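Managing HMAC keys for service accounts

This page shows how to create, deactivate, and delete hash-based message authentication code (HMAC) keys associated with service accounts in your project. For general information, see HMAC keys.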

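Prerequisites

Before using this feature in Cloud Storage, you should:

  1. Have sufficient permission to work with HMAC keys in the relevant project:

    • If you own the project, you most likely have the necessary permissions.

    • You should have the IAM permissions on the project that are prefixed with storage.hmacKeys. See Using IAM permissions for instructions on getting a role that has these permissions, such as roles/storage.hmacKeyAdmin.

  2. Have a service account in your project that you intend to create HMAC keys for. If you do not have one yet, see Creating a service account.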

Creating an HMAC key

To create an HMAC key for a service account:

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser
  2. Click [Settings].

  3. Select the [Interoperability] tab.

  4. Click [+ Create a key for a service account].

  5. Select the service account you want the HMAC key to be associated with.

  6. Click [Create key].

gsutil

Use the hmac create command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil hmac create [SERVICE_ACCOUNT_EMAIL]

If successful, the response looks like the following:

AccessId: GOOGTS7C7FUP3AIRVJTE2BCD
SecretKey: de7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9
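
The `gsutil hmac create` response above is the only time the secret is shown, so it should go straight into protected storage rather than stay in terminal scrollback or logs. The following added example (not part of the original page) parses that two-line response and writes the secret to an owner-only file; the function names, the file layout and the sample values are assumptions made for illustration.

```python
import os

# Constructed sample in the format of the gsutil response shown above;
# both values are made up and are not real credentials.
SAMPLE_OUTPUT = """\
AccessId: GOOGEXAMPLE0000000000AAA
SecretKey: constructed-secret-value-not-a-real-key
"""


def parse_hmac_create_output(text):
    """Return (access_id, secret) from the text printed by `gsutil hmac create`."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    missing = {"AccessId", "SecretKey"} - fields.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    access_id, secret = fields["AccessId"], fields["SecretKey"]
    # The access ID becomes part of a file name below, so reject anything
    # that is not alphanumeric (no path separators, no "..").
    if not access_id.isalnum():
        raise ValueError("unexpected characters in access ID")
    if not secret:
        raise ValueError("empty secret")
    return access_id, secret


def store_hmac_secret(access_id, secret, directory):
    """Write the secret to <directory>/<access_id>.secret with mode 0600."""
    path = os.path.join(directory, access_id + ".secret")
    # O_EXCL refuses to overwrite an existing file, so a secret that has not
    # been backed up elsewhere cannot be clobbered by a second run.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        # Set the mode explicitly so the result does not depend on the umask.
        os.fchmod(handle.fileno(), 0o600)
        handle.write(secret + "\n")
    return path


def record_new_key(gsutil_output, directory):
    """Persist the secret and return only values that are safe to log."""
    access_id, secret = parse_hmac_create_output(gsutil_output)
    path = store_hmac_secret(access_id, secret, directory)
    return {"access_id": access_id, "secret_path": path}
```

A local file is the simplest destination that works offline; the same parse-then-store split applies when the secret goes to a secrets manager instead.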

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string service_account_email) {
  StatusOr<std::pair<gcs::HmacKeyMetadata, std::string>> hmac_key_details =
      client.CreateHmacKey(service_account_email);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The base64 encoded secret is: " << hmac_key_details->second
            << "\nDo not miss that secret, there is no API to recover it."
            << "\nThe HMAC key metadata is: " << hmac_key_details->first
            << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

        private void CreateHmacKey(String serviceAccountEmail)
        {
            var storage = StorageClient.Create();
            var key = storage.CreateHmacKey(s_projectId, serviceAccountEmail);

            var secret = key.Secret;
            var metadata = key.Metadata;

            Console.WriteLine($"The Base64 encoded secret is: {secret}");
            Console.WriteLine("Make sure to save that secret, there's no API to recover it.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// createHMACKey creates a new HMAC key using the given project and service account.
func createHMACKey(w io.Writer, projectID string, serviceAccountEmail string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	key, err := client.CreateHMACKey(ctx, projectID, serviceAccountEmail)
	if err != nil {
		return nil, fmt.Errorf("CreateHMACKey: %v", err)
	}

	fmt.Fprintf(w, "%s\n", key)
	fmt.Fprintf(w, "The base64 encoded secret is %s\n", key.Secret)
	fmt.Fprintln(w, "Do not miss that secret, there is no API to recover it.")
	fmt.Fprintln(w, "The HMAC key metadata is")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The service account email for which the new HMAC key will be created.
// String serviceAccountEmail = "service-account@iam.gserviceaccount.com";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";

ServiceAccount account = ServiceAccount.of(serviceAccountEmail);
HmacKey hmacKey =
    storage.createHmacKey(account, Storage.CreateHmacKeyOption.projectId(projectId));

String secret = hmacKey.getSecretKey();
HmacKeyMetadata metadata = hmacKey.getMetadata();

System.out.println("The Base64 encoded secret is: " + secret);
System.out.println("Do not miss that secret, there is no API to recover it.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Create HMAC SA Key
async function createHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const serviceAccountEmail = 'Service Account Email to associate HMAC Key';
  // const projectId = 'The project Id this service account to be created in, e.g. serviceAccountProjectId';

  const [hmacKey, secret] = await storage.createHmacKey(serviceAccountEmail, {
    projectId,
  });

  console.log(`The base64 encoded secret is: ${secret}`);
  console.log(`Do not miss that secret, there is no API to recover it.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Create a new HMAC key.
 *
 * @param string $serviceAccountEmail Service account email to associate with the new HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function create_hmac_key($serviceAccountEmail, $projectId)
{
    $storage = new StorageClient();
    // By default createHmacKey will use the projectId used by StorageClient().
    $hmacKeyCreated = $storage->createHmacKey($serviceAccountEmail, ['projectId' => $projectId]);

    printf('The base64 encoded secret is: %s' . PHP_EOL, $hmacKeyCreated->secret());
    print('Do not miss that secret, there is no API to recover it.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKeyCreated->hmacKey()->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
# service_account_email = 'Service account used to generate HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key, secret = storage_client.create_hmac_key(
    service_account_email=service_account_email,
    project_id=project_id)
print('The base64 encoded secret is {}'.format(secret))
print('Do not miss that secret, there is no API to recover it.')
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# project_id = "Your Google Cloud project ID"
# service_account_email = "Service account to associate with the generated HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#create_hmac_key uses the Storage client project_id
hmac_key = storage.create_hmac_key service_account_email, project_id: project_id

puts "The base64 encoded secret is: #{hmac_key.secret}"
puts "Do not miss that secret, there is no API to recover it."
puts "\nThe HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

REST API

JSON API

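  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a POST hmacKeys request, replacing [VALUES_IN_BRACKETS] with the appropriate values: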

    curl -X POST \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys?serviceAccountEmail=[SERVICE_ACCOUNT_EMAIL]"

XML API

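The XML API cannot be used to create HMAC keys. Use one of the other Cloud Storage tools, such as gsutil, instead.

Getting HMAC key information

To list the HMAC keys for a project and get information about the keys:

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser
  2. Click [Settings].

  3. Select the [Interoperability] tab.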

gsutil

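  1. Use the hmac list command to list the HMAC keys in your project:

    gsutil hmac list

    If successful, gsutil returns a list of HMAC key access IDs, along with the service account associated with each key.

  2. Use the hmac get command to retrieve the metadata for a specific key:

    gsutil hmac get [KEY_ACCESS_ID]

    Where [KEY_ACCESS_ID] is the access ID of the key.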

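Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project: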

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client) {
  int count = 0;
  gcs::ListHmacKeysReader hmac_keys_list = client.ListHmacKeys();
  for (auto&& hmac_key_metadata : hmac_keys_list) {
    if (!hmac_key_metadata) {
      throw std::runtime_error(hmac_key_metadata.status().message());
    }
    std::cout << "service_account_email = "
              << hmac_key_metadata->service_account_email()
              << "\naccess_id = " << hmac_key_metadata->access_id() << "\n";
    ++count;
  }
  if (count == 0) {
    std::cout << "No HMAC keys in default project\n";
  }
}

The following sample retrieves information for a specific HMAC key:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> hmac_key_details =
      client.GetHmacKey(access_id);

  if (!hmac_key_details) {
    throw std::runtime_error(hmac_key_details.status().message());
  }
  std::cout << "The HMAC key metadata is: " << *hmac_key_details << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

        private void ListHmacKeys()
        {
            var storage = StorageClient.Create();
            var keys = storage.ListHmacKeys(s_projectId);

            foreach (var metadata in keys)
            {
                Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
                Console.WriteLine($"Access ID: {metadata.AccessId}");
            }
        }

The following sample retrieves information for a specific HMAC key:

        private void GetHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);

            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {metadata.Id}");
            Console.WriteLine($"Access ID: {metadata.AccessId}");
            Console.WriteLine($"Project ID: {metadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {metadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {metadata.State}");
            Console.WriteLine($"Time Created: {metadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {metadata.Updated}");
            Console.WriteLine($"ETag: {metadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"google.golang.org/api/iterator"
	"io"
)

// listHMACKeys lists all HMAC keys associated with the project.
func listHMACKeys(w io.Writer, projectID string) ([]*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	iter := client.ListHMACKeys(ctx, projectID)
	var keys []*storage.HMACKey
	for {
		key, err := iter.Next()
		if err == iterator.Done {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("ListHMACKeys: %v", err)
		}
		fmt.Fprintf(w, "Service Account Email: %s\n", key.ServiceAccountEmail)
		fmt.Fprintf(w, "Access ID: %s\n", key.AccessID)

		keys = append(keys, key)
	}

	return keys, nil
}

The following sample retrieves information for a specific HMAC key:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// getHMACKey retrieves the HMACKeyMetadata with the given access id.
func getHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Get(ctx)
	if err != nil {
		return nil, fmt.Errorf("Get: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)
	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The ID of the project to which the service account belongs.
// String projectId = "project-id";
Page<HmacKeyMetadata> page = storage.listHmacKeys(ListHmacKeysOption.projectId(projectId));

for (HmacKeyMetadata metadata : page.iterateAll()) {
  System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
  System.out.println("Access ID: " + metadata.getAccessId());
}

The following sample retrieves information for a specific HMAC key:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));

System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + metadata.getId());
System.out.println("Access ID: " + metadata.getAccessId());
System.out.println("Project ID: " + metadata.getProjectId());
System.out.println("Service Account Email: " + metadata.getServiceAccount().getEmail());
System.out.println("State: " + metadata.getState().toString());
System.out.println("Time Created: " + new Date(metadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(metadata.getUpdateTime()).toString());
System.out.println("ETag: " + metadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// List HMAC SA Keys' Metadata
async function listHmacKeys() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';
  const [hmacKeys] = await storage.getHmacKeys({projectId});

  // hmacKeys is an array of HmacKey objects.
  for (const hmacKey of hmacKeys) {
    console.log(
      `Service Account Email: ${hmacKey.metadata.serviceAccountEmail}`
    );
    console.log(`Access Id: ${hmacKey.metadata.accessId}`);
  }
}

The following sample retrieves information for a specific HMAC key:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Get HMAC SA Key Metadata
async function getHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to get, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  // Populate the hmacKey object with metadata from server.
  await hmacKey.getMetadata();

  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKey.metadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

use Google\Cloud\Storage\StorageClient;

/**
 * List HMAC keys.
 *
 * @param string $projectId Google Cloud Project ID.
 *
 */
function list_hmac_keys($projectId)
{
    $storage = new StorageClient();
    // By default hmacKeys will use the projectId used by StorageClient() to list HMAC Keys.
    $hmacKeys = $storage->hmacKeys(['projectId' => $projectId]);

    printf('HMAC Key\'s:' . PHP_EOL);
    foreach ($hmacKeys as $hmacKey) {
        printf('Service Account Email: %s' . PHP_EOL, $hmacKey->info()['serviceAccountEmail']);
        printf('Access Id: %s' . PHP_EOL, $hmacKey->info()['accessId']);
    }
}

The following sample retrieves information for a specific HMAC key:

use Google\Cloud\Storage\StorageClient;

/**
 * Get an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function get_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
storage_client = storage.Client(project=project_id)
hmac_keys = storage_client.list_hmac_keys(project_id=project_id)
print('HMAC Keys:')
for hmac_key in hmac_keys:
    print('Service Account Email: {}'.format(
        hmac_key.service_account_email))
    print('Access ID: {}'.format(hmac_key.access_id))

The following sample retrieves information for a specific HMAC key:

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

The following sample retrieves a list of HMAC keys associated with a project:

# project_id = "Your Google Cloud project ID"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_keys = storage.hmac_keys project_id: project_id

puts "HMAC Keys:"
hmac_keys.all do |hmac_key|
  puts "Service Account Email: #{hmac_key.service_account_email}"
  puts "Access ID: #{hmac_key.access_id}"
end

The following sample retrieves information for a specific HMAC key:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

REST API

JSON API

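  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a LIST hmacKeys request, replacing [VALUES_IN_BRACKETS] with the appropriate values: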

    curl -X GET \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys"

XML API

The XML API cannot be used to get or list HMAC keys. Use one of the other Cloud Storage tools, such as gsutil, instead.
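
The list call in this section returns one metadata record per key, which is enough to audit key hygiene without ever touching a secret. The following added example (not from the original page) reads such a response and flags active keys past a rotation age, inactive keys that were never deleted, and service accounts holding more than one active key; the thresholds, the finding labels and the sample records are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed local policy values; adjust to your own rotation standard.
MAX_ACTIVE_AGE = timedelta(days=90)
MAX_INACTIVE_AGE = timedelta(days=30)

# Constructed sample shaped like an hmacKeys list response. Field names follow
# the metadata fields printed by the samples on this page; all values are made up.
SAMPLE_LIST_RESPONSE = """
{"items": [
  {"accessId": "GOOGEXAMPLE0000000000AAA", "state": "ACTIVE",
   "serviceAccountEmail": "backup@example-project.iam.gserviceaccount.com",
   "timeCreated": "2019-01-10T08:00:00.000Z", "updated": "2019-01-10T08:00:00.000Z"},
  {"accessId": "GOOGEXAMPLE0000000000BBB", "state": "ACTIVE",
   "serviceAccountEmail": "backup@example-project.iam.gserviceaccount.com",
   "timeCreated": "2019-08-20T08:00:00.000Z", "updated": "2019-08-20T08:00:00.000Z"},
  {"accessId": "GOOGEXAMPLE0000000000CCC", "state": "INACTIVE",
   "serviceAccountEmail": "report@example-project.iam.gserviceaccount.com",
   "timeCreated": "2019-02-01T08:00:00.000Z", "updated": "2019-06-01T08:00:00.000Z"},
  {"accessId": "GOOGEXAMPLE0000000000DDD", "state": "ACTIVE",
   "serviceAccountEmail": "report@example-project.iam.gserviceaccount.com",
   "timeCreated": "2019-08-01T08:00:00.000Z", "updated": "2019-08-01T08:00:00.000Z"}
]}
"""


def _parse_timestamp(value):
    """Parse an RFC 3339 UTC timestamp such as 2019-01-10T08:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_hmac_keys(list_response_json, now):
    """Return a list of (access_id, reason) findings for the listed keys."""
    items = json.loads(list_response_json).get("items", [])
    findings = []
    active_by_account = defaultdict(list)

    for key in items:
        access_id = key["accessId"]
        state = key["state"]
        if state == "ACTIVE":
            active_by_account[key["serviceAccountEmail"]].append(access_id)
            if now - _parse_timestamp(key["timeCreated"]) > MAX_ACTIVE_AGE:
                findings.append((access_id, "active-key-past-rotation-age"))
        elif state == "INACTIVE":
            # "updated" changes when the state is switched, so it approximates
            # how long the key has been sitting deactivated.
            if now - _parse_timestamp(key["updated"]) > MAX_INACTIVE_AGE:
                findings.append((access_id, "inactive-key-not-deleted"))
        # Any other state is ignored.

    # Two active keys are expected briefly during a rotation; an overlap that
    # persists means the old key was never deactivated.
    for access_ids in active_by_account.values():
        if len(access_ids) > 1:
            for access_id in sorted(access_ids):
                findings.append((access_id, "multiple-active-keys"))
    return findings


if __name__ == "__main__":
    for finding in audit_hmac_keys(SAMPLE_LIST_RESPONSE, datetime.now(timezone.utc)):
        print(finding)
```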

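Updating the state of an HMAC key

To switch an HMAC key between the active and inactive states:

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser
  2. Click [Settings].

  3. Select the [Interoperability] tab.

  4. Click the pencil icon associated with the key you want to update.

  5. Click the more options button (the more actions icon) associated with the key's State.

  6. Select the state you want to apply to the key.

  7. In the confirmation window that appears, confirm that you want to change the state of the key.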

gsutil

Use the hmac update command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil hmac update -s [STATE] [KEY_ACCESS_ID]

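If successful, gsutil returns the updated metadata of the HMAC key.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

The following sample deactivates an HMAC key: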

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id, gcs::HmacKeyMetadata().set_state(
                     gcs::HmacKeyMetadata::state_inactive()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_inactive()) {
    throw std::runtime_error("The HMAC key is active, this is unexpected");
  }
  std::cout << "The HMAC key is now inactive\nFull metadata: "
            << *updated_metadata << "\n";
}

The following sample activates an HMAC key:

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string access_id) {
  StatusOr<gcs::HmacKeyMetadata> updated_metadata = client.UpdateHmacKey(
      access_id,
      gcs::HmacKeyMetadata().set_state(gcs::HmacKeyMetadata::state_active()));

  if (!updated_metadata) {
    throw std::runtime_error(updated_metadata.status().message());
  }
  if (updated_metadata->state() != gcs::HmacKeyMetadata::state_active()) {
    throw std::runtime_error(
        "The HMAC key is NOT active, this is unexpected");
  }
  std::cout << "The HMAC key is now active\nFull metadata: "
            << *updated_metadata << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

The following sample deactivates an HMAC key:

        private void DeactivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Inactive;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now inactive.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

The following sample activates an HMAC key:

        private void ActivateHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            var metadata = storage.GetHmacKey(s_projectId, accessId);
            metadata.State = HmacKeyStates.Active;
            var updatedMetadata = storage.UpdateHmacKey(metadata);

            Console.WriteLine("The HMAC key is now active.");
            Console.WriteLine("The HMAC key metadata is:");
            Console.WriteLine($"ID: {updatedMetadata.Id}");
            Console.WriteLine($"Access ID: {updatedMetadata.AccessId}");
            Console.WriteLine($"Project ID: {updatedMetadata.ProjectId}");
            Console.WriteLine($"Service Account Email: {updatedMetadata.ServiceAccountEmail}");
            Console.WriteLine($"State: {updatedMetadata.State}");
            Console.WriteLine($"Time Created: {updatedMetadata.TimeCreated}");
            Console.WriteLine($"Time Updated: {updatedMetadata.Updated}");
            Console.WriteLine($"ETag: {updatedMetadata.ETag}");
        }

Go

For more information, see the Cloud Storage Go API reference documentation.

The following sample deactivates an HMAC key:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// deactivateHMACKey deactivates the HMAC key with the given access ID.
func deactivateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "INACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

The following sample activates an HMAC key:

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// activateHMACKey activates the HMAC key with the given access ID.
func activateHMACKey(w io.Writer, accessID string, projectID string) (*storage.HMACKey, error) {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	key, err := handle.Update(ctx, storage.HMACKeyAttrsToUpdate{State: "ACTIVE"})
	if err != nil {
		return nil, fmt.Errorf("Update: %v", err)
	}

	fmt.Fprintln(w, "The HMAC key metadata is:")
	fmt.Fprintf(w, "%+v", key)

	return key, nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

The following sample deactivates an HMAC key:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.INACTIVE);

System.out.println("The HMAC key is now inactive.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

The following sample activates an HMAC key:

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
HmacKeyMetadata newMetadata = storage.updateHmacKeyState(metadata, HmacKeyState.ACTIVE);

System.out.println("The HMAC key is now active.");
System.out.println("The HMAC key metadata is:");
System.out.println("ID: " + newMetadata.getId());
System.out.println("Access ID: " + newMetadata.getAccessId());
System.out.println("Project ID: " + newMetadata.getProjectId());
System.out.println("Service Account Email: " + newMetadata.getServiceAccount().getEmail());
System.out.println("State: " + newMetadata.getState().toString());
System.out.println("Time Created: " + new Date(newMetadata.getCreateTime()).toString());
System.out.println("Time Updated: " + new Date(newMetadata.getUpdateTime()).toString());
System.out.println("ETag: " + newMetadata.getEtag());

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

The following sample deactivates an HMAC key:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Deactivate HMAC SA Key
async function deactivateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'INACTIVE'});

  console.log(`The HMAC key is now inactive.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

The following sample activates an HMAC key:

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Activate HMAC SA Key
async function activateHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'HMAC Access Key Id to update, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  const [hmacKeyMetadata] = await hmacKey.setMetadata({state: 'ACTIVE'});

  console.log(`The HMAC key is now active.`);
  console.log(`The HMAC key metadata is:`);
  for (const [key, value] of Object.entries(hmacKeyMetadata)) {
    console.log(`${key}: ${value}`);
  }
}

PHP

For more information, see the Cloud Storage PHP API reference documentation.

The following sample deactivates an HMAC key:

use Google\Cloud\Storage\StorageClient;

/**
 * Deactivate an HMAC key.
 *
 * @param string $accessId Access ID for an active HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function deactivate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('INACTIVE');

    print('The HMAC key is now inactive.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

The following sample activates an HMAC key:

use Google\Cloud\Storage\StorageClient;

/**
 * Activate an HMAC key.
 *
 * @param string $accessId Access ID for an inactive HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function activate_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->update('ACTIVE');

    print('The HMAC key is now active.' . PHP_EOL);
    printf('HMAC key Metadata: %s' . PHP_EOL, print_r($hmacKey->info(), true));
}

Python

For more information, see the Cloud Storage Python API reference documentation.

The following sample deactivates an HMAC key:

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an active HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.state = 'INACTIVE'
hmac_key.update()
print('The HMAC key is now inactive.')
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

The following sample activates an HMAC key:

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an inactive HMAC key'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.state = 'ACTIVE'
hmac_key.update()
print('The HMAC key metadata is:')
print('Service Account Email: {}'.format(hmac_key.service_account_email))
print('Key ID: {}'.format(hmac_key.id))
print('Access ID: {}'.format(hmac_key.access_id))
print('Project ID: {}'.format(hmac_key.project))
print('State: {}'.format(hmac_key.state))
print('Created At: {}'.format(hmac_key.time_created))
print('Updated At: {}'.format(hmac_key.updated))
print('Etag: {}'.format(hmac_key.etag))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

The following sample deactivates an HMAC key:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an active HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.inactive!

puts "The HMAC key is now inactive."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

The following sample activates an HMAC key:

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.active!

puts "The HMAC key is now active."
puts "The HMAC key metadata is:"
puts "Key ID:                #{hmac_key.id}"
puts "Service Account Email: #{hmac_key.service_account_email}"
puts "Access ID:             #{hmac_key.access_id}"
puts "Project ID:            #{hmac_key.project_id}"
puts "Active:                #{hmac_key.active?}"
puts "Created At:            #{hmac_key.created_at}"
puts "Updated At:            #{hmac_key.updated_at}"
puts "Etag:                  #{hmac_key.etag}"

REST API

JSON API

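  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values: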

    {
      "metadata": {
          "state": [STATE]
      }
    }
  3. Use cURL to call the JSON API with a PUT hmacKeys request, replacing [VALUES_IN_BRACKETS] with the appropriate values:

    curl -X PUT --data-binary @[JSON_FILE_NAME].json \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      -H "Content-Type: application/json" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_ID]"

XML API

The XML API cannot be used to update HMAC keys. Use one of the other Cloud Storage tools instead, such as gsutil.

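Deleting an HMAC key

An HMAC key must be in the inactive state before it can be deleted. To delete an inactive HMAC key:

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
  2. Click [Settings].

  3. Select the [Interoperability] tab.

  4. Click the pencil icon associated with the key you want to update.

  5. Click the more options button associated with the key's Status.

  6. Select [Delete] from the drop-down menu.

  7. In the text box that appears, enter the HMAC key's access key ID, as shown in the window.

  8. Click [Delete].

gsutil

Use the hmac delete command, replacing [VALUES_IN_BRACKETS] with the appropriate values: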

gsutil hmac delete [KEY_ACCESS_ID]

If the command succeeds, gsutil returns no response.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation.

namespace gcs = google::cloud::storage;
[](gcs::Client client, std::string access_id) {
  google::cloud::Status status = client.DeleteHmacKey(access_id);

  if (!status.ok()) {
    throw std::runtime_error(status.message());
  }
  std::cout << "The key is deleted, though it may still appear"
            << " in ListHmacKeys() results.\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation.

        private void DeleteHmacKey(String accessId)
        {
            var storage = StorageClient.Create();
            storage.DeleteHmacKey(s_projectId, accessId);

            Console.WriteLine($"Key {accessId} was deleted.");
        }

Go

For more information, see the Cloud Storage Go API reference documentation.

import (
	"cloud.google.com/go/storage"
	"context"
	"fmt"
	"io"
)

// deleteHMACKey deletes the HMAC key with the given access ID. Key must have state
// INACTIVE in order to succeed.
func deleteHMACKey(w io.Writer, accessID string, projectID string) error {
	ctx := context.Background()

	// Initialize client.
	client, err := storage.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %v", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	handle := client.HMACKeyHandle(projectID, accessID)
	if err = handle.Delete(ctx); err != nil {
		return fmt.Errorf("Delete: %v", err)
	}

	fmt.Fprintln(w, "The key is deleted, though it may still appear in ListHMACKeys results.")

	return nil
}

Java

For more information, see the Cloud Storage Java API reference documentation.

// Instantiate a Google Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// The access ID of the HMAC key, e.g. "GOOG0234230X00"
// String accessId = "GOOG0234230X00";
//
// The ID of the project to which the service account belongs.
// String projectId = "project-id";
HmacKeyMetadata metadata =
    storage.getHmacKey(accessId, Storage.GetHmacKeyOption.projectId(projectId));
storage.deleteHmacKey(metadata);

System.out.println(
    "The key is deleted, though it will still appear in getHmacKeys() results given showDeletedKey is true.");

Node.js

For more information, see the Cloud Storage Node.js API reference documentation.

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

// Delete HMAC SA Key
async function deleteHmacKey() {
  /**
   * TODO(developer): Uncomment the following line before running the sample.
   */
  // const hmacKeyAccessId = 'Inactive HMAC Access Key Id to delete, e.g. GOOG0234230X00';
  // const projectId = 'The project Id this service account belongs to, e.g. serviceAccountProjectId';

  const hmacKey = storage.hmacKey(hmacKeyAccessId, {projectId});
  await hmacKey.delete();

  console.log(
    `The key is deleted, though it may still appear in getHmacKeys() results.`
  );
}

PHP

For more information, see the Cloud Storage PHP API reference documentation.

use Google\Cloud\Storage\StorageClient;

/**
 * Delete an HMAC key.
 *
 * @param string $accessId Access ID for an HMAC key.
 * @param string $projectId Google Cloud Project ID.
 *
 */
function delete_hmac_key($accessId, $projectId)
{
    $storage = new StorageClient();
    // By default hmacKey will use the projectId used by StorageClient().
    $hmacKey = $storage->hmacKey($accessId, $projectId);

    $hmacKey->delete();
    print(
      'The key is deleted, though it may still appear in the results of calls ' .
      'to StorageClient.hmacKeys([\'showDeletedKeys\' => true])' . PHP_EOL
    );
}

Python

For more information, see the Cloud Storage Python API reference documentation.

from google.cloud import storage

# project_id = 'Your Google Cloud project ID'
# access_id = 'ID of an HMAC key (must be in INACTIVE state)'
storage_client = storage.Client(project=project_id)
hmac_key = storage_client.get_hmac_key_metadata(
    access_id,
    project_id=project_id)
hmac_key.delete()
print('The key is deleted, though it may still appear in list_hmac_keys()'
      ' results.')
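
The rule that a key must be inactive before it can be deleted, worked through as an added example (not part of the original documentation or the client library). `FakeHmacKey`, `retire_hmac_key` and `usable_keys` are hypothetical names; `FakeHmacKey` is a constructed offline stand-in for the object returned by `get_hmac_key_metadata()` and models only `state`, `update()` and `delete()`.

```python
# Added example: retire an HMAC key in the order this page requires
# (ACTIVE -> INACTIVE -> DELETED). FakeHmacKey is a constructed stand-in so
# the flow runs offline; it is an assumption, not the library's own class.


class FakeHmacKey:
    """Models only state, update() and delete(), as used in the samples above."""

    def __init__(self, access_id, state):
        self.access_id = access_id
        self.state = state           # local value, sent by update()
        self._remote_state = state   # what the service currently holds

    def update(self):
        if self._remote_state == "DELETED":
            raise RuntimeError("cannot update a deleted key")
        self._remote_state = self.state

    def delete(self):
        # Rule stated on this page: only an INACTIVE key can be deleted.
        if self._remote_state != "INACTIVE":
            raise RuntimeError("key must be INACTIVE before it can be deleted")
        self._remote_state = self.state = "DELETED"


def retire_hmac_key(hmac_key):
    """Deactivate the key if needed, then delete it. Returns the steps taken."""
    steps = []
    if hmac_key.state == "DELETED":
        return steps                 # already deleted; nothing to do
    if hmac_key.state == "ACTIVE":
        hmac_key.state = "INACTIVE"
        hmac_key.update()            # push the INACTIVE state to the service
        steps.append("deactivated")
    elif hmac_key.state != "INACTIVE":
        raise ValueError("unexpected state: {!r}".format(hmac_key.state))
    hmac_key.delete()
    steps.append("deleted")
    return steps


def usable_keys(keys):
    """Drop DELETED entries, which listings may still return after deletion."""
    return [k.access_id for k in keys if k.state != "DELETED"]
```

Calling `delete()` directly on an `ACTIVE` key raises in this model, which is the failure the deactivate-first ordering avoids.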

Ruby

For more information, see the Cloud Storage Ruby API reference documentation.

# project_id = "Your Google Cloud project ID"
# access_id = "ID of an inactive HMAC key"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id

# By default Storage#hmac_keys uses the Storage client project_id
hmac_key = storage.hmac_key access_id, project_id: project_id

hmac_key.delete!

puts "The key is deleted, though it may still appear in Client#hmac_keys results."

REST API

JSON API

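  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
  2. Use cURL to call the JSON API with a DELETE hmacKeys request, replacing [VALUES_IN_BRACKETS] with the appropriate values: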

    curl -X DELETE \
      -H "Authorization: Bearer [OAUTH2_TOKEN]" \
      "https://www.googleapis.com/storage/v1/projects/[PROJECT_ID]/hmacKeys/[ACCESS_ID]"

XML API

The XML API cannot be used to delete HMAC keys. Use one of the other Cloud Storage tools instead, such as gsutil.
