To set or remove the default customer-managed encryption key applied to a bucket, you make a `PUT` request that is scoped to the desired bucket, and you use the `encryptionConfig` query string parameter. You must include an XML document in the request body that indicates the Cloud Key Management Service key you want to set as the default for encrypting new objects added to the bucket. You cannot set the encryption configuration on a new bucket that you are creating.

You must have `storage.buckets.update` permission to set or remove the encryption configuration for a bucket.

Query string parameters
Parameter | Description | Required |
---|---|---|
`encryptionConfig` | Used to set or remove the encryption configuration for the bucket. When used in a PUT Bucket request, the request body should specify the desired Cloud KMS key, or else contain an empty `EncryptionConfiguration` element. | No |

See signed URL query string parameters for information on the parameters you include when creating and using signed URLs.
Request headers
Request body elements
The following request body elements are applicable only if you use the `encryptionConfig` query string parameter to set or remove the default customer-managed encryption key used for an existing bucket.

Element | Description |
---|---|
`EncryptionConfiguration` | The container for `DefaultKmsKeyName`. If this element is empty, the existing default customer-managed encryption key (if any) is removed. |
`DefaultKmsKeyName` | The name of the Cloud Key Management Service key resource to use by default for objects added to the bucket. |

Request syntax
```
PUT /?encryptionConfig HTTP/1.1
Host: BUCKET_NAME.storage.googleapis.com
Date: DATE
Content-Length: REQUEST_BODY_LENGTH
Authorization: AUTHENTICATION_STRING

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>
    KEY_RESOURCE
  </DefaultKmsKeyName>
</EncryptionConfiguration>
```

Response headers
The request can return a variety of response headers depending on the request headers you use.
Response body elements
The response does not include an XML document in the response body.
Example
The following example sets the encryption configuration for a bucket named `my-bucket`.

Request
```
PUT /?encryptionConfig HTTP/1.1
Host: my-bucket.storage.googleapis.com
Date: Thu, 12 Mar 2012 03:38:42 GMT
Content-Length: 208
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>projects/my-kms-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key</DefaultKmsKeyName>
</EncryptionConfiguration>
```

Response
```
HTTP/1.1 200 OK
Date: Thu, 12 Mar 2012 03:38:42 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 0
Content-Type: text/html
```
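
The request described above, built programmatically as an added example (not code from the original documentation): it produces the body for both the "set" and "remove" cases and refuses values that would yield a different request than intended. The function names, the key-name pattern (inferred from the example key on this page), the bucket-name check and the token placeholder are assumptions of this example.

```python
import re
import urllib.request
from xml.sax.saxutils import escape

# Assumption: key names have the shape of the example key on this page.
KEY_RE = re.compile(
    r"projects/[^/\s]+/locations/[^/\s]+/keyRings/[^/\s]+/cryptoKeys/[^/\s]+")
# Assumption: conservative bucket-name check so the value cannot alter the Host.
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9._-]{1,220}[a-z0-9]")
XML_HEAD = '<?xml version="1.0" encoding="UTF-8"?>\n'


def encryption_config_body(kms_key=None):
    """XML body for ?encryptionConfig: a key sets the default, None removes it."""
    if kms_key is None:
        # Empty element: removes the existing default key, if any.
        xml = "<EncryptionConfiguration></EncryptionConfiguration>"
    elif KEY_RE.fullmatch(kms_key):
        xml = ("<EncryptionConfiguration>\n"
               f"  <DefaultKmsKeyName>{escape(kms_key)}</DefaultKmsKeyName>\n"
               "</EncryptionConfiguration>")
    else:
        # Also rejects key *version* paths and names with embedded whitespace.
        raise ValueError(f"unexpected Cloud KMS key name: {kms_key!r}")
    return (XML_HEAD + xml).encode("utf-8")


def build_put_request(bucket, access_token, kms_key=None):
    """Build (without sending) the PUT request scoped to one bucket."""
    if not BUCKET_RE.fullmatch(bucket):
        raise ValueError(f"unexpected bucket name: {bucket!r}")
    body = encryption_config_body(kms_key)
    return urllib.request.Request(
        url=f"https://{bucket}.storage.googleapis.com/?encryptionConfig",
        data=body,
        method="PUT",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Length": str(len(body))},
    )


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a credential.
    req = build_put_request(
        "my-bucket", "ACCESS_TOKEN_PLACEHOLDER",
        "projects/my-kms-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

Calling `build_put_request` without a key produces the empty `EncryptionConfiguration` body, which removes the bucket's default key, so callers should treat that path as a deliberate, reviewed action.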