Get Bucket Encryption Configuration

To return the default customer-managed encryption key set on a bucket, you make a GET request that is scoped to the desired bucket, and you use the encryptionConfig query string parameter. Information on the default encryption key set for the bucket is returned in an XML document in the response body.

You must have storage.buckets.get permission to check the encryption configuration status for a bucket.

Query string parameters

Parameter Description Required
encryptionConfig Used to return the encryption configuration for the bucket. No

Request headers

See common request headers.

Request body elements

This request does not include an XML document in the request body.

Request syntax

The following syntax applies to GET Bucket requests that use the encryptionConfig query string parameter.

GET /?encryptionConfig HTTP/1.1
Host: <bucket>.storage.googleapis.com
Date: <date>
Content-Length: <request body length>
Authorization: <authentication string>

Response headers

The request can return a variety of response headers depending on the request headers you use.

Response body elements

The following response body elements are applicable only if you use the encryptionConfig query string parameter to get the default encryption key set for the bucket.

Element Description
EncryptionConfiguration The container for DefaultKmsKeyName. This element is empty if the bucket does not have a default key set for it.
DefaultKmsKeyName The name of the Cloud Key Management Service key resource used by default for objects added to the bucket.

Example

The following example retrieves the encryption configuration for a bucket named my-bucket. In this example, the bucket has a default key set on it.

Request

GET /?encryptionConfig HTTP/1.1
Host: my-bucket.storage.googleapis.com
Date: Thu, 24 Jan 2016 02:34:56 GMT
Content-Length: 0
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

Response

HTTP/1.1 200 OK
Date: Thu, 24 Jan 2016 02:34:56 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 208
Content-Type: text/html

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>projects/my-kms-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key</DefaultKmsKeyName>
</EncryptionConfiguration>
Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Storage
Need help? Visit our support page.