Managing HMAC keys for service accounts

This page shows you how to create, disable and delete Hash-based Message Authentication Code (HMAC) keys associated with service accounts in your project. For general information, see HMAC keys.

Prerequisites

Before using this feature in Cloud Storage, you should:

  1. Have sufficient permission to work with HMAC keys in the desired project:

    • If you own the project, you most likely have the necessary permissions.

    • You should have the IAM permissions that are prefixed with storage.hmacKeys for the project. See Using IAM Permissions for instructions on how to get a role, such as roles/storage.hmacKeyAdmin, that has these permissions.

  2. Have a service account in your project that you intend to create HMAC keys for. See Creating a service account if you don't currently have one.

Creating an HMAC key

To create an HMAC key for a service account:

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
    Open the Cloud Storage browser

  2. Click Settings.

  3. Select the Interoperability tab.

  4. Click + Create a key for a service account.

  5. Select the service account you want the HMAC key to be associated with.

  6. Click Create key.

gsutil

Use the hmac create command:

gsutil hmac create [SERVICE_ACCOUNT_EMAIL]

Where [SERVICE_ACCOUNT_EMAIL] is the email address associated with your service account. For example, service-7550275089395@my-pet-project.iam.gserviceaccount.com.

If successful, the response looks like:

AccessId: GOOGTS7C7FUP3AIRVJTE2BCD
SecretKey: de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation . 

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string service_account_email) {
  StatusOr<std::pair<gcs::HmacKeyMetadata, std::string>> hmac_key_details =
      client.CreateHmacKey(service_account_email);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The base64 encoded secret is: " << hmac_key_details->second
            << "\nDo not miss that secret, there is no API to recover it."
            << "\nThe HMAC key metadata is: " << hmac_key_details->first
            << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation . 

        private void CreateHmacKey(String serviceAccountEmail)
        {
            var storage = StorageClient.Create();
            var key = storage.CreateHmacKey(s_projectId, serviceAccountEmail);

            var secret = key.Secret;
            var metadata = key.Metadata;

            Console.WriteLine($"The Base64 encoded secret is: {secret}");
            Console.WriteLine("Make sure to save that secret, there's no API to recover it.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation . 

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// createHMACKey creates a new HMAC key using the given project and service account.
func createHMACKey(w io.Writer, projectID string, serviceAccountEmail string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	key, err := client.CreateHMACKey(ctx, projectID, serviceAccountEmail)
	if err != nil {
		return nil, fmt.Errorf("CreateHMACKey: %v", err)
	}

	fmt.Fprintf(w, "%s\n", key)
	fmt.Fprintf(w, "The base64 encoded secret is %s\n", key.Secret)
	fmt.Fprintln(w, "Do not miss that secret, there is no API to recover it.")
	fmt.Fprintln(w, "The HMAC key metadata is")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation . 

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The service account email for which the new HMAC key will be created.
// String serviceAccountEmail = "service-account@iam.gserviceaccount.com";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";

ServiceAccount account = ServiceAccount.of(serviceAccountEmail);
HmacKey hmacKey =
    storage.createHmacKey(account, Storage.CreateHmacKeyOption.projectId(projectId));

String secret = hmacKey.getSecretKey();
HmacKeyMetadata metadata = hmacKey.getMetadata();

System.out.println("The Base64 encoded secret is: " + secret);
System.out.println("Do not miss that secret, there is no API to recover it.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation . 

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Create HMAC SA Key
async function createHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const serviceAccountEmail = 'Service Account Email to associate HMAC Key';
  // const projectId = 'The project Id this service account to be created in, e.g. serviceAccountProjectId';

  const [hmacKey, secret] = await storage.createHmacKey(serviceAccountEmail, {
    projectId,
  });

  console.log(`The base64 encoded secret is: ${secret}`);
  console.log(`Do not miss that secret, there is no API to recover it.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation . 

use Google\Cloud\Storage\StorageClient;

/**
 * Create a new HMAC key.
 *
 * @param string $serviceAccountEmail Service account email to associate with the new HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function create_hmac_key($serviceAccountEmail, $projectId)
{
    $storage = new StorageClient();
    // By default createHmacKey will use the projectId used by StorageClient().
    $hmacKeyCreated = $storage->createHmacKey($serviceAccountEmail, ['projectId' => $projectId]);

    printf('The base64 encoded secret is: %s' . PHP_EOL, $hmacKeyCreated->secret());
    print('Do not miss that secret, there is no API to recover it.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKeyCreated->hmacKey()->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation . 

from google.cloud import storage


def create_key(project_id, service_account_email):
    """
    Create a new HMAC key using the given project and service account.
    """
    # project_id = 'Your Google Cloud project ID'
    # service_account_email = 'Service account used to generate HMAC key'

    storage_client = storage.Client(project=project_id)

    hmac_key, secret = storage_client.create_hmac_key(
        service_account_email=service_account_email, project_id=project_id
    )

    print("The base64 encoded secret is {}".format(secret))
    print("Do not miss that secret, there is no API to recover it.")
    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

Ruby

For more information, see the Cloud Storage Ruby API reference documentation . 

# project_id = "Your Google Cloud project ID"
# service_account_email = "Service account used to associate generate HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#create_hmac_key uses the Storage client project_id
hmac_key = storage.create_hmac_key service_account_email, project_id: project_id

puts "The base64 encoded secret is: #{hmac_key.secret}"
puts "Do not miss that secret, there is no API to recover it."
puts "\nThe HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the JSON API with a POST hmacKeys request,:

    curl -X POST \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://storage.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys?serviceAccountEmail=[SERVICE_ACCOUNT_EMAIL]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [PROJECT_ID] is the ID for the project associated with the key you want to create. For example, my-pet-project.
    • [SERVICE_ACCOUNT_EMAIL] is the email address associated with your service account. For example, service-7550275089395@my-pet-project.iam.gserviceaccount.com.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the XML API with a POST HMAC Key request:

    curl -X POST \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://storage.googleapis.com/?Action=CreateAccessKey&UserName=[SERVICE_ACCOUNT_EMAIL]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [SERVICE_ACCOUNT_EMAIL] is the email address associated with your service account. For example, service-7550275089395@my-pet-project.iam.gserviceaccount.com.

Getting HMAC key information

To list the HMAC keys for a project, and get information about the keys:

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
    Open the Cloud Storage browser

  2. Click Settings.

  3. Select the Interoperability tab.

gsutil

  1. Use the hmac list command to list hmac keys in your project:

    gsutil hmac list

    If successful, gsutil returns a list of hmac key access IDs, along with the service account associated with each key.

  2. Use the hmac get command to retrieve metadata for a specific key:

    gsutil hmac get [KEY_ACCESS_ID]

    Where [KEY_ACCESS_ID] is the access ID for the desired key.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client) {
  int count = 0;
  gcs::ListHmacKeysReader hmac_keys_list = client.ListHmacKeys();
  for (auto&& hmac_key_metadata : hmac_keys_list) {
    if (!hmac_key_metadata) {
      throw std::runtime_error(hmac_key_metadata.status().message());
    }
    std::cout << "service_account_email = "
              << hmac_key_metadata->service_account_email()
              << "\naccess_id = " << hmac_key_metadata->access_id() << "\n";
    ++count;
  }
  if (count == 0) {
    std::cout << "No HMAC keys in default project\n";
  }
}

The following sample retrieves information for a specific HMAC key:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> hmac_key_details =
      client.GetHmacKey(access_id);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The HMAC key metadata is: " << *hmac_key_details << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

storage/api/Storage/Storage.cs 
        private void ListHmacKeys()
        {
            var storage = StorageClient.Create();
            var keys = storage.ListHmacKeys(s_projectId);

            foreach (var metadata in keys)
            {
                Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
                Console.WriteLine($"Access ID: {metadata.AccessId}");
            }
        }

The following sample retrieves information for a specific HMAC key:

storage/api/Storage/Storage.cs 
        private void GetHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);

            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

storage/service_account/hmac/list.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"google.golang.org/api/iterator"
	"io"
	"time"
)

// listHMACKeys lists all HMAC keys associated with the project.
func listHMACKeys(w io.Writer, projectID string) ([]*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	iter := client.ListHMACKeys(ctx, projectID)
	var keys []*storage.HMACKey
	for {
		key, err := iter.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("ListHMACKeys: %v", err)
		}
		fmt.Fprintf(w, "Service Account Email: %s\n", key.ServiceAccountEmail)
		fmt.Fprintf(w, "Access ID: %s\n", key.AccessID)

		keys = append(keys, key)
	}

	return keys, nil
}

The following sample retrieves information for a specific HMAC key:

storage/service_account/hmac/get.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// getHMACKey retrieves the HMACKeyMetadata with the given access id.
func getHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	key, err := handle.Get(ctx)
	if err != nil {
		return nil, fmt.Errorf("Get: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)
	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The ID of the project to which the service account belongs.
// String projectId = "project-id";
Page<HmacKeyMetadata> page = storage.listHmacKeys(ListHmacKeysOption.projectId(projectId));

for (HmacKeyMetadata metadata : page.iterateAll()) {
  System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
  System.out.println("Access ID: " + metadata.getAccessId());
}

The following sample retrieves information for a specific HMAC key:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));

System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

samples/hmacKeysList.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// List HMAC SA Keys' Metadata
async function listHmacKeys() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';
  const [hmacKeys] = await storage.getHmacKeys({projectId});

  // hmacKeys is an array of HmacKey objects.
  for (const hmacKey of hmacKeys) {
    console.log(
      `Service Account Email: ${hmacKey.metadata.serviceAccountEmail}`
    );
    console.log(`Access Id: ${hmacKey.metadata.accessId}`);
  }
}

The following sample retrieves information for a specific HMAC key:

samples/hmacKeyGet.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Get HMAC SA Key Metadata
async function getHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to get, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  // Populate the hmacKey object with metadata from server.
  await hmacKey.getMetadata();

  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

storage/src/list_hmac_keys.php 
use Google\Cloud\Storage\StorageClient;

/**
 * List HMAC keys.
 *
 * @param string $projectId Google Cloud Project ID.
 *
 */
function list_hmac_keys($projectId)
{
    $storage = new StorageClient();
    // By default hmacKeys will use the projectId used by StorageClient() to list HMAC Keys.
    $hmacKeys = $storage->hmacKeys(['projectId' => $projectId]);

    printf('HMAC Key\'s:' . PHP_EOL);
    foreach ($hmacKeys as $hmacKey) {
        printf('Service Account Email: %s' . PHP_EOL, $hmacKey->info()['serviceAccountEmail']);
        printf('Access Id: %s' . PHP_EOL, $hmacKey->info()['accessId']);
    }
}

The following sample retrieves information for a specific HMAC key:

storage/src/get_hmac_key.php 
use Google\Cloud\Storage\StorageClient;

/**
 * Get an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function get_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation .

The following sample retrieves a list of HMAC keys associated with a project:

storage/cloud-client/storage_list_hmac_keys.py 
from google.cloud import storage


def list_keys(project_id):
    """
    List all HMAC keys associated with the project.
    """
    # project_id = "Your Google Cloud project ID"

    storage_client = storage.Client(project=project_id)
    hmac_keys = storage_client.list_hmac_keys(project_id=project_id)
    print("HMAC Keys:")
    for hmac_key in hmac_keys:
        print(
            "Service Account Email: {}".format(hmac_key.service_account_email)
        )
        print("Access ID: {}".format(hmac_key.access_id))
    return hmac_keys

The following sample retrieves information for a specific HMAC key:

storage/cloud-client/storage_get_hmac_key.py 
from google.cloud import storage


def get_key(access_id, project_id):
    """
    Retrieve the HMACKeyMetadata with the given access id.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an HMAC key"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )

    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the JSON API with a LIST hmacKeys request:

    curl -X GET \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [PROJECT_ID] is the ID for the project associated with the keys you want to list. For example, my-pet-project.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the XML API with a GET HMAC Key request:

    curl -X GET \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://storage.googleapis.com/?Action=ListAccessKeys&UserName=[SERVICE_ACCOUNT_EMAIL]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [SERVICE_ACCOUNT_EMAIL] is the email address associated with your service account. For example, service-7550275089395@my-pet-project.iam.gserviceaccount.com.

Updating the state of an HMAC key

To switch an HMAC key between being active and inactive:

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
    Open the Cloud Storage browser

  2. Click Settings.

  3. Select the Interoperability tab.

  4. Click the Edit menu (Edit menu icon.) associated with the key you want to update.

  5. Click the more actions menu () associated with the Status of the key.

  6. Select the state you want to apply to the key.

  7. In the confirmation window that appears, confirm you want to change the state of the key.

gsutil

Use the hmac update command:

gsutil hmac update -s [STATE] [ACCESS_KEY_ID]

Where:

  • [STATE] is the desired state for the key. For example, INACTIVE.
  • [ACCESS_KEY_ID] is the access ID associated with the key you are updating.

If successful, gsutil returns the updated metadata of the HMAC key.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation .

The following sample deactivates an HMAC key:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id, gcs::HmacKeyMetadata().set_state(
                     gcs::HmacKeyMetadata::state_inactive()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_inactive()) {
    throw std::runtime_error("The HMAC key is active, this is unexpected");
  }
  std::cout << "The HMAC key is now inactive\nFull metadata: "
            << *updated_metadata << "\n";
}

The following sample activates an HMAC key:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id,
      gcs::HmacKeyMetadata().set_state(gcs::HmacKeyMetadata::state_active()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_active()) {
    throw std::runtime_error(
        "The HMAC key is NOT active, this is unexpected");
  }
  std::cout << "The HMAC key is now active\nFull metadata: "
            << *updated_metadata << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation .

The following sample deactivates an HMAC key:

storage/api/Storage/Storage.cs 
        private void DeactivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Inactive;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now inactive.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

The following sample activates an HMAC key:

storage/api/Storage/Storage.cs 
        private void ActivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Active;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now active.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation .

The following sample deactivates an HMAC key:

storage/service_account/hmac/deactivate.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// deactivateHMACKey deactivates the HMAC key with the given access ID.
func deactivateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "INACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

The following sample activates an HMAC key:

storage/service_account/hmac/activate.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// activateHMACKey activates the HMAC key with the given access ID.
func activateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "ACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation .

The following sample deactivates an HMAC key:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.INACTIVE);

System.out.println("The HMAC key is now inactive.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

The following sample activates an HMAC key:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.ACTIVE);

System.out.println("The HMAC key is now active.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation .

The following sample deactivates an HMAC key:

samples/hmacKeyDeactivate.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Deactivate HMAC SA Key
async function deactivateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'INACTIVE'});

  console.log(`The HMAC key is now inactive.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

The following sample activates an HMAC key:

samples/hmacKeyActivate.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Activate HMAC SA Key
async function activateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'ACTIVE'});

  console.log(`The HMAC key is now active.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation .

The following sample deactivates an HMAC key:

storage/src/deactivate_hmac_key.php 
use Google\Cloud\Storage\StorageClient;

/**
 * Deactivate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function deactivate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('INACTIVE');

    print('The HMAC key is now inactive.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

The following sample activates an HMAC key:

storage/src/activate_hmac_key.php 
use Google\Cloud\Storage\StorageClient;

/**
 * Activate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function activate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('ACTIVE');

    print('The HMAC key is now active.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation .

The following sample deactivates an HMAC key:

storage/cloud-client/storage_deactivate_hmac_key.py 
from google.cloud import storage


def deactivate_key(access_id, project_id):
    """
    Deactivate the HMAC key with the given access ID.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an active HMAC key"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )
    hmac_key.state = "INACTIVE"
    hmac_key.update()

    print("The HMAC key is now inactive.")
    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

The following sample activates an HMAC key:

storage/cloud-client/storage_activate_hmac_key.py 
from google.cloud import storage


def activate_key(access_id, project_id):
    """
    Activate the HMAC key with the given access ID.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an inactive HMAC key"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )
    hmac_key.state = "ACTIVE"
    hmac_key.update()

    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

Ruby

For more information, see the Cloud Storage Ruby API reference documentation .

The following sample deactivates an HMAC key:

storage/hmac.rb 
# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.inactive!

puts "The HMAC key is now inactive."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

The following sample activates an HMAC key:

storage/hmac.rb 
# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.active!

puts "The HMAC key is now active."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Create a .json file that contains the following information:

    {
  "metadata": {
      "state": [STATE]
  }
}

    Where [STATE] is the desired state for the key. For example, INACTIVE.

  3. Use cURL to call the JSON API with a PUT hmacKeys request:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  -H "Content-Type: application/json" \
  "https://storage.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_KEY_ID]"

    Where:

    • [JSON_FILE_NAME] is the file you created in Step 2.
    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [PROJECT_ID] is the ID for the project associated with the key you want to update. For example, my-pet-project.
    • [ACCESS_KEY_ID] is the access ID associated with the key you are updating.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the XML API with a POST HMAC Key request:

    curl -X POST \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    "https://storage.googleapis.com/?Action=UpdateAccessKey&AccessKeyId=[ACCESS_KEY_ID]&Status=[STATUS]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [ACCESS_KEY_ID] is the access ID associated with the key you are updating.
    • [STATUS] is the desired status for the key. For example, Inactive.

Deleting an HMAC key

An HMAC key must be in an inactive state in order to delete it. To delete an inactive HMAC key:

Console

  1. Open the Cloud Storage browser in the Google Cloud Console.
    Open the Cloud Storage browser

  2. Click Settings.

  3. Select the Interoperability tab.

  4. Click the Edit menu (Edit menu icon.) associated with the key you want to update.

  5. Click the more actions menu () associated with the Status of the key.

  6. Select Delete from the drop-down menu.

  7. In the text box that appears, enter the access key ID for the HMAC key as it's given in the window.

  8. Click Delete.

gsutil

Use the hmac delete command:

gsutil hmac delete [ACCESS_KEY_ID]

Where [ACCESS_KEY_ID] is the access ID associated with the key you are deleting.

If successful, gsutil does not return a response.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation .

C++

For more information, see the Cloud Storage C++ API reference documentation .

The following sample deactivates an HMAC key:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id, gcs::HmacKeyMetadata().set_state(
                     gcs::HmacKeyMetadata::state_inactive()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_inactive()) {
    throw std::runtime_error("The HMAC key is active, this is unexpected");
  }
  std::cout << "The HMAC key is now inactive\nFull metadata: "
            << *updated_metadata << "\n";
}

The following sample activates an HMAC key:

google/cloud/storage/examples/storage_service_account_samples.cc 
namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id,
      gcs::HmacKeyMetadata().set_state(gcs::HmacKeyMetadata::state_active()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_active()) {
    throw std::runtime_error(
        "The HMAC key is NOT active, this is unexpected");
  }
  std::cout << "The HMAC key is now active\nFull metadata: "
            << *updated_metadata << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation .

The following sample deactivates an HMAC key:

storage/api/Storage/Storage.cs 
        private void DeactivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Inactive;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now inactive.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

The following sample activates an HMAC key:

storage/api/Storage/Storage.cs 
        private void ActivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Active;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now active.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation .

The following sample deactivates an HMAC key:

storage/service_account/hmac/deactivate.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// deactivateHMACKey deactivates the HMAC key with the given access ID.
func deactivateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "INACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

The following sample activates an HMAC key:

storage/service_account/hmac/activate.go 
import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// activateHMACKey activates the HMAC key with the given access ID.
func activateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "ACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation .

The following sample deactivates an HMAC key:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.INACTIVE);

System.out.println("The HMAC key is now inactive.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

The following sample activates an HMAC key:

google-cloud-examples/src/main/java/com/google/cloud/examples/storage/snippets/StorageSnippets.java 
// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.ACTIVE);

System.out.println("The HMAC key is now active.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation .

The following sample deactivates an HMAC key:

samples/hmacKeyDeactivate.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Deactivate HMAC SA Key
async function deactivateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'INACTIVE'});

  console.log(`The HMAC key is now inactive.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

The following sample activates an HMAC key:

samples/hmacKeyActivate.js 
// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Activate HMAC SA Key
async function activateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'ACTIVE'});

  console.log(`The HMAC key is now active.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation .

The following sample deactivates an HMAC key:

storage/src/deactivate_hmac_key.php 
use Google\Cloud\Storage\StorageClient;

/**
 * Deactivate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function deactivate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('INACTIVE');

    print('The HMAC key is now inactive.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

The following sample activates an HMAC key:

storage/src/activate_hmac_key.php 
use Google\Cloud\Storage\StorageClient;

/**
 * Activate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function activate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('ACTIVE');

    print('The HMAC key is now active.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation .

The following sample deactivates an HMAC key:

storage/cloud-client/storage_deactivate_hmac_key.py 
from google.cloud import storage


def deactivate_key(access_id, project_id):
    """
    Deactivate the HMAC key with the given access ID.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an active HMAC key"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )
    hmac_key.state = "INACTIVE"
    hmac_key.update()

    print("The HMAC key is now inactive.")
    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

The following sample activates an HMAC key:

storage/cloud-client/storage_activate_hmac_key.py 
from google.cloud import storage


def activate_key(access_id, project_id):
    """
    Activate the HMAC key with the given access ID.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an inactive HMAC key"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )
    hmac_key.state = "ACTIVE"
    hmac_key.update()

    print("The HMAC key metadata is:")
    print("Service Account Email: {}".format(hmac_key.service_account_email))
    print("Key ID: {}".format(hmac_key.id))
    print("Access ID: {}".format(hmac_key.access_id))
    print("Project ID: {}".format(hmac_key.project))
    print("State: {}".format(hmac_key.state))
    print("Created At: {}".format(hmac_key.time_created))
    print("Updated At: {}".format(hmac_key.updated))
    print("Etag: {}".format(hmac_key.etag))
    return hmac_key

Ruby

For more information, see the Cloud Storage Ruby API reference documentation .

The following sample deactivates an HMAC key:

storage/hmac.rb 
# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.inactive!

puts "The HMAC key is now inactive."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

The following sample activates an HMAC key:

storage/hmac.rb 
# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.active!

puts "The HMAC key is now active."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

C#

For more information, see the Cloud Storage C# API reference documentation . 

        private void DeleteHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            storage.DeleteHmacKey(s_projectId, accessId);

            Console.WriteLine($"Key {accessId} was deleted.");
        }

Go

For more information, see the Cloud Storage Go API reference documentation . 

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
	"time"
)

// deleteHMACKey deletes the HMAC key with the given access ID. Key must have state
// INACTIVE in order to succeed.
func deleteHMACKey(w io.Writer, accessID string, projectID string) error {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
	defer cancel()
	if err = handle.Delete(ctx); err != nil {
		return fmt.Errorf("Delete: %v", err)
	}

	fmt.Fprintln(w, "The key is deleted, though it may still appear in ListHMACKeys results.")

	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation . 

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
storage.deleteHmacKey(metadata);

System.out.println(
    "The key is deleted, though it will still appear in getHmacKeys() results given showDeletedKey is true.");

Node.js

For more information, see the Cloud Storage Node.js API reference documentation . 

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Delete HMAC SA Key
async function deleteHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'Inactive HMAC Access Key Id to delete, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  await hmacKey.delete();

  console.log(
    `The key is deleted, though it may still appear in getHmacKeys() results.`
  );
}

PHP

For more information, see the Cloud Storage PHP API reference documentation . 

use Google\Cloud\Storage\StorageClient;

/**
 * Delete an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function delete_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->delete();
    print(
      'The key is deleted, though it may still appear in the results of calls ' .
      'to StorageClient.hmacKeys([\'showDeletedKeys\' => true])' . PHP_EOL
    );
}

Python

For more information, see the Cloud Storage Python API reference documentation . 

from google.cloud import storage


def delete_key(access_id, project_id):
    """
    Delete the HMAC key with the given access ID. Key must have state INACTIVE
    in order to succeed.
    """
    # project_id = "Your Google Cloud project ID"
    # access_id = "ID of an HMAC key (must be in INACTIVE state)"

    storage_client = storage.Client(project=project_id)

    hmac_key = storage_client.get_hmac_key_metadata(
        access_id, project_id=project_id
    )
    hmac_key.delete()

    print(
        "The key is deleted, though it may still appear in list_hmac_keys()"
        " results."
    )

Ruby

For more information, see the Cloud Storage Ruby API reference documentation . 

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.delete!

puts "The key is deleted, though it may still appear in Client#hmac_keys results."

REST APIs

JSON API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the JSON API with a DELETE hmacKeys request:

    curl -X DELETE \
  -H "Authorization: Bearer [OAUTH2_TOKEN]" \
  "https://storage.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_KEY_ID]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [PROJECT_ID] is the ID for the project associated with the key you want to delete. For example, my-pet-project.
    • [ACCESS_KEY_ID] is the access ID associated with the key you are deleting.

XML API

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the XML API with a POST HMAC Key request:

    curl -X POST \
    -H "Authorization: Bearer [OAUTH2_TOKEN]" \
    "https://storage.googleapis.com/?Action=DeleteAccessKey&AccessKeyId=[ACCESS_KEY_ID]"

    Where:

    • [OAUTH2_TOKEN] is the access token you generated in Step 1.
    • [ACCESS_KEY_ID] is the access ID associated with the key you are deleting.

What's next