Upload an object with a specified KMS key

Upload an object encrypted with a specified customer-managed encryption key (CMEK) from Cloud KMS.

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample

C++

For more information, see the Cloud Storage C++ API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  namespace gcs = ::google::cloud::storage;
  using ::google::cloud::StatusOr;
  // Writes ten numbered placeholder lines to `bucket_name`/`object_name`,
  // passing `kms_key_name` to WriteObject() as a gcs::KmsKeyName option, then
  // prints the metadata returned for the new object. Throws the failing
  // Status when no metadata is returned.
  // NOTE(review): nothing here compares the key recorded in the returned
  // metadata with `kms_key_name`; the "Full metadata" output is the only
  // place a reader can check which key was applied.
  [](gcs::Client client, std::string const& bucket_name,
     std::string const& object_name, std::string const& kms_key_name) {
    gcs::ObjectWriteStream writer = client.WriteObject(
        bucket_name, object_name, gcs::KmsKeyName(kms_key_name));

    // Line numbers start at 1.
    int line = 1;
    while (line <= 10) {
      writer << line << ": placeholder text for CMEK example.\n";
      ++line;
    }

    // Close the stream before asking it for the object metadata.
    writer.Close();

    StatusOr<gcs::ObjectMetadata> result = std::move(writer).metadata();
    if (!result) {
      throw std::move(result).status();
    }

    std::cout << "Successfully wrote to object " << result->name();
    std::cout << " its size is: " << result->size();
    std::cout << "\nFull metadata: " << *result << "\n";
  }
 

C#

For more information, see the Cloud Storage C# API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  using 
  
  Google.Cloud.Storage.V1 
 
 ; 
 using 
  
 System 
 ; 
 using 
  
 System.IO 
 ; 
 /// <summary>
 /// Sample that uploads a local file to Cloud Storage and names the Cloud KMS key
 /// to use for the new object.
 /// </summary>
 public class UploadFileWithKmsKeySample
 {
     /// <summary>
     /// Uploads the file at <paramref name="localPath"/> to <paramref name="bucketName"/> as
     /// <paramref name="objectName"/>, setting <c>UploadObjectOptions.KmsKeyName</c> to the key
     /// name assembled from the project, location, key ring and key arguments.
     /// </summary>
     /// <param name="projectId">Project segment of the key name.</param>
     /// <param name="bucketName">Destination bucket.</param>
     /// <param name="keyLocation">Location segment of the key name.</param>
     /// <param name="kmsKeyRing">Key ring segment of the key name.</param>
     /// <param name="kmsKeyName">Key segment of the key name.</param>
     /// <param name="localPath">Path of the local file to read.</param>
     /// <param name="objectName">Name given to the uploaded object.</param>
     public void UploadFileWithKmsKey(
         string projectId = "your-project-id",
         string bucketName = "your-unique-bucket-name",
         string keyLocation = "us-west1",
         string kmsKeyRing = "kms-key-ring",
         string kmsKeyName = "key-name",
         string localPath = "my-local-path/my-file-name",
         string objectName = "my-file-name")
     {
         // KMS Key identifier of an already created KMS key.
         // If you use the Google.Cloud.Kms.V1 library, you can construct these names using helper class CryptoKeyName.
         // var fullKeyName = new CryptoKeyName(projectId, keyLocation, kmsKeyRing, kmsKeyName).ToString();
         // The name is assembled by plain interpolation; the arguments are not validated here.
         string keyResourceName =
             $"projects/{projectId}/locations/{keyLocation}/keyRings/{kmsKeyRing}/cryptoKeys/{kmsKeyName}";

         var client = StorageClient.Create();

         // The stream is disposed when the block ends, after the upload call and the log line.
         using (var source = File.OpenRead(localPath))
         {
             var uploadOptions = new UploadObjectOptions { KmsKeyName = keyResourceName };
             client.UploadObject(bucketName, objectName, null, source, uploadOptions);
             Console.WriteLine($"Uploaded {objectName}.");
         }
     }
 }
 

Go

For more information, see the Cloud Storage Go API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  import 
  
 ( 
  
 "context" 
  
 "fmt" 
  
 "io" 
  
 "time" 
  
 "cloud.google.com/go/storage" 
 ) 
 // uploadWithKMSKey writes a small object to bucket/object with keyName set as
 // the writer's KMSKeyName, and reports success on w. It returns a wrapped
 // error if creating the client, writing, or closing the writer fails.
 func uploadWithKMSKey(w io.Writer, bucket, object, keyName string) error {
 	// bucket := "bucket-name"
 	// object := "object-name"
 	// keyName := "projects/projectId/locations/global/keyRings/keyRingID/cryptoKeys/cryptoKeyID"
 	baseCtx := context.Background()
 	client, err := storage.NewClient(baseCtx)
 	if err != nil {
 		return fmt.Errorf("storage.NewClient: %w", err)
 	}
 	defer client.Close()

 	// The calls below share a single 50-second deadline.
 	ctx, cancel := context.WithTimeout(baseCtx, 50*time.Second)
 	defer cancel()

 	obj := client.Bucket(bucket).Object(object)

 	// Optional: set a generation-match precondition to avoid potential race
 	// conditions and data corruptions. The request to upload is aborted if the
 	// object's generation number does not match your precondition.
 	// For an object that does not yet exist, set the DoesNotExist precondition.
 	obj = obj.If(storage.Conditions{DoesNotExist: true})
 	// If the live object already exists in your bucket, set instead a
 	// generation-match precondition using the live object's generation number.
 	// attrs, err := obj.Attrs(ctx)
 	// if err != nil {
 	// 	return fmt.Errorf("object.Attrs: %w", err)
 	// }
 	// obj = obj.If(storage.Conditions{GenerationMatch: attrs.Generation})

 	// Encrypt the object's contents.
 	writer := obj.NewWriter(ctx)
 	writer.KMSKeyName = keyName

 	_, err = writer.Write([]byte("top secret"))
 	if err != nil {
 		return fmt.Errorf("Writer.Write: %w", err)
 	}

 	// Success is reported only after Close has also returned without error.
 	err = writer.Close()
 	if err != nil {
 		return fmt.Errorf("Writer.Close: %w", err)
 	}

 	fmt.Fprintf(w, "Uploaded blob %v with KMS key.\n", object)
 	return nil
 }
 

Java

For more information, see the Cloud Storage Java API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  import static java.nio.charset.StandardCharsets.UTF_8;

  import com.google.cloud.storage.Blob;
  import com.google.cloud.storage.BlobId;
  import com.google.cloud.storage.BlobInfo;
  import com.google.cloud.storage.Storage;
  import com.google.cloud.storage.StorageOptions;
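 public class UploadKmsEncryptedObject {
   /**
    * Uploads the text "Hello, World!" as {@code objectName} in {@code bucketName}, passing
    * {@code kmsKeyName} as a target option of the create request.
    *
    * <p>The request also carries a precondition: "does not exist" when the object is absent at
    * lookup time, otherwise a generation match on the generation that lookup returned.
    *
    * @param projectId project used to build the Storage client
    * @param bucketName destination bucket
    * @param objectName destination object
    * @param kmsKeyName name of the KMS key to encrypt with
    */
   public static void uploadKmsEncryptedObject(
       String projectId, String bucketName, String objectName, String kmsKeyName) {
     // The ID of your GCP project
     // String projectId = "your-project-id";

     // The ID of your GCS bucket
     // String bucketName = "your-unique-bucket-name";

     // The ID of your GCS object
     // String objectName = "your-object-name";

     // The name of the KMS key to encrypt with
     // String kmsKeyName = "projects/my-project/locations/us/keyRings/my_key_ring/cryptoKeys/my_key";

     Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService();
     byte[] data = "Hello, World!".getBytes(UTF_8);

     BlobId blobId = BlobId.of(bucketName, objectName);
     BlobInfo blobInfo = BlobInfo.newBuilder(blobId).setContentType("text/plain").build();

     // Optional: set a generation-match precondition to avoid potential race
     // conditions and data corruptions. The request returns a 412 error if the
     // preconditions are not met.
     // Look the object up once and reuse the result, so the generation used in the
     // precondition comes from the same lookup as the existence check. A second lookup
     // could return null if the object is deleted in between.
     Blob existing = storage.get(bucketName, objectName);
     Storage.BlobTargetOption precondition;
     if (existing == null) {
       // For a target object that does not yet exist, set the DoesNotExist precondition.
       // This will cause the request to fail if the object is created before the request runs.
       precondition = Storage.BlobTargetOption.doesNotExist();
     } else {
       // If the destination already exists in your bucket, instead set a generation-match
       // precondition. This will cause the request to fail if the existing object's generation
       // changes before the request runs.
       precondition = Storage.BlobTargetOption.generationMatch(existing.getGeneration());
     }

     storage.create(blobInfo, data, Storage.BlobTargetOption.kmsKeyName(kmsKeyName), precondition);

     System.out.println(
         "Uploaded object "
             + objectName
             + " in bucket "
             + bucketName
             + " encrypted with "
             + kmsKeyName);
   }
 }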
 

Node.js

For more information, see the Cloud Storage Node.js API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

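  /**
   * TODO(developer): Uncomment the following lines before running the sample.
   */
  // The ID of your GCS bucket
  // const bucketName = 'your-unique-bucket-name';

  // The path to your file to upload
  // const filePath = 'path/to/your/file';

  // The name of the KMS-key. The other samples on this page give it in the form
  // projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>
  // const kmsKeyName = 'my-key';

  // The generation the destination object must currently have; 0 means the
  // object must not exist yet. uploadFileWithKmsKey() reads this name, so it
  // has to be defined together with the three values above.
  // const generationMatchPrecondition = 0;

  // Imports the Google Cloud client library
  const {Storage} = require('@google-cloud/storage');

  // Creates a client
  const storage = new Storage();

  /**
   * Uploads filePath to bucketName, passing kmsKeyName and a generation-match
   * precondition in the upload options, then logs the file, bucket and key.
   */
  async function uploadFileWithKmsKey() {
    const options = {
      kmsKeyName,
      // Optional:
      // Set a generation-match precondition to avoid potential race conditions
      // and data corruptions. The request to upload is aborted if the object's
      // generation number does not match your precondition. For a destination
      // object that does not yet exist, set the ifGenerationMatch precondition to 0
      // If the destination object already exists in your bucket, set instead a
      // generation-match precondition using its generation number.
      preconditionOpts: {ifGenerationMatch: generationMatchPrecondition},
    };

    await storage.bucket(bucketName).upload(filePath, options);

    console.log(`${filePath} uploaded to ${bucketName} using ${kmsKeyName}.`);
  }

  // Any rejection from the upload is written to stderr by console.error.
  uploadFileWithKmsKey().catch(console.error);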
 

PHP

For more information, see the Cloud Storage PHP API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  use Google\Cloud\Storage\StorageClient; 
 /**
  * Upload a local file to a bucket, naming the KMS key for the new object.
  *
  * @param string $bucketName The name of your Cloud Storage bucket.
  *        (e.g. 'my-bucket')
  * @param string $objectName The name of your Cloud Storage object.
  *        (e.g. 'my-object')
  * @param string $source The path to the file to upload.
  *        (e.g. '/path/to/your/file')
  * @param string $kmsKeyName The KMS key used to encrypt objects server side.
  *     Key names are provided in the following format:
  *     `projects/<PROJECT>/locations/<LOCATION>/keyRings/<RING_NAME>/cryptoKeys/<KEY_NAME>`.
  *
  * @throws \InvalidArgumentException If $source cannot be opened for reading.
  */
 function upload_with_kms_key(string $bucketName, string $objectName, string $source, string $kmsKeyName): void
 {
     $storage = new StorageClient();

     // Open the source first so an unreadable path fails before any upload call.
     $file = fopen($source, 'r');
     if (!$file) {
         throw new \InvalidArgumentException('Unable to open file for reading');
     }

     // The key name travels with the request as the 'destinationKmsKeyName' option.
     $uploadOptions = [
         'name' => $objectName,
         'destinationKmsKeyName' => $kmsKeyName,
     ];
     $storage->bucket($bucketName)->upload($file, $uploadOptions);

     $message = sprintf(
         'Uploaded %s to gs://%s/%s using encryption key %s' . PHP_EOL,
         basename($source),
         $bucketName,
         $objectName,
         $kmsKeyName
     );
     echo $message;
 }
 

Python

For more information, see the Cloud Storage Python API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  from 
  
 google.cloud 
  
 import 
  storage 
 
 def upload_blob_with_kms(
     bucket_name,
     source_file_name,
     destination_blob_name,
     kms_key_name,
 ):
     """Upload a local file as a blob that is created with ``kms_key_name``.

     Args:
         bucket_name: Name of the destination bucket.
         source_file_name: Path of the local file to upload.
         destination_blob_name: Name of the object to create.
         kms_key_name: KMS key name passed when the blob handle is created.
     """
     # bucket_name = "your-bucket-name"
     # source_file_name = "local/path/to/file"
     # destination_blob_name = "storage-object-name"
     # kms_key_name = "projects/PROJ/locations/LOC/keyRings/RING/cryptoKeys/KEY"

     client = storage.Client()
     target_blob = client.bucket(bucket_name).blob(
         destination_blob_name, kms_key_name=kms_key_name
     )

     # Optional: set a generation-match precondition to avoid potential race conditions
     # and data corruptions. The request to upload is aborted if the object's
     # generation number does not match your precondition. For a destination
     # object that does not yet exist, set the if_generation_match precondition to 0.
     # If the destination object already exists in your bucket, set instead a
     # generation-match precondition using its generation number.
     generation_match_precondition = 0

     target_blob.upload_from_filename(
         source_file_name, if_generation_match=generation_match_precondition
     )

     message = "File {} uploaded to {} with encryption key {}.".format(
         source_file_name, destination_blob_name, kms_key_name
     )
     print(message)
 

Ruby

For more information, see the Cloud Storage Ruby API reference documentation .

To authenticate to Cloud Storage, set up Application Default Credentials. For more information, see Set up authentication for client libraries .

  # Uploads local_file_path to bucket_name as file_name, passing kms_key to
  # create_file, then prints the name and KMS key reported for the new file.
  def upload_with_kms_key(bucket_name:, local_file_path:, file_name: nil, kms_key:)
    # The ID of your GCS bucket
    # bucket_name = "your-unique-bucket-name"

    # The path to your file to upload
    # local_file_path = "/local/path/to/file.txt"

    # The ID of your GCS object
    # file_name = "your-file-name"

    # The name of the KMS key to manage this object with
    # kms_key = "projects/your-project-id/locations/global/keyRings/your-key-ring/cryptoKeys/your-key"

    require "google/cloud/storage"

    client = Google::Cloud::Storage.new
    target_bucket = client.bucket(bucket_name, skip_lookup: true)

    uploaded = target_bucket.create_file(local_file_path, file_name, kms_key: kms_key)

    # The key printed here is the one read back from the created file object,
    # not the kms_key argument.
    puts "Uploaded #{uploaded.name} and encrypted service side using #{uploaded.kms_key}"
  end
 

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser .
