
Unable to upload new object when CMEK is enabled for a bucket. #155

Closed
@frankyn

Description

Tracking issue for a customer.

The issue is the Python library does a metadata get on an Object which includes kmsKeyName version resource ID metadata.
If you use the same Blob instance to perform an upload the Python library will use the kmsKeyName version resource ID instead of the kmsKeyName resource ID.
Cloud Storage API expects the kmsKeyName without version information.

Here's an example for illustration:
kmsKeyName version resource ID:

projects/project-id/us/keyRings/testmrbucket/cryptoKeys/testkey/cryptoKeyVersions/1

kmsKeyName resource ID:

projects/project-id/locations/us/keyRings/testmrbucket/cryptoKeys/testkey

Reproduction

from google.cloud import storage

bucket_name = 'your-bucket-name'
blob_name = 'your-object-name'

client = storage.Client()
bucket = client.bucket(bucket_name)

# Creates a random encrypted blob.
blob = bucket.blob(blob_name)
blob.upload_from_string("oldcontent")
# Reusing the same Blob instance: it now carries the kmsKeyName version
# resource ID from the object metadata, and this second upload sends it.
blob.upload_from_string("newcontent", if_generation_match=blob.generation)

Workaround

from google.cloud import storage

bucket_name = 'your-bucket-name'
blob_name = 'your-object-name'

client = storage.Client()
bucket = client.bucket(bucket_name)

# Creates a random encrypted blob.
blob = bucket.blob(blob_name)
blob.upload_from_string("oldcontent")
# Store the generation
saved_generation = blob.generation

# Get a new instance of Blob to unset value of kmsKeyName
blob = bucket.blob(blob_name)
blob.upload_from_string("newcontent", if_generation_match=saved_generation)

Potential Fix:

  • blob.upload_from_* should only use kmsKeyName if it doesn't end with a version.
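
The check proposed under "Potential Fix", as an added example that is not part of the original issue or the library's own code: it reduces a versioned kmsKeyName to the key resource ID and rejects anything that is not a Cloud KMS name, so the caller never silently sends an unexpected key or drops the CMEK. The function names and the constructed sample values are assumptions made for this example.

```python
import re

# Cloud KMS key resource name, optionally followed by a key-version suffix.
_KMS_NAME = re.compile(
    r"(?P<key>projects/[^/\s]+/locations/[^/\s]+"
    r"/keyRings/[^/\s]+/cryptoKeys/[^/\s]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[^/\s]+))?"
)


def split_kms_key_name(name):
    """Return (key_resource_id, version_or_None); raise ValueError if malformed."""
    match = _KMS_NAME.fullmatch(name)
    if match is None:
        raise ValueError(f"not a Cloud KMS key or key version name: {name!r}")
    return match.group("key"), match.group("version")


def key_name_for_upload(metadata_key_name):
    """Map the kmsKeyName seen in object metadata to the value an upload sends.

    None (no CMEK recorded) is passed through unchanged so no key is invented.
    A versioned name is reduced to its key; a malformed name raises ValueError
    instead of being forwarded to the API.
    """
    if metadata_key_name is None:
        return None
    key, _version = split_kms_key_name(metadata_key_name)
    return key


# Constructed sample values, modelled on the key name shown in the issue.
SAMPLE_KEY = "projects/project-id/locations/us/keyRings/testmrbucket/cryptoKeys/testkey"
SAMPLE_VERSIONED = SAMPLE_KEY + "/cryptoKeyVersions/1"

if __name__ == "__main__":
    for name in (SAMPLE_KEY, SAMPLE_VERSIONED, None):
        print(repr(name), "->", repr(key_name_for_upload(name)))
```
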

Metadata

Labels

  • api: storage (Issues related to the googleapis/python-storage API.)
  • priority: p1 (Important issue which blocks shipping the next release. Will be fixed prior to next release.)
  • type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
