GCS CSEK with Object versioning
The following uploads a file into a bucket that has object versioning enabled, encrypting it with a customer-supplied encryption key (CSEK). It then overwrites the object using a second CSEK, which creates a new generation, and reads the first generation back using its original CSEK.
### create two cseks
```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"flag"
	"io"
	"log"
	"net"
	"os"
)
```
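The key material and request shape behind the procedure above, as an added Go example (not code from the original page): it generates two 32-byte CSEKs, derives the three `x-goog-encryption-*` headers GCS expects on the write and on every read of a CSEK-encrypted object, builds the JSON API URL that selects a specific generation, and keeps a small ledger of which key wrote which generation. The bucket name, object name and generation numbers are constructed, and the ledger is a hypothetical helper; it exists because GCS never stores a CSEK, so remembering which key goes with which version is the caller's job.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// NewCSEK generates a fresh 256-bit customer-supplied encryption key. GCS never
// stores it: whoever wants the object back must present the same key.
func NewCSEK() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// CSEKHeaders returns the three request headers GCS requires when an object is
// written or read with a customer-supplied key: the algorithm, the base64 key,
// and the base64 SHA-256 of the raw key (GCS checks the hash before using the key).
func CSEKHeaders(key []byte) (map[string]string, error) {
	if len(key) != 32 {
		return nil, errors.New("CSEK must be exactly 32 bytes (AES-256)")
	}
	sum := sha256.Sum256(key)
	return map[string]string{
		"x-goog-encryption-algorithm":  "AES256",
		"x-goog-encryption-key":        base64.StdEncoding.EncodeToString(key),
		"x-goog-encryption-key-sha256": base64.StdEncoding.EncodeToString(sum[:]),
	}, nil
}

// VersionedObjectURL is the JSON API media URL for one generation of an object.
// Generation 0 means "the live version"; any other value selects that generation.
func VersionedObjectURL(bucket, object string, generation int64) string {
	q := url.Values{"alt": {"media"}}
	if generation > 0 {
		q.Set("generation", strconv.FormatInt(generation, 10))
	}
	return fmt.Sprintf("https://storage.googleapis.com/storage/v1/b/%s/o/%s?%s",
		url.PathEscape(bucket), url.PathEscape(object), q.Encode())
}

// KeyLedger (hypothetical helper) records which CSEK encrypted which generation.
// Overwriting a versioned object with a different CSEK creates a new generation;
// the old generation stays readable only with the old key.
type KeyLedger struct {
	keys map[int64][]byte
}

func NewKeyLedger() *KeyLedger { return &KeyLedger{keys: map[int64][]byte{}} }

// Record stores the key that was used to write generation g.
func (l *KeyLedger) Record(g int64, key []byte) { l.keys[g] = append([]byte(nil), key...) }

// HeadersFor returns the CSEK headers needed to read generation g.
func (l *KeyLedger) HeadersFor(g int64) (map[string]string, error) {
	key, ok := l.keys[g]
	if !ok {
		return nil, fmt.Errorf("no CSEK recorded for generation %d", g)
	}
	return CSEKHeaders(key)
}

func main() {
	// Constructed scenario: two keys, two generations of the same object.
	key1, _ := NewCSEK()
	key2, _ := NewCSEK()
	ledger := NewKeyLedger()
	ledger.Record(1001, key1) // first upload, encrypted with key1
	ledger.Record(1002, key2) // rewrite with key2: a new generation
	for _, g := range []int64{1001, 1002} {
		h, _ := ledger.HeadersFor(g)
		fmt.Println("GET", VersionedObjectURL("my-bucket", "secret.txt", g))
		fmt.Println("  x-goog-encryption-key-sha256:", h["x-goog-encryption-key-sha256"])
	}
}
```

Reading generation 1001 with key2 (or with no key) fails at GCS with a 400, which is the behaviour the procedure relies on: the old version is not silently re-encrypted, so the ledger, or whatever secret store replaces it, must outlive the rotation.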
or...how to use ADC and run your own STS token broker
An STS server exchanges one token for another (OAuth 2.0 Token Exchange, RFC 8693). This is the protocol GCP Workload Identity Federation uses.
This example runs your own STS server in front of GCP: the server accepts a source token, validates it, and returns a GCP access_token.
For more information about STS servers, see
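An added Go example of the exchange described above (not the page's or salrashid123's code): a minimal RFC 8693 token endpoint plus the client call a workload would make against it. The subject token is a constructed HMAC-tagged string standing in for a real OIDC or SAML credential and its verification, and the returned access token is a constructed placeholder for what a real broker would obtain from Google; the request and response fields (`grant_type`, `subject_token`, `subject_token_type`, `requested_token_type`, `access_token`, `issued_token_type`, `token_type`, `expires_in`) are the real ones.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RFC 8693 token-exchange identifiers, as used by the GCP STS endpoint.
const (
	GrantTokenExchange = "urn:ietf:params:oauth:grant-type:token-exchange"
	TokenTypeJWT       = "urn:ietf:params:oauth:token-type:jwt"
	TokenTypeAccess    = "urn:ietf:params:oauth:token-type:access_token"
)

// STSResponse is the RFC 8693 success body the client expects.
type STSResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

// Broker is the STS server. Secret is a constructed shared HMAC key standing in
// for real subject-token verification (OIDC signature, issuer and audience checks).
type Broker struct{ Secret []byte }

// SignSubjectToken builds the constructed subject token "<subject>.<hex hmac>";
// a real workload would present an OIDC or SAML token here instead.
func SignSubjectToken(secret []byte, subject string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(subject))
	return subject + "." + hex.EncodeToString(mac.Sum(nil))
}

// ServeHTTP is the token endpoint: check grant and token types, validate the
// subject token, and answer in the RFC 8693 response shape.
func (b *Broker) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.ParseForm() != nil ||
		r.PostForm.Get("grant_type") != GrantTokenExchange ||
		r.PostForm.Get("subject_token_type") != TokenTypeJWT {
		http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		return
	}
	tok := r.PostForm.Get("subject_token")
	i := strings.LastIndexByte(tok, '.')
	// Constant-time comparison of the presented tag against a freshly computed one.
	if i <= 0 || !hmac.Equal([]byte(tok), []byte(SignSubjectToken(b.Secret, tok[:i]))) {
		http.Error(w, `{"error":"invalid_grant"}`, http.StatusUnauthorized)
		return
	}
	// Stand-in for obtaining a GCP access token for the validated subject (e.g.
	// IAM Credentials generateAccessToken); this value is constructed, not usable.
	access := "constructed-access-token-for-" + tok[:i]
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(STSResponse{AccessToken: access,
		IssuedTokenType: TokenTypeAccess, TokenType: "Bearer", ExpiresIn: 3600})
}

// Exchange is the client side: POST the subject token and parse the reply.
func Exchange(stsURL, subjectToken string) (*STSResponse, error) {
	resp, err := http.PostForm(stsURL, url.Values{
		"grant_type":           {GrantTokenExchange},
		"subject_token":        {subjectToken},
		"subject_token_type":   {TokenTypeJWT},
		"requested_token_type": {TokenTypeAccess},
	})
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("sts rejected the exchange: %s", resp.Status)
	}
	var out STSResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	srv := httptest.NewServer(&Broker{Secret: secret})
	defer srv.Close()
	tok, err := Exchange(srv.URL, SignSubjectToken(secret, "workload3"))
	if err != nil {
		panic(err)
	}
	fmt.Println(tok.TokenType, tok.AccessToken, tok.ExpiresIn)
}
```

The validation step is where a real broker does its work: it must check the source token's signature, issuer, audience and expiry before minting anything, and the minted credential should be scoped to the validated subject rather than to the broker's own identity.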
Assume you have a Workload Identity Federation trusted certificate and PEM key (workload3.crt, workload3.key). The following embeds the key into the TPM; workload federation then uses the TPM-resident key for mTLS.
You can of course also create the key inside the TPM or securely import it; those options are described here.
```go
/*
simple example of https://pkg.go.dev/golang.org/x/oauth2/google/externalaccount#SubjectTokenSupplier
also see https://github.com/salrashid123/gcp_aws_web_identity
*/
package main

import (
)
```
setup of Google Proxies for Enterprise Certificates (GA) with SoftHSM
This sample embeds a device certificate and key into SoftHSM and then has the GCP enterprise certificate proxy read them from SoftHSM for mTLS.
A default GCS client picks up the enterprise certificate proxy transparently and reaches GCP resources over mTLS.
Parsing the x-envoy-peer-metadata header, as seen for example on Istio outbound requests (httpbin echoing the request it received):
```json
{
  "args": {},
  "headers": {
    "Accept-Encoding": "gzip",
    "Host": "httpbin.org",
```
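Added Go example (not from the original page) of parsing that header. The value is standard base64 over a serialized google.protobuf.Struct, so the decoder below walks the protobuf wire format by hand instead of pulling in the protobuf module, and it handles the string and nested-struct values Istio populates (NAME, NAMESPACE, LABELS and so on); anything else is rejected rather than guessed at. The sample header is constructed here by hand-encoding {NAME: "sleep-xyz", LABELS: {app: "sleep"}}, not captured from a mesh.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// walkFields is a minimal protobuf wire-format walker: it hands fn the field
// number, wire type and payload of each field in one message. A Struct of strings
// and nested structs contains only length-delimited (wire type 2) fields.
func walkFields(b []byte, fn func(num, wt int, p []byte) error) error {
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 {
			return fmt.Errorf("bad field tag")
		}
		b = b[n:]
		num, wt := int(tag>>3), int(tag&7)
		if wt != 2 {
			return fmt.Errorf("unsupported wire type %d on field %d", wt, num)
		}
		l, m := binary.Uvarint(b) // length prefix, then that many payload bytes
		if m <= 0 || uint64(len(b)-m) < l {
			return fmt.Errorf("field %d length exceeds remaining bytes", num)
		}
		b = b[m:]
		if err := fn(num, wt, b[:l]); err != nil {
			return err
		}
		b = b[l:]
	}
	return nil
}

// decodeValue decodes google.protobuf.Value for the kinds Istio puts in peer
// metadata, string_value (3) and struct_value (5); anything else is rejected.
func decodeValue(b []byte) (out any, err error) {
	err = walkFields(b, func(num, _ int, p []byte) error {
		switch num {
		case 3:
			out = string(p)
		case 5:
			out, err = decodeStruct(p)
			return err
		default:
			return fmt.Errorf("unsupported Value kind %d", num)
		}
		return nil
	})
	return out, err
}

// decodeStruct decodes google.protobuf.Struct: field 1 repeats a map entry
// whose field 1 is the string key and field 2 the Value.
func decodeStruct(b []byte) (map[string]any, error) {
	m := map[string]any{}
	err := walkFields(b, func(num, wt int, p []byte) error {
		if num != 1 || wt != 2 {
			return nil // not a fields entry: skip
		}
		var key, val = "", any(nil)
		err := walkFields(p, func(n, _ int, q []byte) (e error) {
			switch n {
			case 1:
				key = string(q)
			case 2:
				val, e = decodeValue(q)
			}
			return e
		})
		m[key] = val
		return err
	})
	return m, err
}

// ParsePeerMetadata decodes an x-envoy-peer-metadata header value: standard
// base64 over a serialized google.protobuf.Struct describing the peer workload.
func ParsePeerMetadata(header string) (map[string]any, error) {
	raw, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return nil, fmt.Errorf("x-envoy-peer-metadata is not base64: %w", err)
	}
	return decodeStruct(raw)
}

// SampleHeader is constructed, not captured from a mesh: the Struct
// {NAME: "sleep-xyz", LABELS: {app: "sleep"}} hand-encoded as protobuf, then base64.
var SampleHeader = base64.StdEncoding.EncodeToString([]byte(
	"\x0a\x13\x0a\x04NAME\x12\x0b\x1a\x09sleep-xyz" +
		"\x0a\x1c\x0a\x06LABELS\x12\x12\x2a\x10\x0a\x0e\x0a\x03app\x12\x07\x1a\x05sleep"))

func main() {
	md, err := ParsePeerMetadata(SampleHeader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("peer NAME=%v LABELS=%v\n", md["NAME"], md["LABELS"])
}
```

Every length is checked against the bytes that remain before it is used, so a truncated or malicious header produces an error instead of a panic; treat the decoded fields as untrusted input from the peer sidecar, not as an identity assertion.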
BQ wrapped keyset per row
```bash
bq query --nouse_legacy_sql "
DECLARE kms_resource_name STRING;
SET kms_resource_name = 'gcp-kms://projects/srashid-test2/locations/us/keyRings/bqkr/cryptoKeys/k1';
```
```go
package main

// gcloud auth application-default login
// export USER=`gcloud config get-value core/account`
// export PROJECT_ID=`gcloud config get-value core/project`
// export QUOTA_PROJECT=$PROJECT_ID
// export ORGANIZATION_ID="organizations/1111111"
// gcloud services enable policyanalyzer.googleapis.com
// gcloud projects add-iam-policy-binding --role=roles/serviceusage.serviceUsageConsumer --member=user:$USER $QUOTA_PROJECT
```