Set bucket encryption configuration

To set or remove the default customer-managed encryption key applied to a bucket, you make a PUT request that is scoped to the desired bucket, and you use the encryptionConfig query string parameter. You must include an XML document in the request body that indicates the Key Management Service key you want to set as the default for encrypting new objects added to the bucket. You cannot set the encryption configuration on a new bucket that you are creating.

You must have storage.buckets.update permission to set or remove the encryption configuration for a bucket.

Query string parameters

Parameter	Description	Required
`encryptionConfig`	Used to set or remove the encryption configuration for the bucket. When used in a `PUT` Bucket request, the request body should specify the desired KMS key, or else contain an empty `EncryptionConfiguration` element.	No

Request headers

See common request headers.

Request body elements

The following request body elements are applicable only if you use the encryptionConfig query string parameter to set or remove the default customer-managed encryption key used for an existing bucket.

Element	Description
`EncryptionConfiguration`	The container for DefaultKmsKeyName. If this element is empty, the existing default customer-managed encryption key (if any) is removed.
`DefaultKmsKeyName`	The name of the Key Management Service key resource to use by default for objects added to the bucket.

Request syntax

PUT /?encryptionConfig HTTP/1.1
Host: <bucket>.storage.googleapis.com
Date: <date>
Content-Length: <request_body_length>
Authorization: <authentication_string>

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>
    Key Resource
  </DefaultKmsKeyName>
</EncryptionConfiguration>

Response headers

The request can return a variety of response headers depending on the request headers you use.

Response body elements

The response does not include an XML document in the response body.

Example

The following example sets the encryption configuration for a bucket named my-bucket.

Request

PUT /?encryptionConfig HTTP/1.1
Host: my-bucket.storage.googleapis.com
Date: Thu, 12 Mar 2012 03:38:42 GMT
Content-Length: 208
Authorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s-6Uw7p8vtgSwg

<?xml version="1.0" encoding="UTF-8"?>
<EncryptionConfiguration>
  <DefaultKmsKeyName>projects/my-kms-project/locations/us-east1/keyRings/my-keyring/cryptoKeys/my-key</DefaultKmsKeyName>
</EncryptionConfiguration>

Response

HTTP/1.1 200 OK
Date: Thu, 12 Mar 2012 03:38:42 GMT
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Content-Length: 0
Content-Type: text/html

이 페이지가 도움이 되었나요? 평가를 부탁드립니다.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

11월 15, 2019에 마지막으로 업데이트되었습니다.