Use customer-managed encryption keys

usingGoogle.Cloud.Iam.V1 ;
usingGoogle.Cloud.Kms.V1 ;
publicclassIamAddMemberSample
{
publicPolicyIamAddMember(
stringprojectId="my-project",stringlocationId="us-east1",stringkeyRingId="my-key-ring",stringkeyId="my-key",
stringmember="user:foo@example.com")
{
// Create the client.
KeyManagementServiceClient client=KeyManagementServiceClient .Create ();
// Build the resource name.
CryptoKeyName resourceName=newCryptoKeyName (projectId,locationId,keyRingId,keyId);
// The resource name could also be a key ring.
// var resourceName = new KeyRingName(projectId, locationId, keyRingId);
// Get the current IAM policy.
Policy policy=client.IAMPolicyClient .GetIamPolicy(
newGetIamPolicyRequest
{
ResourceAsResourceName=resourceName
});
// Add the member to the policy.
policy.AddRoleMember ("roles/cloudkms.cryptoKeyEncrypterDecrypter",member);
// Save the updated IAM policy.
Policy result=client.IAMPolicyClient .SetIamPolicy(
newSetIamPolicyRequest
{
ResourceAsResourceName=resourceName,
Policy=policy
});
// Return the resulting policy.
returnresult;
}
}

import(
"context"
"fmt"
"io"
kms"cloud.google.com/go/kms/apiv1"
)
// iamAddMember adds a new IAM member to the Cloud KMS key
funciamAddMember(wio.Writer,name,memberstring)error{
// NOTE: The resource name can be either a key or a key ring. If IAM
// permissions are granted on the key ring, the permissions apply to all keys
// in the key ring.
//
// name := "projects/my-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"
// member := "user:foo@example.com"
// Create the client.
ctx:=context.Background()
client,err:=kms.NewKeyManagementClient (ctx)
iferr!=nil{
returnfmt.Errorf("failed to create kms client: %w",err)
}
deferclient.Close()
// Get the current IAM policy.
handle:=client.ResourceIAM (name)
policy,err:=handle.Policy(ctx)
iferr!=nil{
returnfmt.Errorf("failed to get IAM policy: %w",err)
}
// Grant the member permissions. This example grants permission to use the key
// to encrypt data.
policy.Add(member,"roles/cloudkms.cryptoKeyEncrypterDecrypter")
iferr:=handle.SetPolicy(ctx,policy);err!=nil{
returnfmt.Errorf("failed to save policy: %w",err)
}
fmt.Fprintf(w,"Updated IAM policy for %s\n",name)
returnnil
}

importcom.google.cloud.kms.v1.CryptoKeyName ;
importcom.google.cloud.kms.v1.KeyManagementServiceClient ;
importcom.google.iam.v1.Binding ;
importcom.google.iam.v1.Policy ;
importjava.io.IOException;
publicclass IamAddMember{
publicvoidiamAddMember()throwsIOException{
// TODO(developer): Replace these variables before running the sample.
StringprojectId="your-project-id";
StringlocationId="us-east1";
StringkeyRingId="my-key-ring";
StringkeyId="my-key";
Stringmember="user:foo@example.com";
iamAddMember(projectId,locationId,keyRingId,keyId,member);
}
// Add the given IAM member to the key.
publicvoidiamAddMember(
StringprojectId,StringlocationId,StringkeyRingId,StringkeyId,Stringmember)
throwsIOException{
// Initialize client that will be used to send requests. This client only
// needs to be created once, and can be reused for multiple requests. After
// completing all of your requests, call the "close" method on the client to
// safely clean up any remaining background resources.
try(KeyManagementServiceClient client=KeyManagementServiceClient .create()){
// Build the key version name from the project, location, key ring, key,
// and key version.
CryptoKeyName resourceName=CryptoKeyName .of(projectId,locationId,keyRingId,keyId);
// The resource name could also be a key ring.
// KeyRingName resourceName = KeyRingName.of(projectId, locationId, keyRingId);
// Get the current policy.
Policy policy=client.getIamPolicy(resourceName);
// Create a new IAM binding for the member and role.
Binding binding=
Binding .newBuilder()
.setRole("roles/cloudkms.cryptoKeyEncrypterDecrypter")
.addMembers (member)
.build();
// Add the binding to the policy.
Policy newPolicy=policy.toBuilder ().addBindings (binding).build();
client.setIamPolicy(resourceName,newPolicy);
System.out.printf("Updated IAM policy for %s%n",resourceName.toString ());
}
}
}

//
// TODO(developer): Uncomment these variables before running the sample.
//
// const projectId = 'my-project';
// const locationId = 'us-east1';
// const keyRingId = 'my-key-ring';
// const keyId = 'my-key';
// const member = 'user:foo@example.com';
// Imports the Cloud KMS library
const{KeyManagementServiceClient}=require('@google-cloud/kms');
// Instantiates a client
constclient=newKeyManagementServiceClient ();
// Build the resource name
constresourceName=client.cryptoKeyPath(
projectId,
locationId,
keyRingId,
keyId
);
// The resource name could also be a key ring.
// const resourceName = client.keyRingPath(projectId, locationId, keyRingId);
asyncfunctioniamAddMember(){
// Get the current IAM policy.
const[policy]=awaitclient.getIamPolicy({
resource:resourceName,
});
// Add the member to the policy.
policy.bindings.push({
role:'roles/cloudkms.cryptoKeyEncrypterDecrypter',
members:[member],
});
// Save the updated policy.
const[updatedPolicy]=awaitclient.setIamPolicy({
resource:resourceName,
policy:policy,
});
console.log('Updated policy');
returnupdatedPolicy;
}
returniamAddMember();

use Google\Cloud\Iam\V1\Binding;
use Google\Cloud\Iam\V1\GetIamPolicyRequest;
use Google\Cloud\Iam\V1\SetIamPolicyRequest;
use Google\Cloud\Kms\V1\Client\KeyManagementServiceClient;
function iam_add_member(
 string $projectId = 'my-project',
 string $locationId = 'us-east1',
 string $keyRingId = 'my-key-ring',
 string $keyId = 'my-key',
 string $member = 'user:foo@example.com'
) {
 // Create the Cloud KMS client.
 $client = new KeyManagementServiceClient();
 // Build the resource name.
 $resourceName = $client->cryptoKeyName($projectId, $locationId, $keyRingId, $keyId);
 // The resource name could also be a key ring.
 // $resourceName = $client->keyRingName($projectId, $locationId, $keyRingId);
 // Get the current IAM policy.
 $getIamPolicyRequest = (new GetIamPolicyRequest())
 ->setResource($resourceName);
 $policy = $client->getIamPolicy($getIamPolicyRequest);
 // Add the member to the policy.
 $bindings = $policy->getBindings();
 $bindings[] = (new Binding())
 ->setRole('roles/cloudkms.cryptoKeyEncrypterDecrypter')
 ->setMembers([$member]);
 $policy->setBindings($bindings);
 // Save the updated IAM policy.
 $setIamPolicyRequest = (new SetIamPolicyRequest())
 ->setResource($resourceName)
 ->setPolicy($policy);
 $updatedPolicy = $client->setIamPolicy($setIamPolicyRequest);
 printf('Added %s' . PHP_EOL, $member);
 return $updatedPolicy;
}

fromgoogle.cloudimport kms
fromgoogle.iam.v1import policy_pb2 as iam_policy
defiam_add_member(
 project_id: str, location_id: str, key_ring_id: str, key_id: str, member: str
) -> iam_policy.Policy:
"""
 Add an IAM member to a resource.
 Args:
 project_id (string): Google Cloud project ID (e.g. 'my-project').
 location_id (string): Cloud KMS location (e.g. 'us-east1').
 key_ring_id (string): ID of the Cloud KMS key ring (e.g. 'my-key-ring').
 key_id (string): ID of the key to use (e.g. 'my-key').
 member (string): Member to add (e.g. 'user:foo@example.com')
 Returns:
 Policy: Updated Cloud IAM policy.
 """
 # Create the client.
 client = kms.KeyManagementServiceClient ()
 # Build the resource name.
 resource_name = client.crypto_key_path (project_id, location_id, key_ring_id, key_id)
 # The resource name could also be a key ring.
 # resource_name = client.key_ring_path(project_id, location_id, key_ring_id);
 # Get the current policy.
 policy = client.get_iam_policy (request={"resource": resource_name})
 # Add the member to the policy.
 policy.bindings.add(
 role="roles/cloudkms.cryptoKeyEncrypterDecrypter", members=[member]
 )
 # Save the updated IAM policy.
 request = {"resource": resource_name, "policy": policy}
 updated_policy = client.set_iam_policy (request=request)
 print(f"Added {member} to {resource_name}")
 return updated_policy

# TODO(developer): uncomment these values before running the sample.
# project_id = "my-project"
# location_id = "us-east1"
# key_ring_id = "my-key-ring"
# key_id = "my-key"
# member = "user:foo@example.com"
# Require the library.
require"google/cloud/kms"
# Create the client.
client=Google::Cloud::Kms .key_management_service
# Build the resource name.
resource_name=client.crypto_key_pathproject:project_id,
location:location_id,
key_ring:key_ring_id,
crypto_key:key_id
# The resource name could also be a key ring.
# resource_name = client.key_ring_path project: project_id, location: location_id, key_ring: key_ring_id
# Create the IAM client.
iam_client=Google::Cloud::Kms ::V1 ::IAMPolicy::Client.new
# Get the current IAM policy.
policy=iam_client.get_iam_policyresource:resource_name
# Add the member to the policy.
policy.bindings << Google::Iam::V1 ::Binding.new(
members:[member],
role:"roles/cloudkms.cryptoKeyEncrypterDecrypter"
)
# Save the updated policy.
updated_policy=iam_client.set_iam_policyresource:resource_name,policy:policy
puts"Added #{member}"

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name,
std::stringconst&key_name){
StatusOr<gcs::BucketMetadata>updated=client.PatchBucket(
bucket_name,gcs::BucketMetadataPatchBuilder().SetEncryption(
gcs::BucketEncryption{key_name}));
if(!updated)throwstd::move(updated).status();
if(!updated->has_encryption()){
std::cerr << "The change to set the encryption attribute on bucket "
 << updated->name()
 << " was successful, but the encryption is not set."
 << "This is unexpected, maybe a concurrent change?\n";
return;
}
std::cout << "Successfully set default KMS key on bucket "
 << updated->name() << " to "
 << updated->encryption().default_kms_key_name << "."
 << "\nFull metadata: " << *updated << "\n";
}

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name){
StatusOr<gcs::BucketMetadata>updated=client.PatchBucket(
bucket_name,gcs::BucketMetadataPatchBuilder().ResetEncryption());
if(!updated)throwstd::move(updated).status();
std::cout << "Successfully removed default KMS key on bucket "
 << updated->name() << "\n";
}

usingGoogle.Apis.Storage.v1.Data;
usingGoogle.Cloud.Storage.V1 ;
usingSystem;
publicclassEnableDefaultKMSKeySample
{
publicBucketEnableDefaultKMSKey(
stringprojectId="your-project-id",
stringbucketName="your-unique-bucket-name",
stringkeyLocation="us-west1",
stringkmsKeyRing="kms-key-ring",
stringkmsKeyName="key-name")
{
// KMS Key identifier of an already created KMS key.
// If you use the Google.Cloud.Kms.V1 library, you can construct these names using helper class CryptoKeyName.
// var fullKeyName = new CryptoKeyName(projectId, keyLocation, kmsKeyRing, kmsKeyName).ToString();
stringkeyPrefix=$"projects/{projectId}/locations/{keyLocation}";
stringfullKeyringName=$"{keyPrefix}/keyRings/{kmsKeyRing}";
stringfullKeyName=$"{fullKeyringName}/cryptoKeys/{kmsKeyName}";
varstorage=StorageClient .Create ();
varbucket=storage.GetBucket(bucketName,newGetBucketOptions {Projection=Projection .Full });
bucket.Encryption=newBucket.EncryptionData{DefaultKmsKeyName=fullKeyName};
varupdatedBucket=storage.UpdateBucket(bucket);
Console.WriteLine($"Default KMS key for {bucketName} was set to {kmsKeyName}.");
returnupdatedBucket;
}
}

usingGoogle.Apis.Storage.v1.Data;
usingGoogle.Cloud.Storage.V1 ;
usingSystem;
publicclassBucketDeleteDefaultKmsKeySample
{
publicBucketBucketDeleteDefaultKmsKey(stringbucketName="your-bucket-name")
{
varstorage=StorageClient .Create ();
varbucket=storage.GetBucket(bucketName);
if(bucket.Encryption==null)
{
Console.WriteLine("No default kms key to remove");
}
else
{
bucket.Encryption.DefaultKmsKeyName=null;
bucket=storage.UpdateBucket(bucket);
Console.WriteLine($"Default KMS key was removed from {bucketName}. ");
}
returnbucket;
}
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// setBucketDefaultKMSKey sets the Cloud KMS encryption key for the bucket.
funcsetBucketDefaultKMSKey(wio.Writer ,bucketName,keyNamestring)error{
// bucketName := "bucket-name"
// keyName := "key"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnfmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*10)
defercancel()
bucket:=client.Bucket (bucketName)
bucketAttrsToUpdate:=storage.BucketAttrsToUpdate {
Encryption:&storage.BucketEncryption {DefaultKMSKeyName:keyName},
}
if_,err:=bucket.Update(ctx,bucketAttrsToUpdate);err!=nil{
returnfmt.Errorf("Bucket(%q).Update: %w",bucketName,err)
}
fmt.Fprintf(w,"Default KMS Key Name: %v",bucketAttrsToUpdate.Encryption.DefaultKMSKeyName)
returnnil
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// removeBucketDefaultKMSKey removes any default Cloud KMS key set on a bucket.
funcremoveBucketDefaultKMSKey(wio.Writer ,bucketNamestring)error{
// bucketName := "bucket-name"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnfmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*10)
defercancel()
bucket:=client.Bucket (bucketName)
bucketAttrsToUpdate:=storage.BucketAttrsToUpdate {
Encryption:&storage.BucketEncryption {},
}
if_,err:=bucket.Update(ctx,bucketAttrsToUpdate);err!=nil{
returnfmt.Errorf("Bucket(%q).Update: %w",bucketName,err)
}
fmt.Fprintf(w,"Default KMS key was removed from: %v",bucketName)
returnnil
}

importcom.google.cloud.storage.Bucket ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.Storage.BucketTargetOption ;
importcom.google.cloud.storage.StorageException ;
importcom.google.cloud.storage.StorageOptions ;
publicclass SetBucketDefaultKmsKey{
publicstaticvoidsetBucketDefaultKmsKey(StringprojectId,StringbucketName,StringkmsKeyName)
throwsStorageException {
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
// The name of the KMS key to use as a default
// String kmsKeyName =
// "projects/your-project-id/locations/us/keyRings/my_key_ring/cryptoKeys/my_key"
Storage storage=StorageOptions .newBuilder().setProjectId(projectId).build().getService ();
// first look up the bucket, so we will have its metageneration
Bucket bucket=storage.get (bucketName);
Bucket updated=
storage.update (
bucket.toBuilder().setDefaultKmsKeyName(kmsKeyName).build(),
BucketTargetOption.metagenerationMatch());
System.out.println(
"KMS Key "
+updated.getDefaultKmsKeyName ()
+"was set to default for bucket "
+bucketName);
}
}

importcom.google.cloud.storage.Bucket ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.Storage.BucketTargetOption ;
importcom.google.cloud.storage.StorageOptions ;
publicclass RemoveBucketDefaultKmsKey{
publicstaticvoidremoveBucketDefaultKmsKey(StringprojectId,StringbucketName){
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
Storage storage=StorageOptions .newBuilder().setProjectId(projectId).build().getService ();
// first look up the bucket, so we will have its metageneration
Bucket bucket=storage.get (bucketName);
storage.update (
bucket.toBuilder().setDefaultKmsKeyName(null).build(),
BucketTargetOption.metagenerationMatch());
System.out.println("Default KMS key was removed from "+bucketName);
}
}

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The name of the KMS-key to use as a default
// const defaultKmsKeyName = 'my-key';
// Imports the Google Cloud client library
const{Storage}=require('@google-cloud/storage');
// Creates a client
conststorage=newStorage();
asyncfunctionenableDefaultKMSKey(){
awaitstorage.bucket(bucketName).setMetadata({
encryption:{
defaultKmsKeyName,
},
});
console.log(
`Default KMS key for ${bucketName} was set to ${defaultKmsKeyName}.`
);
}
enableDefaultKMSKey().catch(console.error);

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// Imports the Google Cloud client library
const{Storage}=require('@google-cloud/storage');
// Creates a client
conststorage=newStorage();
asyncfunctionremoveDefaultKMSKey(){
awaitstorage.bucket(bucketName).setMetadata({
encryption:{
defaultKmsKeyName:null,
},
});
console.log(`Default KMS key was removed from ${bucketName}`);
}
removeDefaultKMSKey().catch(console.error);

use Google\Cloud\Storage\StorageClient;
/**
 * Enable a bucket's requesterpays metadata.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * (e.g. 'my-bucket')
 * @param string $kmsKeyName The KMS key to use as the default KMS key.
 * Key names are provided in the following format:
 * `projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>`.
 */
function enable_default_kms_key(string $bucketName, string $kmsKeyName): void
{
 $storage = new StorageClient();
 $bucket = $storage->bucket($bucketName);
 $bucket->update([
 'encryption' => [
 'defaultKmsKeyName' => $kmsKeyName
 ]
 ]);
 printf('Default KMS key for %s was set to %s' . PHP_EOL,
 $bucketName,
 $bucket->info()['encryption']['defaultKmsKeyName']);
}

use Google\Cloud\Storage\StorageClient;
/**
 * Delete the default KMS key on the given bucket.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * (e.g. 'my-bucket')
 */
function bucket_delete_default_kms_key(string $bucketName): void
{
 $storage = new StorageClient();
 $bucket = $storage->bucket($bucketName);
 $objects = $bucket->objects([
 'encryption' => [
 'defaultKmsKeyName' => null,
 ]
 ]);
 printf('Default KMS key was removed from %s', $bucketName);
}

fromgoogle.cloudimport storage
defenable_default_kms_key(bucket_name, kms_key_name):
"""Sets a bucket's default KMS key."""
 # bucket_name = "your-bucket-name"
 # kms_key_name = "projects/PROJ/locations/LOC/keyRings/RING/cryptoKey/KEY"
 storage_client = storage .Client ()
 bucket = storage_client.get_bucket (bucket_name)
 bucket.default_kms_key_name = kms_key_name
 bucket.patch()
 print(
 "Set default KMS key for bucket {} to {}.".format(
 bucket.name, bucket.default_kms_key_name
 )
 )

fromgoogle.cloudimport storage
defbucket_delete_default_kms_key(bucket_name):
"""Delete a default KMS key of bucket"""
 # bucket_name = "your-bucket-name"
 storage_client = storage .Client ()
 bucket = storage_client.get_bucket (bucket_name)
 bucket.default_kms_key_name = None
 bucket.patch()
 print(f"Default KMS key was removed from {bucket.name}")
 return bucket

defset_bucket_default_kms_keybucket_name:,default_kms_key:
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# The name of the KMS key to manage this object with
# default_kms_key = "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key"
require"google/cloud/storage"
storage=Google::Cloud::Storage .new
bucket=storage.bucketbucket_name
bucket.default_kms_key =default_kms_key
puts"Default KMS key for #{bucket.name} was set to #{bucket.default_kms_key }"
end

defbucket_delete_default_kms_keybucket_name:
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
require"google/cloud/storage"
storage=Google::Cloud::Storage .new
bucket=storage.bucketbucket_name
bucket.default_kms_key =nil
puts"Default KMS key was removed from #{bucket_name}"
end

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name){
StatusOr<gcs::BucketMetadata>metadata=
client.GetBucketMetadata(bucket_name);
if(!metadata)throwstd::move(metadata).status();
if(!metadata->has_encryption()){
std::cout << "The bucket " << metadata->name()
 << " does not have a default KMS key set.\n";
return;
}
std::cout << "The default KMS key for bucket " << metadata->name()
 << " is: " << metadata->encryption().default_kms_key_name << "\n";
}

usingGoogle.Apis.Storage.v1.Data;
usingGoogle.Cloud.Storage.V1 ;
usingSystem;
publicclassGetBucketMetadataSample
{
publicBucketGetBucketMetadata(stringbucketName="your-unique-bucket-name")
{
varstorage=StorageClient .Create ();
varbucket=storage.GetBucket(bucketName,newGetBucketOptions {Projection=Projection .Full });
Console.WriteLine($"Bucket:\t{bucket.Name}");
Console.WriteLine($"Acl:\t{bucket.Acl}");
Console.WriteLine($"Billing:\t{bucket.Billing}");
Console.WriteLine($"Cors:\t{bucket.Cors}");
Console.WriteLine($"DefaultEventBasedHold:\t{bucket.DefaultEventBasedHold}");
Console.WriteLine($"DefaultObjectAcl:\t{bucket.DefaultObjectAcl}");
Console.WriteLine($"Encryption:\t{bucket.Encryption}");
if(bucket.Encryption!=null)
{
Console.WriteLine($"KmsKeyName:\t{bucket.Encryption.DefaultKmsKeyName}");
}
Console.WriteLine($"Id:\t{bucket.Id}");
Console.WriteLine($"Kind:\t{bucket.Kind}");
Console.WriteLine($"Lifecycle:\t{bucket.Lifecycle}");
Console.WriteLine($"Location:\t{bucket.Location}");
Console.WriteLine($"LocationType:\t{bucket.LocationType}");
Console.WriteLine($"Logging:\t{bucket.Logging}");
Console.WriteLine($"Metageneration:\t{bucket.Metageneration}");
Console.WriteLine($"ObjectRetention:\t{bucket.ObjectRetention}");
Console.WriteLine($"Owner:\t{bucket.Owner}");
Console.WriteLine($"ProjectNumber:\t{bucket.ProjectNumber}");
Console.WriteLine($"RetentionPolicy:\t{bucket.RetentionPolicy}");
Console.WriteLine($"SelfLink:\t{bucket.SelfLink}");
Console.WriteLine($"StorageClass:\t{bucket.StorageClass}");
Console.WriteLine($"TimeCreated:\t{bucket.TimeCreated}");
Console.WriteLine($"Updated:\t{bucket.Updated}");
Console.WriteLine($"Versioning:\t{bucket.Versioning}");
Console.WriteLine($"Website:\t{bucket.Website}");
Console.WriteLine($"TurboReplication:\t{bucket.Rpo}");
if(bucket.Labels!=null)
{
Console.WriteLine("Labels:");
foreach(varlabelinbucket.Labels)
{
Console.WriteLine($"{label.Key}:\t{label.Value}");
}
}
returnbucket;
}
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// getBucketMetadata gets the bucket metadata.
funcgetBucketMetadata(wio.Writer ,bucketNamestring)(*storage.BucketAttrs ,error){
// bucketName := "bucket-name"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnnil,fmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*10)
defercancel()
attrs,err:=client.Bucket (bucketName).Attrs(ctx)
iferr!=nil{
returnnil,fmt.Errorf("Bucket(%q).Attrs: %w",bucketName,err)
}
fmt.Fprintf(w,"BucketName: %v\n",attrs.Name)
fmt.Fprintf(w,"Location: %v\n",attrs.Location)
fmt.Fprintf(w,"LocationType: %v\n",attrs.LocationType)
fmt.Fprintf(w,"StorageClass: %v\n",attrs.StorageClass)
fmt.Fprintf(w,"Turbo replication (RPO): %v\n",attrs.RPO )
fmt.Fprintf(w,"TimeCreated: %v\n",attrs.Created)
fmt.Fprintf(w,"Metageneration: %v\n",attrs.MetaGeneration)
fmt.Fprintf(w,"PredefinedACL: %v\n",attrs.PredefinedACL)
ifattrs.Encryption!=nil{
fmt.Fprintf(w,"DefaultKmsKeyName: %v\n",attrs.Encryption.DefaultKMSKeyName)
}
ifattrs.Website!=nil{
fmt.Fprintf(w,"IndexPage: %v\n",attrs.Website.MainPageSuffix)
fmt.Fprintf(w,"NotFoundPage: %v\n",attrs.Website.NotFoundPage)
}
fmt.Fprintf(w,"DefaultEventBasedHold: %v\n",attrs.DefaultEventBasedHold)
ifattrs.RetentionPolicy !=nil{
fmt.Fprintf(w,"RetentionEffectiveTime: %v\n",attrs.RetentionPolicy .EffectiveTime)
fmt.Fprintf(w,"RetentionPeriod: %v\n",attrs.RetentionPolicy .RetentionPeriod)
fmt.Fprintf(w,"RetentionPolicyIsLocked: %v\n",attrs.RetentionPolicy .IsLocked)
}
fmt.Fprintf(w,"ObjectRetentionMode: %v\n",attrs.ObjectRetentionMode)
fmt.Fprintf(w,"RequesterPays: %v\n",attrs.RequesterPays)
fmt.Fprintf(w,"VersioningEnabled: %v\n",attrs.VersioningEnabled)
ifattrs.Logging!=nil{
fmt.Fprintf(w,"LogBucket: %v\n",attrs.Logging.LogBucket)
fmt.Fprintf(w,"LogObjectPrefix: %v\n",attrs.Logging.LogObjectPrefix)
}
ifattrs.CORS !=nil{
fmt.Fprintln(w,"CORS:")
for_,v:=rangeattrs.CORS {
fmt.Fprintf(w,"\tMaxAge: %v\n",v.MaxAge)
fmt.Fprintf(w,"\tMethods: %v\n",v.Methods)
fmt.Fprintf(w,"\tOrigins: %v\n",v.Origins)
fmt.Fprintf(w,"\tResponseHeaders: %v\n",v.ResponseHeaders)
}
}
ifattrs.Labels!=nil{
fmt.Fprintf(w,"\n\n\nLabels:")
forkey,value:=rangeattrs.Labels{
fmt.Fprintf(w,"\t%v = %v\n",key,value)
}
}
returnattrs,nil
}

importcom.google.cloud.storage.Bucket ;
importcom.google.cloud.storage.BucketInfo ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.StorageOptions ;
importjava.util.Map;
publicclass GetBucketMetadata{
publicstaticvoidgetBucketMetadata(StringprojectId,StringbucketName){
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
Storage storage=StorageOptions .newBuilder().setProjectId(projectId).build().getService ();
// Select all fields. Fields can be selected individually e.g. Storage.BucketField.NAME
Bucket bucket=
storage.get (bucketName,Storage.BucketGetOption.fields(Storage.BucketField.values()));
// Print bucket metadata
System.out.println("BucketName: "+bucket.getName());
System.out.println("DefaultEventBasedHold: "+bucket.getDefaultEventBasedHold ());
System.out.println("DefaultKmsKeyName: "+bucket.getDefaultKmsKeyName ());
System.out.println("Id: "+bucket.getGeneratedId());
System.out.println("IndexPage: "+bucket.getIndexPage ());
System.out.println("Location: "+bucket.getLocation());
System.out.println("LocationType: "+bucket.getLocationType ());
System.out.println("Metageneration: "+bucket.getMetageneration());
System.out.println("NotFoundPage: "+bucket.getNotFoundPage ());
System.out.println("RetentionEffectiveTime: "+bucket.getRetentionEffectiveTime ());
System.out.println("RetentionPeriod: "+bucket.getRetentionPeriod ());
System.out.println("RetentionPolicyIsLocked: "+bucket.retentionPolicyIsLocked ());
System.out.println("RequesterPays: "+bucket.requesterPays());
System.out.println("SelfLink: "+bucket.getSelfLink());
System.out.println("StorageClass: "+bucket.getStorageClass().name ());
System.out.println("TimeCreated: "+bucket.getCreateTime());
System.out.println("VersioningEnabled: "+bucket.versioningEnabled ());
System.out.println("ObjectRetention: "+bucket.getObjectRetention ());
if(bucket.getLabels()!=null){
System.out.println("\n\n\nLabels:");
for(Map.Entry<String,String>label:bucket.getLabels().entrySet()){
System.out.println(label.getKey()+"="+label.getValue());
}
}
if(bucket.getLifecycleRules()!=null){
System.out.println("\n\n\nLifecycle Rules:");
for(BucketInfo.LifecycleRulerule:bucket.getLifecycleRules()){
System.out.println(rule);
}
}
}
}

// Imports the Google Cloud client library
const{Storage}=require('@google-cloud/storage');
// Creates a client
conststorage=newStorage();
asyncfunctiongetBucketMetadata(){
/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// Get Bucket Metadata
const[metadata]=awaitstorage.bucket(bucketName).getMetadata();
console.log(JSON .stringify(metadata,null,2));
}

use Google\Cloud\Storage\StorageClient;
/**
 * Get bucket metadata.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * (e.g. 'my-bucket')
 */
function get_bucket_metadata(string $bucketName): void
{
 $storage = new StorageClient();
 $bucket = $storage->bucket($bucketName);
 $info = $bucket->info();
 printf('Bucket Metadata: %s' . PHP_EOL, print_r($info, true));
}

fromgoogle.cloudimport storage
defbucket_metadata(bucket_name):
"""Prints out a bucket's metadata."""
 # bucket_name = 'your-bucket-name'
 storage_client = storage .Client ()
 bucket = storage_client.get_bucket (bucket_name)
 print(f"ID: {bucket.id}")
 print(f"Name: {bucket.name}")
 print(f"Storage Class: {bucket.storage_class}")
 print(f"Location: {bucket.location }")
 print(f"Location Type: {bucket.location_type }")
 print(f"Cors: {bucket.cors }")
 print(f"Default Event Based Hold: {bucket.default_event_based_hold }")
 print(f"Default KMS Key Name: {bucket.default_kms_key_name }")
 print(f"Metageneration: {bucket.metageneration}")
 print(
 f"Public Access Prevention: {bucket.iam_configuration .public_access_prevention }"
 )
 print(f"Retention Effective Time: {bucket.retention_policy_effective_time }")
 print(f"Retention Period: {bucket.retention_period }")
 print(f"Retention Policy Locked: {bucket.retention_policy_locked }")
 print(f"Object Retention Mode: {bucket.object_retention_mode }")
 print(f"Requester Pays: {bucket.requester_pays }")
 print(f"Self Link: {bucket.self_link}")
 print(f"Time Created: {bucket.time_created}")
 print(f"Versioning Enabled: {bucket.versioning_enabled }")
 print(f"Labels: {bucket.labels }")

defget_bucket_metadatabucket_name:
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
require"google/cloud/storage"
storage=Google::Cloud::Storage .new
bucket=storage.bucketbucket_name
puts"ID: #{bucket.id}"
puts"Name: #{bucket.name}"
puts"Storage Class: #{bucket.storage_class}"
puts"Location: #{bucket.location}"
puts"Location Type: #{bucket.location_type}"
puts"Cors: #{bucket.cors}"
puts"Default Event Based Hold: #{bucket.default_event_based_hold? }"
puts"Default KMS Key Name: #{bucket.default_kms_key }"
puts"Logging Bucket: #{bucket.logging_bucket }"
puts"Logging Prefix: #{bucket.logging_prefix }"
puts"Metageneration: #{bucket.metageneration}"
puts"Retention Effective Time: #{bucket.retention_effective_at }"
puts"Retention Period: #{bucket.retention_period }"
puts"Retention Policy Locked: #{bucket.retention_policy_locked? }"
puts"Requester Pays: #{bucket.requester_pays }"
puts"Self Link: #{bucket.api_url}"
puts"Time Created: #{bucket.created_at}"
puts"Versioning Enabled: #{bucket.versioning? }"
puts"Index Page: #{bucket.website_main }"
puts"Not Found Page: #{bucket.website_404 }"
puts"Labels:"
bucket.labels.each do|key,value|
puts" - #{key} = #{value}"
end
puts"Lifecycle Rules:"
bucket.lifecycle.each do|rule|
puts"#{rule.action } - #{rule.storage_class} - #{rule.age } - #{rule.matches_storage_class }"
end
end

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name,
std::stringconst&object_name,std::stringconst&kms_key_name){
gcs::ObjectWriteStreamstream=client.WriteObject(
bucket_name,object_name,gcs::KmsKeyName(kms_key_name));
// Line numbers start at 1.
for(intlineno=1;lineno<=10;++lineno){
stream << lineno << ": placeholder text for CMEK example.\n";
}
stream.Close();
StatusOr<gcs::ObjectMetadata>metadata=std::move(stream).metadata();
if(!metadata)throwstd::move(metadata).status();
std::cout << "Successfully wrote to object " << metadata->name()
 << " its size is: " << metadata->size()
 << "\nFull metadata: " << *metadata << "\n";
}

usingGoogle.Cloud.Storage.V1 ;
usingSystem;
usingSystem.IO;
publicclassUploadFileWithKmsKeySample
{
publicvoidUploadFileWithKmsKey(
stringprojectId="your-project-id",
stringbucketName="your-unique-bucket-name",
stringkeyLocation="us-west1",
stringkmsKeyRing="kms-key-ring",
stringkmsKeyName="key-name",
stringlocalPath="my-local-path/my-file-name",
stringobjectName="my-file-name")
{
// KMS Key identifier of an already created KMS key.
// If you use the Google.Cloud.Kms.V1 library, you can construct these names using helper class CryptoKeyName.
// var fullKeyName = new CryptoKeyName(projectId, keyLocation, kmsKeyRing, kmsKeyName).ToString();
stringkeyPrefix=$"projects/{projectId}/locations/{keyLocation}";
stringfullKeyringName=$"{keyPrefix}/keyRings/{kmsKeyRing}";
stringfullKeyName=$"{fullKeyringName}/cryptoKeys/{kmsKeyName}";
varstorage=StorageClient .Create ();
usingvarfileStream=File.OpenRead(localPath);
storage.UploadObject(bucketName,objectName,null,fileStream,newUploadObjectOptions {KmsKeyName=fullKeyName});
Console.WriteLine($"Uploaded {objectName}.");
}
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// uploadWithKMSKey writes an object using Cloud KMS encryption.
funcuploadWithKMSKey(wio.Writer ,bucket,object,keyNamestring)error{
// bucket := "bucket-name"
// object := "object-name"
// keyName := "projects/projectId/locations/global/keyRings/keyRingID/cryptoKeys/cryptoKeyID"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnfmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*50)
defercancel()
o:=client.Bucket (bucket).Object (object)
// Optional: set a generation-match precondition to avoid potential race
// conditions and data corruptions. The request to upload is aborted if the
// object's generation number does not match your precondition.
// For an object that does not yet exist, set the DoesNotExist precondition.
o=o.If(storage.Conditions {DoesNotExist:true})
// If the live object already exists in your bucket, set instead a
// generation-match precondition using the live object's generation number.
// attrs, err := o.Attrs(ctx)
// if err != nil {
// 	return fmt.Errorf("object.Attrs: %w", err)
// }
// o = o.If(storage.Conditions{GenerationMatch: attrs.Generation})
// Encrypt the object's contents.
wc:=o.NewWriter (ctx)
wc.KMSKeyName=keyName
if_,err:=wc.Write ([]byte("top secret"));err!=nil{
returnfmt.Errorf("Writer.Write: %w",err)
}
iferr:=wc.Close();err!=nil{
returnfmt.Errorf("Writer.Close: %w",err)
}
fmt.Fprintf(w,"Uploaded blob %v with KMS key.\n",object)
returnnil
}

import staticjava.nio.charset.StandardCharsets.UTF_8;
importcom.google.cloud.storage.BlobId ;
importcom.google.cloud.storage.BlobInfo ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.StorageOptions ;
publicclass UploadKmsEncryptedObject{
publicstaticvoiduploadKmsEncryptedObject(
StringprojectId,StringbucketName,StringobjectName,StringkmsKeyName){
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
// The ID of your GCS object
// String objectName = "your-object-name";
// The name of the KMS key to encrypt with
// String kmsKeyName = "projects/my-project/locations/us/keyRings/my_key_ring/cryptoKeys/my_key"
Storage storage=StorageOptions .newBuilder().setProjectId(projectId).build().getService ();
byte[]data="Hello, World!".getBytes(UTF_8);
BlobId blobId=BlobId .of(bucketName,objectName);
BlobInfo blobInfo=BlobInfo .newBuilder(blobId).setContentType("text/plain").build();
// Optional: set a generation-match precondition to avoid potential race
// conditions and data corruptions. The request returns a 412 error if the
// preconditions are not met.
Storage .BlobTargetOptionprecondition;
if(storage.get (bucketName,objectName)==null){
// For a target object that does not yet exist, set the DoesNotExist precondition.
// This will cause the request to fail if the object is created before the request runs.
precondition=Storage .BlobTargetOption.doesNotExist();
}else{
// If the destination already exists in your bucket, instead set a generation-match
// precondition. This will cause the request to fail if the existing object's generation
// changes before the request runs.
precondition=
Storage .BlobTargetOption.generationMatch(
storage.get (bucketName,objectName).getGeneration());
}
storage.create (blobInfo,data,Storage.BlobTargetOption.kmsKeyName(kmsKeyName),precondition);
System.out.println(
"Uploaded object "
+objectName
+" in bucket "
+bucketName
+" encrypted with "
+kmsKeyName);
}
}

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The path to your file to upload
// const filePath = 'path/to/your/file';
// The name of the KMS-key
// const kmsKeyName = 'my-key';
// Imports the Google Cloud client library
const{Storage}=require('@google-cloud/storage');
// Creates a client
conststorage=newStorage();
asyncfunctionuploadFileWithKmsKey(){
constoptions={
kmsKeyName,
// Optional:
// Set a generation-match precondition to avoid potential race conditions
// and data corruptions. The request to upload is aborted if the object's
// generation number does not match your precondition. For a destination
// object that does not yet exist, set the ifGenerationMatch precondition to 0
// If the destination object already exists in your bucket, set instead a
// generation-match precondition using its generation number.
preconditionOpts:{ifGenerationMatch:generationMatchPrecondition},
};
awaitstorage.bucket(bucketName).upload (filePath,options);
console.log(`${filePath} uploaded to ${bucketName} using ${kmsKeyName}.`);
}
uploadFileWithKmsKey().catch(console.error);

use Google\Cloud\Storage\StorageClient;
/**
 * Upload a file using KMS encryption.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 * (e.g. 'my-object')
 * @param string $source The path to the file to upload.
 * (e.g. '/path/to/your/file')
 * @param string $kmsKeyName The KMS key used to encrypt objects server side.
 * Key names are provided in the following format:
 * `projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>`.
 */
function upload_with_kms_key(string $bucketName, string $objectName, string $source, string $kmsKeyName): void
{
 $storage = new StorageClient();
 if (!$file = fopen($source, 'r')) {
 throw new \InvalidArgumentException('Unable to open file for reading');
 }
 $bucket = $storage->bucket($bucketName);
 $object = $bucket->upload($file, [
 'name' => $objectName,
 'destinationKmsKeyName' => $kmsKeyName,
 ]);
 printf('Uploaded %s to gs://%s/%s using encryption key %s' . PHP_EOL,
 basename($source),
 $bucketName,
 $objectName,
 $kmsKeyName);
}

fromgoogle.cloudimport storage
defupload_blob_with_kms(
 bucket_name, source_file_name, destination_blob_name, kms_key_name,
):
"""Uploads a file to the bucket, encrypting it with the given KMS key."""
 # bucket_name = "your-bucket-name"
 # source_file_name = "local/path/to/file"
 # destination_blob_name = "storage-object-name"
 # kms_key_name = "projects/PROJ/locations/LOC/keyRings/RING/cryptoKey/KEY"
 storage_client = storage .Client ()
 bucket = storage_client.bucket (bucket_name)
 blob = bucket.blob(destination_blob_name, kms_key_name=kms_key_name)
 # Optional: set a generation-match precondition to avoid potential race conditions
 # and data corruptions. The request to upload is aborted if the object's
 # generation number does not match your precondition. For a destination
 # object that does not yet exist, set the if_generation_match precondition to 0.
 # If the destination object already exists in your bucket, set instead a
 # generation-match precondition using its generation number.
 generation_match_precondition = 0
 blob.upload_from_filename (source_file_name, if_generation_match=generation_match_precondition)
 print(
 "File {} uploaded to {} with encryption key {}.".format(
 source_file_name, destination_blob_name, kms_key_name
 )
 )

defupload_with_kms_keybucket_name:,local_file_path:,file_name:nil,kms_key:
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# The path to your file to upload
# local_file_path = "/local/path/to/file.txt"
# The ID of your GCS object
# file_name = "your-file-name"
# The name of the KMS key to manage this object with
# kms_key = "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key"
require"google/cloud/storage"
storage=Google::Cloud::Storage .new
bucket=storage.bucketbucket_name,skip_lookup:true
file=bucket.create_file local_file_path,file_name,kms_key:kms_key
puts"Uploaded #{file.name} and encrypted service side using #{file.kms_key}"
end

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name,
std::stringconst&object_name,std::stringconst&old_csek_key_base64,
std::stringconst&new_cmek_key_name){
StatusOr<gcs::ObjectMetadata>metadata=client.RewriteObjectBlocking(
bucket_name,object_name,bucket_name,object_name,
gcs::SourceEncryptionKey::FromBase64Key(old_csek_key_base64),
gcs::DestinationKmsKeyName(new_cmek_key_name));
if(!metadata)throwstd::move(metadata).status();
std::cout << "Changed object " << metadata->name() << " in bucket "
 << metadata->bucket()
 << " from using CSEK to CMEK key.\nFull Metadata: " << *metadata
 << "\n";
}

usingGoogle.Cloud.Storage.V1 ;
usingSystem;
usingSystem.IO;
publicclassObjectCsekToCmekSample
{
publicvoidObjectCsekToCmek(
stringprojectId="your-project-id",
stringbucketName="your-unique-bucket-name",
stringobjectName="your-object-name",
stringcurrrentEncryptionKey="TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=",
stringkeyLocation="us-west1",
stringkmsKeyRing="kms-key-ring",
stringkmsKeyName="key-name")
{
stringkeyPrefix=$"projects/{projectId}/locations/{keyLocation}";
stringfullKeyringName=$"{keyPrefix}/keyRings/{kmsKeyRing}";
stringfullKeyName=$"{fullKeyringName}/cryptoKeys/{kmsKeyName}";
varstorage=StorageClient .Create ();
usingvaroutputStream=newMemoryStream();
storage.DownloadObject(bucketName,objectName,outputStream,newDownloadObjectOptions ()
{
EncryptionKey=EncryptionKey .Create (Convert.FromBase64String(currrentEncryptionKey))
});
outputStream.Position=0;
storage.UploadObject(bucketName,objectName,null,outputStream,newUploadObjectOptions ()
{
KmsKeyName=fullKeyName
});
Console.WriteLine($"Object {objectName} in bucket {bucketName} is now managed"+
$" by the KMS key ${kmsKeyName} instead of a customer-supplied encryption key");
}
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// сhangeObjectCSEKtoKMS changes the key used to encrypt an object from
// a customer-supplied encryption key to a customer-managed encryption key.
funcсhangeObjectCSEKToKMS(wio.WrWriterbucket,objectstring,encryptionKey[]byte,kmsKeyNamestring)error{
// bucket := "bucket-name"
// object := "object-name"
// encryptionKey is the Base64 encoded decryption key, which should be the same
// key originally used to encrypt the object.
// encryptionKey := []byte("TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=")
// kmsKeyName is the name of the KMS key to manage this object with.
// kmsKeyName := "projects/projectId/locations/global/keyRings/keyRingID/cryptoKeys/cryptoKeyID"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnfmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*10)
defercancel()
o:=clclient.Bucket (bucket).Objectbject)
// Optional: set a generation-match precondition to avoid potential race
// conditions and data corruptions. The request to copy is aborted if the
// object's generation number does not match your precondition.
attrs,err:=o.Attrs(ctx)
iferr!=nil{
returnfmt.Errorf("object.Attrs: %w",err)
}
o=o.If(storage.CoConditionsenerationMatch:atattrs.Generation
// You can't change an object's encryption key directly. Instead, you must
// rewrite the object using the new key.
src:=o.o.KeyncryptionKey)
c:=o.o.CopierFromrc)
c.DestinationKMSKeyName=kmsKeyName
if_,err:=c.Run(ctx);err!=nil{
returnfmt.Errorf("Copier.Run: %w",err)
}
fmt.Fprintf(w,"Object %v in bucket %v is now managed by the KMS key %v instead of a customer-supplied encryption key\n",object,bucket,kmsKeyName)
returnnil
}

importcom.google.cloud.storage.Blob ;
importcom.google.cloud.storage.BlobId ;
importcom.google.cloud.storage.Storage ;
importcom.google.cloud.storage.StorageOptions ;
publicclass ChangeObjectCsekToKms{
publicstaticvoidchangeObjectFromCsekToKms(
StringprojectId,
StringbucketName,
StringobjectName,
StringdecryptionKey,
StringkmsKeyName){
// The ID of your GCP project
// String projectId = "your-project-id";
// The ID of your GCS bucket
// String bucketName = "your-unique-bucket-name";
// The ID of your GCS object
// String objectName = "your-object-name";
// The Base64 encoded decryption key, which should be the same key originally used to encrypt
// the object
// String decryptionKey = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=";
// The name of the KMS key to manage this object with
// String kmsKeyName =
// "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key";
Storage storage=StorageOptions .newBuilder().setProjectId(projectId).build().getService ();
BlobId blobId=BlobId .of(bucketName,objectName);
Blob blob=storage.get (blobId);
if(blob==null){
System.out.println("The object "+objectName+" wasn't found in "+bucketName);
return;
}
// Optional: set a generation-match precondition to avoid potential race
// conditions and data corruptions. The request to upload returns a 412 error if
// the object's generation number does not match your precondition.
Storage .BlobSourceOptionprecondition=
Storage .BlobSourceOption.generationMatch(blob.getGeneration());
Storage .CopyRequest request=
Storage .CopyRequest.newBuilder()
.setSource(blobId)
.setSourceOptions(Storage .BlobSourceOption.decryptionKey(decryptionKey),precondition)
.setTarget(blobId,Storage .BlobTargetOption.kmsKeyName(kmsKeyName))
.build();
storage.copy (request);
System.out.println(
"Object "
+objectName
+" in bucket "
+bucketName
+" is now managed by the KMS key "
+kmsKeyName
+" instead of a customer-supplied encryption key");
}
}

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';
// The ID of your GCS file
// const fileName = 'your-file-name';
// The Base64 encoded decryption key, which should be the same key originally
// used to encrypt the file
// const encryptionKey = 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=';
// The name of the KMS key to manage this file with
// const kmsKeyName = 'projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key';
// Imports the Google Cloud client library
const{Storage}=require('@google-cloud/storage');
// Creates a client
conststorage=newStorage();
asyncfunctionchangeFileCSEKToCMEK(){
constrotateEncryptionKeyOptions={
kmsKeyName,
// Optional: set a generation-match precondition to avoid potential race
// conditions and data corruptions. The request to copy is aborted if the
// object's generation number does not match your precondition.
preconditionOpts:{
ifGenerationMatch:generationMatchPrecondition,
},
};
console.log(rotateEncryptionKeyOptions);
awaitstorage
.bucket(bucketName)
.file(fileName,{
encryptionKey:Buffer.from(encryptionKey,'base64'),
})
.rotateEncryptionKey ({
rotateEncryptionKeyOptions,
});
console.log(
`file ${fileName} in bucket ${bucketName} is now managed by KMS key ${kmsKeyName} instead of customer-supplied encryption key`
);
}
changeFileCSEKToCMEK().catch(console.error);

use Google\Cloud\Storage\StorageClient;
/**
 * Migrate an object from a Customer-Specified Encryption Key to a Customer-Managed
 * Encryption Key.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 * (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 * (e.g. 'my-object')
 * @param string $decryptionKey The Base64 encoded decryption key, which should
 * (e.g. 'TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g=')
 * be the same key originally used to encrypt the object.
 * @param string $kmsKeyName The name of the KMS key to manage this object.
 * Key names are provided in the following format:
 * `projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>`.
 */
function object_csek_to_cmek(string $bucketName, string $objectName, string $decryptionKey, string $kmsKeyName): void
{
 $storage = new StorageClient();
 $bucket = $storage->bucket($bucketName);
 $object = $bucket->object($objectName, [
 'encryptionKey' => $decryptionKey,
 ]);
 $object->rewrite($bucketName, [
 'destinationKmsKeyName' => $kmsKeyName,
 ]);
 printf(
 'Object %s in bucket %s is now managed by the KMS key %s instead of a customer-supplied encryption key',
 $objectName,
 $bucketName,
 $kmsKeyName
 );
}

fromgoogle.cloudimport storage
defobject_csek_to_cmek(bucket_name, blob_name, encryption_key, kms_key_name):
"""Change a blob's customer-supplied encryption key to KMS key"""
 # bucket_name = "your-bucket-name"
 # blob_name = "your-object-name"
 # encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="
 # kms_key_name = "projects/PROJ/locations/LOC/keyRings/RING/cryptoKey/KEY"
 storage_client = storage .Client ()
 bucket = storage_client.bucket (bucket_name)
 current_encryption_key = base64.b64decode(encryption_key)
 source_blob = bucket.blob(blob_name, encryption_key=current_encryption_key)
 destination_blob = bucket.blob(blob_name, kms_key_name=kms_key_name)
 generation_match_precondition = None
 token = None
 # Optional: set a generation-match precondition to avoid potential race conditions
 # and data corruptions. The request to rewrite is aborted if the object's
 # generation number does not match your precondition.
 source_blob.reload() # Fetch blob metadata to use in generation_match_precondition.
 generation_match_precondition = source_blob.generation
 while True:
 token, bytes_rewritten, total_bytes = destination_blob.rewrite (
 source_blob, token=token, if_generation_match=generation_match_precondition
 )
 if token is None:
 break
 print(
 "Blob {} in bucket {} is now managed by the KMS key {} instead of a customer-supplied encryption key".format(
 blob_name, bucket_name, kms_key_name
 )
 )
 return destination_blob

defobject_csek_to_cmekbucket_name:,file_name:,encryption_key:,kms_key_name:
# The ID of your GCS bucket
# bucket_name = "your-unique-bucket-name"
# The ID of your GCS object
# file_name = "your-file-name"
# The Base64 encoded encryption key, which should be the same key originally used to encrypt the object
# encryption_key = "TIbv/fjexq+VmtXzAlc63J4z5kFmWJ6NdAPQulQBT7g="
# The name of the KMS key to manage this object with
# kms_key_name = "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key"
require"google/cloud/storage"
storage=Google::Cloud::Storage .new
bucket=storage.bucketbucket_name,skip_lookup:true
file=bucket.file file_name,encryption_key:encryption_key
file.rotate encryption_key:encryption_key,new_kms_key:kms_key_name
puts"File #{file_name} in bucket #{bucket_name} is now managed by the KMS key #{kms_key_name} instead of a "\
"customer-supplied encryption key"
end

namespacegcs=::google::cloud::storage;
using::google::cloud::StatusOr;
[](gcs::Clientclient,std::stringconst&bucket_name,
std::stringconst&object_name){
StatusOr<gcs::ObjectMetadata>metadata=
client.GetObjectMetadata(bucket_name,object_name);
if(!metadata)throwstd::move(metadata).status();
std::cout << "KMS key on object " << metadata->name() << " in bucket "
 << metadata->bucket() << ": " << metadata->kms_key_name() << "\n";
}

usingGoogle.Cloud.Storage.V1 ;
usingSystem;
publicclassGetMetadataSample
{
publicGoogle.Apis.Storage.v1.Data.ObjectGetMetadata(
stringbucketName="your-unique-bucket-name",
stringobjectName="your-object-name")
{
varstorage=StorageClient .Create ();
varstorageObject=storage.GetObject(bucketName,objectName,newGetObjectOptions {Projection=Projection .Full });
Console.WriteLine($"Bucket:\t{storageObject.Bucket}");
Console.WriteLine($"CacheControl:\t{storageObject.CacheControl}");
Console.WriteLine($"ComponentCount:\t{storageObject.ComponentCount}");
Console.WriteLine($"ContentDisposition:\t{storageObject.ContentDisposition}");
Console.WriteLine($"ContentEncoding:\t{storageObject.ContentEncoding}");
Console.WriteLine($"ContentLanguage:\t{storageObject.ContentLanguage}");
Console.WriteLine($"ContentType:\t{storageObject.ContentType}");
Console.WriteLine($"Crc32c:\t{storageObject.Crc32c}");
Console.WriteLine($"ETag:\t{storageObject.ETag}");
Console.WriteLine($"Generation:\t{storageObject.Generation}");
Console.WriteLine($"Id:\t{storageObject.Id}");
Console.WriteLine($"Kind:\t{storageObject.Kind}");
Console.WriteLine($"KmsKeyName:\t{storageObject.KmsKeyName}");
Console.WriteLine($"Md5Hash:\t{storageObject.Md5Hash}");
Console.WriteLine($"MediaLink:\t{storageObject.MediaLink}");
Console.WriteLine($"Metageneration:\t{storageObject.Metageneration}");
Console.WriteLine($"Name:\t{storageObject.Name}");
Console.WriteLine($"Retention:\t{storageObject.Retention}");
Console.WriteLine($"Size:\t{storageObject.Size}");
Console.WriteLine($"StorageClass:\t{storageObject.StorageClass}");
Console.WriteLine($"TimeCreated:\t{storageObject.TimeCreated}");
Console.WriteLine($"Updated:\t{storageObject.Updated}");
booleventBasedHold=storageObject.EventBasedHold??false;
Console.WriteLine("Event-based hold enabled? {0}",eventBasedHold);
booltemporaryHold=storageObject.TemporaryHold??false;
Console.WriteLine("Temporary hold enabled? {0}",temporaryHold);
Console.WriteLine($"RetentionExpirationTime\t{storageObject.RetentionExpirationTime}");
if(storageObject.Metadata!=null)
{
Console.WriteLine("Metadata: ");
foreach(varmetadatainstorageObject.Metadata)
{
Console.WriteLine($"{metadata.Key}:\t{metadata.Value}");
}
}
Console.WriteLine($"CustomTime:\t{storageObject.CustomTime}");
returnstorageObject;
}
}

import(
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// getMetadata prints all of the object attributes.
funcgetMetadata(wio.Writer ,bucket,objectstring)(*storage.ObjectAttrs ,error){
// bucket := "bucket-name"
// object := "object-name"
ctx:=context.Background()
client,err:=storage.NewClient(ctx)
iferr!=nil{
returnnil,fmt.Errorf("storage.NewClient: %w",err)
}
deferclient.Close()
ctx,cancel:=context.WithTimeout(ctx,time.Second*10)
defercancel()
o:=client.Bucket (bucket).Object (object)
attrs,err:=o.Attrs(ctx)
iferr!=nil{
returnnil,fmt.Errorf("Object(%q).Attrs: %w",object,err)
}
fmt.Fprintf(w,"Bucket: %v\n",attrs.Bucket )
fmt.Fprintf(w,"CacheControl: %v\n",attrs.CacheControl )
fmt.Fprintf(w,"ContentDisposition: %v\n",attrs.ContentDisposition)
fmt.Fprintf(w,"ContentEncoding: %v\n",attrs.ContentEncoding )
fmt.Fprintf(w,"ContentLanguage: %v\n",attrs.ContentLanguage)
fmt.Fprintf(w,"ContentType: %v\n",attrs.ContentType )
fmt.Fprintf(w,"Crc32c: %v\n",attrs.CRC32C)
fmt.Fprintf(w,"Generation: %v\n",attrs.Generation )
fmt.Fprintf(w,"KmsKeyName: %v\n",attrs.KMSKeyName)
fmt.Fprintf(w,"Md5Hash: %v\n",attrs.MD5)
fmt.Fprintf(w,"MediaLink: %v\n",attrs.MediaLink)
fmt.Fprintf(w,"Metageneration: %v\n",attrs.Metageneration)
fmt.Fprintf(w,"Name: %v\n",attrs.Name)
fmt.Fprintf(w,"Size: %v\n",attrs.Size )
fmt.Fprintf(w,"StorageClass: %v\n",attrs.StorageClass)
fmt.Fprintf(w,"TimeCreated: %v\n",attrs.Created)
fmt.Fprintf(w,"Updated: %v\n",attrs.Updated)
fmt.Fprintf(w,"Event-based hold enabled? %t\n",attrs.EventBasedHold)
fmt.Fprintf(w,"Temporary hold enabled? %t\n",attrs.TemporaryHold)
fmt.Fprintf(w,"Retention expiration time %v\n",attrs.RetentionExpirationTime)
fmt.Fprintf(w,"Custom time %v\n",attrs.CustomTime)
fmt.Fprintf(w,"Retention: %+v\n",attrs.Retention)
fmt.Fprintf(w,"\n\nMetadata\n")
forkey,value:=rangeattrs.Metadata{
fmt.Fprintf(w,"\t%v = %v\n",key,value)
}
returnattrs,nil
}