googleapis · shubhangi-google · Mar 25, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 16, 2026
@@ -25,9 +25,26 @@
     ENV["GCLOUD_TEST_STORAGE_KMS_KEY_2"] ||
       "projects/#{storage.project_id}/locations/#{bucket_location}/keyRings/ruby-test/cryptoKeys/ruby-test-key-2"
   }
+  let(:customer_managed_config) do
+    Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new(
+      restriction_mode: "NotRestricted"
+    )
+  end
+  let(:customer_supplied_config) do
+    Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new(
+      restriction_mode: "FullyRestricted"
+    )
+  end
+  let(:google_managed_config) do
+    Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new(
+      restriction_mode: "FullyRestricted"
+    )
+  end
+
   let :bucket do
-    b = safe_gcs_execute { storage.create_bucket(bucket_name, location: bucket_location) }
+    b = safe_gcs_execute { storage.bucket(bucket_name) || storage.create_bucket(bucket_name, location: bucket_location) }
     b.default_kms_key = kms_key
+    b.customer_managed_encryption_enforcement_config = customer_managed_config
     b
   end
 
@@ -71,4 +88,50 @@
       _(bucket.default_kms_key).must_be :nil?
     end
   end
+
+  describe "Encryption Enforcement Config" do
+    it "knows its encryption enforcement config" do
+      _(bucket.customer_managed_encryption_enforcement_config).wont_be :nil?
+      _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted"
+      bucket.reload!
+      _(bucket.customer_managed_encryption_enforcement_config).wont_be :nil?
+      _(bucket.customer_managed_encryption_enforcement_config.restriction_mode).must_equal "NotRestricted"
+    end
+
+    it "updates encryption enforcement configs" do
+      _(bucket.customer_supplied_encryption_enforcement_config).must_be :nil?
+
+      bucket.customer_supplied_encryption_enforcement_config = customer_supplied_config
+      _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+
+      bucket.update_bucket_encryption_enforcement_config google_managed_config
+      _(bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+
+      bucket.reload!
+      _(bucket.customer_supplied_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+      _(bucket.google_managed_encryption_enforcement_config.restriction_mode).must_equal "FullyRestricted"
+    end
+
+    it "deletes all encryption enforcement configs" do
+      # For the update, need to specify all three configs
+      bucket.update do |b|
+        b.customer_supplied_encryption_enforcement_config = customer_supplied_config
+        b.google_managed_encryption_enforcement_config = google_managed_config
+      end
+      _(bucket.customer_managed_encryption_enforcement_config).wont_be :nil?
+      _(bucket.customer_supplied_encryption_enforcement_config).wont_be :nil?
+      _(bucket.google_managed_encryption_enforcement_config).wont_be :nil?
+
+      bucket.update do |b|
+        b.customer_managed_encryption_enforcement_config = nil
+        b.customer_supplied_encryption_enforcement_config = nil
+        b.google_managed_encryption_enforcement_config = nil
+      end
+      # Removed all encryption enforcement configs without removing default_kms_key
+      _(bucket.customer_managed_encryption_enforcement_config).must_be :nil?
+      _(bucket.customer_supplied_encryption_enforcement_config).must_be :nil?
+      _(bucket.google_managed_encryption_enforcement_config).must_be :nil?
+      _(bucket.default_kms_key).must_equal kms_key
+    end
+  end
 end
@@ -22,7 +22,7 @@
   let(:bucket_location) { "us-central1" }
 
   let :bucket do
-    safe_gcs_execute {storage.create_bucket bucket_name, location: bucket_location }
+    safe_gcs_execute { storage.bucket(bucket_name) || storage.create_bucket(bucket_name, location: bucket_location) }
   end
 
   let(:file_path) { "acceptance/data/abc.txt" }

@@ -716,6 +716,152 @@ def default_kms_key= new_default_kms_key
             default_kms_key_name: new_default_kms_key
           patch_gapi! :encryption
         end
+        ##
+        # The bucket's encryption configuration for customer-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config
+          @gapi.encryption&.customer_managed_encryption_enforcement_config
+        end
+        ##
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, nil] new_customer_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_managed_encryption_enforcement_config= new_customer_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_managed_encryption_enforcement_config =
+            new_customer_managed_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
+
+        ##
+        # Updates the bucket's encryption enforcement configuration.
+        #
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig, Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig] incoming_config The new encryption enforcement configuration to apply.
+        #
+        # @raise [ArgumentError] If the provided config type is unsupported.
+        #
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.update_bucket_encryption_enforcement_config new_config
+        #
+        def update_bucket_encryption_enforcement_config incoming_config
+          attr_name = case incoming_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig
+                        :google_managed_encryption_enforcement_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::CustomerManagedEncryptionEnforcementConfig
+                        :customer_managed_encryption_enforcement_config
+                      when Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig
+                        :customer_supplied_encryption_enforcement_config
+                      else
+                        raise ArgumentError, "Unsupported config type: #{incoming_config.class}"
+                      end
+          encryption_patch = Google::Apis::StorageV1::Bucket::Encryption.new
+          encryption_patch.public_send "#{attr_name}=", incoming_config
+          patch_gapi! :encryption, bucket_encryption_config: encryption_patch
+        end
+
+        ##
+        # The bucket's encryption configuration for customer-supplied encryption keys. This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption requirements
+        # for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] 
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.customer_supplied_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def customer_supplied_encryption_enforcement_config
+          @gapi.encryption&.customer_supplied_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for customer-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig, nil] new_customer_supplied_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::CustomerSuppliedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"
+        #   bucket.customer_supplied_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def customer_supplied_encryption_enforcement_config= new_customer_supplied_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.customer_supplied_encryption_enforcement_config =
+            new_customer_supplied_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
+
+        ##
+        # The bucket's encryption configuration for google-managed encryption keys.
+        # This configuration defines the
+        # default encryption behavior for the bucket and its files, and it can be used to enforce encryption
+        # requirements for the bucket.
+        # For more information, see [Bucket encryption](https://docs.cloud.google.com/storage/docs/encryption/).
+        # @return [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil]
+        # The bucket's encryption configuration, or `nil` if no encryption configuration has been set.
+        # @example
+        #   require "google/cloud/storage"
+        #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   bucket.google_managed_encryption_enforcement_config #=> Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new
+        #     restriction_mode: "NotRestricted"
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted".
+
+        def google_managed_encryption_enforcement_config
+          @gapi.encryption&.google_managed_encryption_enforcement_config
+        end
+
+        ##
+        # Sets the bucket's encryption configuration for google-managed encryption that will be used to protect files.
+        # @param [Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig, nil] new_google_managed_encryption_enforcement_config The bucket's encryption configuration, or `nil` to delete the encryption configuration.
+        # @example
+        #   require "google/cloud/storage"
+        #   #
+        #   storage = Google::Cloud::Storage.new
+        #   bucket = storage.bucket "my-bucket"
+        #   new_config = Google::Apis::StorageV1::Bucket::Encryption::GoogleManagedEncryptionEnforcementConfig.new restriction_mode: "FullyRestricted"        #   bucket.google_managed_encryption_enforcement_config = new_config
+        #   The value for `restriction_mode` can be either "NotRestricted" or "FullyRestricted"
+
+        def google_managed_encryption_enforcement_config= new_google_managed_encryption_enforcement_config
+          @gapi.encryption ||= API::Bucket::Encryption.new
+          @gapi.encryption.google_managed_encryption_enforcement_config =
+            new_google_managed_encryption_enforcement_config || {}
+          patch_gapi! :encryption
+        end
 
         ##
         # The period of time (in seconds) that files in the bucket must be
@@ -3252,13 +3398,18 @@ def ensure_gapi!
 
         def patch_gapi! attributes,
                         if_metageneration_match: nil,
-                        if_metageneration_not_match: nil
+                        if_metageneration_not_match: nil,
+                        bucket_encryption_config: nil
           attributes = Array(attributes)
           attributes.flatten!
           return if attributes.empty?
           ensure_service!
           patch_args = attributes.to_h do |attr|
-            [attr, @gapi.send(attr)]
+            if bucket_encryption_config
+              [attr, bucket_encryption_config]
+            else
+              [attr, @gapi.send(attr)]
+            end
           end
           patch_gapi = API::Bucket.new(**patch_args)
           @gapi = service.patch_bucket name,

@@ -36,3 +36,7 @@ group :test do
   gem "minitest-hooks", "~> 1.5"
   gem "rake"
 end
+# The following gems have been removed from ruby core and are required for testing.
+gem "ostruct"
+gem "cgi"
+gem "irb"
@@ -37,17 +37,20 @@
 require_relative "../storage_get_bucket_class_and_location"
 require_relative "../storage_get_bucket_metadata"
 require_relative "../storage_get_default_event_based_hold"
+require_relative "../storage_get_bucket_encryption_enforcement_config"
 require_relative "../storage_get_public_access_prevention"
 require_relative "../storage_get_requester_pays_status"
 require_relative "../storage_get_retention_policy"
 require_relative "../storage_get_uniform_bucket_level_access"
 require_relative "../storage_list_buckets"
 require_relative "../storage_list_buckets_with_partial_success"
 require_relative "../storage_lock_retention_policy"
+require_relative "../storage_update_bucket_encryption_enforcement_config"
 require_relative "../storage_remove_bucket_label"
 require_relative "../storage_remove_cors_configuration"
 require_relative "../storage_remove_retention_policy"
 require_relative "../storage_set_bucket_default_kms_key"
+require_relative "../storage_set_bucket_encryption_enforcement_config"
 require_relative "../storage_set_object_retention_policy"
 require_relative "../storage_set_public_access_prevention_enforced"
 require_relative "../storage_set_public_access_prevention_inherited"
@@ -169,6 +172,44 @@
     end
   end
 
+  describe "storage_bucket_encryption_enforcement_config" do
+    bucket_name = random_bucket_name
+
+    it "gets, sets and updates bucket encryption enforcement config" do
+      # creates bucket with encryption enforcement config
+      expected = "Created bucket #{bucket_name} with Encryption Enforcement Config.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          set_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # get encryption enforcement config
+      expected = "Encryption Enforcement Config for bucket #{bucket_name}:\n" \
+                 "Customer-managed encryption enforcement config restriction mode: NotRestricted\n" \
+                 "Customer-supplied encryption enforcement config restriction mode: FullyRestricted\n" \
+                 "Google-managed encryption enforcement config restriction mode: FullyRestricted\n"
+      retry_resource_exhaustion do
+        assert_output expected do
+          get_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      # update encryption enforcement config
+      expected = "Updated google_managed_config to NotRestricted for bucket #{bucket_name}.\n"
+
+      retry_resource_exhaustion do
+        assert_output expected do
+          update_bucket_encryption_enforcement_config bucket_name: bucket_name
+        end
+      end
+
+      refute_nil storage_client.bucket bucket_name
+    end
+    delete_bucket_helper bucket_name
+  end
+
   describe "storage_create_bucket_with_object_retention" do
     it "creates a bucket with object retention enabled." do
       bucket_name = random_bucket_name

@@ -0,0 +1,36 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START storage_get_bucket_encryption_enforcement_config]
+def get_bucket_encryption_enforcement_config bucket_name:
+  # The ID to give your GCS bucket
+  # bucket_name = "your-unique-bucket-name"
+
+  require "google/cloud/storage"
+
+  storage = Google::Cloud::Storage.new
+  bucket = storage.bucket bucket_name
+  puts "Encryption Enforcement Config for bucket #{bucket.name}:"
+  puts "Customer-managed encryption enforcement config restriction mode: " \
+       "#{bucket.customer_managed_encryption_enforcement_config&.restriction_mode}"
+  puts "Customer-supplied encryption enforcement config restriction mode: " \
+       "#{bucket.customer_supplied_encryption_enforcement_config&.restriction_mode}"
+  puts "Google-managed encryption enforcement config restriction mode: " \
+       "#{bucket.google_managed_encryption_enforcement_config&.restriction_mode}"
+end
+# [END storage_get_bucket_encryption_enforcement_config]
+
+if $PROGRAM_NAME == __FILE__
+  get_bucket_encryption_enforcement_config bucket_name: ARGV.shift
+end