
Object Storage Service:Server-side encryption (Python SDK V2)

Last Updated: Jun 17, 2026

OSS encrypts object data on the server side when you upload it and transparently decrypts it when you download it. The x-oss-server-side-encryption header in the download response tells you which server-side encryption method was applied to the object; if the header is absent, the object was stored unencrypted.

Notes

  • Before you configure server-side encryption, make sure that you understand this feature. For more information, see Server-side encryption.

  • The sample code in this topic uses the China (Hangzhou) region ID cn-hangzhou and a public endpoint. To access OSS from other Alibaba Cloud services in the same region, use an internal endpoint. For more information about supported regions and endpoints, see Regions and endpoints.

  • In this topic, access credentials are obtained from environment variables. For more information, see Configure access credentials.

  • To configure bucket encryption, you must have the oss:PutBucketEncryption permission. To retrieve the bucket encryption configuration, you must have the oss:GetBucketEncryption permission. To delete the bucket encryption configuration, you must have the oss:DeleteBucketEncryption permission. For more information, see Grant custom permissions to a RAM user.

Sample code

Configure bucket encryption

The following code sets the default encryption method for a bucket. After the configuration, objects uploaded without an x-oss-server-side-encryption header are encrypted with this default method. Objects uploaded with that header keep the method the header specifies, and objects that already exist in the bucket are not re-encrypted.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="put bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the endpoint used to access OSS. This argument is optional; if it is omitted, the SDK uses the public endpoint for the region.
parser.add_argument('--endpoint', help='The endpoint used to access OSS, for example an internal endpoint when running inside the same region.')

# Add the --sse_algorithm command-line argument, which specifies the default server-side encryption method. The default value is 'KMS'.
# Valid values: KMS (encryption using keys managed by KMS), AES256 (encryption using AES-256), and SM4 (encryption using the Chinese cryptographic algorithm SM4).
parser.add_argument('--sse_algorithm', help='The default server-side encryption method. Valid values: KMS, AES256, and SM4.', choices=['KMS', 'AES256', 'SM4'], default='KMS')

# Add the --kms_master_key_id command-line argument, which specifies the ID of the customer master key (CMK) to use when --sse_algorithm is KMS.
# Leave it unset to use the default CMK that KMS manages for OSS. It is ignored for AES256 and SM4.
parser.add_argument('--kms_master_key_id', help='The CMK ID to use when --sse_algorithm is KMS. Leave unset to use the default CMK.', default=None)

# Add the --kms_data_encryption command-line argument, which specifies the algorithm used to encrypt object data when --sse_algorithm is KMS.
# The only accepted value is SM4. If it is unset, OSS encrypts object data with AES256. It is ignored for AES256 and SM4.
parser.add_argument('--kms_data_encryption', help='The data encryption algorithm when --sse_algorithm is KMS. Valid value: SM4. If unset, AES256 is used.', choices=['SM4'], default=None)

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # Build the default encryption rule. The KMS-specific fields are passed only when
    # SSEAlgorithm is KMS; for AES256 and SM4 they are left unset so they are not sent.
    if args.sse_algorithm == 'KMS':
        by_default = oss.ApplyServerSideEncryptionByDefault(
            sse_algorithm='KMS',
            kms_master_key_id=args.kms_master_key_id,  # The CMK ID, or None to use the default CMK.
            kms_data_encryption=args.kms_data_encryption,  # SM4, or None to use AES256 for object data.
        )
    else:
        by_default = oss.ApplyServerSideEncryptionByDefault(
            sse_algorithm=args.sse_algorithm,  # AES256 or SM4, with no KMS fields.
        )

    # Call the put_bucket_encryption method to set the encryption configuration for the bucket.
    result = client.put_bucket_encryption(
        oss.PutBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
            server_side_encryption_rule=oss.ServerSideEncryptionRule(
                apply_server_side_encryption_by_default=by_default,
            ),
        )
    )

    # Print the status code and request ID of the operation result.
    print(f'status code: {result.status_code}, '  # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}')     # The request ID, which is used to track request logs and for debugging.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()
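The SDK hides the request body it sends, so it is easy to post a rule that OSS rejects or that silently drops a field. The following is an added example, not code from the page or from the OSS SDK: it enforces the parameter constraints listed above (KMS-only fields, the single valid KMSDataEncryption value) before anything is sent, and serializes the rule to the PutBucketEncryption XML body. The element names ServerSideEncryptionRule, ApplyServerSideEncryptionByDefault, SSEAlgorithm, KMSMasterKeyID and KMSDataEncryption are taken from the OSS API reference, not from this page, and the key IDs are placeholders.

```python
import xml.etree.ElementTree as ET

# Constraints stated in the parameter descriptions: SSEAlgorithm is KMS, AES256 or SM4;
# KMSMasterKeyID and KMSDataEncryption are meaningful only when SSEAlgorithm is KMS;
# KMSDataEncryption accepts only SM4 (AES256 is used when it is omitted).
VALID_SSE_ALGORITHMS = ("KMS", "AES256", "SM4")
VALID_KMS_DATA_ENCRYPTION = ("SM4",)


def validate_default_encryption(sse_algorithm, kms_master_key_id=None, kms_data_encryption=None):
    """Return the rule as a dict of XML element names, or raise ValueError if it is inconsistent."""
    if sse_algorithm not in VALID_SSE_ALGORITHMS:
        raise ValueError(f"unsupported SSEAlgorithm: {sse_algorithm!r}")
    if sse_algorithm != "KMS":
        # Refuse KMS fields for AES256/SM4 instead of letting the service ignore them.
        if kms_master_key_id or kms_data_encryption:
            raise ValueError("KMSMasterKeyID and KMSDataEncryption require SSEAlgorithm=KMS")
        return {"SSEAlgorithm": sse_algorithm}
    if kms_data_encryption is not None and kms_data_encryption not in VALID_KMS_DATA_ENCRYPTION:
        raise ValueError(f"unsupported KMSDataEncryption: {kms_data_encryption!r}")
    rule = {"SSEAlgorithm": "KMS"}
    if kms_master_key_id:          # omitted -> default CMK managed by KMS
        rule["KMSMasterKeyID"] = kms_master_key_id
    if kms_data_encryption:        # omitted -> AES256 for object data
        rule["KMSDataEncryption"] = kms_data_encryption
    return rule


def build_put_bucket_encryption_body(rule):
    """Serialize a validated rule to the XML body of a PutBucketEncryption request."""
    root = ET.Element("ServerSideEncryptionRule")
    default = ET.SubElement(root, "ApplyServerSideEncryptionByDefault")
    for tag in ("SSEAlgorithm", "KMSMasterKeyID", "KMSDataEncryption"):
        if tag in rule:  # only emit elements that are set, never empty ones
            ET.SubElement(default, tag).text = rule[tag]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Placeholder CMK ID; a real one is a KMS key ID in your account.
    rule = validate_default_encryption("KMS", kms_master_key_id="example-cmk-id-0000", kms_data_encryption="SM4")
    print(build_put_bucket_encryption_body(rule))
```

Validating before the call matters because the SDK request object accepts any combination of fields; rejecting an AES256 rule that carries a CMK ID locally avoids a configuration that looks like customer-managed KMS in code review but is not.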

Get bucket encryption configuration

The following code retrieves the bucket encryption configuration.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="get bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the endpoint used to access OSS. This argument is optional; if it is omitted, the SDK uses the public endpoint for the region.
parser.add_argument('--endpoint', help='The endpoint used to access OSS, for example an internal endpoint when running inside the same region.')

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # Call the get_bucket_encryption method to obtain the encryption configuration of the bucket.
    result = client.get_bucket_encryption(
        oss.GetBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
        )
    )

    # Print the status code, the request ID, and the default encryption rule that OSS returned.
    rule = result.server_side_encryption_rule.apply_server_side_encryption_by_default
    print(f'status code: {result.status_code}, '   # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}, '     # The request ID, which is used to track request logs and for debugging.
          f'sse algorithm: {rule.sse_algorithm}, '  # KMS, AES256, or SM4.
          f'kms master key id: {rule.kms_master_key_id}, '  # The CMK ID, or None when the default CMK is used.
          f'kms data encryption: {rule.kms_data_encryption}')  # SM4, or None when AES256 is used for object data.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()
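Reading the configuration back is only useful if something checks it against what you intended, and the bucket default says nothing about objects that were uploaded before it was set or with their own encryption header. The following is an added example, not code from the page or from the OSS SDK: it parses a GetBucketEncryption response body, compares the rule with a policy (required algorithm and, optionally, a required CMK), and checks the response headers of a downloaded object against that rule. The response body and the header values are constructed for the example; the header names x-oss-server-side-encryption, x-oss-server-side-encryption-key-id and x-oss-server-side-data-encryption are taken from the OSS API reference rather than from this page, and the CMK ID is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed GetBucketEncryption response body (not a captured response) for a bucket
# whose default is KMS with a specified CMK and SM4 data encryption.
SAMPLE_GET_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<ServerSideEncryptionRule>
  <ApplyServerSideEncryptionByDefault>
    <SSEAlgorithm>KMS</SSEAlgorithm>
    <KMSMasterKeyID>example-cmk-id-0000</KMSMasterKeyID>
    <KMSDataEncryption>SM4</KMSDataEncryption>
  </ApplyServerSideEncryptionByDefault>
</ServerSideEncryptionRule>"""

# Constructed response headers of a GetObject call against that bucket.
SAMPLE_OBJECT_HEADERS = {
    "x-oss-server-side-encryption": "KMS",
    "x-oss-server-side-encryption-key-id": "example-cmk-id-0000",
    "x-oss-server-side-data-encryption": "SM4",
}

RULE_FIELDS = ("SSEAlgorithm", "KMSMasterKeyID", "KMSDataEncryption")


def parse_bucket_encryption(xml_text):
    """Return the ApplyServerSideEncryptionByDefault fields as a dict; absent fields are None."""
    root = ET.fromstring(xml_text)
    default = root.find("ApplyServerSideEncryptionByDefault")
    if default is None:
        return None
    # findtext() returns "" for an empty element; normalize that to None as well.
    return {tag: (default.findtext(tag) or None) for tag in RULE_FIELDS}


def audit_bucket_rule(rule, required_algorithm="KMS", required_cmk=None):
    """Compare the parsed default rule with the policy and return a list of findings."""
    if rule is None:
        return ["bucket has no default encryption rule; uploads without an encryption header are stored unencrypted"]
    findings = []
    if rule["SSEAlgorithm"] != required_algorithm:
        findings.append(f"default algorithm is {rule['SSEAlgorithm']}, policy requires {required_algorithm}")
    if required_algorithm == "KMS" and required_cmk and rule["KMSMasterKeyID"] != required_cmk:
        findings.append(f"default CMK is {rule['KMSMasterKeyID']}, policy requires {required_cmk}")
    return findings


def audit_object_headers(headers, rule):
    """Check that a downloaded object's response headers match the bucket's default rule."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    algorithm = h.get("x-oss-server-side-encryption")
    if algorithm is None:
        return ["object was stored without server-side encryption"]
    findings = []
    if algorithm != rule["SSEAlgorithm"]:
        findings.append(f"object encrypted with {algorithm}, bucket default is {rule['SSEAlgorithm']}")
    if rule["SSEAlgorithm"] == "KMS":
        if rule["KMSMasterKeyID"] and h.get("x-oss-server-side-encryption-key-id") != rule["KMSMasterKeyID"]:
            findings.append("object was not encrypted under the bucket's default CMK")
        if rule["KMSDataEncryption"] and h.get("x-oss-server-side-data-encryption") != rule["KMSDataEncryption"]:
            findings.append("object data algorithm differs from the bucket default")
    return findings


if __name__ == "__main__":
    rule = parse_bucket_encryption(SAMPLE_GET_RESPONSE)
    print("bucket findings:", audit_bucket_rule(rule, required_cmk="example-cmk-id-0000"))
    print("object findings:", audit_object_headers(SAMPLE_OBJECT_HEADERS, rule))
```

In practice the bucket check runs once per bucket from the get_bucket_encryption result and the header check runs over a sample of objects (or every object in a sensitive prefix) from head_object responses; a bucket that passes the first check and fails the second has objects that predate the default rule or were uploaded with their own header.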

Delete bucket encryption configuration

The following code deletes the bucket encryption configuration. After deletion, objects uploaded without an explicit encryption header are stored unencrypted; objects that were already encrypted stay encrypted and remain readable.

import argparse
import alibabacloud_oss_v2 as oss

# Create a command-line argument parser to receive user-entered parameters.
parser = argparse.ArgumentParser(description="delete bucket encryption sample")

# Add the --region command-line argument, which specifies the region where the bucket is located. This argument is required.
parser.add_argument('--region', help='The region in which the bucket is located.', required=True)

# Add the --bucket command-line argument, which specifies the name of the bucket. This argument is required.
parser.add_argument('--bucket', help='The name of the bucket.', required=True)

# Add the --endpoint command-line argument, which specifies the endpoint used to access OSS. This argument is optional; if it is omitted, the SDK uses the public endpoint for the region.
parser.add_argument('--endpoint', help='The endpoint used to access OSS, for example an internal endpoint when running inside the same region.')

def main():
    # Parse command-line arguments.
    args = parser.parse_args()

    # Load credentials (AccessKeyId and AccessKeySecret) from environment variables.
    credentials_provider = oss.credentials.EnvironmentVariableCredentialsProvider()

    # Load the default configurations of the SDK.
    cfg = oss.config.load_default()

    # Set the credential provider.
    cfg.credentials_provider = credentials_provider

    # Set the region where the bucket is located.
    cfg.region = args.region

    # If a custom endpoint is provided, set it in the configuration.
    if args.endpoint is not None:
        cfg.endpoint = args.endpoint

    # Initialize the OSS client using the configuration object.
    client = oss.Client(cfg)

    # Call the delete_bucket_encryption method to delete the encryption configuration of the bucket.
    result = client.delete_bucket_encryption(
        oss.DeleteBucketEncryptionRequest(
            bucket=args.bucket,  # Specify the name of the destination bucket.
        )
    )

    # Print the status code and request ID of the operation result.
    print(f'status code: {result.status_code}, '  # The HTTP status code, which indicates whether the request is successful.
          f'request id: {result.request_id}')     # The request ID, which is used to track requests.


if __name__ == "__main__":
    # The program entry point. Call the main function to execute the logic.
    main()
