上传使用指定的客户管理的加密密钥(CMEK,即 Cloud KMS 密钥)加密的对象。
深入探索
如需查看包含此代码示例的详细文档,请参阅以下内容:
代码示例
C++
如需了解详情,请参阅 Cloud Storage C++ API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
namespace gcs = ::google::cloud::storage;
using ::google::cloud::StatusOr;
// Writes a ten-line text object to bucket_name/object_name, handing
// kms_key_name to the upload through gcs::KmsKeyName. If the metadata returned
// after closing the stream holds an error, that Status is thrown.
[](gcs::Client client, std::string const& bucket_name,
   std::string const& object_name, std::string const& kms_key_name) {
  gcs::ObjectWriteStream writer = client.WriteObject(
      bucket_name, object_name, gcs::KmsKeyName(kms_key_name));

  // Ten numbered lines; numbering starts at 1.
  int line = 1;
  while (line <= 10) {
    writer << line << ": placeholder text for CMEK example.\n";
    ++line;
  }

  // The stream is closed before its metadata (or error status) is read.
  writer.Close();
  StatusOr<gcs::ObjectMetadata> result = std::move(writer).metadata();
  if (!result.ok()) throw std::move(result).status();

  // NOTE(review): the full metadata dump presumably includes the KMS key the
  // service recorded for the object; compare it with kms_key_name -- confirm.
  gcs::ObjectMetadata const& uploaded = *result;
  std::cout << "Successfully wrote to object " << uploaded.name()
            << " its size is: " << uploaded.size()
            << "\nFull metadata: " << uploaded << "\n";
}
C#
如需了解详情,请参阅 Cloud Storage C# API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
using Google.Cloud.Storage.V1;
using System;
using System.IO;
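public class UploadFileWithKmsKeySample
{
    /// <summary>
    /// Uploads a local file to a bucket and passes a Cloud KMS key name with the upload
    /// so that the object is encrypted with that key.
    /// </summary>
    /// <param name="projectId">Project that owns the KMS key.</param>
    /// <param name="bucketName">Destination bucket.</param>
    /// <param name="keyLocation">Location of the KMS key ring.</param>
    /// <param name="kmsKeyRing">Key ring that holds the key.</param>
    /// <param name="kmsKeyName">Short name of the key inside the key ring.</param>
    /// <param name="localPath">Path of the local file to upload.</param>
    /// <param name="objectName">Name of the object to create.</param>
    public void UploadFileWithKmsKey(
        string projectId = "your-project-id",
        string bucketName = "your-unique-bucket-name",
        string keyLocation = "us-west1",
        string kmsKeyRing = "kms-key-ring",
        string kmsKeyName = "key-name",
        string localPath = "my-local-path/my-file-name",
        string objectName = "my-file-name")
    {
        // KMS Key identifier of an already created KMS key.
        // If you use the Google.Cloud.Kms.V1 library, you can construct these names using helper class CryptoKeyName.
        // var fullKeyName = new CryptoKeyName(projectId, keyLocation, kmsKeyRing, kmsKeyName).ToString();
        //
        // The parts are interpolated unchanged: a part that contains '/' would name a
        // different resource than intended, so take them from trusted configuration.
        string keyPrefix = $"projects/{projectId}/locations/{keyLocation}";
        string fullKeyringName = $"{keyPrefix}/keyRings/{kmsKeyRing}";
        string fullKeyName = $"{fullKeyringName}/cryptoKeys/{kmsKeyName}";

        // StorageClient is IDisposable; dispose it together with the file stream
        // instead of leaving the client open after the upload.
        using var storage = StorageClient.Create();
        using var fileStream = File.OpenRead(localPath);

        // The third argument is the content type; none is supplied here.
        storage.UploadObject(bucketName, objectName, null, fileStream, new UploadObjectOptions { KmsKeyName = fullKeyName });
        Console.WriteLine($"Uploaded {objectName}.");
    }
}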
Go
如需了解详情,请参阅 Cloud Storage Go API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import (
"context"
"fmt"
"io"
"time"
"cloud.google.com/go/storage"
)
// uploadWithKMSKey uploads a short payload to bucket/object with keyName set
// as the writer's Cloud KMS key, then writes a confirmation line to w.
func uploadWithKMSKey(w io.Writer, bucket, object, keyName string) error {
	// Example arguments:
	//   bucket  := "bucket-name"
	//   object  := "object-name"
	//   keyName := "projects/projectId/locations/global/keyRings/keyRingID/cryptoKeys/cryptoKeyID"
	baseCtx := context.Background()
	client, err := storage.NewClient(baseCtx)
	if err != nil {
		return fmt.Errorf("storage.NewClient: %w", err)
	}
	defer client.Close()

	// The upload itself runs under a 50 second deadline.
	ctx, cancel := context.WithTimeout(baseCtx, 50*time.Second)
	defer cancel()

	// Optional precondition: DoesNotExist makes the request fail instead of
	// overwriting an object that appeared in the meantime, which guards
	// against races and data corruption.
	//
	// When the live object already exists, use a generation-match
	// precondition built from its current generation instead:
	//   attrs, err := target.Attrs(ctx)
	//   if err != nil {
	//       return fmt.Errorf("object.Attrs: %w", err)
	//   }
	//   target = target.If(storage.Conditions{GenerationMatch: attrs.Generation})
	target := client.Bucket(bucket).Object(object).If(storage.Conditions{DoesNotExist: true})

	// Setting KMSKeyName on the writer encrypts the object's contents.
	writer := target.NewWriter(ctx)
	writer.KMSKeyName = keyName

	_, err = writer.Write([]byte("top secret"))
	if err != nil {
		return fmt.Errorf("Writer.Write: %w", err)
	}
	err = writer.Close()
	if err != nil {
		return fmt.Errorf("Writer.Close: %w", err)
	}

	fmt.Fprintf(w, "Uploaded blob %v with KMS key.\n", object)
	return nil
}
Java
如需了解详情,请参阅 Cloud Storage Java API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
import static java.nio.charset.StandardCharsets.UTF_8;

import com.google.cloud.storage.Blob;
import com.google.cloud.storage.BlobId;
import com.google.cloud.storage.BlobInfo;
import com.google.cloud.storage.Storage;
import com.google.cloud.storage.StorageOptions;
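public class UploadKmsEncryptedObject {
  /**
   * Uploads a small text object and passes the given Cloud KMS key name with the request so that
   * the object is encrypted with that key.
   *
   * @param projectId the ID of your GCP project
   * @param bucketName the ID of your GCS bucket
   * @param objectName the ID of your GCS object
   * @param kmsKeyName the name of the KMS key to encrypt with
   */
  public static void uploadKmsEncryptedObject(
      String projectId, String bucketName, String objectName, String kmsKeyName) {
    // The ID of your GCP project
    // String projectId = "your-project-id";

    // The ID of your GCS bucket
    // String bucketName = "your-unique-bucket-name";

    // The ID of your GCS object
    // String objectName = "your-object-name";

    // The name of the KMS key to encrypt with
    // String kmsKeyName = "projects/my-project/locations/us/keyRings/my_key_ring/cryptoKeys/my_key"

    Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
    byte[] data = "Hello, World!".getBytes(UTF_8);

    BlobId blobId = BlobId.of(bucketName, objectName);
    BlobInfo blobInfo = BlobInfo.newBuilder(blobId).setContentType("text/plain").build();

    // Optional: set a generation-match precondition to avoid potential race
    // conditions and data corruptions. The request returns a 412 error if the
    // preconditions are not met.
    //
    // The destination is looked up once and the result reused. Looking it up a second time
    // could return null if the object is deleted in between (NullPointerException), and it
    // costs an extra request.
    Blob existing = storage.get(bucketName, objectName);
    Storage.BlobTargetOption precondition;
    if (existing == null) {
      // For a target object that does not yet exist, set the DoesNotExist precondition.
      // This will cause the request to fail if the object is created before the request runs.
      precondition = Storage.BlobTargetOption.doesNotExist();
    } else {
      // If the destination already exists in your bucket, instead set a generation-match
      // precondition. This will cause the request to fail if the existing object's generation
      // changes before the request runs.
      precondition = Storage.BlobTargetOption.generationMatch(existing.getGeneration());
    }

    storage.create(blobInfo, data, Storage.BlobTargetOption.kmsKeyName(kmsKeyName), precondition);

    System.out.println(
        "Uploaded object "
            + objectName
            + " in bucket "
            + bucketName
            + " encrypted with "
            + kmsKeyName);
  }
}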
Node.js
如需了解详情,请参阅 Cloud Storage Node.js API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
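/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// The ID of your GCS bucket
// const bucketName = 'your-unique-bucket-name';

// The path to your file to upload
// const filePath = 'path/to/your/file';

// The name of the KMS-key
// NOTE(review): Cloud KMS keys are usually referenced by full resource name
// (projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>);
// confirm whether the short form below is accepted.
// const kmsKeyName = 'my-key';

// The generation-match precondition for the upload: 0 when the destination
// object does not yet exist, otherwise the object's current generation number.
// uploadFileWithKmsKey() reads this name, so it has to be defined as well.
// const generationMatchPrecondition = 0;

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * Uploads filePath to bucketName, passing kmsKeyName and a generation-match
 * precondition as upload options. Reads bucketName, filePath, kmsKeyName and
 * generationMatchPrecondition from the enclosing scope.
 */
async function uploadFileWithKmsKey() {
  const options = {
    kmsKeyName,
    // Optional:
    // Set a generation-match precondition to avoid potential race conditions
    // and data corruptions. The request to upload is aborted if the object's
    // generation number does not match your precondition. For a destination
    // object that does not yet exist, set the ifGenerationMatch precondition to 0
    // If the destination object already exists in your bucket, set instead a
    // generation-match precondition using its generation number.
    preconditionOpts: {ifGenerationMatch: generationMatchPrecondition},
  };

  await storage.bucket(bucketName).upload(filePath, options);

  console.log(`${filePath} uploaded to ${bucketName} using ${kmsKeyName}.`);
}

// Failures of the upload are logged instead of being left as an unhandled rejection.
uploadFileWithKmsKey().catch(console.error);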
PHP
如需了解详情,请参阅 Cloud Storage PHP API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
use Google\Cloud\Storage\StorageClient;
/**
 * Upload a local file to a bucket, naming the KMS key to encrypt it with.
 *
 * @param string $bucketName The name of your Cloud Storage bucket.
 *        (e.g. 'my-bucket')
 * @param string $objectName The name of your Cloud Storage object.
 *        (e.g. 'my-object')
 * @param string $source The path to the file to upload.
 *        (e.g. '/path/to/your/file')
 * @param string $kmsKeyName The KMS key used to encrypt objects server side.
 *        Key names are provided in the following format:
 *        `projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>`.
 *
 * @throws \InvalidArgumentException If $source cannot be opened for reading.
 */
function upload_with_kms_key(string $bucketName, string $objectName, string $source, string $kmsKeyName): void
{
    $client = new StorageClient();

    // Open the source first so an unreadable path fails before any upload call.
    $handle = fopen($source, 'r');
    if (!$handle) {
        throw new \InvalidArgumentException('Unable to open file for reading');
    }

    // 'destinationKmsKeyName' carries the key name to the upload request.
    $uploadOptions = [
        'name' => $objectName,
        'destinationKmsKeyName' => $kmsKeyName,
    ];
    $client->bucket($bucketName)->upload($handle, $uploadOptions);

    printf(
        'Uploaded %s to gs://%s/%s using encryption key %s' . PHP_EOL,
        basename($source),
        $bucketName,
        $objectName,
        $kmsKeyName
    );
}
Python
如需了解详情,请参阅 Cloud Storage Python API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
from google.cloud import storage
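def upload_blob_with_kms(
    bucket_name, source_file_name, destination_blob_name, kms_key_name,
):
    """Uploads a file to the bucket, encrypting it with the given KMS key.

    Args:
        bucket_name: Name of the destination bucket.
        source_file_name: Path of the local file to upload.
        destination_blob_name: Name of the object to create.
        kms_key_name: Resource name of the Cloud KMS key, passed to the blob
            unchanged.
    """
    # bucket_name = "your-bucket-name"
    # source_file_name = "local/path/to/file"
    # destination_blob_name = "storage-object-name"
    # The key path segment is "cryptoKeys" (plural); a name written with
    # "cryptoKey" does not identify a key.
    # kms_key_name = "projects/PROJ/locations/LOC/keyRings/RING/cryptoKeys/KEY"

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)
    blob = bucket.blob(destination_blob_name, kms_key_name=kms_key_name)

    # Optional: set a generation-match precondition to avoid potential race conditions
    # and data corruptions. The request to upload is aborted if the object's
    # generation number does not match your precondition. For a destination
    # object that does not yet exist, set the if_generation_match precondition to 0.
    # If the destination object already exists in your bucket, set instead a
    # generation-match precondition using its generation number.
    generation_match_precondition = 0

    blob.upload_from_filename(source_file_name, if_generation_match=generation_match_precondition)

    print(
        "File {} uploaded to {} with encryption key {}.".format(
            source_file_name, destination_blob_name, kms_key_name
        )
    )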
Ruby
如需了解详情,请参阅 Cloud Storage Ruby API 参考文档。
如需向 Cloud Storage 进行身份验证,请设置应用默认凭据。 如需了解详情,请参阅为本地开发环境设置身份验证。
# Uploads a local file to a bucket and passes kms_key with the request, then
# prints the created file's name and the key reported on it.
#
# Example arguments:
#   bucket_name     = "your-unique-bucket-name"   # the ID of your GCS bucket
#   local_file_path = "/local/path/to/file.txt"   # the path to your file to upload
#   file_name       = "your-file-name"            # the ID of your GCS object
#   kms_key         = "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key"
def upload_with_kms_key bucket_name:, local_file_path:, file_name: nil, kms_key:
  require "google/cloud/storage"

  storage = Google::Cloud::Storage.new
  # skip_lookup: true is passed through to the bucket call unchanged.
  bucket = storage.bucket(bucket_name, skip_lookup: true)

  file = bucket.create_file(local_file_path, file_name, kms_key: kms_key)

  # file.kms_key is the key reported on the created file; it can be compared
  # with the kms_key that was requested.
  puts "Uploaded #{file.name} and encrypted service side using #{file.kms_key}"
end
后续步骤
如需搜索和过滤其他 Google Cloud 产品的代码示例,请参阅 Google Cloud 示例浏览器。