Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(storage): fix upload object with bucket cmek enabled #158

Merged
merged 5 commits into from May 22, 2020
Merged

fix(storage): fix upload object with bucket cmek enabled #158

merged 5 commits into from May 22, 2020

Conversation

HemangChothani
Copy link
Contributor

Fixes #155

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label May 21, 2020
frankyn
frankyn requested changes May 21, 2020
View reviewed changes
Copy link
Member

@frankyn frankyn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @HemangChothani, I have one request, but otherwise LGTM.

google/cloud/storage/blob.py
if self.kms_key_name is not None:
if (
self.kms_key_name is not None
and "cryptoKeyVersions" not in self.kms_key_name
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add comments on why this is needed for posterity. Mainly that Cloud Storage object metadata stores kmsKeyName with version information and uploads() expect non-versioned information.

frankyn
frankyn requested changes May 22, 2020
View reviewed changes
google/cloud/storage/blob.py Outdated
# When cmek is enabled for bucket blob.metadata stores the value of
# kmsKeyName with version information whereas upload method expect
# information without version so this condition ignores the kmsKeyName
# which has cryptoKeyVersions.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested changes:

When a Customer Managed Encryption Key is used to encrypt Cloud Storage object at rest, object resource metadata will store the version of the Key Management Service cryptographic material. If a Blob instance with KMS Key metadata set is used to upload a new version of the object then the existing kmsKeyName version value can't be used in the upload request and the client instead ignores it.

@frankyn frankyn merged commit 5f27ffa into googleapis:master May 22, 2020
cojenco pushed a commit to cojenco/python-storage that referenced this pull request Oct 13, 2021
@HemangChothani @frankyn @cojenco
fix(storage): fix upload object with bucket cmek enabled (googleapis#158
31d61de 
)

* fix(storage): fix upload object with bucket cmek enabled

* fix(storage): add comments for condition used

* fix(storage): nit

Co-authored-by: Frank Natividad <frankyn@users.noreply.github.com>
cojenco pushed a commit to cojenco/python-storage that referenced this pull request Oct 13, 2021
@HemangChothani @frankyn @cojenco
fix(storage): fix upload object with bucket cmek enabled (googleapis#158
6d24f8e 
)

* fix(storage): fix upload object with bucket cmek enabled

* fix(storage): add comments for condition used

* fix(storage): nit

Co-authored-by: Frank Natividad <frankyn@users.noreply.github.com>
@release-please release-please bot mentioned this pull request Jan 12, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frankyn frankyn frankyn approved these changes

Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to upload new object when CMEK is enabled for a bucket.
3 participants
@HemangChothani @frankyn @googlebot