
```
# S3 Conditional Operations
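Review bot: `aws s3 cp ... --server-side-encryption AES256` (and the `--server-side-encryption aws:kms` context line above it) uses the flag name of `aws s3api put-object`; the high-level `aws s3 cp` command takes `--sse AES256` and `--sse aws:kms --sse-kms-key-id <id>`, which is exactly the form the first hunk on this page uses. Align the quick examples on `--sse` so they run as pasted, and keep the SSE-C line's `--sse-c AES256 --sse-c-key fileb://my-key.bin` as the canonical raw-key form.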
@@ -203,6 +211,7 @@ curl -X PUT -H "If-None-Match: *" -d "new content" "http://localhost:8333/mybuck
By default, the access key and secret key to access `weed s3` is not authenticated. To enable credential based access, you can choose static or dynamic configuration:
* **Dynamic Configuration**: setup auth with `s3.configure` in `weed shell`
* **Static Configuration**: create a config.json file similar to the example below, and specify it via `weed s3 -config=config.json`
* **OIDC/JWT (Web Identity)**: for Keycloak and other OpenID providers, see [[Keycloak Integration]] for STS and JWT to S3 usage
## Dynamic Configuration
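Review bot: since this hunk edits the list under it, fix the context sentence at the same time: "the access key and secret key to access `weed s3` is not authenticated" reads as a grammar slip, and the point it makes deserves to be stated plainly, namely that with none of the three options configured the gateway accepts every request, which is the exposure that static, dynamic and OIDC/JWT configuration each close.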

@@ -39,4 +39,9 @@ services:
}' > /etc/seaweedfs/config.json && \
weed server -s3 -s3.config /etc/seaweedfs/config.json"
restart: unless-stopped
```
```
## Notes
- To enable advanced IAM (STS, OIDC providers), mount a JSON and add `-iam.config=/etc/seaweedfs/iam.json` to the S3 command. See [[Keycloak Integration]].
- To use SSE-KMS (with OpenBao/Vault, AWS KMS, GCP KMS), mount KMS config (e.g. `s3_kms.json`) and start with `-config=/etc/seaweedfs/s3_kms.json`. See [[Server-Side-Encryption-SSE-KMS]].
- SSE-S3 and bucket default encryption work without external KMS; see [[Server-Side-Encryption]].
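Review bot: the added ``` line directly after the existing closing fence is unmatched; in Markdown it opens a new fenced block, so `## Notes` and the three bullets render as code. Remove it. In the third bullet, `-config=/etc/seaweedfs/s3_kms.json` does not match the compose command above it (`weed server -s3 -s3.config /etc/seaweedfs/config.json`): give the `weed server` spelling of the flag here, and say whether the KMS file replaces the credentials file passed through that same flag or is merged with it, because a reader following the note literally would swap out their access-key configuration.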

@@ -53,7 +53,6 @@ rclone lsf seaweedfs:my-bucket/dir
If the directory `dir` exists in `my-bucket`, the orphaned metadata will be cleaned up. Note that due to slight API usage differences, `rclone ls` does not trigger cleanup, but `rclone lsf` will.
## Setting TTL
It is possible to set a TTL for a specific directory using the S3 API. They are set using [`PutBucketLifecycleConfiguration`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycleConfiguration.html).
@@ -112,6 +111,19 @@ To manage storage growth, you should:
- Implement lifecycle policies to automatically clean up old versions
- Use version-specific deletions for permanent removal when needed
## Does SeaweedFS support encrypted range requests?
Yes. Range requests are supported for encrypted objects across all SSE modes:
- **SSE-KMS**: Supported
- **SSE-C**: Supported
- **SSE-S3**: Supported
## Does SeaweedFS support bucket default encryption?
Yes. Bucket default encryption is supported. You can configure bucket-level default encryption using the standard S3 bucket encryption API, and uploads without explicit encryption headers will be encrypted according to the bucket policy. Applies to SSE-KMS and SSE-S3.
For setup guides, see [[Server-Side-Encryption]].
## Does SeaweedFS support S3 Object Lock?
Yes! SeaweedFS provides comprehensive support for S3 Object Lock features, including:
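Review bot: in the bucket default encryption answer, "using the standard S3 bucket encryption API" should name the operations (`PutBucketEncryption` / `GetBucketEncryption`) so readers know which call to make, and "Applies to SSE-KMS and SSE-S3" deserves its reason: SSE-C cannot be a bucket default because the server never holds the customer key, so an upload without the key headers has nothing to encrypt with. "encrypted according to the bucket policy" also conflates the encryption configuration with the bucket policy, which is a separate access-control document; "bucket encryption configuration" is the accurate term.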