Set Bucket Encryption Configuration

To set or remove the default customer-managed encryption key applied to a bucket, you make a PUT request that is scoped to the desired bucket, and you use the encryptionConfig query string parameter. You must include an XML document in the request body that indicates the Cloud Key Management Service key you want to set as the default for encrypting new objects added to the bucket. You cannot set the encryption configuration on a new bucket that you are creating.

You must have storage.buckets.update permission to set or remove the encryption configuration for a bucket.

Query string parameters

Parameter | Description | Required
encryptionConfig | Used to set or remove the encryption configuration for the bucket. When used in a PUT Bucket request, the request body should specify the desired Cloud KMS key, or else contain an empty EncryptionConfiguration element. | No

Request headers

See common request headers.

Request body elements

The following request body elements are applicable only if you use the encryptionConfig query string parameter to set or remove the default customer-managed encryption key used for an existing bucket.

Element | Description
EncryptionConfiguration | The container for DefaultKmsKeyName. If this element is empty, the existing default customer-managed encryption key (if any) is removed.
DefaultKmsKeyName | The name of the Cloud Key Management Service key resource to use by default for objects added to the bucket.

Request syntax

PUT /?encryptionConfig HTTP/1.1
Host: <bucket>.storage.googleapis.com
Date: <date>
Content-Length: <request_body_length>
Authorization: <authentication_string>

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>
    Key Resource
  </DefaultKmsKeyName>
</EncryptionConfiguration>

Response headers

The request can return a variety of response headers depending on the request headers you use.

Response body elements

The response does not include an XML document in the response body.

Example

The following example sets the encryption configuration for a bucket named my-bucket.

Request

PUT /?encryptionConfig HTTP/1.1
Host: my-bucket.storage.googleapis.com
Date: Thu, 12 Mar 2012 03:38:42 GMT
Content-Length: 208
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>projects/my-kms-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key</DefaultKmsKeyName>
</EncryptionConfiguration>

Response

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2012 03:38:42 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 0
Content-Type: text/html
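
The following Python sketch is an added example, not part of the original reference. It builds the request body for both cases described above (setting a default key, and removing it with an empty EncryptionConfiguration element) and validates the key name first. The function names, the placeholder token and the key-name pattern (inferred from the example request on this page) are assumptions.

```python
import re
import urllib.request
from xml.etree import ElementTree as ET

# Key resource name shape, inferred from the example request on this page.
KEY_RE = re.compile(
    r"projects/[^/\s]+/locations/[^/\s]+/keyRings/[^/\s]+/cryptoKeys/[^/\s]+"
)


def encryption_config_body(kms_key=None):
    """Build the XML body. None removes the default key; a name sets it."""
    root = ET.Element("EncryptionConfiguration")
    if kms_key is not None:
        # Reject "", partial names and key-version names before anything
        # is sent; removal has to be requested explicitly with None.
        if not KEY_RE.fullmatch(kms_key):
            raise ValueError(f"not a Cloud KMS key resource name: {kms_key!r}")
        # ElementTree escapes the text, so the value cannot add elements.
        ET.SubElement(root, "DefaultKmsKeyName").text = kms_key
    xml = ET.tostring(root, encoding="unicode")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n' + xml).encode("utf-8")


def build_request(bucket, kms_key=None, token="ACCESS_TOKEN_PLACEHOLDER"):
    """Prepare (but do not send) the PUT ?encryptionConfig request."""
    body = encryption_config_body(kms_key)
    return urllib.request.Request(
        f"https://{bucket}.storage.googleapis.com/?encryptionConfig",
        data=body,
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Length": str(len(body)),
        },
    )


if __name__ == "__main__":
    # Constructed sample values matching the example on this page.
    key = ("projects/my-kms-project/locations/us-east1/"
           "keyRings/my-keyring/cryptoKeys/my-key")
    for label, k in (("set", key), ("remove", None)):
        req = build_request("my-bucket", k)
        print(label, req.get_method(), req.full_url)
        print(req.data.decode("utf-8"))
```

Because removing the default key is a one-element request, keeping it behind an explicit None makes an accidental removal (for example from an unset variable passed as an empty string) fail validation instead of reaching the bucket.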