New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(storage): fix upload object with bucket cmek enabled #158
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @HemangChothani, I have one request, but otherwise LGTM.
if self.kms_key_name is not None: | ||
if ( | ||
self.kms_key_name is not None | ||
and "cryptoKeyVersions" not in self.kms_key_name |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add comments on why this is needed for posterity. Mainly that Cloud Storage object metadata stores kmsKeyName with version information and uploads() expect non-versioned information.
google/cloud/storage/blob.py
Outdated
# When cmek is enabled for bucket blob.metadata stores the value of | ||
# kmsKeyName with version information whereas upload method expect | ||
# information without version so this condition ignores the kmsKeyName | ||
# which has cryptoKeyVersions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggested changes:
When a Customer Managed Encryption Key is used to encrypt Cloud Storage object at rest, object resource metadata will store the version of the Key Management Service cryptographic material. If a Blob instance with KMS Key metadata set is used to upload a new version of the object then the existing kmsKeyName version value can't be used in the upload request and the client instead ignores it.
Fixes #155