
Unable to upload new object when CMEK is enabled for a bucket. #155

Closed
frankyn opened this issue May 21, 2020 · 2 comments · Fixed by #158
Labels
api: storage Issues related to the googleapis/python-storage API. priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@frankyn
Member

frankyn commented May 21, 2020

Tracking issue for a customer.

The issue is that the Python library does a metadata GET on an Object, which includes the kmsKeyName version resource ID in the metadata.
If you use the same Blob instance to perform an upload, the Python library will use the kmsKeyName version resource ID instead of the kmsKeyName resource ID.
The Cloud Storage API expects the kmsKeyName without version information.

Here's an example for illustration:
kmsKeyName version resource ID:

projects/project-id/us/keyRings/testmrbucket/cryptoKeys/testkey/cryptoKeyVersions/1

kmsKeyName resource ID:

projects/project-id/locations/us/keyRings/testmrbucket/cryptoKeys/testkey

Reproduction

```python
from google.cloud import storage

bucket_name = 'your-bucket-name'
blob_name = 'your-object-name'

client = storage.Client()
bucket = client.bucket(bucket_name)

# Creates a random encrypted blob.
blob = bucket.blob(blob_name)
blob.upload_from_string("oldcontent")
# Reusing the same Blob instance: its kms_key_name now carries the key *version*
# returned by the server, which the API rejects on upload.
blob.upload_from_string("newcontent", if_generation_match=blob.generation)
```

Workaround

```python
from google.cloud import storage

bucket_name = 'your-bucket-name'
blob_name = 'your-object-name'

client = storage.Client()
bucket = client.bucket(bucket_name)

# Creates a random encrypted blob.
blob = bucket.blob(blob_name)
blob.upload_from_string("oldcontent")
# Store the generation
saved_generation = blob.generation

# Get a new instance of Blob to unset value of kmsKeyName
blob = bucket.blob(blob_name)
blob.upload_from_string("newcontent", if_generation_match=saved_generation)
```

Potential Fix:

  • blob.upload_from_* should only use kmsKeyName if it doesn't end with a version.
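Added example (not the library's code and not the fix that landed in #158) of the normalization the "Potential Fix" bullet describes: strip a trailing `cryptoKeyVersions/<n>` segment from a server-returned kmsKeyName before reusing it on upload. The regex, `strip_kms_key_version` and the `FakeBlob` stand-in are assumptions made for this example.

```python
import re

# Hypothetical: matches a CryptoKeyVersion resource name and captures the
# version-less CryptoKey resource name the Storage API expects on writes.
_KEY_VERSION_RE = re.compile(
    r"^(?P<key>projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+)"
    r"/cryptoKeyVersions/[^/]+$"
)


def strip_kms_key_version(kms_key_name):
    """Return the CryptoKey resource ID for a kmsKeyName read from object metadata.

    A metadata GET reports the key *version* that encrypted the object; uploads
    must send the version-less key name. Values that are already version-less,
    or None, are returned unchanged so the function is safe to apply always.
    """
    if kms_key_name is None:
        return None
    match = _KEY_VERSION_RE.match(kms_key_name)
    return match.group("key") if match else kms_key_name


class FakeBlob:
    """Minimal stand-in for google.cloud.storage.Blob (constructed for this example)."""

    def __init__(self):
        self.kms_key_name = None

    def reload(self, metadata):
        # Simulates the metadata GET: the server hands back the versioned key.
        self.kms_key_name = metadata.get("kmsKeyName")

    def upload_query_params(self):
        # Query parameters a fixed upload would send: the versioned key is
        # normalized, and no kmsKeyName is sent when none was ever set.
        params = {}
        key = strip_kms_key_version(self.kms_key_name)
        if key:
            params["kmsKeyName"] = key
        return params
```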
@product-auto-label product-auto-label bot added the api: storage Issues related to the googleapis/python-storage API. label May 21, 2020
@frankyn frankyn added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels May 21, 2020
@HemangChothani
Contributor

@frankyn May I look into it?

@frankyn
Member Author

frankyn commented May 21, 2020

I'm available through chat for the next few hours if you'd like to discuss this more. Thanks @HemangChothani
