As of January 1, 2020 this library no longer supports Python 2 on the latest released version.
Library versions released prior to that date will continue to be available. For more information please
visit Python 2 support on Google Cloud.
Using Customer Managed Encryption Keys
Table data is always encrypted at rest, but BigQuery also provides a way for you to control which keys it uses to encrypt the data. See Protecting data with Cloud KMS keys in the BigQuery documentation for more details.
Create a new table, using a customer-managed encryption key from Cloud KMS to encrypt it.
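# Create a table whose data is encrypted with a customer-managed Cloud KMS key.
# from google.cloud import bigquery
# client = bigquery.Client()
# dataset_id = 'my_dataset'

# NOTE(review): `dataset` is not defined in this excerpt; presumably it is the
# dataset object for dataset_id -- confirm against the full sample.
table_ref = dataset.table("my_table")
table = bigquery.Table(table_ref)

# Set the encryption key to use for the table.
# TODO: Replace this key with a key you have created in Cloud KMS.
# Create the key in a location that matches the dataset's location, and grant
# the project's BigQuery service account the Cloud KMS CryptoKey
# Encrypter/Decrypter role on it; BigQuery cannot use the key without that.
kms_key_name = "projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}".format(
    "cloud-samples-tests", "us", "test", "test"
)
table.encryption_configuration = bigquery.EncryptionConfiguration(
    kms_key_name=kms_key_name
)

table = client.create_table(table)  # API request

# Check the key the service reports instead of relying on `assert`, which is
# removed when Python runs with -O. encryption_configuration is None for a
# table that uses default encryption, so guard before reading the key name.
applied = table.encryption_configuration
applied_key = applied.kms_key_name if applied is not None else None
if applied_key != kms_key_name:
    raise RuntimeError(
        "Table was not created with the requested Cloud KMS key: "
        "expected {!r}, got {!r}".format(kms_key_name, applied_key)
    )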
Change the key used to encrypt a table.
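# Change the Cloud KMS key that protects an existing table.
# from google.cloud import bigquery
# client = bigquery.Client()

# NOTE(review): `table` and `original_kms_key_name` are not defined in this
# excerpt; presumably `table` is a Table already protected by
# original_kms_key_name -- confirm against the full sample.
# encryption_configuration is None for a table that uses default encryption,
# so guard before reading the key name.
current = table.encryption_configuration
current_key = current.kms_key_name if current is not None else None
if current_key != original_kms_key_name:
    raise RuntimeError(
        "Table is not protected by the expected original key: "
        "expected {!r}, got {!r}".format(original_kms_key_name, current_key)
    )

# Set a new encryption key to use for the destination.
# TODO: Replace this key with a key you have created in KMS.
# The BigQuery service account needs the Cloud KMS CryptoKey
# Encrypter/Decrypter role on the new key as well.
updated_kms_key_name = (
    "projects/cloud-samples-tests/locations/us/keyRings/test/cryptoKeys/otherkey"
)

# Reject a no-op change before the API call rather than after it.
if updated_kms_key_name == original_kms_key_name:
    raise ValueError("The updated key must differ from the original key")

table.encryption_configuration = bigquery.EncryptionConfiguration(
    kms_key_name=updated_kms_key_name
)

# Only the listed property is sent in the update request.
table = client.update_table(table, ["encryption_configuration"])  # API request

# Check the key the service reports instead of relying on `assert`, which is
# removed when Python runs with -O.
# NOTE(review): this sample does not show when the previous key may be
# disabled or destroyed; confirm in the BigQuery CMEK documentation first.
updated = table.encryption_configuration
updated_key = updated.kms_key_name if updated is not None else None
if updated_key != updated_kms_key_name:
    raise RuntimeError(
        "Table key was not updated: expected {!r}, got {!r}".format(
            updated_kms_key_name, updated_key
        )
    )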
Load a file from Cloud Storage, using a customer-managed encryption key from Cloud KMS for the destination table.
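# Load a file from Cloud Storage into a table protected by a customer-managed
# Cloud KMS key.
from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client()

# TODO(developer): Set table_id to the ID of the table to create.
# table_id = "your-project.your_dataset.your_table_name"

# Set the encryption key to use for the destination.
# TODO: Replace this key with a key you have created in KMS.
# The BigQuery service account needs the Cloud KMS CryptoKey
# Encrypter/Decrypter role on this key.
# kms_key_name = "projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}".format(
#     "cloud-samples-tests", "us", "test", "test"
# )

job_config = bigquery.LoadJobConfig(
    autodetect=True,
    source_format=bigquery.SourceFormat.NEWLINE_DELIMITED_JSON,
    destination_encryption_configuration=bigquery.EncryptionConfiguration(
        kms_key_name=kms_key_name
    ),
)

uri = "gs://cloud-samples-data/bigquery/us-states/us-states.json"

load_job = client.load_table_from_uri(
    uri,
    table_id,
    location="US",  # Must match the destination dataset location.
    job_config=job_config,
)  # Make an API request.

assert load_job.job_type == "load"

load_job.result()  # Waits for the job to complete; raises if the job failed.

assert load_job.state == "DONE"

table = client.get_table(table_id)

# encryption_configuration is None for a table that uses default encryption,
# so guard before reading the key name, and report a mismatch instead of
# finishing silently with data under a key other than the requested one.
applied = table.encryption_configuration
applied_key = applied.kms_key_name if applied is not None else None
if applied_key == kms_key_name:
    print("A table loaded with encryption configuration key")
else:
    raise RuntimeError(
        "Loaded table is not protected by the requested Cloud KMS key: "
        "expected {!r}, got {!r}".format(kms_key_name, applied_key)
    )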
Copy a table, using a customer-managed encryption key from Cloud KMS for the destination table.
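# Copy a table into a destination table protected by a customer-managed
# Cloud KMS key.
from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client()

# TODO(developer): Set dest_table_id to the ID of the destination table.
# dest_table_id = "your-project.your_dataset.your_table_name"

# TODO(developer): Set orig_table_id to the ID of the original table.
# orig_table_id = "your-project.your_dataset.your_table_name"

# Set the encryption key to use for the destination.
# TODO(developer): Replace this key with a key you have created in KMS.
# The BigQuery service account needs the Cloud KMS CryptoKey
# Encrypter/Decrypter role on this key.
# kms_key_name = "projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}".format(
#     "your-project", "location", "your-ring", "your-key"
# )

# The key configured here applies to the destination table of the copy job.
job_config = bigquery.CopyJobConfig(
    destination_encryption_configuration=bigquery.EncryptionConfiguration(
        kms_key_name=kms_key_name
    )
)

job = client.copy_table(orig_table_id, dest_table_id, job_config=job_config)
job.result()  # Wait for the job to complete.

dest_table = client.get_table(dest_table_id)  # Make an API request.

# encryption_configuration is None for a table that uses default encryption,
# so guard before reading the key name, and report a mismatch instead of
# finishing silently with a copy under a key other than the requested one.
applied = dest_table.encryption_configuration
applied_key = applied.kms_key_name if applied is not None else None
if applied_key == kms_key_name:
    print("A copy of the table created")
else:
    raise RuntimeError(
        "Destination table is not protected by the requested Cloud KMS key: "
        "expected {!r}, got {!r}".format(kms_key_name, applied_key)
    )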
Write query results to a table, using a customer-managed encryption key from Cloud KMS for the destination table.
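# Write query results to a destination table protected by a customer-managed
# Cloud KMS key.
from google.cloud import bigquery

# Construct a BigQuery client object.
client = bigquery.Client()

# TODO(developer): Set table_id to the ID of the destination table.
# table_id = "your-project.your_dataset.your_table_name"

# Set the encryption key to use for the destination.
# TODO(developer): Replace this key with a key you have created in KMS.
# The BigQuery service account needs the Cloud KMS CryptoKey
# Encrypter/Decrypter role on this key.
# kms_key_name = "projects/{}/locations/{}/keyRings/{}/cryptoKeys/{}".format(
#     "your-project", "location", "your-ring", "your-key"
# )

job_config = bigquery.QueryJobConfig(
    destination=table_id,
    destination_encryption_configuration=bigquery.EncryptionConfiguration(
        kms_key_name=kms_key_name
    ),
)

# Start the query, passing in the extra configuration.
query_job = client.query(
    "SELECT 17 AS my_col;", job_config=job_config
)  # Make an API request.
query_job.result()  # Wait for the job to complete.

table = client.get_table(table_id)  # Make an API request.

# encryption_configuration is None for a table that uses default encryption,
# so guard before reading the key name, and report a mismatch instead of
# finishing silently with results under a key other than the requested one.
applied = table.encryption_configuration
applied_key = applied.kms_key_name if applied is not None else None
if applied_key == kms_key_name:
    print("The destination table is written using the encryption configuration")
else:
    raise RuntimeError(
        "Destination table is not protected by the requested Cloud KMS key: "
        "expected {!r}, got {!r}".format(kms_key_name, applied_key)
    )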