From da0832979d1dbb51437603aba7673b487584adfe Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 11:33:04 +0000 Subject: [PATCH 1/5] feat: add samples for bucket encryption enforcement config Co-authored-by: nidhiii-27 <224584462+nidhiii-27@users.noreply.github.com> --- samples/snippets/encryption_test.py | 51 +++++++++++++++++++ ...et_bucket_encryption_enforcement_config.py | 40 +++++++++++++++ ...ll_bucket_encryption_enforcement_config.py | 36 +++++++++++++ ...et_bucket_encryption_enforcement_config.py | 40 +++++++++++++++ ...ge_update_encryption_enforcement_config.py | 42 +++++++++++++++ 5 files changed, 209 insertions(+) create mode 100644 samples/snippets/storage_get_bucket_encryption_enforcement_config.py create mode 100644 samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py create mode 100644 samples/snippets/storage_set_bucket_encryption_enforcement_config.py create mode 100644 samples/snippets/storage_update_encryption_enforcement_config.py diff --git a/samples/snippets/encryption_test.py b/samples/snippets/encryption_test.py index 9039b1fad..3a0d8cf18 100644 --- a/samples/snippets/encryption_test.py +++ b/samples/snippets/encryption_test.py @@ -27,6 +27,10 @@ import storage_object_csek_to_cmek import storage_rotate_encryption_key import storage_upload_encrypted_file +import storage_get_bucket_encryption_enforcement_config +import storage_set_bucket_encryption_enforcement_config +import storage_update_encryption_enforcement_config +import storage_remove_all_bucket_encryption_enforcement_config BUCKET = os.environ["CLOUD_STORAGE_BUCKET"] KMS_KEY = os.environ["MAIN_CLOUD_KMS_KEY"] 
@@ -126,3 +130,50 @@ def test_object_csek_to_cmek(test_blob): ) assert cmek_blob.download_as_bytes(), test_blob_content + +def test_bucket_encryption_enforcement_config(capsys): + bucket_name = f"test_encryption_enforcement_{uuid.uuid4().hex}" + + try: + # Create + storage_set_bucket_encryption_enforcement_config.set_bucket_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert f"Created bucket {bucket_name} with Encryption Enforcement Config." in out + + # Get + storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert f"Encryption Enforcement Config for bucket {bucket_name}:" in out + assert "Customer-managed encryption enforcement config restriction mode: NOT_RESTRICTED" in out + assert "Customer-supplied encryption enforcement config restriction mode: FULLY_RESTRICTED" in out + assert "Google-managed encryption enforcement config restriction mode: FULLY_RESTRICTED" in out + + # Update + storage_update_encryption_enforcement_config.update_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert f"Encryption enforcement policy updated for bucket {bucket_name}." in out + + # Get after update + storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert "Customer-managed encryption enforcement config restriction mode: NOT_RESTRICTED" in out + assert "Customer-supplied encryption enforcement config restriction mode: None" in out + assert "Google-managed encryption enforcement config restriction mode: FULLY_RESTRICTED" in out + + # Remove + storage_remove_all_bucket_encryption_enforcement_config.remove_all_bucket_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert f"Removed Encryption Enforcement Config from bucket {bucket_name}." 
in out + + # Get after remove + storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) + out, _ = capsys.readouterr() + assert "Customer-managed encryption enforcement config restriction mode: None" in out + assert "Customer-supplied encryption enforcement config restriction mode: None" in out + assert "Google-managed encryption enforcement config restriction mode: None" in out + + finally: + try: + storage.Client().get_bucket(bucket_name).delete(force=True) + except Exception: + pass diff --git a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py new file mode 100644 index 000000000..5b4fbd359 --- /dev/null +++ b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py 
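Review bot: The cleanup in the `finally` block of test_bucket_encryption_enforcement_config catches `Exception` and passes, so a delete that fails for any reason (missing permission, a transient API error) leaves the uniquely named bucket behind with nothing in the test output to show it. Narrow the handler to the one case that is expected when the create step itself failed, e.g. `except exceptions.NotFound: pass` with `from google.api_core import exceptions`, and let everything else surface. Because create, get, update and remove run as one test, a leaked bucket is also the only trace of which step broke; splitting them over a shared fixture would make failures easier to place.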
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.cloud import storage
+
+# [START storage_get_bucket_encryption_enforcement_config]
+def get_bucket_encryption_enforcement_config(bucket_name):
+ """Gets the bucket encryption enforcement configuration."""
+ # The ID of your GCS bucket
+ # bucket_name = "your-unique-bucket-name"
+
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(bucket_name)
+
+ print(f"Encryption Enforcement Config for bucket {bucket.name}:")
+
+ cmek_config = bucket.customer_managed_encryption_enforcement_config
+ csek_config = bucket.customer_supplied_encryption_enforcement_config
+ gmek_config = bucket.google_managed_encryption_enforcement_config
+
+ print(f"Customer-managed encryption enforcement config restriction mode: {cmek_config.restriction_mode if cmek_config else None}")
+ print(f"Customer-supplied encryption enforcement config restriction mode: {csek_config.restriction_mode if csek_config else None}")
+ print(f"Google-managed encryption enforcement config restriction mode: {gmek_config.restriction_mode if gmek_config else None}")
+
+
+# [END storage_get_bucket_encryption_enforcement_config]
+
+if __name__ == "__main__":
+ get_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name")
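Review bot: The three print lines in get_bucket_encryption_enforcement_config test each config by truthiness (`if cmek_config else None`), which cannot tell "no config set" from a config object that is merely falsy. If EncryptionEnforcementConfig is a mapping-style class (its definition is not visible in this hunk), an empty one would be reported as None. An explicit check is safer for a sample that people use to audit a bucket: `cmek_mode = cmek_config.restriction_mode if cmek_config is not None else None`. Computing the mode into a local per key type would also bring the three f-string lines back under the usual line-length limit.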
diff --git a/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py b/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py
new file mode 100644
index 000000000..2e15d0020
--- /dev/null
+++ b/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py
@@ -0,0 +1,36 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.cloud import storage
+
+# [START storage_remove_all_bucket_encryption_enforcement_config]
+def remove_all_bucket_encryption_enforcement_config(bucket_name):
+ """Removes all bucket encryption enforcement configuration."""
+ # The ID of your GCS bucket
+ # bucket_name = "your-unique-bucket-name"
+
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(bucket_name)
+
+ bucket.customer_managed_encryption_enforcement_config = None
+ bucket.customer_supplied_encryption_enforcement_config = None
+ bucket.google_managed_encryption_enforcement_config = None
+ bucket.patch()
+
+ print(f"Removed Encryption Enforcement Config from bucket {bucket.name}.")
+
+# [END storage_remove_all_bucket_encryption_enforcement_config]
+
+if __name__ == "__main__":
+ remove_all_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name")
diff --git a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py
new file mode 100644
index 000000000..0d4f4461f
--- /dev/null
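Review bot: remove_all_bucket_encryption_enforcement_config calls `get_bucket()` and then an unconditional `bucket.patch()`, so a change to the enforcement config made by someone else between the two calls is overwritten without notice. A sample that edits a security control should show the precondition: `bucket.patch(if_metageneration_match=bucket.metageneration)`. The same read-then-patch pattern is in update_encryption_enforcement_config in storage_update_encryption_enforcement_config.py. The docstring could also say what the removal means for the bucket, for instance that new objects are then no longer restricted by encryption type (wording to be confirmed against the API reference).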
+++ b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py
@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.cloud import storage
+
+# [START storage_set_bucket_encryption_enforcement_config]
+def set_bucket_encryption_enforcement_config(bucket_name):
+ """Creates a bucket with encryption enforcement configuration."""
+ # The ID of your GCS bucket
+ # bucket_name = "your-unique-bucket-name"
+
+ storage_client = storage.Client()
+ bucket = storage_client.bucket(bucket_name)
+
+ # Restriction mode can be "FULLY_RESTRICTED" or "NOT_RESTRICTED"
+ from google.cloud.storage.bucket import EncryptionEnforcementConfig
+
+ bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED")
+ bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED")
+ bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED")
+
+ bucket.create()
+
+ print(f"Created bucket {bucket.name} with Encryption Enforcement Config.")
+
+# [END storage_set_bucket_encryption_enforcement_config]
+
+if __name__ == "__main__":
+ set_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name")
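Review bot: The comment `# Restriction mode can be "FULLY_RESTRICTED" or "NOT_RESTRICTED"` in set_bucket_encryption_enforcement_config lists the allowed values but not what they do, and the direction is easy to misread for a setting called "enforcement". A one-line explanation above the three assignments would settle it, e.g. `# FULLY_RESTRICTED rejects new objects written with that encryption type; NOT_RESTRICTED allows them.` (confirm the wording against the API reference). With that in place the reader can see that this sample leaves customer-managed keys as the only permitted type for new objects. The docstring could name that outcome too, since it is the reason someone would copy this sample.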
diff --git a/samples/snippets/storage_update_encryption_enforcement_config.py b/samples/snippets/storage_update_encryption_enforcement_config.py
new file mode 100644
index 000000000..91a09bf0f
--- /dev/null
+++ b/samples/snippets/storage_update_encryption_enforcement_config.py
@@ -0,0 +1,42 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.cloud import storage
+
+# [START storage_update_encryption_enforcement_config]
+def update_encryption_enforcement_config(bucket_name):
+ """Updates the encryption enforcement policy for a bucket."""
+ # The ID of your GCS bucket
+ # bucket_name = "your-unique-bucket-name"
+
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(bucket_name)
+
+ # 1. Update a specific type (e.g., change GMEK to FULLY_RESTRICTED)
+ from google.cloud.storage.bucket import EncryptionEnforcementConfig
+ bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED")
+ bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED")
+
+ # 2. Remove a specific type (e.g., remove CSEK enforcement)
+ bucket.customer_supplied_encryption_enforcement_config = None
+
+ bucket.patch()
+
+ print(f"Encryption enforcement policy updated for bucket {bucket.name}.")
+ print("GMEK is now fully restricted, CMEK is now not restricted, and CSEK enforcement has been removed.")
+
+# [END storage_update_encryption_enforcement_config]
+
+if __name__ == "__main__":
+ update_encryption_enforcement_config(bucket_name="your-unique-bucket-name")
From 9e0c4112a48bf77a153af9f9fc6a80665a484e3d Mon Sep 17 00:00:00 2001
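Review bot: The second `print` in update_encryption_enforcement_config reports a hard-coded end state ("GMEK is now fully restricted, ...") instead of what the bucket holds after `patch()`, so the message stays the same if someone edits the literals above it. Report from the patched object, e.g. `print(f"Google-managed: {bucket.google_managed_encryption_enforcement_config}")`, and likewise for the other two types. The comment `# 1. Update a specific type (e.g., change GMEK to FULLY_RESTRICTED)` also describes one change while the two lines under it set both GMEK and CMEK; `# 1. Set the mode for specific types (GMEK fully restricted, CMEK not restricted)` would match the code. Step 2 lifts the CSEK restriction, which loosens the policy, and the comment should say so.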
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 12:22:33 +0000 Subject: [PATCH 2/5] samples: add samples for bucket encryption enforcement config Co-authored-by: nidhiii-27 <224584462+nidhiii-27@users.noreply.github.com> --- fix_test.py | 23 +++++++++++++++++++ samples/snippets/encryption_test.py | 1 + ...et_bucket_encryption_enforcement_config.py | 4 ++-- ...ll_bucket_encryption_enforcement_config.py | 3 ++- ...et_bucket_encryption_enforcement_config.py | 6 ++--- ...ge_update_encryption_enforcement_config.py | 5 ++-- 6 files changed, 34 insertions(+), 8 deletions(-) create mode 100644 fix_test.py diff --git a/fix_test.py b/fix_test.py new file mode 100644 index 000000000..1a4f8637d --- /dev/null +++ b/fix_test.py @@ -0,0 +1,23 @@ +import re +with open("samples/snippets/encryption_test.py", "r") as f: + lines = f.readlines() + +new_lines = [] +for i, line in enumerate(lines): + if line.startswith("def test_") or line.startswith("@pytest.fixture"): + # Make sure there are two blank lines before it + # by checking the end of new_lines + if not (len(new_lines) >= 2 and new_lines[-1] == "\n" and new_lines[-2] == "\n"): + while len(new_lines) > 0 and new_lines[-1] == "\n": + new_lines.pop() + if len(new_lines) > 0: + new_lines.append("\n") + new_lines.append("\n") + if line.startswith("def test_blob"): + # make sure no blank lines between @pytest.fixture and def test_blob + while len(new_lines) > 0 and new_lines[-1] == "\n": + new_lines.pop() + new_lines.append(line) + +with open("samples/snippets/encryption_test.py", "w") as f: + f.writelines(new_lines) diff --git a/samples/snippets/encryption_test.py b/samples/snippets/encryption_test.py index 3a0d8cf18..93bdf619b 100644 --- a/samples/snippets/encryption_test.py +++ b/samples/snippets/encryption_test.py 
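Review bot: fix_test.py is added at the repository root and overwrites samples/snippets/encryption_test.py in place when run; it reads as a one-off formatting helper rather than part of the samples, and nothing else in this patch refers to it. It should be left out of the commit, since the blank-line change it produces is already carried by the encryption_test.py hunk that follows. If it is kept, `import re` is unused and the index `i` from `enumerate(lines)` is never read, so `for line in lines:` is enough.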
@@ -131,6 +131,7 @@ def test_object_csek_to_cmek(test_blob): assert cmek_blob.download_as_bytes(), test_blob_content + def test_bucket_encryption_enforcement_config(capsys): bucket_name = f"test_encryption_enforcement_{uuid.uuid4().hex}" diff --git a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py index 5b4fbd359..23ef2a099 100644 --- a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py @@ -14,6 +14,7 @@ from google.cloud import storage + # [START storage_get_bucket_encryption_enforcement_config] def get_bucket_encryption_enforcement_config(bucket_name): """Gets the bucket encryption enforcement configuration.""" @@ -32,9 +33,8 @@ def get_bucket_encryption_enforcement_config(bucket_name): print(f"Customer-managed encryption enforcement config restriction mode: {cmek_config.restriction_mode if cmek_config else None}") print(f"Customer-supplied encryption enforcement config restriction mode: {csek_config.restriction_mode if csek_config else None}") print(f"Google-managed encryption enforcement config restriction mode: {gmek_config.restriction_mode if gmek_config else None}") - - # [END storage_get_bucket_encryption_enforcement_config] + if __name__ == "__main__": get_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name") diff --git a/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py b/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py index 2e15d0020..a3f6f13f4 100644 --- a/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py 
@@ -14,6 +14,7 @@ from google.cloud import storage + # [START storage_remove_all_bucket_encryption_enforcement_config] def remove_all_bucket_encryption_enforcement_config(bucket_name): """Removes all bucket encryption enforcement configuration.""" @@ -29,8 +30,8 @@ def remove_all_bucket_encryption_enforcement_config(bucket_name): bucket.patch() print(f"Removed Encryption Enforcement Config from bucket {bucket.name}.") - # [END storage_remove_all_bucket_encryption_enforcement_config] + if __name__ == "__main__": remove_all_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name") diff --git a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py index 0d4f4461f..129d835d8 100644 --- a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py @@ -13,6 +13,8 @@ # limitations under the License. from google.cloud import storage +from google.cloud.storage.bucket import EncryptionEnforcementConfig + # [START storage_set_bucket_encryption_enforcement_config] def set_bucket_encryption_enforcement_config(bucket_name): @@ -24,8 +26,6 @@ def set_bucket_encryption_enforcement_config(bucket_name): bucket = storage_client.bucket(bucket_name) # Restriction mode can be "FULLY_RESTRICTED" or "NOT_RESTRICTED" - from google.cloud.storage.bucket import EncryptionEnforcementConfig - bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED") bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED") bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED") 
@@ -33,8 +33,8 @@ def set_bucket_encryption_enforcement_config(bucket_name): bucket.create() print(f"Created bucket {bucket.name} with Encryption Enforcement Config.") - # [END storage_set_bucket_encryption_enforcement_config] + if __name__ == "__main__": set_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name") diff --git a/samples/snippets/storage_update_encryption_enforcement_config.py b/samples/snippets/storage_update_encryption_enforcement_config.py index 91a09bf0f..94d1d9f81 100644 --- a/samples/snippets/storage_update_encryption_enforcement_config.py +++ b/samples/snippets/storage_update_encryption_enforcement_config.py @@ -13,6 +13,8 @@ # limitations under the License. from google.cloud import storage +from google.cloud.storage.bucket import EncryptionEnforcementConfig + # [START storage_update_encryption_enforcement_config] def update_encryption_enforcement_config(bucket_name): @@ -24,7 +26,6 @@ def update_encryption_enforcement_config(bucket_name): bucket = storage_client.get_bucket(bucket_name) # 1. Update a specific type (e.g., change GMEK to FULLY_RESTRICTED) - from google.cloud.storage.bucket import EncryptionEnforcementConfig bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED") bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED") @@ -35,8 +36,8 @@ def update_encryption_enforcement_config(bucket_name): print(f"Encryption enforcement policy updated for bucket {bucket.name}.") print("GMEK is now fully restricted, CMEK is now not restricted, and CSEK enforcement has been removed.") - # [END storage_update_encryption_enforcement_config] + if __name__ == "__main__": update_encryption_enforcement_config(bucket_name="your-unique-bucket-name") From 9c84456800a39e4ea24e9d9e0d480ca590568211 Mon Sep 17 00:00:00 2001 
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 12:30:59 +0000 Subject: [PATCH 3/5] samples: add samples for bucket encryption enforcement config Co-authored-by: nidhiii-27 <224584462+nidhiii-27@users.noreply.github.com> --- fix_test.py | 23 ------------ samples/snippets/encryption_test.py | 13 ------- ...et_bucket_encryption_enforcement_config.py | 2 +- ...ll_bucket_encryption_enforcement_config.py | 37 ------------------- ...et_bucket_encryption_enforcement_config.py | 2 +- ...ge_update_encryption_enforcement_config.py | 2 +- 6 files changed, 3 insertions(+), 76 deletions(-) delete mode 100644 fix_test.py delete mode 100644 samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py diff --git a/fix_test.py b/fix_test.py deleted file mode 100644 index 1a4f8637d..000000000 --- a/fix_test.py +++ /dev/null @@ -1,23 +0,0 @@ -import re -with open("samples/snippets/encryption_test.py", "r") as f: - lines = f.readlines() - -new_lines = [] -for i, line in enumerate(lines): - if line.startswith("def test_") or line.startswith("@pytest.fixture"): - # Make sure there are two blank lines before it - # by checking the end of new_lines - if not (len(new_lines) >= 2 and new_lines[-1] == "\n" and new_lines[-2] == "\n"): - while len(new_lines) > 0 and new_lines[-1] == "\n": - new_lines.pop() - if len(new_lines) > 0: - new_lines.append("\n") - new_lines.append("\n") - if line.startswith("def test_blob"): - # make sure no blank lines between @pytest.fixture and def test_blob - while len(new_lines) > 0 and new_lines[-1] == "\n": - new_lines.pop() - new_lines.append(line) - -with open("samples/snippets/encryption_test.py", "w") as f: - f.writelines(new_lines) diff --git a/samples/snippets/encryption_test.py b/samples/snippets/encryption_test.py index 93bdf619b..fb6167927 100644 --- a/samples/snippets/encryption_test.py +++ b/samples/snippets/encryption_test.py 
@@ -30,7 +30,6 @@ import storage_get_bucket_encryption_enforcement_config import storage_set_bucket_encryption_enforcement_config import storage_update_encryption_enforcement_config -import storage_remove_all_bucket_encryption_enforcement_config BUCKET = os.environ["CLOUD_STORAGE_BUCKET"] KMS_KEY = os.environ["MAIN_CLOUD_KMS_KEY"] @@ -161,18 +160,6 @@ def test_bucket_encryption_enforcement_config(capsys): assert "Customer-supplied encryption enforcement config restriction mode: None" in out assert "Google-managed encryption enforcement config restriction mode: FULLY_RESTRICTED" in out - # Remove - storage_remove_all_bucket_encryption_enforcement_config.remove_all_bucket_encryption_enforcement_config(bucket_name) - out, _ = capsys.readouterr() - assert f"Removed Encryption Enforcement Config from bucket {bucket_name}." in out - - # Get after remove - storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) - out, _ = capsys.readouterr() - assert "Customer-managed encryption enforcement config restriction mode: None" in out - assert "Customer-supplied encryption enforcement config restriction mode: None" in out - assert "Google-managed encryption enforcement config restriction mode: None" in out - finally: try: storage.Client().get_bucket(bucket_name).delete(force=True) diff --git a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py index 23ef2a099..e61517493 100644 --- a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
diff --git a/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py b/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py deleted file mode 100644 index a3f6f13f4..000000000 --- a/samples/snippets/storage_remove_all_bucket_encryption_enforcement_config.py +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 2024 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from google.cloud import storage - - -# [START storage_remove_all_bucket_encryption_enforcement_config] -def remove_all_bucket_encryption_enforcement_config(bucket_name): - """Removes all bucket encryption enforcement configuration.""" - # The ID of your GCS bucket - # bucket_name = "your-unique-bucket-name" - - storage_client = storage.Client() - bucket = storage_client.get_bucket(bucket_name) - - bucket.customer_managed_encryption_enforcement_config = None - bucket.customer_supplied_encryption_enforcement_config = None - bucket.google_managed_encryption_enforcement_config = None - bucket.patch() - - print(f"Removed Encryption Enforcement Config from bucket {bucket.name}.") -# [END storage_remove_all_bucket_encryption_enforcement_config] - - -if __name__ == "__main__": - remove_all_bucket_encryption_enforcement_config(bucket_name="your-unique-bucket-name") diff --git a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py index 129d835d8..39b85fdb7 100644 
--- a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/samples/snippets/storage_update_encryption_enforcement_config.py b/samples/snippets/storage_update_encryption_enforcement_config.py index 94d1d9f81..6dc14d6e2 100644 --- a/samples/snippets/storage_update_encryption_enforcement_config.py +++ b/samples/snippets/storage_update_encryption_enforcement_config.py @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2026 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. From 725d6101d06a31e040c472a7172e484b8724558b Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 17 Mar 2026 12:38:47 +0000 Subject: [PATCH 4/5] samples: add samples for bucket encryption enforcement config Co-authored-by: nidhiii-27 <224584462+nidhiii-27@users.noreply.github.com> --- samples/snippets/encryption_test.py | 10 +++++----- ...storage_get_bucket_encryption_enforcement_config.py | 2 +- ...storage_set_bucket_encryption_enforcement_config.py | 10 +++++----- .../storage_update_encryption_enforcement_config.py | 8 ++++---- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/samples/snippets/encryption_test.py b/samples/snippets/encryption_test.py index fb6167927..ad6ed1f8d 100644 --- a/samples/snippets/encryption_test.py +++ b/samples/snippets/encryption_test.py 
@@ -144,9 +144,9 @@ def test_bucket_encryption_enforcement_config(capsys): storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) out, _ = capsys.readouterr() assert f"Encryption Enforcement Config for bucket {bucket_name}:" in out - assert "Customer-managed encryption enforcement config restriction mode: NOT_RESTRICTED" in out - assert "Customer-supplied encryption enforcement config restriction mode: FULLY_RESTRICTED" in out - assert "Google-managed encryption enforcement config restriction mode: FULLY_RESTRICTED" in out + assert "Customer-managed encryption enforcement config restriction mode: NotRestricted" in out + assert "Customer-supplied encryption enforcement config restriction mode: FullyRestricted" in out + assert "Google-managed encryption enforcement config restriction mode: FullyRestricted" in out # Update storage_update_encryption_enforcement_config.update_encryption_enforcement_config(bucket_name) @@ -156,9 +156,9 @@ def test_bucket_encryption_enforcement_config(capsys): # Get after update storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name) out, _ = capsys.readouterr() - assert "Customer-managed encryption enforcement config restriction mode: NOT_RESTRICTED" in out + assert "Customer-managed encryption enforcement config restriction mode: NotRestricted" in out assert "Customer-supplied encryption enforcement config restriction mode: None" in out - assert "Google-managed encryption enforcement config restriction mode: FULLY_RESTRICTED" in out + assert "Google-managed encryption enforcement config restriction mode: FullyRestricted" in out finally: try: diff --git a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py index e61517493..269a41376 100644 --- a/samples/snippets/storage_get_bucket_encryption_enforcement_config.py 
+++ b/samples/snippets/storage_get_bucket_encryption_enforcement_config.py @@ -12,10 +12,10 @@ # See the License for the specific language governing permissions and # limitations under the License. +# [START storage_get_bucket_encryption_enforcement_config] from google.cloud import storage -# [START storage_get_bucket_encryption_enforcement_config] def get_bucket_encryption_enforcement_config(bucket_name): """Gets the bucket encryption enforcement configuration.""" # The ID of your GCS bucket diff --git a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py index 39b85fdb7..e4a251793 100644 --- a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py +++ b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py @@ -12,11 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +# [START storage_set_bucket_encryption_enforcement_config] from google.cloud import storage from google.cloud.storage.bucket import EncryptionEnforcementConfig -# [START storage_set_bucket_encryption_enforcement_config] def set_bucket_encryption_enforcement_config(bucket_name): """Creates a bucket with encryption enforcement configuration.""" # The ID of your GCS bucket 
@@ -25,10 +25,10 @@ def set_bucket_encryption_enforcement_config(bucket_name): storage_client = storage.Client() bucket = storage_client.bucket(bucket_name) - # Restriction mode can be "FULLY_RESTRICTED" or "NOT_RESTRICTED" - bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED") - bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED") - bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED") + # Restriction mode can be "FullyRestricted" or "NotRestricted" + bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NotRestricted") + bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FullyRestricted") + bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FullyRestricted") bucket.create() diff --git a/samples/snippets/storage_update_encryption_enforcement_config.py b/samples/snippets/storage_update_encryption_enforcement_config.py index 6dc14d6e2..0fa38ee01 100644 --- a/samples/snippets/storage_update_encryption_enforcement_config.py +++ b/samples/snippets/storage_update_encryption_enforcement_config.py @@ -12,11 +12,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +# [START storage_update_encryption_enforcement_config] from google.cloud import storage from google.cloud.storage.bucket import EncryptionEnforcementConfig -# [START storage_update_encryption_enforcement_config] def update_encryption_enforcement_config(bucket_name): """Updates the encryption enforcement policy for a bucket.""" # The ID of your GCS bucket 
@@ -25,9 +25,9 @@ def update_encryption_enforcement_config(bucket_name):
 storage_client = storage.Client()
 bucket = storage_client.get_bucket(bucket_name)
- # 1. Update a specific type (e.g., change GMEK to FULLY_RESTRICTED)
- bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FULLY_RESTRICTED")
- bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NOT_RESTRICTED")
+ # 1. Update a specific type (e.g., change GMEK to FullyRestricted)
+ bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FullyRestricted")
+ bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NotRestricted")
 # 2. Remove a specific type (e.g., remove CSEK enforcement)
 bucket.customer_supplied_encryption_enforcement_config = None
From 7eb6b939584745beedc53611ddefd7e8dc29d4b2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Fri, 20 Mar 2026 08:59:07 +0000
Subject: [PATCH 5/5] samples: add samples for bucket encryption enforcement config
Co-authored-by: nidhiii-27 <224584462+nidhiii-27@users.noreply.github.com>
---
 samples/snippets/encryption_test.py | 73 +++++++++++--------
 ...et_bucket_encryption_enforcement_config.py | 21 +++++-
 2 files changed, 59 insertions(+), 35 deletions(-)
diff --git a/samples/snippets/encryption_test.py b/samples/snippets/encryption_test.py
index ad6ed1f8d..9229ea607 100644
--- a/samples/snippets/encryption_test.py
+++ b/samples/snippets/encryption_test.py
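Review bot: Step 2 in this hunk assigns `None` to `customer_supplied_encryption_enforcement_config`, and its comment names the operation but not the effect on what the bucket accepts. Dropping the config presumably lifts the restriction, so a bucket that rejected customer-supplied keys accepts them again; a reader copying the sample is loosening a control and should see that stated, e.g. `# 2. Remove CSEK enforcement: the bucket stops rejecting customer-supplied encryption keys`. The body of update_encryption_enforcement_config starts and ends outside the hunk, so the call that sends the change is not visible here.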
@@ -131,37 +131,48 @@ def test_object_csek_to_cmek(test_blob):
 assert cmek_blob.download_as_bytes(), test_blob_content
-def test_bucket_encryption_enforcement_config(capsys):
+@pytest.fixture(scope="module")
+def enforcement_bucket():
 bucket_name = f"test_encryption_enforcement_{uuid.uuid4().hex}"
+ yield bucket_name
+ storage_client = storage.Client()
 try:
- # Create
- storage_set_bucket_encryption_enforcement_config.set_bucket_encryption_enforcement_config(bucket_name)
- out, _ = capsys.readouterr()
- assert f"Created bucket {bucket_name} with Encryption Enforcement Config." in out
-
- # Get
- storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name)
- out, _ = capsys.readouterr()
- assert f"Encryption Enforcement Config for bucket {bucket_name}:" in out
- assert "Customer-managed encryption enforcement config restriction mode: NotRestricted" in out
- assert "Customer-supplied encryption enforcement config restriction mode: FullyRestricted" in out
- assert "Google-managed encryption enforcement config restriction mode: FullyRestricted" in out
-
- # Update
- storage_update_encryption_enforcement_config.update_encryption_enforcement_config(bucket_name)
- out, _ = capsys.readouterr()
- assert f"Encryption enforcement policy updated for bucket {bucket_name}."
in out
-
- # Get after update
- storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(bucket_name)
- out, _ = capsys.readouterr()
- assert "Customer-managed encryption enforcement config restriction mode: NotRestricted" in out
- assert "Customer-supplied encryption enforcement config restriction mode: None" in out
- assert "Google-managed encryption enforcement config restriction mode: FullyRestricted" in out
-
- finally:
- try:
- storage.Client().get_bucket(bucket_name).delete(force=True)
- except Exception:
- pass
+ bucket = storage_client.get_bucket(bucket_name)
+ bucket.delete(force=True)
+ except Exception:
+ pass
+
+
+def test_set_bucket_encryption_enforcement_config(enforcement_bucket):
+ storage_set_bucket_encryption_enforcement_config.set_bucket_encryption_enforcement_config(
+ enforcement_bucket
+ )
+
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(enforcement_bucket)
+
+ assert bucket.google_managed_encryption_enforcement_config.restriction_mode == "FullyRestricted"
+ assert bucket.customer_managed_encryption_enforcement_config.restriction_mode == "NotRestricted"
+ assert bucket.customer_supplied_encryption_enforcement_config.restriction_mode == "FullyRestricted"
+
+
+def test_get_bucket_encryption_enforcement_config(enforcement_bucket):
+ # This just exercises the get snippet. If it crashes, the test fails.
+ # The assertions on the state were done in the set test.
+ storage_get_bucket_encryption_enforcement_config.get_bucket_encryption_enforcement_config(
+ enforcement_bucket
+ )
+
+
+def test_update_encryption_enforcement_config(enforcement_bucket):
+ storage_update_encryption_enforcement_config.update_encryption_enforcement_config(
+ enforcement_bucket
+ )
+
+ storage_client = storage.Client()
+ bucket = storage_client.get_bucket(enforcement_bucket)
+
+ assert bucket.google_managed_encryption_enforcement_config.restriction_mode == "FullyRestricted"
+ assert bucket.customer_managed_encryption_enforcement_config.restriction_mode == "NotRestricted"
+ assert bucket.customer_supplied_encryption_enforcement_config is None
diff --git a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py
index e4a251793..ac10eb44d 100644
--- a/samples/snippets/storage_set_bucket_encryption_enforcement_config.py
+++ b/samples/snippets/storage_set_bucket_encryption_enforcement_config.py
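Review bot: The `enforcement_bucket` fixture only yields a name, so `test_get_bucket_encryption_enforcement_config` and `test_update_encryption_enforcement_config` pass only when `test_set_bucket_encryption_enforcement_config` has already run and created the bucket; selecting a single test or reordering them fails on a missing bucket. Calling `storage_set_bucket_encryption_enforcement_config.set_bucket_encryption_enforcement_config(bucket_name)` in the fixture before `yield bucket_name` would give every test the same starting state. The get test also lost its `capsys` assertions, so the get snippet can print a wrong restriction mode and still pass. In the teardown, `except Exception: pass` hides failed deletes and leaves buckets behind; catching only the not-found case (`google.api_core.exceptions.NotFound`, if the file imports it) keeps real cleanup failures visible. The remaining assertions read back the stored modes only; a write without a KMS key that is expected to be rejected would show that the policy is enforced and not just recorded.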
@@ -25,10 +25,23 @@ def set_bucket_encryption_enforcement_config(bucket_name):
 storage_client = storage.Client()
 bucket = storage_client.bucket(bucket_name)
- # Restriction mode can be "FullyRestricted" or "NotRestricted"
- bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="NotRestricted")
- bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FullyRestricted")
- bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(restriction_mode="FullyRestricted")
+ # Setting restriction_mode to "FullyRestricted" for Google-managed encryption (GMEK)
+ # means objects cannot be created using the default Google-managed keys.
+ bucket.google_managed_encryption_enforcement_config = EncryptionEnforcementConfig(
+ restriction_mode="FullyRestricted"
+ )
+
+ # Setting restriction_mode to "NotRestricted" for Customer-managed encryption (CMEK)
+ # ensures that objects ARE permitted to be created using Cloud KMS keys.
+ bucket.customer_managed_encryption_enforcement_config = EncryptionEnforcementConfig(
+ restriction_mode="NotRestricted"
+ )
+
+ # Setting restriction_mode to "FullyRestricted" for Customer-supplied encryption (CSEK)
+ # prevents objects from being created using raw, client-side provided keys.
+ bucket.customer_supplied_encryption_enforcement_config = EncryptionEnforcementConfig(
+ restriction_mode="FullyRestricted"
+ )
 bucket.create()
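Review bot: The three added comments explain each mode on its own, but nothing states what the combination does: with GMEK and CSEK both `FullyRestricted`, presumably only writes that name a Cloud KMS key succeed, and the visible lines between `storage_client.bucket(bucket_name)` and `bucket.create()` set no default key. A line before `bucket.create()` such as `# With GMEK and CSEK restricted, uploads need a Cloud KMS key: set bucket.default_kms_key_name or pass kms_key_name per object` would keep a reader from creating a bucket their existing uploads cannot write to. The CSEK comment's "raw, client-side provided keys" can be read as client-side encryption, whereas CSEK keys are sent with the request and the encryption happens server-side, so `# prevents objects from being created with customer-supplied encryption keys (CSEK)` is more precise. The function body starts and ends outside the hunk.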