Como gerenciar chaves HMAC para contas de serviço

Esta página mostra como criar, desativar e excluir chaves de código de autenticação de mensagem baseadas em hash (HMAC) associadas a contas de serviço em seu projeto. Para informações gerais, consulte chaves HMAC.

Pré-requisitos

Para usar esse recurso no Cloud Storage, o seguinte é necessário:

  1. Ter permissão suficiente para trabalhar com chaves HMAC no projeto desejado:

    • Se você for o proprietário do projeto, provavelmente terá as permissões necessárias.

    • É preciso ter as permissões do IAM com o prefixo storage.hmacKeys para o projeto. Consulte Como usar permissões do IAM para instruções sobre como conseguir um papel, por exemplo, roles/storage.hmacKeyAdmin, com essas permissões.

  2. Tenha uma conta de serviço no seu projeto para a qual você pretende criar chaves HMAC. Consulte Como criar uma conta de serviço se você não tiver uma.

Como criar uma chave HMAC

Para criar uma chave HMAC para uma conta de serviço:

Console

  1. Abra o navegador do Cloud Storage no Console do Google Cloud Platform.
    Abra o navegador do Cloud Storage
  2. Clique em Configurações.

  3. Selecione a guia Interoperabilidade.

  4. Clique em + Criar uma chave para uma conta de serviço.

  5. Selecione a conta de serviço à qual você quer que a chave HMAC seja associada.

  6. Clique em Criar chave.

gsutil

Use o comando hmac create, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

gsutil hmac create [SERVICE_ACCOUNT_EMAIL]

Se bem-sucedida, a resposta será parecida com esta:

AccessId: GOOGTS7C7FUP3AIRVJTE2BCD
SecretKey: de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

Amostras de código

C++

Para saber mais, consulte a documentação de referência da API Cloud Storage C++ .

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string service_account_email) {
  StatusOr<std::pair<gcs::HmacKeyMetadata, std::string>> hmac_key_details =
      client.CreateHmacKey(service_account_email);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The base64 encoded secret is: " << hmac_key_details->second
            << "\nDo not miss that secret, there is no API to recover it."
            << "\nThe HMAC key metadata is: " << hmac_key_details->first
            << "\n";
}

C#

Para saber mais, consulte a documentação de referência da API Cloud Storage C# .

        private void CreateHmacKey(String serviceAccountEmail)
        {
            var storage = StorageClient.Create();
            var key = storage.CreateHmacKey(s_projectId, serviceAccountEmail);

            var secret = key.Secret;
            var metadata = key.Metadata;

            Console.WriteLine($"The Base64 encoded secret is: {secret}");
            Console.WriteLine("Make sure to save that secret, there's no API to recover it.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

Para saber mais, consulte a documentação de referência da API Cloud Storage Go .

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// createHMACKey creates a new HMAC key using the given project and service account.
func createHMACKey(w io.Writer, projectID string, serviceAccountEmail string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	key, err := client.CreateHMACKey(ctx, projectID, serviceAccountEmail)
	if err != nil {
		return nil, fmt.Errorf("CreateHMACKey: %v", err)
	}

	fmt.Fprintf(w, "%s\n", key)
	fmt.Fprintf(w, "The base64 encoded secret is %s\n", key.Secret)
	fmt.Fprintln(w, "Do not miss that secret, there is no API to recover it.")
	fmt.Fprintln(w, "The HMAC key metadata is")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

Para saber mais, consulte a documentação de referência da API Cloud Storage Java .

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The service account email for which the new HMAC key will be created.
// String serviceAccountEmail = "service-account@iam.gserviceaccount.com";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";

ServiceAccount account = ServiceAccount.of(serviceAccountEmail);
HmacKey hmacKey =
    storage.createHmacKey(account, Storage.CreateHmacKeyOption.projectId(projectId));

String secret = hmacKey.getSecretKey();
HmacKeyMetadata metadata = hmacKey.getMetadata();

System.out.println("The Base64 encoded secret is: " + secret);
System.out.println("Do not miss that secret, there is no API to recover it.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

Para saber mais, consulte a documentação de referência da API Cloud Storage Node.js .

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Create HMAC SA Key
async function createHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const serviceAccountEmail = 'Service Account Email to associate HMAC Key';
  // const projectId = 'The project Id this service account to be created in, e.g. serviceAccountProjectId';

  const [hmacKey, secret] = await storage.createHmacKey(serviceAccountEmail, {
    projectId,
  });

  console.log(`The base64 encoded secret is: ${secret}`);
  console.log(`Do not miss that secret, there is no API to recover it.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

Para saber mais, consulte a documentação de referência da API Cloud Storage PHP .

use Google\Cloud\Storage\StorageClient;

/**
 * Create a new HMAC key.
 *
 * @param string $serviceAccountEmail Service account email to associate with the new HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function create_hmac_key($serviceAccountEmail, $projectId)
{
    $storage = new StorageClient();
    // By default createHmacKey will use the projectId used by StorageClient().
    $hmacKeyCreated = $storage->createHmacKey($serviceAccountEmail, ['projectId' => $projectId]);

    printf('The base64 encoded secret is: %s' . PHP_EOL, $hmacKeyCreated->secret());
    print('Do not miss that secret, there is no API to recover it.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKeyCreated->hmacKey()->info(), true));
}

Python

Para saber mais, consulte a documentação de referência da API Cloud Storage Python .

# project_id = 'Your Google Cloud project ID'
# service_account_email = 'Service account used to generate HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key, secret = storage_client.create_hmac_key(
    service_account_email=service_account_email,
    project_id=project_id)
print('The base64 encoded secret is {}'.format(secret))
print('Do not miss that secret, there is no API to recover it.')
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

Para saber mais, consulte a documentação de referência da API Cloud Storage Ruby .

# project_id = "Your Google Cloud project ID"
# service_account_email = "Service account used to associate generate HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#create_hmac_key uses the Storage client project_id
hmac_key = storage.create_hmac_key service_account_email, project_id: project_id

puts "The base64 encoded secret is: #{hmac_key.secret}"
puts "Do not miss that secret, there is no API to recover it."
puts "\nThe HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

APIs REST

API JSON

  1. Receba um token de acesso de autorização do OAuth 2.0 Playground. Configure o Playground para usar suas credenciais do OAuth.
  2. Use cURL para chamar a API JSON com uma solicitação de POST hmacKeys, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys?serviceAccountEmail=[SERVICE_ACCOUNT_EMAIL]"

API XML

A API XML não pode ser usada para criar chaves HMAC. Use uma das outras ferramentas do Cloud Storage, como o gsutil.

Como acessar informações da chave HMAC

Para listar as chaves HMAC para um projeto e acessar informações sobre as chaves:

Console

  1. Abra o navegador do Cloud Storage no Console do Google Cloud Platform.
    Abra o navegador do Cloud Storage
  2. Clique em Configurações.

  3. Selecione a guia Interoperabilidade.

gsutil

  1. Use o comando hmac list para listar chaves hmac em seu projeto:

    gsutil hmac list

    Se for bem-sucedida, a gsutil retornará uma lista de IDs de acesso da chave hmac com a conta de serviço associada a cada chave.

  2. Use o comando hmac get para recuperar metadados de uma chave específica:

    gsutil hmac get [KEY_ACCESS_ID] 

    onde [KEY_ACCESS_ID] é o ID de acesso para a chave desejada.

Amostras de código

C++

Para saber mais, consulte a documentação de referência da API Cloud Storage C++ .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client) {
  int count = 0;
  gcs::ListHmacKeysReader hmac_keys_list = client.ListHmacKeys();
  for (auto&& hmac_key_metadata : hmac_keys_list) {
    if (!hmac_key_metadata) {
      throw std::runtime_error(hmac_key_metadata.status().message());
    }
    std::cout << "service_account_email = "
              << hmac_key_metadata->service_account_email()
              << "\naccess_id = " << hmac_key_metadata->access_id() << "\n";
    ++count;
  }
  if (count == 0) {
    std::cout << "No HMAC keys in default project\n";
  }
}

A amostra a seguir recupera informações para uma chave HMAC específica:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> hmac_key_details =
      client.GetHmacKey(access_id);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The HMAC key metadata is: " << *hmac_key_details << "\n";
}

C#

Para saber mais, consulte a documentação de referência da API Cloud Storage C# .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

        private void ListHmacKeys()
        {
            var storage = StorageClient.Create();
            var keys = storage.ListHmacKeys(s_projectId);

            foreach (var metadata in keys)
            {
                Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
                Console.WriteLine($"Access ID: {metadata.AccessId}");
            }
        }

A amostra a seguir recupera informações para uma chave HMAC específica:

        private void GetHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);

            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

Para saber mais, consulte a documentação de referência da API Cloud Storage Go .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"google.golang.org/api/iterator"
	"io"
)

// listHMACKeys lists all HMAC keys associated with the project.
func listHMACKeys(w io.Writer, projectID string) ([]*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	iter := client.ListHMACKeys(ctx, projectID)
	var keys []*storage.HMACKey
	for {
		key, err := iter.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("ListHMACKeys: %v", err)
		}
		fmt.Fprintf(w, "Service Account Email: %s\n", key.ServiceAccountEmail)
		fmt.Fprintf(w, "Access ID: %s\n", key.AccessID)

		keys = append(keys, key)
	}

	return keys, nil
}

A amostra a seguir recupera informações para uma chave HMAC específica:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// getHMACKey retrieves the HMACKeyMetadata with the given access id.
func getHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Get(ctx)
	if err != nil {
		return nil, fmt.Errorf("Get: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)
	return key, nil
}

Java

Para saber mais, consulte a documentação de referência da API Cloud Storage Java .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The ID of the project to which the service account belongs.
// String projectId = "project-id";
Page<HmacKeyMetadata> page = storage.listHmacKeys(ListHmacKeysOption.projectId(projectId));

for (HmacKeyMetadata metadata : page.iterateAll()) {
  System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
  System.out.println("Access ID: " + metadata.getAccessId());
}

A amostra a seguir recupera informações para uma chave HMAC específica:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));

System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

Para saber mais, consulte a documentação de referência da API Cloud Storage Node.js .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// List HMAC SA Keys' Metadata
async function listHmacKeys() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';
  const [hmacKeys] = await storage.getHmacKeys({projectId});

  // hmacKeys is an array of HmacKey objects.
  for (const hmacKey of hmacKeys) {
    console.log(
      `Service Account Email: ${hmacKey.metadata.serviceAccountEmail}`
    );
    console.log(`Access Id: ${hmacKey.metadata.accessId}`);
  }
}

A amostra a seguir recupera informações para uma chave HMAC específica:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Get HMAC SA Key Metadata
async function getHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to get, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  // Populate the hmacKey object with metadata from server.
  await hmacKey.getMetadata();

  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

Para saber mais, consulte a documentação de referência da API Cloud Storage PHP .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

use Google\Cloud\Storage\StorageClient;

/**
 * List HMAC keys.
 *
 * @param string $projectId Google Cloud Project ID.
 *
 */
function list_hmac_keys($projectId)
{
    $storage = new StorageClient();
    // By default hmacKeys will use the projectId used by StorageClient() to list HMAC Keys.
    $hmacKeys = $storage->hmacKeys(['projectId' => $projectId]);

    printf('HMAC Key\'s:' . PHP_EOL);
    foreach ($hmacKeys as $hmacKey) {
        printf('Service Account Email: %s' . PHP_EOL, $hmacKey->info()['serviceAccountEmail']);
        printf('Access Id: %s' . PHP_EOL, $hmacKey->info()['accessId']);
    }
}

A amostra a seguir recupera informações para uma chave HMAC específica:

use Google\Cloud\Storage\StorageClient;

/**
 * Get an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function get_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

Para saber mais, consulte a documentação de referência da API Cloud Storage Python .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

# project_id = 'Your Google Cloud project ID'
storage_client = storage.Client(project=project_id)
hmac_keys = storage_client.list_hmac_keys(project_id=project_id)
print('HMAC Keys:')
for hmac_key in hmac_keys:
    print('Service Account Email: {}'.format(
        hmac_key.service_account_email))
    print('Access ID: {}'.format(hmac_key.access_id))

A amostra a seguir recupera informações para uma chave HMAC específica:

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

Para saber mais, consulte a documentação de referência da API Cloud Storage Ruby .

A amostra a seguir recupera uma lista de chaves HMAC associadas a um projeto:

# project_id = "Your Google Cloud project ID"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_keys = storage.hmac_keys project_id: project_id

puts "HMAC Keys:"
hmac_keys.all do |hmac_key|
  puts "Service Account Email: #{hmac_key.service_account_email}"
  puts "Access ID: #{hmac_key.access_id}"
end

A amostra a seguir recupera informações para uma chave HMAC específica:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

APIs REST

API JSON

  1. Receba um token de acesso de autorização do OAuth 2.0 Playground. Configure o Playground para usar suas credenciais do OAuth.
  2. Use cURL para chamar a API JSON com uma solicitação de LIST hmacKeys, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys"

API XML

A API XML não pode ser usada para receber ou listar chaves HMAC. Use uma das outras ferramentas do Cloud Storage, como o gsutil.

Como atualizar o estado de uma chave HMAC

Para alternar entre uma chave HMAC ativa e inativa:

Console

  1. Abra o navegador do Cloud Storage no Console do Google Cloud Platform.
    Abra o navegador do Cloud Storage
  2. Clique em Configurações.

  3. Selecione a guia Interoperabilidade.

  4. Clique no ícone de lápis associado à chave que você quer atualizar.

  5. Clique no botão mais opções (Ícone mais ações.) associado ao Status da chave.

  6. Selecione o status que quer aplicar à chave.

  7. Na janela de confirmação exibida, confirme que você quer alterar o status da chave.

gsutil

Use o comando hmac update, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

gsutil hmac update -s [STATE] [KEY_ACCESS_ID]

Se for bem-sucedida, a gsutil retornará os metadados atualizados da chave HMAC.

Amostras de código

C++

Para saber mais, consulte a documentação de referência da API Cloud Storage C++ .

A amostra a seguir desativa uma chave HMAC:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id, gcs::HmacKeyMetadata().set_state(
                     gcs::HmacKeyMetadata::state_inactive()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_inactive()) {
    throw std::runtime_error("The HMAC key is active, this is unexpected");
  }
  std::cout << "The HMAC key is now inactive\nFull metadata: "
            << *updated_metadata << "\n";
}

A amostra a seguir ativa uma chave HMAC:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id,
      gcs::HmacKeyMetadata().set_state(gcs::HmacKeyMetadata::state_active()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_active()) {
    throw std::runtime_error(
        "The HMAC key is NOT active, this is unexpected");
  }
  std::cout << "The HMAC key is now active\nFull metadata: "
            << *updated_metadata << "\n";
}

C#

Para saber mais, consulte a documentação de referência da API Cloud Storage C# .

A amostra a seguir desativa uma chave HMAC:

        private void DeactivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Inactive;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now inactive.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

A amostra a seguir ativa uma chave HMAC:

        private void ActivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Active;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now active.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

Go

Para saber mais, consulte a documentação de referência da API Cloud Storage Go .

A amostra a seguir desativa uma chave HMAC:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// deactivateHMACKey deactivates the HMAC key with the given access ID.
func deactivateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "INACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

A amostra a seguir ativa uma chave HMAC:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// activateHMACKey activates the HMAC key with the given access ID.
func activateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "ACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

Para saber mais, consulte a documentação de referência da API Cloud Storage Java .

A amostra a seguir desativa uma chave HMAC:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.INACTIVE);

System.out.println("The HMAC key is now inactive.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

A amostra a seguir ativa uma chave HMAC:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.ACTIVE);

System.out.println("The HMAC key is now active.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

Node.js

Para saber mais, consulte a documentação de referência da API Cloud Storage Node.js .

A amostra a seguir desativa uma chave HMAC:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Deactivate HMAC SA Key
async function deactivateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'INACTIVE'});

  console.log(`The HMAC key is now inactive.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

A amostra a seguir ativa uma chave HMAC:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Activate HMAC SA Key
async function activateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'ACTIVE'});

  console.log(`The HMAC key is now active.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

Para saber mais, consulte a documentação de referência da API Cloud Storage PHP .

A amostra a seguir desativa uma chave HMAC:

use Google\Cloud\Storage\StorageClient;

/**
 * Deactivate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function deactivate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('INACTIVE');

    print('The HMAC key is now inactive.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

A amostra a seguir ativa uma chave HMAC:

use Google\Cloud\Storage\StorageClient;

/**
 * Activate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function activate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('ACTIVE');

    print('The HMAC key is now active.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

Para saber mais, consulte a documentação de referência da API Cloud Storage Python .

A amostra a seguir desativa uma chave HMAC:

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an active HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.state = 'INACTIVE'
hmac_key.update()
print('The HMAC key is now inactive.')
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

A amostra a seguir ativa uma chave HMAC:

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an inactive HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.state = 'ACTIVE'
hmac_key.update()
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

Para saber mais, consulte a documentação de referência da API Cloud Storage Ruby .

A amostra a seguir desativa uma chave HMAC:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.inactive!

puts "The HMAC key is now inactive."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

A amostra a seguir ativa uma chave HMAC:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.active!

puts "The HMAC key is now active."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

APIs REST

API JSON

  1. Receba um token de acesso de autorização do OAuth 2.0 Playground. Configure o Playground para usar suas credenciais do OAuth.
  2. Crie um arquivo .json que contenha as informações a seguir, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

    {
      "metadata": {
          "state": [STATE]
      }
    }
  3. Use cURL para chamar a API JSON com uma solicitação de PUT hmacKeys, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_ID]"

API XML

A API XML não pode ser usada para atualizar chaves HMAC. Use uma das outras ferramentas do Cloud Storage, como o gsutil.

Como excluir uma chave HMAC

Uma chave HMAC precisa estar inativa para poder ser excluída. Para excluir uma chave HMAC inativa:

Console

  1. Abra o navegador do Cloud Storage no Console do Google Cloud Platform.
    Abra o navegador do Cloud Storage
  2. Clique em Configurações.

  3. Selecione a guia Interoperabilidade.

  4. Clique no ícone de lápis associado à chave que você quer atualizar.

  5. Clique no botão mais opções (Ícone mais ações.) associado ao Status da chave.

  6. Selecione Excluir no menu suspenso.

  7. Na caixa de texto exibida, insira o ID da chave de acesso para a chave HMAC, conforme indicado na janela.

  8. Clique em Excluir.

gsutil

Use o comando hmac delete, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

gsutil hmac delete [KEY_ACCESS_ID]

Se for bem-sucedida, a gsutil não retornará nenhuma resposta.

Amostras de código

C++

Para saber mais, consulte a documentação de referência da API Cloud Storage C++ .

namespace gcs = google::cloud::storage;
[](gcs::Client client, std::string access_id) {
  google::cloud::Status status = client.DeleteHmacKey(access_id);

  if (!status.ok()) {
    throw std::runtime_error(status.message());
  }
  std::cout << "The key is deleted, though it may still appear"
            << " in ListHmacKeys() results.\n";
}

C#

Para saber mais, consulte a documentação de referência da API Cloud Storage C# .

        private void DeleteHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            storage.DeleteHmacKey(s_projectId, accessId);

            Console.WriteLine($"Key {accessId} was deleted.");
        }

Go

Para saber mais, consulte a documentação de referência da API Cloud Storage Go .

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// deleteHMACKey deletes the HMAC key with the given access ID. Key must have state
// INACTIVE in order to succeed.
func deleteHMACKey(w io.Writer, accessID string, projectID string) error {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	if err = handle.Delete(ctx); err != nil {
		return fmt.Errorf("Delete: %v", err)
	}

	fmt.Fprintln(w, "The key is deleted, though it may still appear in ListHMACKeys results.")

	return nil
}

Java

Para saber mais, consulte a documentação de referência da API Cloud Storage Java .

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
storage.deleteHmacKey(metadata);

System.out.println(
    "The key is deleted, though it will still appear in getHmacKeys() results given showDeletedKey is true.");

Node.js

Para saber mais, consulte a documentação de referência da API Cloud Storage Node.js .

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Delete HMAC SA Key
async function deleteHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'Inactive HMAC Access Key Id to delete, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  await hmacKey.delete();

  console.log(
    `The key is deleted, though it may still appear in getHmacKeys() results.`
  );
}

PHP

Para saber mais, consulte a documentação de referência da API Cloud Storage PHP .

use Google\Cloud\Storage\StorageClient;

/**
 * Delete an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function delete_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->delete();
    print(
      'The key is deleted, though it may still appear in the results of calls ' .
      'to StorageClient.hmacKeys([\'showDeletedKeys\' => true])' . PHP_EOL
    );
}

Python

Para saber mais, consulte a documentação de referência da API Cloud Storage Python .

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an HMAC key (must be in INACTIVE state)'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.delete()
print('The key is deleted, though it may still appear in list_hmac_keys()'
      ' results.')

Ruby

Para saber mais, consulte a documentação de referência da API Cloud Storage Ruby .

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.delete!

puts "The key is deleted, though it may still appear in Client#hmac_keys results."

APIs REST

API JSON

  1. Receba um token de acesso de autorização do OAuth 2.0 Playground. Configure o Playground para usar suas credenciais do OAuth.
  2. Use cURL para chamar a API JSON com uma solicitação de DELETE hmacKeys, substituindo [VALUES_IN_BRACKETS] pelos valores apropriados:

    curl -X DELETE \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_ID]"

API XML

A API XML não pode ser usada para excluir chaves HMAC. Use uma das outras ferramentas do Cloud Storage, como o gsutil.

A seguir

Esta página foi útil? Conte sua opinião sobre:

Enviar comentários sobre…

Precisa de ajuda? Acesse nossa página de suporte.