R\SrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKJ r SSK J r SS K J r SS K Jr SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SSK!J"r" SSK#J$r$ SSK%J&r& SSK'J(r( SSK)J*r* SSK)J+r+ Sr,Sr-Sr.\,\-R_S5-\.R_S5-S-r0Sr1Sr2S r3S!\1\2-\3--r4\"\0\45r5\"\,\15r6\"\-\25r7\"\.\35r8\+"S"S#/\*"S$5\*"S%5S&.S'9r9\+"S"S#/S(\*"S$50S'9r:"S)S*\5r;g)+z/This module provides the kms command to gsutil.)absolute_import)print_function)division)unicode_literalsN)metrics)AccessDeniedException)ServiceException)Command)CommandArgument) ApiSelector)CommandException)NO_URLS_MATCHED_TARGET)CreateHelpText)KmsApi)PopulateProjectId)Binding)storage_v1_messages) text_util)NO_MAX) ValidateCMEK)Retry)GcloudStorageFlag)GcloudStorageMapz4 gsutil kms authorize [-p ] -k zJ gsutil kms encryption [(-d|[-k ])] [-w] gs://... z, gsutil kms serviceaccount [-p ]  a AUTHORIZE The authorize sub-command checks that the default (or supplied) project has a Cloud Storage service agent created for it, and if not, it creates one. It then adds appropriate encrypt/decrypt permissions to Cloud KMS resources such that the service agent can write and read Cloud KMS-encrypted objects in buckets associated with the service agent's project. AUTHORIZE EXAMPLES Authorize "my-project" to use a Cloud KMS key: gsutil kms authorize -p my-project \ -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key AUTHORIZE OPTIONS -k The path to the KMS key to use. The path has the following form: ``projects/[project-id]/locations/[location]/keyRings/[key-ring]/cryptoKeys/[my-key]`` -p The ID or number of the project being authorized to use the Cloud KMS key. If this flag is not included, your default project is authorized. a ENCRYPTION The encryption sub-command is used to set, display, or clear a bucket's default KMS key, which is used to encrypt newly-written objects if no other key is specified. ENCRYPTION EXAMPLES Set the default KMS key for my-bucket: gsutil kms encryption \ -k projects/key-project/locations/us-east1/keyRings/key-ring/cryptoKeys/my-key \ gs://my-bucket Show the default KMS key for my-bucket, if one is set: gsutil kms encryption gs://my-bucket Clear the default KMS key so newly-written objects are not encrypted using it: gsutil kms encryption -d gs://my-bucket Once you clear the default KMS key, newly-written objects are encrypted with Google-managed encryption keys by default. ENCRYPTION OPTIONS -k Set the default KMS key for my-bucket using the full path to the key, which has the following form: ``projects/[project-id]/locations/[location]/keyRings/[key-ring]/cryptoKeys/[my-key]`` -w (used with -k key) Display a warning rather than failing if gsutil is unable to verify that the specified key contains the correct IAM bindings for encryption/decryption. This is useful for users that do not have getIamPolicy permission but know that the key has the correct IAM policy for encryption in the user's project. -d Clear the default KMS key. a" SERVICEACCOUNT The serviceaccount sub-command displays the Cloud Storage service agent that is used to perform Cloud KMS operations against your default project (or a supplied project). SERVICEACCOUNT EXAMPLES Show the service account for my-project: gsutil kms serviceaccount -p my-project SERVICEACCOUNT OPTIONS -p The ID or number of the project whose Cloud Storage service agent is being requested. If this flag is not included, your default project is used. aS The kms command is used to configure Google Cloud Storage and Cloud KMS resources to support encryption of Cloud Storage objects with `Cloud KMS keys `_. The kms command has three sub-commands that deal with configuring Cloud Storage's integration with Cloud KMS: ``authorize``, ``encryption``, and ``serviceaccount``. Before using this command, read the `prerequisites `_. for using Cloud KMS with Cloud Storage. storagez service-agentz --projectz--authorize-cmek)-p-kgcloud_commandflag_maprcL^\rSrSrSr\R "S\S\SSSS\ R/\ R/\ R"S5//S.S9 r \R"S/S S \\\\S.S 9r\"\\S .0S 9rU4SjrSr\"\SSS9S5rSrSrSrSr Sr!Sr"Sr#Sr#Sr$U=r%$) KmsCommandz!Implements of gsutil kms command.kmszdk:p:wF authorize encryptionserviceaccount) usage_synopsismin_argsmax_argssupported_sub_args file_url_okprovider_url_okurls_start_arggs_api_supportgs_default_apiargparse_arguments command_helpzConfigure Cloud KMS encryption) help_namehelp_name_aliases help_typehelp_one_line_summary help_textsubcommand_help_text)r'r)rc >URSS:Xa[S[SS/[S5[S5[S5S.S 900S 9nS UR;dS UR;a$URS=RS /- slO5URS=R/S Q- slO[R n[ TU]U5$)Nrr(rbucketsz--clear-default-encryption-keyz--default-encryption-key)-dr-wrr>rupdate)describezi--format=value[separator=": "](name, encryption.defaultKmsKeyName.yesno(no="No default encryption key."))z--raw)argsrrrr"gcloud_storage_mapsuperget_gcloud_storage_args)selfrC __class__s %platform/gsutil/gslib/commands/kms.pyrE"KmsCommand.get_gcloud_storage_argss yy||#+ "+Y!7-.NO-.HI-b1 <68 9  ddii/)),7FF K  F )),7FFK  F&88 7 *+= >>c<UR5 SUlSUlSUlUR(adURHTup#US:XaX0lMUS:XaX0l[ UR5 M6US:Xa SUlMEUS:XdMMSUlMV UR(aOURS:wdUR(d.[SR[R"S 555eUR (d[S5Ulgg) NFrrr>Tr?r(rzoThe "-w" option should only be specified for the "encryption" subcommand and must be used with the "-k" option.) CheckArguments clear_kms_keykms_keywarn_on_key_authorize_failuresub_opts project_idrsubcommand_namer jointextwrapwrapr)rFrRoas rH_GatherSubOptionsKmsCommand._GatherSubOptionssDDL).D& }}--$! 9/ $Y, t|| $ $Y#$  $Y/3$ ,  ))  ,DLL TYY --B CD EE ??)$/do rJ)tries timeout_secscbURRUSS9Rn[URS9nURR SU5 UR U5nURR SU5 Sn[SSU-/S 9nXuR;a.URRU5 URX%5 S nX64$![aR UR(a?[R"S R[ R""S 555 US4s$ef=f) aAuthorizes a project's service account to be used with a KMS key. Authorizes the Cloud Storage-owned service account for project_id to be used with kms_key. Args: project_id: (str) Project id string (not number). kms_key: (str) Fully qualified resource name for the KMS key. Returns: (str, bool) A 2-tuple consisting of: 1) The email address for the service account associated with the project, which is authorized to encrypt/decrypt with the specified key. 2) A bool value - True if we had to grant the service account permission to encrypt/decrypt with the given key; False if the required permission was already present. gsprovider)loggerzGetting IAM policy for %szCurrent policy is %sFz*roles/cloudkms.cryptoKeyEncrypterDecrypterzserviceAccount:%s)rolemembersTraWarning: Check that your Cloud Platform project's service account has the "cloudkms.cryptoKeyEncrypterDecrypter" role for the specified key. Without this role, you may not be able to encrypt or decrypt objects using the key which will prevent you from uploading or downloading objects.) gsutil_apiGetProjectServiceAccount email_addressrradebugGetKeyIamPolicyrbindingsappendSetKeyIamPolicyrrOr print_to_fdrSrTrU)rFrQrNservice_accountkms_apipolicyadded_new_bindingbindings rH_AuthorizeProjectKmsCommand._AuthorizeProjects)*oo>>T?##0=DKK(GKK17;&&w/f kk.7 I!4!F GIg  'w'0  11  + +dii MME FG H ''  sAURnURS:wa[STR-5eTRR UR SS/URS9nTR(aTRX!5 gTR(aTRX!T5 g[U5RS5nUR(aCURR(a([SU<S URR<35 g[S U-5 g) z6Set, clear, or get the defaultKmsKeyName for a bucket.r^z7The %s command can only be used with gs:// bucket URLs.r(rrrr~zDefault encryption key for z: z'Bucket %s has no default encryption key) storage_urlrr rwrd GetBucketrrMrrNrrrr(rrx)blrrrbucket_url_stringrFrs rH_EncryptionForBucket4KmsCommand._Encryption.._EncryptionForBuckets??j   d " E      11  0$$2&o      =  7 9j/005  $ $  $ $ 6 6  /"<"<"N"NP Q 7:KKL rJFTr)rXrB$RaiseWrongNumberOfArgumentsExceptionGetBucketUrlIterFromArgr rlist)rFr some_matchedurl_argsurl_str bucket_iterbucket_listing_refrs` @rH _EncryptionKmsCommand._Encryptions<( "!JLyyH  //1009k +  /0!,  3d8nD EE rJcUR5 UR(dS/UlUR(a#URHupUS:XdM X lM UR(d[ S5UlUR R SUR5 URRURSS9Rn[U5 g)Nzgs://rz'Checking service account for project %sr^r_r) rLrBrPrQrrargrdrerfrx)rFrVrWrms rH_ServiceAccountKmsCommand._ServiceAccounts 99)di }}--$! 9/  ??)$/do KK?oo'oo>> $?((5  / rJc([R"URURR5uUlUl[ R "URS9 U"U5$![Ra UR5 gf=f)N)rP) getoptrB command_specr-rPrLogCommandParams GetoptErrorRaiseInvalidArgumentException)rFfuncs rH_RunSubCommandKmsCommand._RunSubCommandsr+!' ))T&&99";dmTY 6 $Z   + ((*+sA'A**$BBcURRSS9[R:wa;[ SR [ R"SUR-555eg)(Command entry point for the kms command.r^r_rzThe "%s" command can only be used with the GCS JSON API. If you have only supplied hmac credentials in your boto file, please instead supply a credential type that can be used with the JSON API.N) rdGetApiSelectorr JSONr rSrTrUrw)rFs rH RunCommandKmsCommand.RunCommandsc  %%t%4 8H8HH TYY --(() *+ ,,IrJcVURRSS9[R:wa;[ SR [ R"SUR-555e[R[R[RS.nURRS5UlURU;a<[ R""UR/S9 UR%XR5$[ SUR<S UR<S 35e) rr^r_rzThe "%s" command can only be used with the GCS JSON API, which cannot use HMAC credentials. Please supply a credential type that is compatible with the JSON API (e.g. OAuth2) in your boto config file.r&r) subcommandszInvalid subcommand "z " for the z command.)rdrr rr rSrTrUrwr"r{rrrBpoprRrrr)rFmethod_for_subcommands rHrrs  %%t%4 8H8HH TYY --"%)$5$56 78 99 ** ,,$44  99==+D 44 D,@,@+AB  !67K7K!L MM "22D4E4EG HHrJ)rBrMrNrQrPrRrO)&__name__ __module__ __qualname____firstlineno____doc__r CreateCommandSpec _SYNOPSISrr rr MakeNCloudBucketURLsArgumentrHelpSpec_DETAILED_HELP_TEXT_authorize_help_text_encryption_help_text_serviceaccount_help_text help_specr_AUTHORIZE_COMMAND_SERVICEACCOUNT_COMMANDrCrErXrr rrr{rrrrrr__static_attributes__ __classcell__)rGs@rHr"r"s)** !!&&' %%(EEaHI ,"<#+-5 )()3  ?:0< 3242h   <rs|6&%' 1,!2(,2. .GW!(6(32!#7#>#>t#D D % , ,T 2359: 2(V$  77"#$ %Y =%&9&<>&';'>@*+C+FH&/ , 23+/  ,[H[HrJ