#!/usr/bin/env python
# Copyright 2019 Google, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START storage_rotate_encryption_key]
import base64
# [END storage_rotate_encryption_key]
import sys
# [START storage_rotate_encryption_key]
from google.cloud import storage
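def rotate_encryption_key(
    bucket_name, blob_name, base64_encryption_key, base64_new_encryption_key
):
    """Rotate a blob's customer-supplied encryption key (CSEK).

    The object is rewritten in place: it is read with the current key and
    written back under the new key via the rewrite API, which may need
    several calls (driven by a continuation token) for large objects.

    Args:
        bucket_name: Name of the bucket that holds the object.
        blob_name: Name of the object whose key is rotated.
        base64_encryption_key: The object's current CSEK, base64-encoded.
        base64_new_encryption_key: The replacement CSEK, base64-encoded.

    Raises:
        ValueError: If either key is not strict base64 or does not decode to
            a 32-byte (256-bit) AES key. Both keys are checked before any
            request is issued, so a mistyped key can never be applied to the
            object and leave it unreadable.
    """
    # Decode and validate both keys up front; decoding after the rewrite has
    # started would leave no safe way to abort.
    current_encryption_key = _decode_csek(base64_encryption_key, "current")
    new_encryption_key = _decode_csek(base64_new_encryption_key, "new")

    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    # Both blob handles refer to the same storage object; only the
    # encryption key attached to each differs.
    source_blob = bucket.blob(blob_name, encryption_key=current_encryption_key)
    destination_blob = bucket.blob(blob_name, encryption_key=new_encryption_key)

    # rewrite() returns a token while the copy is still in progress and
    # None once the object has been fully rewritten under the new key.
    token = None
    while True:
        token, bytes_rewritten, total_bytes = destination_blob.rewrite(
            source_blob, token=token
        )
        if token is None:
            break

    print("Key rotation complete for Blob {}".format(blob_name))


def _decode_csek(base64_key, label):
    """Decode a base64 CSEK and verify it is a 256-bit key.

    Args:
        base64_key: The base64-encoded key string.
        label: Short name ("current"/"new") used only in error messages.

    Returns:
        The raw 32-byte key.

    Raises:
        ValueError: On malformed base64 or a key of the wrong length. The
            message deliberately never echoes the key material.
    """
    # validate=True rejects characters outside the base64 alphabet instead of
    # silently discarding them, so a corrupted or mistyped key cannot decode
    # to a different, unintended key. binascii.Error is a ValueError subclass.
    try:
        key = base64.b64decode(base64_key, validate=True)
    except ValueError as err:
        raise ValueError(
            "{} encryption key is not valid base64".format(label)
        ) from err
    # Cloud Storage CSEKs are AES-256 keys: exactly 32 bytes.
    if len(key) != 32:
        raise ValueError(
            "{} encryption key must decode to 32 bytes, got {}".format(
                label, len(key)
            )
        )
    return key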
# [END storage_rotate_encryption_key]
if __name__ == "__main__":
    # Positional CLI arguments: bucket, object, current key, new key (the
    # two keys base64-encoded). Note that values passed on the command line
    # are visible in process listings and shell history.
    argv = sys.argv
    rotate_encryption_key(argv[1], argv[2], argv[3], argv[4])