From 73e0de37d0acb28ac29093d41fe5f14001daad4a Mon Sep 17 00:00:00 2001
From: nidhiii-27
Date: Tue, 28 Oct 2025 10:40:39 +0530
Subject: [PATCH 1/3] samples: add samples for encryption enforcement config feature
---
.../GetEncryptionEnforcementConfig.java | 71 ++++++++++
.../RemoveEncryptionEnforcementConfig.java | 59 +++++++++
.../SetBucketEncryptionEnforcementConfig.java | 121 ++++++++++++++++++
3 files changed, 251 insertions(+)
create mode 100644 samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java
create mode 100644 samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java
create mode 100644 samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java
diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java
new file mode 100644
index 0000000000..1959f4999b
--- /dev/null
+++ b/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java
@@ -0,0 +1,71 @@ +/* + * Copyright 2025 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.example.storage.bucket; + +// [START storage_get_encryption_enforcement_config] + +import com.google.cloud.storage.Bucket; +import com.google.cloud.storage.BucketInfo.CustomerManagedEncryptionEnforcementConfig; +import com.google.cloud.storage.BucketInfo.CustomerSuppliedEncryptionEnforcementConfig; +import com.google.cloud.storage.BucketInfo.GoogleManagedEncryptionEnforcementConfig; +import com.google.cloud.storage.Storage; +import com.google.cloud.storage.StorageOptions; + +public class GetEncryptionEnforcementConfig { + public static void getEncryptionEnforcementConfig(String projectId, String bucketName) + throws Exception { + // The ID of your GCP project + // String projectId = "your-project-id"; + + // The ID of your GCS bucket + // String bucketName = "your-unique-bucket-name"; + + try (Storage storage = + StorageOptions.newBuilder().setProjectId(projectId).build().getService()) { + System.out.println( + "\n--- Getting Encryption Enforcement Policy for bucket " + bucketName + " ---"); + + Bucket bucket = storage.get(bucketName); + + if (bucket == null) { + System.out.println("Bucket " + bucketName + " not found."); + return; + } + + System.out.println(" Bucket Name: " + bucket.getName()); + System.out.println(" Default KMS Key: " + bucket.getDefaultKmsKeyName()); + + GoogleManagedEncryptionEnforcementConfig gmekConfig = + 
bucket.getGoogleManagedEncryptionEnforcementConfig(); + CustomerManagedEncryptionEnforcementConfig cmekConfig = + bucket.getCustomerManagedEncryptionEnforcementConfig(); + CustomerSuppliedEncryptionEnforcementConfig csekConfig = + bucket.getCustomerSuppliedEncryptionEnforcementConfig(); + + System.out.println( + " GMEK Enforcement: " + + (gmekConfig != null ? gmekConfig.getRestrictionMode() : "NOT SET (Default)")); + System.out.println( + " CMEK Enforcement: " + + (cmekConfig != null ? cmekConfig.getRestrictionMode() : "NOT SET (Default)")); + System.out.println( + " CSEK Enforcement: " + + (csekConfig != null ? csekConfig.getRestrictionMode() : "NOT SET (Default)")); + } + } +} +// [END storage_get_encryption_enforcement_config] diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java new file mode 100644 index 0000000000..c4bda1f5e1 --- /dev/null +++ b/samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java 
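Review bot: The three `... != null ? ... : "NOT SET (Default)"` prints at the end of getEncryptionEnforcementConfig do not say what an unset config means for the bucket, which is the first thing a reader auditing buckets with this sample needs to know. I would add a comment above the first print such as `// A null config means no enforcement is configured for that encryption type.`; whether unset is equivalent to NOT_RESTRICTED is not visible here and should be confirmed before it is stated. The `bucket == null` branch also returns normally, so a caller scripting this check can only tell a missing bucket from a successful read by parsing stdout.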
@@ -0,0 +1,59 @@ +/* + * Copyright 2025 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.example.storage.bucket; + +// [START storage_remove_encryption_enforcement_config] + +import com.google.cloud.storage.Bucket; +import com.google.cloud.storage.BucketInfo; +import com.google.cloud.storage.Storage; +import com.google.cloud.storage.StorageOptions; + +public class RemoveEncryptionEnforcementConfig { + public static void removeEncryptionEnforcementConfig(String projectId, String bucketName) + throws Exception { + // The ID of your GCP project + // String projectId = "your-project-id"; + + // The ID of your GCS bucket + // String bucketName = "your-unique-bucket-name"; + + try (Storage storage = + StorageOptions.newBuilder().setProjectId(projectId).build().getService()) { + Bucket bucket = storage.get(bucketName); + if (bucket == null) { + System.out.println("Bucket " + bucketName + " does not exist."); + return; + } + // To remove an existing policy, the corresponding field must be explicitly set to 'null' + // in the BucketInfo object passed to the update call. + BucketInfo bucketInfo = + bucket.toBuilder() + .setGoogleManagedEncryptionEnforcementConfig(null) + .setCustomerManagedEncryptionEnforcementConfig(null) + .setCustomerSuppliedEncryptionEnforcementConfig(null) + .build(); + + storage.update(bucketInfo); + System.out.println( + "Encryption enforcement policy removed from bucket " + + bucketName + + ". 
Bucket reverted to default behavior."); + } + } +} +// [END storage_remove_encryption_enforcement_config] diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java new file mode 100644 index 0000000000..6d2cbf1d2e --- /dev/null +++ b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java 
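Review bot: `storage.update(bucketInfo)` in removeEncryptionEnforcementConfig writes back a BucketInfo built from the earlier `storage.get(bucketName)` with no precondition, so a change made to the bucket between the read and the write can be overwritten. Because this call loosens a security control, I would make it conditional on the version that was read: `storage.update(bucketInfo, Storage.BucketTargetOption.metagenerationMatch());`. It would also help to print the configs that are about to be cleared before the update, so the removal leaves a record of what was enforced, e.g. `System.out.println("Removing CSEK enforcement: " + bucket.getCustomerSuppliedEncryptionEnforcementConfig());`.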
@@ -0,0 +1,121 @@ +/* + * Copyright 2025 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.example.storage.bucket; + +// [START storage_set_encryption_enforcement_config] + +import com.google.cloud.storage.Bucket; +import com.google.cloud.storage.BucketInfo; +import com.google.cloud.storage.BucketInfo.CustomerManagedEncryptionEnforcementConfig; +import com.google.cloud.storage.BucketInfo.CustomerSuppliedEncryptionEnforcementConfig; +import com.google.cloud.storage.BucketInfo.EncryptionEnforcementRestrictionMode; +import com.google.cloud.storage.BucketInfo.GoogleManagedEncryptionEnforcementConfig; +import com.google.cloud.storage.Storage; +import com.google.cloud.storage.StorageOptions; + +public class SetBucketEncryptionEnforcementConfig { + public static void setBucketEncryptionEnforcementConfig( + String projectId, String bucketName, String kmsKeyName) throws Exception { + // The ID of your GCP project + // String projectId = "your-project-id"; + + // The ID of your GCS bucket + // String bucketName = "your-unique-bucket-name"; + + // The name of the KMS key to use + // String kmsKeyName = + // "projects/your-project-id/locations/us/keyRings/my_key_ring/cryptoKeys/my_key" + + try (Storage storage = + StorageOptions.newBuilder().setProjectId(projectId).build().getService()) { + + // Example 1: Enforce GMEK Only + setGmekOnlyPolicy(storage, bucketName + "_gmek_only"); + + // Example 2: Enforce CMEK Only + 
setCmekOnlyPolicy(storage, bucketName + "_cmek_only", kmsKeyName); + + // Example 3: Restrict CSEK (Ransomware Protection) + restrictCsekPolicy(storage, bucketName + "_restrict_csek"); + } + } + + public static void setGmekOnlyPolicy(Storage storage, String bucketName) { + System.out.println("--- Setting GMEK-Only Policy on bucket " + bucketName + " ---"); + GoogleManagedEncryptionEnforcementConfig gmekConfig = + GoogleManagedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.NOT_RESTRICTED); + CustomerManagedEncryptionEnforcementConfig cmekConfig = + CustomerManagedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); + CustomerSuppliedEncryptionEnforcementConfig csekConfig = + CustomerSuppliedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); + + BucketInfo bucketInfo = + BucketInfo.newBuilder(bucketName) + .setGoogleManagedEncryptionEnforcementConfig(gmekConfig) + .setCustomerManagedEncryptionEnforcementConfig(cmekConfig) + .setCustomerSuppliedEncryptionEnforcementConfig(csekConfig) + .build(); + + Bucket bucket = storage.create(bucketInfo); + System.out.println( + "Bucket " + bucket.getName() + " created with GMEK-only enforcement policy."); + } + + public static void setCmekOnlyPolicy(Storage storage, String bucketName, String kmsKeyName) { + System.out.println("--- Setting CMEK-Only Policy on bucket " + bucketName + " ---"); + GoogleManagedEncryptionEnforcementConfig gmekConfig = + GoogleManagedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); + CustomerManagedEncryptionEnforcementConfig cmekConfig = + CustomerManagedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.NOT_RESTRICTED); + CustomerSuppliedEncryptionEnforcementConfig csekConfig = + CustomerSuppliedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); + + BucketInfo bucketInfo = + 
BucketInfo.newBuilder(bucketName) + .setDefaultKmsKeyName(kmsKeyName) + .setGoogleManagedEncryptionEnforcementConfig(gmekConfig) + .setCustomerManagedEncryptionEnforcementConfig(cmekConfig) + .setCustomerSuppliedEncryptionEnforcementConfig(csekConfig) + .build(); + + Bucket bucket = storage.create(bucketInfo); + System.out.println( + "Bucket " + bucket.getName() + " created with CMEK-only enforcement policy."); + } + + public static void restrictCsekPolicy(Storage storage, String bucketName) { + System.out.println("--- Setting Restrict-CSEK Policy on bucket " + bucketName + " ---"); + CustomerSuppliedEncryptionEnforcementConfig csekConfig = + CustomerSuppliedEncryptionEnforcementConfig.of( + EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); + + BucketInfo bucketInfo = + BucketInfo.newBuilder(bucketName) + .setCustomerSuppliedEncryptionEnforcementConfig(csekConfig) + .build(); + + Bucket bucket = storage.create(bucketInfo); + System.out.println("Bucket " + bucket.getName() + " created with a policy to restrict CSEK."); + } +} +// [END storage_get_encryption_enforcement_config] From b02b150272dfe71690da28452503d418ac7071d4 Mon Sep 17 00:00:00 2001 From: nidhiii-27 Date: Thu, 30 Oct 2025 19:24:55 +0530 Subject: [PATCH 2/3] fix region tag --- .../storage/bucket/SetBucketEncryptionEnforcementConfig.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java index 6d2cbf1d2e..5f912c56b0 100644 --- a/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java +++ b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java 
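Review bot: The three helpers are named set*Policy and print "Setting ... Policy on bucket", but each one calls `storage.create(bucketInfo)`, so they only work for a bucket that does not exist yet and never show how to apply enforcement to an existing bucket. Either rename them (for example `createBucketWithGmekOnlyPolicy`) or add a comment such as `// Creates a new bucket; for an existing bucket, build from storage.get(...) and call storage.update(...)`. The "Ransomware Protection" label on Example 3 is also unexplained; a one-line comment on restrictCsekPolicy saying that FULLY_RESTRICTED for CSEK presumably rejects writes encrypted with caller-supplied keys would tell the reader what the policy is meant to defend against.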
@@ -118,4 +118,4 @@ public static void restrictCsekPolicy(Storage storage, String bucketName) { System.out.println("Bucket " + bucket.getName() + " created with a policy to restrict CSEK."); } } -// [END storage_get_encryption_enforcement_config] +// [END storage_set_encryption_enforcement_config] From 3b6fdd5647018205c7e88faeb6e6c05207f2239f Mon Sep 17 00:00:00 2001 From: nidhiii-27 Date: Wed, 5 Nov 2025 12:10:50 +0530 Subject: [PATCH 3/3] review fixes --- .../GetEncryptionEnforcementConfig.java | 21 ++++++++++++++----- ...RemoveAllEncryptionEnforcementConfig.java} | 6 +++--- .../SetBucketEncryptionEnforcementConfig.java | 20 ++++++------------ 3 files changed, 25 insertions(+), 22 deletions(-) rename samples/snippets/src/main/java/com/example/storage/bucket/{RemoveEncryptionEnforcementConfig.java => RemoveAllEncryptionEnforcementConfig.java} (92%) diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java index 1959f4999b..54f9889474 100644 --- a/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java +++ b/samples/snippets/src/main/java/com/example/storage/bucket/GetEncryptionEnforcementConfig.java @@ -46,8 +46,7 @@ public static void getEncryptionEnforcementConfig(String projectId, String bucke return; } - System.out.println(" Bucket Name: " + bucket.getName()); - System.out.println(" Default KMS Key: " + bucket.getDefaultKmsKeyName()); + System.out.println("Bucket Name: " + bucket.getName()); GoogleManagedEncryptionEnforcementConfig gmekConfig = bucket.getGoogleManagedEncryptionEnforcementConfig(); 
@@ -58,13 +57,25 @@ public static void getEncryptionEnforcementConfig(String projectId, String bucke System.out.println( " GMEK Enforcement: " - + (gmekConfig != null ? gmekConfig.getRestrictionMode() : "NOT SET (Default)")); + + (gmekConfig != null + ? String.format( + "Mode: %s, Effective Time: %s", + gmekConfig.getRestrictionMode(), gmekConfig.getEffectiveTime()) + : "NOT SET (Default)")); System.out.println( " CMEK Enforcement: " - + (cmekConfig != null ? cmekConfig.getRestrictionMode() : "NOT SET (Default)")); + + (cmekConfig != null + ? String.format( + "Mode: %s, Effective Time: %s", + cmekConfig.getRestrictionMode(), cmekConfig.getEffectiveTime()) + : "NOT SET (Default)")); System.out.println( " CSEK Enforcement: " - + (csekConfig != null ? csekConfig.getRestrictionMode() : "NOT SET (Default)")); + + (csekConfig != null + ? String.format( + "Mode: %s, Effective Time: %s", + csekConfig.getRestrictionMode(), csekConfig.getEffectiveTime()) + : "NOT SET (Default)")); } } } diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/RemoveAllEncryptionEnforcementConfig.java similarity index 92% rename from samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java rename to samples/snippets/src/main/java/com/example/storage/bucket/RemoveAllEncryptionEnforcementConfig.java index c4bda1f5e1..19159b29e7 100644 --- a/samples/snippets/src/main/java/com/example/storage/bucket/RemoveEncryptionEnforcementConfig.java +++ b/samples/snippets/src/main/java/com/example/storage/bucket/RemoveAllEncryptionEnforcementConfig.java 
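Review bot: The same `String.format("Mode: %s, Effective Time: %s", ...)` expression now appears three times, once per config type, which invites the copies drifting apart. A small private helper would remove the duplication, e.g. `private static String describe(Object mode, Object effectiveTime)`, with each print reduced to a null check plus one call. If `getEffectiveTime()` can return null for a config (not visible from this hunk), the output will read "Effective Time: null", which is worth handling or documenting. The enclosing method starts outside the hunk.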
@@ -16,14 +16,14 @@ package com.example.storage.bucket; -// [START storage_remove_encryption_enforcement_config] +// [START storage_remove_all_encryption_enforcement_config] import com.google.cloud.storage.Bucket; import com.google.cloud.storage.BucketInfo; import com.google.cloud.storage.Storage; import com.google.cloud.storage.StorageOptions; -public class RemoveEncryptionEnforcementConfig { +public class RemoveAllEncryptionEnforcementConfig { public static void removeEncryptionEnforcementConfig(String projectId, String bucketName) throws Exception { // The ID of your GCP project @@ -56,4 +56,4 @@ public static void removeEncryptionEnforcementConfig(String projectId, String bu } } } -// [END storage_remove_encryption_enforcement_config] +// [END storage_remove_all_encryption_enforcement_config] diff --git a/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java index 5f912c56b0..4a99ef1b82 100644 --- a/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java +++ b/samples/snippets/src/main/java/com/example/storage/bucket/SetBucketEncryptionEnforcementConfig.java 
@@ -28,34 +28,29 @@ import com.google.cloud.storage.StorageOptions; public class SetBucketEncryptionEnforcementConfig { - public static void setBucketEncryptionEnforcementConfig( - String projectId, String bucketName, String kmsKeyName) throws Exception { + public static void setBucketEncryptionEnforcementConfig(String projectId, String bucketName) + throws Exception { // The ID of your GCP project // String projectId = "your-project-id"; // The ID of your GCS bucket // String bucketName = "your-unique-bucket-name"; - // The name of the KMS key to use - // String kmsKeyName = - // "projects/your-project-id/locations/us/keyRings/my_key_ring/cryptoKeys/my_key" - try (Storage storage = StorageOptions.newBuilder().setProjectId(projectId).build().getService()) { // Example 1: Enforce GMEK Only - setGmekOnlyPolicy(storage, bucketName + "_gmek_only"); + setGmekEnforcedPolicy(storage, bucketName + "_gmek_only"); // Example 2: Enforce CMEK Only - setCmekOnlyPolicy(storage, bucketName + "_cmek_only", kmsKeyName); + setCmekEnforcedPolicy(storage, bucketName + "_cmek_only"); // Example 3: Restrict CSEK (Ransomware Protection) restrictCsekPolicy(storage, bucketName + "_restrict_csek"); } } - public static void setGmekOnlyPolicy(Storage storage, String bucketName) { - System.out.println("--- Setting GMEK-Only Policy on bucket " + bucketName + " ---"); + public static void setGmekEnforcedPolicy(Storage storage, String bucketName) { GoogleManagedEncryptionEnforcementConfig gmekConfig = GoogleManagedEncryptionEnforcementConfig.of( EncryptionEnforcementRestrictionMode.NOT_RESTRICTED); 
@@ -78,8 +73,7 @@ public static void setGmekOnlyPolicy(Storage storage, String bucketName) { "Bucket " + bucket.getName() + " created with GMEK-only enforcement policy."); } - public static void setCmekOnlyPolicy(Storage storage, String bucketName, String kmsKeyName) { - System.out.println("--- Setting CMEK-Only Policy on bucket " + bucketName + " ---"); + public static void setCmekEnforcedPolicy(Storage storage, String bucketName) { GoogleManagedEncryptionEnforcementConfig gmekConfig = GoogleManagedEncryptionEnforcementConfig.of( EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED); @@ -92,7 +86,6 @@ public static void setCmekOnlyPolicy(Storage storage, String bucketName, String BucketInfo bucketInfo = BucketInfo.newBuilder(bucketName) - .setDefaultKmsKeyName(kmsKeyName) .setGoogleManagedEncryptionEnforcementConfig(gmekConfig) .setCustomerManagedEncryptionEnforcementConfig(cmekConfig) .setCustomerSuppliedEncryptionEnforcementConfig(csekConfig) @@ -104,7 +97,6 @@ public static void setCmekOnlyPolicy(Storage storage, String bucketName, String } public static void restrictCsekPolicy(Storage storage, String bucketName) { - System.out.println("--- Setting Restrict-CSEK Policy on bucket " + bucketName + " ---"); CustomerSuppliedEncryptionEnforcementConfig csekConfig = CustomerSuppliedEncryptionEnforcementConfig.of( EncryptionEnforcementRestrictionMode.FULLY_RESTRICTED);
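Review bot: With `.setDefaultKmsKeyName(kmsKeyName)` removed in the `@@ -92,7 +86,6 @@` hunk, setCmekEnforcedPolicy creates a bucket where GMEK and CSEK are FULLY_RESTRICTED and no default KMS key is configured. Presumably every write to that bucket must then name a KMS key explicitly or be rejected, which is easy to miss when copying the sample. I would either keep the default key (restoring the `kmsKeyName` parameter that the `@@ -28,34 +28,29 @@` hunk drops) or add a comment on the builder: `// No default KMS key is set: each upload must specify a Cloud KMS key.` The method body starts and ends outside this hunk.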