
Object Storage Service:Server-side encryption (Python SDK V2)

Last Updated:Dec 05, 2025

OSS supports server-side encryption for uploaded data. When you upload data, OSS encrypts it and stores the encrypted data. When you download data, OSS automatically decrypts the stored data and returns the raw data. The HTTP response to the download request carries a header that indicates the data was encrypted on the server.

Notes

  • Before you configure server-side encryption, make sure that you understand this feature. For more information, see Server-side encryption.

  • The sample code in this topic uses the China (Hangzhou) region ID cn-hangzhou as an example. By default, a public endpoint is used. If you want to access OSS from other Alibaba Cloud products in the same region, you can use an internal endpoint. For more information about the regions and endpoints that OSS supports, see Regions and endpoints.

  • In this topic, access credentials are retrieved from environment variables. For more information about how to configure access credentials, see Configure access credentials.

  • To configure bucket encryption, you must have the oss:PutBucketEncryption permission. To retrieve the bucket encryption configuration, you must have the oss:GetBucketEncryption permission. To delete the bucket encryption configuration, you must have the oss:DeleteBucketEncryption permission. For more information, see Grant custom permissions to a RAM user.

Sample code

Configure bucket encryption

You can use the following code to set the default encryption method for a bucket. After this configuration is complete, any object uploaded to the bucket without a specified encryption method is encrypted using the bucket's default encryption method.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="put bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the domain names that other services can use to access OSS. This argument is optional.
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS')

# Add the --sse_algorithm command-line argument, which specifies the default server-side encryption method. The default value is 'KMS'.
# Valid values: KMS (encryption using KMS), AES256 (encryption using AES-256), and SM4 (encryption using the Chinese cryptographic algorithm SM4).
parser.add_argument('--sse_algorithm', help='The default server-side encryption method. Valid values: KMS, AES256, and SM4.', default='KMS')

# Add the --kms_master_key_id command-line argument, which specifies the ID of the master key when SSEAlgorithm is set to KMS and a specified CMK is used for encryption.
# If you do not use a specified CMK, leave this parameter empty.
parser.add_argument('--kms_master_key_id', help='The CMK ID that is specified when SSEAlgorithm is set to KMS and a specified CMK is used for encryption. In other cases, leave this parameter empty.', default='')

# Add the --kms_data_encryption command-line argument, which specifies the algorithm that OSS uses to encrypt objects.
# The default value in this sample is 'SM4'. This parameter is valid only when SSEAlgorithm is set to KMS.
# If the parameter is omitted from the request, OSS encrypts objects using AES256.
parser.add_argument('--kms_data_encryption', help='The algorithm that is used to encrypt objects. If this parameter is not specified, objects are encrypted using AES256. This parameter is valid only when SSEAlgorithm is set to KMS. Valid value: SM4', default='SM4')

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # The kms_* parameters are valid only when SSEAlgorithm is set to KMS.
    # Pass None for them otherwise so that they are omitted from the request.
    use_kms = args.sse_algorithm == 'KMS'
    kms_master_key_id = args.kms_master_key_id if use_kms else None
    kms_data_encryption = args.kms_data_encryption if use_kms else None

    # Call the put_bucket_encryption method to set the encryption configuration for the bucket.
    result = client.put_bucket_encryption(
        oss.PutBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
            server_side_encryption_rule=oss.ServerSideEncryptionRule(
                apply_server_side_encryption_by_default=oss.ApplyServerSideEncryptionByDefault(
                    kms_master_key_id=kms_master_key_id,  # The CMK ID. Empty means no specified CMK; None when KMS is not used.
                    kms_data_encryption=kms_data_encryption,  # The object encryption algorithm (SM4). None when KMS is not used.
                    sse_algorithm=args.sse_algorithm,  # The server-side encryption algorithm: KMS, AES256, or SM4.
                ),
            ),
        )
    )

    # Print the status code and request ID of the operation result.
    print(f'status code: {result.status_code}, '  # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}')     # The request ID, which is used to track request logs and for debugging.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()
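The parameter descriptions above state rules that the SDK does not check for you: SSEAlgorithm must be KMS, AES256 or SM4, KMSMasterKeyID and KMSDataEncryption are meaningful only with KMS, and SM4 is the only documented KMSDataEncryption value. The helper below is an added example, not part of the SDK or of the original topic; it validates a requested default-encryption rule against exactly those rules before a request is sent and returns the keyword arguments you would pass to oss.ApplyServerSideEncryptionByDefault. It does not replace the validation OSS performs on the server, and the key ID in the demo is a placeholder.

```python
from typing import Dict, Optional

# Values accepted by SSEAlgorithm, as listed in the parameter descriptions above.
VALID_SSE_ALGORITHMS = ("KMS", "AES256", "SM4")
# The only value documented for KMSDataEncryption.
VALID_KMS_DATA_ENCRYPTION = ("SM4",)


def build_default_encryption(
    sse_algorithm: str,
    kms_master_key_id: Optional[str] = None,
    kms_data_encryption: Optional[str] = None,
) -> Dict[str, Optional[str]]:
    """Validate a default-encryption rule and return keyword arguments for
    oss.ApplyServerSideEncryptionByDefault (None values are omitted from the request).

    Raises ValueError when the combination contradicts the documented rules.
    """
    if sse_algorithm not in VALID_SSE_ALGORITHMS:
        raise ValueError(
            f"unsupported SSEAlgorithm {sse_algorithm!r}; "
            f"expected one of {', '.join(VALID_SSE_ALGORITHMS)}"
        )

    # Treat "leave this parameter empty" ('' or None) as not specified.
    key_id = kms_master_key_id or None
    data_enc = kms_data_encryption or None

    if sse_algorithm != "KMS":
        # KMSMasterKeyID and KMSDataEncryption are valid only with KMS.
        if key_id is not None:
            raise ValueError("KMSMasterKeyID is valid only when SSEAlgorithm is KMS")
        if data_enc is not None:
            raise ValueError("KMSDataEncryption is valid only when SSEAlgorithm is KMS")
    elif data_enc is not None and data_enc not in VALID_KMS_DATA_ENCRYPTION:
        raise ValueError(
            f"unsupported KMSDataEncryption {data_enc!r}; "
            f"expected one of {', '.join(VALID_KMS_DATA_ENCRYPTION)}"
        )

    return {
        "sse_algorithm": sse_algorithm,
        "kms_master_key_id": key_id,
        "kms_data_encryption": data_enc,
    }


def describe_rule(rule: Dict[str, Optional[str]]) -> str:
    """Human-readable summary of a validated rule, useful in a change review."""
    if rule["sse_algorithm"] != "KMS":
        return f"{rule['sse_algorithm']} without KMS"
    key = rule["kms_master_key_id"] or "not specified"
    # Per the parameter description, OSS falls back to AES256 when KMSDataEncryption is omitted.
    data = rule["kms_data_encryption"] or "AES256"
    return f"KMS (CMK: {key}) with {data} data encryption"


if __name__ == "__main__":
    # Constructed inputs; "<your-cmk-id>" is a placeholder, not a real CMK ID.
    for request in [
        ("KMS", "", "SM4"),
        ("KMS", "<your-cmk-id>", None),
        ("AES256", None, None),
        ("AES256", None, "SM4"),  # invalid: KMS-only parameter with AES256
    ]:
        try:
            print(describe_rule(build_default_encryption(*request)))
        except ValueError as exc:
            print(f"rejected {request}: {exc}")
```

Call build_default_encryption with the parsed command-line values and unpack the result into oss.ApplyServerSideEncryptionByDefault(**rule); a ValueError then stops the script before an inconsistent request reaches OSS.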

Get bucket encryption configuration

You can use the following code to retrieve the bucket encryption configuration.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="get bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the domain names that other services can use to access OSS. This argument is optional.
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS')

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # Call the get_bucket_encryption method to obtain the encryption configuration of the bucket.
    result = client.get_bucket_encryption(
        oss.GetBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
        )
    )

    # Print the status code and request ID of the operation result.
    print(f'status code: {result.status_code}, '  # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}')     # The request ID, which is used to track request logs and for debugging.

    # Print the default encryption settings that are returned in the response body.
    rule = result.server_side_encryption_rule
    if rule is not None and rule.apply_server_side_encryption_by_default is not None:
        default = rule.apply_server_side_encryption_by_default
        print(f'sse algorithm: {default.sse_algorithm}, '            # KMS, AES256, or SM4.
              f'kms master key id: {default.kms_master_key_id}, '    # The CMK ID, or empty/None if no CMK is specified.
              f'kms data encryption: {default.kms_data_encryption}')  # SM4 when specified. Valid only with KMS.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()
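Reading the configuration is usually the first step of an audit: the question is not what the value is but whether it meets a baseline, and a bucket whose rule has been deleted must show up as a finding rather than as an empty result. The following is an added example, not part of the SDK or of the original topic. It parses the XML body that the GetBucketEncryption API returns (a ServerSideEncryptionRule element containing ApplyServerSideEncryptionByDefault with SSEAlgorithm, KMSMasterKeyID and KMSDataEncryption) instead of using the SDK result object, so it runs offline against constructed sample responses. The baseline it enforces (KMS required, a specified CMK required, optional CMK allow list) and the sample key ID are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample bodies in the shape GetBucketEncryption returns. The key ID is a placeholder.
SAMPLE_KMS_WITH_CMK = """<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID>00000000-0000-0000-0000-000000000000</KMSMasterKeyID>
    <KMSDataEncryption>SM4</KMSDataEncryption>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""

SAMPLE_KMS_NO_CMK = """<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID></KMSMasterKeyID>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""

SAMPLE_AES256 = """<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>AES256</SSEAlgorithm>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""


@dataclass
class EncryptionAudit:
    sse_algorithm: Optional[str]
    kms_master_key_id: Optional[str]
    kms_data_encryption: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_encryption_rule(body: Optional[str]) -> EncryptionAudit:
    """Extract the default-encryption settings from a GetBucketEncryption body.

    body=None models a bucket for which the call reports that no rule exists
    (the same situation DeleteBucketEncryption leaves behind).
    """
    if body is None:
        return EncryptionAudit(None, None, None)
    root = ET.fromstring(body)
    default = root.find("ApplyServerSideEncryptionByDefault")
    if default is None:
        return EncryptionAudit(None, None, None)

    def text(tag: str) -> Optional[str]:
        # Empty elements such as <KMSMasterKeyID></KMSMasterKeyID> count as not specified.
        el = default.find(tag)
        value = el.text.strip() if el is not None and el.text else ""
        return value or None

    return EncryptionAudit(text("SSEAlgorithm"), text("KMSMasterKeyID"), text("KMSDataEncryption"))


def audit_bucket_encryption(
    body: Optional[str],
    *,
    require_kms: bool = True,
    require_cmk: bool = True,
    allowed_cmks: Optional[Iterable[str]] = None,
) -> EncryptionAudit:
    """Evaluate one bucket's default encryption against the baseline and record findings."""
    audit = parse_encryption_rule(body)
    if audit.sse_algorithm is None:
        audit.findings.append("no default encryption rule configured")
        return audit
    if require_kms and audit.sse_algorithm != "KMS":
        audit.findings.append(f"SSEAlgorithm is {audit.sse_algorithm}, baseline requires KMS")
    if audit.sse_algorithm == "KMS":
        if audit.kms_master_key_id is None:
            if require_cmk:
                audit.findings.append("KMS is used without a specified CMK")
        elif allowed_cmks is not None and audit.kms_master_key_id not in set(allowed_cmks):
            audit.findings.append(f"CMK {audit.kms_master_key_id} is not in the allow list")
    return audit


if __name__ == "__main__":
    for name, body in [("kms-with-cmk", SAMPLE_KMS_WITH_CMK), ("kms-no-cmk", SAMPLE_KMS_NO_CMK),
                       ("aes256", SAMPLE_AES256), ("no-rule", None)]:
        result = audit_bucket_encryption(body)
        print(f"{name}: {'compliant' if result.compliant else '; '.join(result.findings)}")
```

In a real audit the body comes from the GetBucketEncryption response for each bucket in an account, and a call that reports no rule is mapped to body=None so that deleted configurations are flagged instead of silently passing.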

Delete bucket encryption configuration

You can use the following code to delete the bucket encryption configuration.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="delete bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the domain names that other services can use to access OSS. This argument is optional.
parser.add_argument('--endpoint', help='The domain names that other services can use to access OSS')

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # Call the delete_bucket_encryption method to delete the encryption configuration of the bucket.
    result = client.delete_bucket_encryption(
        oss.DeleteBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
        )
    )

    # Print the status code and request ID of the operation result.
    print(f'status code: {result.status_code}, '  # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}')     # The request ID, which is used to track requests.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()

References

  • For more information about the API operation for configuring server-side encryption, see PutBucketEncryption.

  • For more information about the API operation for obtaining the server-side encryption configuration, see GetBucketEncryption.

  • For more information about the API operation for deleting the server-side encryption configuration, see DeleteBucketEncryption.