Configuring Bucket Encryption
Functions
OBS uses the PUT method to create or update the default server-side encryption for a bucket.
After you configure encryption for a bucket, objects uploaded to this bucket will be encrypted with the bucket encryption settings you specified. Currently, OBS supports server-side encryption with KMS-managed keys (SSE-KMS) and OBS-managed keys (SSE-OBS). For details, see Server-Side Encryption.
To perform this operation, you must have the PutEncryptionConfiguration permission. By default, the bucket owner has this permission and can grant it to others.
For more information about permission control, see the permission control in the OBS Permission Configuration Guide.
Authorization Information
To call this API, you must be the bucket owner or have the permission to configure bucket encryption. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.
- If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:
- If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutEncryptionConfiguration permission. For details, see Creating a Custom IAM Policy.
- If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putEncryptionConfiguration permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.
Action
Access Level
Resource Type (*: Required)
Dependencies
obs:bucket:putEncryptionConfiguration
Write
bucket *
-
-
-
- obs:EpochTime
- obs:SourceIp
- obs:TlsVersion
- obs:CustomDomain
- obs:BucketEncrypted
- If you use bucket policies for authorization, you need to grant the obs:bucket:PutEncryptionConfiguration permission. For details, see Creating a Custom Bucket Policy.
Request Syntax (SSE-KMS AES256)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: date Authorization: authorization string Content-Length: length <ServerSideEncryptionConfiguration> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>kms</SSEAlgorithm> <KMSMasterKeyID>kmskeyid-value</KMSMasterKeyID> </ApplyServerSideEncryptionByDefault> <BucketKeyEnabled>true</BucketKeyEnabled> </Rule> </ServerSideEncryptionConfiguration> |
Request Syntax (SSE-OBS)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: date Authorization: authorization string Content-Length: length <ServerSideEncryptionConfiguration> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>AES256</SSEAlgorithm> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Request Parameters
This request contains no message parameters.
Request Headers
This request uses common headers. For details, see Table 3.
Request Elements
In this request, you need to carry the bucket encryption configuration in the request body. The bucket encryption configuration information is uploaded in the XML format. Table 1 lists the configuration elements.
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
ServerSideEncryptionConfiguration |
Yes |
Container |
Definition: Root element of the default encryption configuration of a bucket. ServerSideEncryptionConfiguration is the parent node of Rule. Constraints: None Range: None Default value: None |
|
Rule |
Yes |
Container |
Definition: The child element of the default bucket encryption configuration. Rule is the parent node of ApplyServerSideEncryptionByDefault and BucketKeyEnabled. Constraints: None Range: For details, see Rule parameters. Default value: None |
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
ApplyServerSideEncryptionByDefault |
Yes |
Container |
Definition: Child element of the default encryption configuration of a bucket. Constraints: None Range: For details, see Table 3. Default value: None |
|
BucketKeyEnabled |
No |
String |
Definition: Whether to enable the OBS bucket key feature. Constraints:
Range:
Default value: false |
|
Parameter |
Mandatory (Yes/No) |
Type |
Description |
|---|---|---|---|
|
SSEAlgorithm |
Yes |
String |
Definition: Server-side encryption algorithm used for the default encryption configuration of a bucket. Constraints: None Range:
Default value: None |
|
KMSMasterKeyID |
No |
String |
Definition: KMS master key ID used in SSE-KMS encryption. Constraints:
Range:
In the preceding formats:
Default value: None |
|
ProjectID |
No |
String |
Definition: ID of the project where the KMS master key belongs when SSE-KMS is used. Constraints:
Range: Project ID that matches KMSMasterKeyID, that is, the ID of the project to which the master key with the specified KMSMasterKeyID belongs Default value: None |
Response Syntax
1 2 3 |
HTTP/1.1 status_code Date: date Content-Length: length |
Response Headers
The response to the request uses common headers. For details, see Table 1.
Response Elements
This response contains no elements.
Error Responses
No special error responses are returned. For details about error responses, see Table 2.
Sample Request (SSE-KMS AES256)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: examplebucket.obs.region.myhuaweicloud.com Accept: */* Date: Thu, 21 Feb 2019 03:05:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI= Content-Length: 778 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>kms</SSEAlgorithm> <KMSMasterKeyID>4f1cd4de-ab64-4807-920a-47fc42e7f0d0</KMSMasterKeyID> </ApplyServerSideEncryptionByDefault> <BucketKeyEnabled>true</BucketKeyEnabled> </Rule> </ServerSideEncryptionConfiguration> |
Sample Response (SSE-KMS AES256)
1 2 3 4 5 6 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BF26000001643670AC06E7B9A7767921 x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm Date: Thu, 21 Feb 2019 03:05:34 GMT Content-Length: 0 |
Sample Request (SSE-OBS)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
PUT /?encryption HTTP/1.1 User-Agent: curl/7.29.0 Host: bucketname.obs.region.myhuaweicloud.com Accept: */* Date: Thu, 21 Feb 2019 03:05:34 GMT Authorization: OBS H4IPJX0TQTHTHEBQQCEC:DpSAlmLX/BTdjxU5HOEwflhM0WI= Content-Length: 778 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <ServerSideEncryptionConfiguration xmlns="http://obs.region.myhuaweicloud.com/doc/2015-06-30/"> <Rule> <ApplyServerSideEncryptionByDefault> <SSEAlgorithm>AES256</SSEAlgorithm> </ApplyServerSideEncryptionByDefault> </Rule> </ServerSideEncryptionConfiguration> |
Sample Response (SSE-OBS)
1 2 3 4 5 6 |
HTTP/1.1 200 OK Server: OBS x-obs-request-id: BF26000001643670AC06E7B9A7767921 x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSvK6z8HV6nrJh49gsB5vqzpgtohkiFm Date: Thu, 21 Feb 2019 03:05:34 GMT Content-Length: 0 |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
