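Given an existing BigQuery table that uses the default Google-managed encryption, is it possible to change the encryption to a customer-managed encryption key (CMEK) through the API (patch) or the Python client library (client.update_table)? Using the API explorer and the Python client raises no error, but the table still keeps the default encryption. All the examples in the documentation reference copy the table. I am trying to understand whether encryption_configuration can be changed in place. Sample Python code below: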
from google.cloud import bigquery
import warnings
warnings.filterwarnings("ignore")
PROJECT = 'x'
DATASET = 'x'
TABLE = 'x'
KMSKEY = 'x'
client = bigquery.Client(project=PROJECT)
dataset_ref = client.dataset(DATASET)
table_ref = dataset_ref.table(TABLE)
bq_table = client.get_table(table_ref)
bq_table.encryption_configuration = bigquery.EncryptionConfiguration(kms_key_name=KMSKEY)
bq_table = client.update_table(bq_table, ['encryption_configuration'])
assert bq_table.encryption_configuration.kms_key_name == KMSKEY
Output:
Traceback (most recent call last):
  File "test_cmek_update.py", line 20, in <module>
    assert bq_table.encryption_configuration.kms_key_name == KMSKEY
AttributeError: 'NoneType' object has no attribute 'kms_key_name'
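Answer 0 (score: 0)
You can basically change to KMS protection by copying the table onto itself. In the relevant Python example, dest_dataset_ref and dest_table_ref should be set to the same values as the source, then configure the copy job to have the WRITE_TRUNCATE write disposition by adding the following line: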
job_config.write_disposition = 'WRITE_TRUNCATE'
To do the same through the REST API, run:
alias gcurl='curl -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json" '
gcurl -X POST -T "kms_request.json" https://www.googleapis.com/bigquery/v2/projects/$PROJECT/jobs
where kms_request.json would be:
{
  "configuration": {
    "jobType": "COPY",
    "copy": {
      "sourceTable": {
        "projectId": "[PROJECT]",
        "datasetId": "[DATASET]",
        "tableId": "[TABLE]"
      },
      "destinationTable": {
        "projectId": "[PROJECT]",
        "datasetId": "[DATASET]",
        "tableId": "[TABLE]"
      },
      "writeDisposition": "WRITE_TRUNCATE",
      "destinationEncryptionConfiguration": {
        "kmsKeyName": "projects/[PROJECT]/locations/[KMS_KEY_LOCATION]/keyRings/[KMS_KEY_RING]/cryptoKeys/[KMS_KEY]"
      }
    }
  }
}
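An added example, not part of the original answer or of Google's documentation: it builds the same copy-onto-itself job body as kms_request.json and checks a tables.get response (passed in as a dict) for the expected key, treating a missing encryptionConfiguration as default encryption rather than failing as the assert in the question did. The function names and the sample key are assumptions made for illustration.

```python
import json
import re

# Full Cloud KMS CryptoKey resource name, the form used in kms_request.json above.
KMS_KEY_RE = re.compile(
    r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+"
)


def build_rekey_request(project, dataset, table, kms_key_name):
    """Return the job body that copies a table onto itself under a CMEK."""
    if not KMS_KEY_RE.fullmatch(kms_key_name):
        raise ValueError("not a full CryptoKey resource name: %r" % kms_key_name)
    ref = {"projectId": project, "datasetId": dataset, "tableId": table}
    return {
        "configuration": {
            "jobType": "COPY",
            "copy": {
                "sourceTable": dict(ref),
                "destinationTable": dict(ref),  # same table: rewrite in place
                "writeDisposition": "WRITE_TRUNCATE",
                "destinationEncryptionConfiguration": {"kmsKeyName": kms_key_name},
            },
        }
    }


def table_kms_key(table_resource):
    """Return the table's CMEK name, or None for Google-managed encryption.

    Takes a tables.get response as a dict. The encryptionConfiguration field
    can be absent or null, which is the case that raised the AttributeError
    in the question.
    """
    return (table_resource.get("encryptionConfiguration") or {}).get("kmsKeyName")


def is_protected_by(table_resource, kms_key_name):
    """True only if the table reports exactly the expected key."""
    return table_kms_key(table_resource) == kms_key_name


if __name__ == "__main__":
    key = "projects/p/locations/us/keyRings/r/cryptoKeys/k"  # constructed sample
    print(json.dumps(build_rekey_request("p", "d", "t", key), indent=2))
    print(is_protected_by({"tableReference": {"tableId": "t"}}, key))
```

Running is_protected_by against a fresh tables.get response after the copy job completes confirms the re-encryption took effect instead of assuming it from the job's success.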