googleapis · shubhangi-google · Mar 3, 2026 · Mar 3, 2026 · Mar 16, 2026 · Mar 25, 2026
@@ -717,6 +717,138 @@ def default_kms_key= new_default_kms_key
           patch_gapi! :encryption
         end
 
+        # The bucket's encryption configuration for customer-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config
+          @gapi.encryption&.customer_managed_encryption_enforcement_config
+        end
+
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] new_customer_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_managed_encryption_enforcement_config =
+            new_customer_managed_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
+
+        def update_bucket_encryption_enforcement_config incoming_config
+          attr_name = case incoming_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig
+                        :google_managed_encryption_enforcement_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig
+                        :customer_managed_encryption_enforcement_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig
+                        :customer_supplied_encryption_enforcement_config
+                      else
+                        raise ArgumentError, "Unsupported config type: #{incoming_config.class}"
+                      end
+          encryption_patch = Google::Apis::StorageV1::Bucket::Encryption.new
+          encryption_patch.public_send "#{attr_name}=", incoming_config
+          patch_gapi! :encryption, bucket_encryption_config: encryption_patch
+        end
+
+
+        ##
+        # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements
+        # for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] 
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def customer_supplied_encryption_enforcement_config
+          @gapi.encryption&.customer_supplied_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] new_customer_supplied_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_supplied_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_supplied_encryption_enforcement_config =
+            new_customer_supplied_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
+
+        ##
+        # The bucket's encryption configuration for google-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption
+        # requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil]
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def google_managed_encryption_enforcement_config
+          @gapi.encryption&.google_managed_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for google-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] new_google_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.google_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.google_managed_encryption_enforcement_config =
+            new_google_managed_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
+
         ##
         # The period of time (in seconds) that files in the bucket must be
         # retained, and cannot be deleted, overwritten, or archived.
@@ -3252,13 +3384,18 @@ def ensure_gapi!
 
         def patch_gapi! attributes,
                         if_metageneration_match: nil,
-                        if_metageneration_not_match: nil
+                        if_metageneration_not_match: nil,
+                        bucket_encryption_config: nil
           attributes = Array(attributes)
           attributes.flatten!
           return if attributes.empty?
           ensure_service!
           patch_args = attributes.to_h do |attr|
-            [attr, @gapi.send(attr)]
+            if bucket_encryption_config
+              [attr, bucket_encryption_config]
+            else
+              [attr, @gapi.send(attr)]
+            end
           end
           patch_gapi = API::Bucket.new(**patch_args)
           @gapi = service.patch_bucket name,

@@ -37,17 +37,20 @@
 require_relative "../storage_get_bucket_class_and_location"
 require_relative "../storage_get_bucket_metadata"
 require_relative "../storage_get_default_event_based_hold"
+require_relative "../storage_get_bucket_encryption_enforcement_config"
 require_relative "../storage_get_public_access_prevention"
 require_relative "../storage_get_requester_pays_status"
 require_relative "../storage_get_retention_policy"
 require_relative "../storage_get_uniform_bucket_level_access"
 require_relative "../storage_list_buckets"
 require_relative "../storage_list_buckets_with_partial_success"
 require_relative "../storage_lock_retention_policy"
+require_relative "../storage_update_bucket_encryption_enforcement_config"
 require_relative "../storage_remove_bucket_label"
 require_relative "../storage_remove_cors_configuration"
 require_relative "../storage_remove_retention_policy"
 require_relative "../storage_set_bucket_default_kms_key"
+require_relative "../storage_set_bucket_encryption_enforcement_config"
 require_relative "../storage_set_object_retention_policy"
 require_relative "../storage_set_public_access_prevention_enforced"
 require_relative "../storage_set_public_access_prevention_inherited"
@@ -169,6 +172,53 @@
     end
   end
 
+  describe "storage_bucket_encryption_enforcement_config" do
+    bucket_name = random_bucket_name
+
+    it "gets, sets and clears bucket encryption enforcement config" do
+      # creates bucket with encryption enforcement config
+      expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          set_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # get encryption enforcement config
+      expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \
+                 "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \
+                 "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \
+                 "Google-managed encryption enforcement config restriction mode: FullyRestricted\n"
+      retry_resource_exhaustion do
+        assert_output expected do
+          get_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # update encryption enforcement config
+      expected = "Updated google_managed_config to NotRestricted for bucket #{bucket_name}.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          update_bucket_encryption_enforcement_config bucket_name: bucket_name, bucket_encryption_type: "google_managed_config", restriction_mode: "NotRestricted"
+        end
+      end
+
+      # clears encryption enforcement config
+      expected = "Removed Encryption Enforcement Config from bucket #{bucket_name}.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          remove_all_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      refute_nil storage_client.bucket bucket_name
+    end
+    delete_bucket_helper bucket_name
+  end
+
   describe "storage_create_bucket_with_object_retention" do
     it "creates a bucket with object retention enabled." do
       bucket_name = random_bucket_name

@@ -0,0 +1,36 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START storage_get_bucket_encryption_enforcement_config]
+def get_bucket_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  require "google/cloud/storage"
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name
+  puts "Encryption Enforcement Config for bucket #{bucket.name}:"
+  puts "Customer-managed encryption enforcement config restriction mode: " \
+       "#{bucket.customer_managed_encryption_enforcement_config&.restriction_mode}"
+  puts "Customer-supplied encryption enforcement config restriction mode: " \
+       "#{bucket.customer_supplied_encryption_enforcement_config&.restriction_mode}"
+  puts "Google-managed encryption enforcement config restriction mode: " \
+       "#{bucket.google_managed_encryption_enforcement_config&.restriction_mode}"
+end
+# [END storage_get_bucket_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  get_bucket_encryption_enforcement_config bucket_name: ARGV.shift
+end
@@ -0,0 +1,48 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START storage_set_bucket_encryption_enforcement_config]
+def set_bucket_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  require "google/cloud/storage"
+
+  storage = Google::Cloud::Storage.new
+
+  customer_managed_config =
+    Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new(
+      restriction_mode: "NotRestricted"
+    )
+  customer_supplied_config =
+    Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new(
+      restriction_mode: "FullyRestricted"
+    )
+  google_managed_config =
+    Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new(
+      restriction_mode: "FullyRestricted"
+    )
+
+  bucket = storage.create_bucket bucket_name do |b|
+    b.customer_managed_encryption_enforcement_config = customer_managed_config
+    b.customer_supplied_encryption_enforcement_config = customer_supplied_config
+    b.google_managed_encryption_enforcement_config = google_managed_config
+  end
+  puts "Created bucket #{bucket.name} with Encryption Enforcement Config."
+end
+# [END storage_set_bucket_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  set_bucket_encryption_enforcement_config bucket_name: ARGV.shift
+end
@@ -0,0 +1,54 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "google/cloud/storage"
+
+# [START storage_update_bucket_encryption_enforcement_config]
+def remove_all_bucket_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name do |b|
+    b.customer_managed_encryption_enforcement_config = nil
+    b.customer_supplied_encryption_enforcement_config = nil
+    b.google_managed_encryption_enforcement_config = nil
+  end
+  puts "Removed Encryption Enforcement Config from bucket #{bucket.name}."
+end
+
+def update_bucket_encryption_enforcement_config bucket_name:, bucket_encryption_type:, restriction_mode:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  google_managed_config =
+    Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new(
+      restriction_mode: restriction_mode
+    )
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name
+  # assuming bucket_encryption_type = google_managed_config
+  bucket.update_bucket_encryption_enforcement_config google_managed_config
+
+  puts "Updated #{bucket_encryption_type} to #{bucket.google_managed_encryption_enforcement_config.restriction_mode} for bucket #{bucket.name}."
+end
+# [END storage_update_bucket_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  remove_all_bucket_encryption_enforcement_config bucket_name: ARGV.shift
+end
+if $PROGRAM_NAME == __FILE__
+  update_bucket_encryption_enforcement_config bucket_name: ARGV.shift, bucket_encryption_type: ARGV.shift, restriction_mode: ARGV.shift
+end