Support KMS in Google Cloud Storage Repository plugin #43962

@chilang

Please add support for Cloud KMS/Customer-Managed-Key encrypted Google Cloud Storage buckets in the GCS Repository plugin.

Elasticsearch version (bin/elasticsearch --version):
5.2.2

Plugins installed: []
GCS Repository 5.2.2
GCE Discovery 5.2.2

JVM version (java -version):
openjdk version "1.8.0_212"

OS version (uname -a if on a Unix-like system):

Linux xxx 3.10.0-957.12.1.el7.x86_64 #1 SMP Wed Mar 20 11:34:37 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Description of the problem including expected versus actual behavior:

Currently, an attempt to initialize a repository with a CMK-encrypted bucket

curl -XPUT "$HOST:9201/_snapshot/my_gcs_repository" -d '
{
  "type": "gcs",
  "settings": {
     "bucket": "my-bucket",
     "service_account": "_default_"
  }
}'

fails with the following:

{
   "error" : {
     "root_cause": [
        {
           "type": "repository_verification_exception",
           "reason": "[my_gcs_repository] path is not accessible on master node"
        }
     ],
     "type": "repository_verification_exception",
     "reason": "[my_gcs_repository] path is not accessible on master node",
     "caused_by": {
        "type": "i_o_exception",
        "reason": "400 Bad Request\n{\n \"code\" : 400, \n \"errors\" : [ {\n \"domain\" : \"global\", \n, \"message\" : \"Operation with Cloud KMS is not supported.\", \"reason\" : \"invalid\"\n }], \n \"message\": \"Operation with Cloud KMS is not supported.\" \n}"
     }
   }
}

The same operation works fine with a Google-managed-key GCS bucket.
