feat(storage): Bucket encryption config

google-cloud-storage/acceptance/storage/bucket_encryption_test.rb

@@ -31,14 +31,14 @@
     b
   end
 
-  before do
+  before(:all) do
     # always create the bucket
-    bucket
+    @bucket = bucket
   end
 
-  after do
-    bucket.files.all &:delete
-    safe_gcs_execute { bucket.delete }
+  after(:all) do
+    @bucket.files.all &:delete
+    safe_gcs_execute { @bucket.delete }
   end
 
   let(:files) do
@@ -48,27 +48,92 @@
   describe "KMS customer-managed encryption key (CMEK)" do
 
     it "knows its encryption configuration" do
-      _(bucket.default_kms_key).wont_be :nil?
-      _(bucket.default_kms_key).must_equal kms_key
-      bucket.reload!
-      _(bucket.default_kms_key).wont_be :nil?
-      _(bucket.default_kms_key).must_equal kms_key
+      _(@bucket.default_kms_key).wont_be :nil?
+      _(@bucket.default_kms_key).must_equal kms_key
+      @bucket.reload!
+      _(@bucket.default_kms_key).wont_be :nil?
+      _(@bucket.default_kms_key).must_equal kms_key
     end
 
     it "can update its default kms key to another key" do
-      _(bucket.default_kms_key).must_equal kms_key
-      bucket.default_kms_key = kms_key_2
-      _(bucket.default_kms_key).must_equal kms_key_2
-      bucket.reload!
-      _(bucket.default_kms_key).must_equal kms_key_2
+      _(@bucket.default_kms_key).must_equal kms_key
+      @bucket.default_kms_key = kms_key_2
+      _(@bucket.default_kms_key).must_equal kms_key_2
+      @bucket.reload!
+      _(@bucket.default_kms_key).must_equal kms_key_2
     end
 
     it "can remove its default kms key by setting encryption to nil" do
-      _(bucket.default_kms_key).must_equal kms_key
-      bucket.default_kms_key = nil
-      _(bucket.default_kms_key).must_be :nil?
-      bucket.reload!
-      _(bucket.default_kms_key).must_be :nil?
+      _(@bucket.default_kms_key).must_equal kms_key
+      @bucket.default_kms_key = nil
+      _(@bucket.default_kms_key).must_be :nil?
+      @bucket.reload!
+      _(@bucket.default_kms_key).must_be :nil?
+    end
+  end
+
+  describe "bucket encryption enforcement config" do
+    customer_supplied_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+    customer_managed_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "NotRestricted"
+    google_managed_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+
+    it "gets, sets and clears customer supplied encryption enforcement config" do
+      # set customer supplied encryption enforcement config to bucket
+      @bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config
+      @bucket.reload!
+      # get customer supplied encryption enforcement config from bucket and verify its values
+      _(@bucket.customer_supplied_encryption_enforcement_config).wont_be_nil
+      _(@bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+      # clear customer supplied encryption enforcement config from bucket
+      @bucket.customer_supplied_encryption_enforcement_config = nil
+      @bucket.reload!
+      _(@bucket.customer_supplied_encryption_enforcement_config).must_be_nil
+    end
+
+    it "gets, sets and clears customer managed encryption enforcement config" do
+      # set customer managed encryption enforcement config to bucket   
+      @bucket.customer_managed_encryption_enforcement_config = customer_managed_config
+      @bucket.reload!
+      # get customer managed encryption enforcement config from bucket and verify its values
+      _(@bucket.customer_managed_encryption_enforcement_config).wont_be_nil
+      _(@bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted"
+      # clear customer managed encryption enforcement config from bucket
+      @bucket.customer_managed_encryption_enforcement_config = nil
+      @bucket.reload!
+      _(@bucket.customer_managed_encryption_enforcement_config).must_be_nil
+    end
+
+    it "gets, sets and clears google managed encryption enforcement config" do
+      # set google managed encryption enforcement config to bucket    
+      @bucket.google_managed_encryption_enforcement_config = google_managed_config
+      @bucket.reload!
+      # get google managed encryption enforcement config from bucket and verify its values
+      _(@bucket.google_managed_encryption_enforcement_config).wont_be_nil
+      _(@bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+      # clear google managed encryption enforcement config from bucket
+      @bucket.google_managed_encryption_enforcement_config = nil
+      @bucket.reload!
+      _(@bucket.google_managed_encryption_enforcement_config).must_be_nil
+    end
+
+    it "raises error when setting invalid encryption enforcement config" do
+      customer_supplied_config1 = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "test"
+      expect {@bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config1}.must_raise Google::Cloud::InvalidArgumentError
+    end
+
+    it "setting and clearing encryption enforcement config does not affect bucket's default kms key" do
+      # set default kms key to bucket
+      @bucket.google_managed_encryption_enforcement_config = google_managed_config
+      @bucket.reload!
+      # verify default kms key is set
+      _(@bucket.default_kms_key).must_equal kms_key
+      # clear encryption enforcement config
+      @bucket.customer_supplied_encryption_enforcement_config = nil
+      @bucket.customer_managed_encryption_enforcement_config = nil
+      @bucket.google_managed_encryption_enforcement_config = nil
+      @bucket.reload!
+      # verify default kms key is still set
+      _(@bucket.default_kms_key).must_equal kms_key
     end
   end
 end

google-cloud-storage/lib/google/cloud/storage/bucket.rb

@@ -717,6 +717,121 @@ def default_kms_key= new_default_kms_key
           patch_gapi! :encryption
         end
 
+        # The bucket's encryption configuration for customer-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config
+          @gapi.encryption&.customer_managed_encryption_enforcement_config
+        end
+
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] new_customer_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_managed_encryption_enforcement_config =
+            new_customer_managed_encryption_enforcement_config
+          patch_gapi! :encryption
+        end
+
+        ##
+        # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements
+        # for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] 
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def customer_supplied_encryption_enforcement_config
+          @gapi.encryption&.customer_supplied_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] new_customer_supplied_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_supplied_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_supplied_encryption_enforcement_config =
+            new_customer_supplied_encryption_enforcement_config
+          patch_gapi! :encryption
+        end
+
+        ##
+        # The bucket's encryption configuration for google-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption
+        # requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil]
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def google_managed_encryption_enforcement_config
+          @gapi.encryption&.google_managed_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for google-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] new_google_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.google_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.google_managed_encryption_enforcement_config =
+            new_google_managed_encryption_enforcement_config
+          patch_gapi! :encryption
+        end
+
         ##
         # The period of time (in seconds) that files in the bucket must be
         # retained, and cannot be deleted, overwritten, or archived.

google-cloud-storage/samples/acceptance/buckets_test.rb

@@ -37,6 +37,7 @@
 require_relative "../storage_get_bucket_class_and_location"
 require_relative "../storage_get_bucket_metadata"
 require_relative "../storage_get_default_event_based_hold"
+require_relative "../storage_get_encryption_enforcement_config"
 require_relative "../storage_get_public_access_prevention"
 require_relative "../storage_get_requester_pays_status"
 require_relative "../storage_get_retention_policy"
@@ -48,6 +49,8 @@
 require_relative "../storage_remove_cors_configuration"
 require_relative "../storage_remove_retention_policy"
 require_relative "../storage_set_bucket_default_kms_key"
+require_relative "../storage_set_encryption_enforcement_config"
+require_relative "../storage_remove_all_encryption_enforcement_config"
 require_relative "../storage_set_object_retention_policy"
 require_relative "../storage_set_public_access_prevention_enforced"
 require_relative "../storage_set_public_access_prevention_inherited"
@@ -169,6 +172,44 @@
     end
   end
 
+  describe "storage_encryption_enforcement_config" do
+    bucket_name = random_bucket_name
+
+    it "gets, sets and clears bucket encryption enforcement config" do
+      # creates bucket with encryption enforcement config
+      expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          set_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # get encryption enforcement config
+      expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \
+                 "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \
+                 "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \
+                 "Google-managed encryption enforcement config restriction mode: FullyRestricted\n"
+      retry_resource_exhaustion do
+        assert_output expected do
+          get_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # clears encryption enforcement config
+      expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          remove_all_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      refute_nil storage_client.bucket bucket_name
+    end
+    delete_bucket_helper bucket_name
+  end
+
   describe "storage_create_bucket_with_object_retention" do
     it "creates a bucket with object retention enabled." do
       bucket_name = random_bucket_name

google-cloud-storage/samples/storage_get_encryption_enforcement_config.rb

@@ -0,0 +1,36 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START storage_get_encryption_enforcement_config]
+def get_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  require "google/cloud/storage"
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name
+  puts "Encryption Enforcement Config for bucket #{bucket.name}:"
+  puts "Customer-managed encryption enforcement config restriction mode: " \
+       "#{bucket.customer_managed_encryption_enforcement_config&.restriction_mode}"
+  puts "Customer-supplied encryption enforcement config restriction mode: " \
+       "#{bucket.customer_supplied_encryption_enforcement_config&.restriction_mode}"
+  puts "Google-managed encryption enforcement config restriction mode: " \
+       "#{bucket.google_managed_encryption_enforcement_config&.restriction_mode}"
+end
+# [END storage_get_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  get_encryption_enforcement_config bucket_name: ARGV.shift
+end

google-cloud-storage/samples/storage_remove_all_encryption_enforcement_config.rb

@@ -0,0 +1,34 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START storage_remove_all_encryption_enforcement_config]
+def remove_all_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  require "google/cloud/storage"
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name do |b|
+    b.customer_managed_encryption_enforcement_config = nil
+    b.customer_supplied_encryption_enforcement_config = nil
+    b.google_managed_encryption_enforcement_config = nil
+  end
+  puts "Removed Encryption Enforcement Config from bucket #{bucket.name}."
+end
+# [END storage_remove_all_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  remove_all_encryption_enforcement_config bucket_name: ARGV.shift
+end