Skip to content

GCP: KeyManagementClient implementation that works with Google Cloud KMS #13334

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

GCP: KeyManagementClient implementation that works with Google Cloud KMS #13334

wants to merge 1 commit into from
+429 −25

Conversation

szlta
Copy link
Contributor

@szlta szlta commented Jun 17, 2025

  • To be used in table encryption for wrapping/unwrapping encryption keys.
  • Refactored common OAuth2 token and refresh handler setup logic into GCPAuthUtils.

Added integration tests for verification.

@github-actions github-actions bot added the core label Jun 17, 2025
@szlta
GCP: KeyManagementClient implementation that works with Google Cloud KMS
9d24bb2 
- To be used in table encryption for wrapping/unwrapping encryption keys.
- Refactored common OAuth2 token and refresh handler setup logic into
GCPAuthUtils.

Added integration tests for verification.
szlta
szlta commented Jul 21, 2025
View reviewed changes
gcp-bundle/build.gradle
@@ -28,6 +28,7 @@ project(":iceberg-gcp-bundle") {
implementation "com.google.cloud:google-cloud-storage"
implementation "com.google.cloud:google-cloud-bigquery"
implementation "com.google.cloud:google-cloud-core"
implementation "com.google.cloud:google-cloud-kms"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is meant for engines that use our Iceberg GCP bundle to be able to work with the proposed GcpKeyManagementClient.

However, when I tested this with Spark, I noticed an issue:

com.google.cloud.kms.v1.DecryptRequest$Builder.setCiphertext(Lcom/google/protobuf/ByteString;)Lcom/google/cloud/kms/v1/DecryptRequest$Builder;
java.lang.NoSuchMethodError: com.google.cloud.kms.v1.DecryptRequest$Builder.setCiphertext(Lcom/google/protobuf/ByteString;)Lcom/google/cloud/kms/v1/DecryptRequest$Builder;
	at org.apache.iceberg.gcp.GcpKeyManagementClient.unwrapKey(GcpKeyManagementClient.java:80)

This happens because DecryptRequest$Builder.setCiphertext takes a ByteString object, whose class is shaded and relocated in the gcp-bundle (check line 53 in this file). This results in changing the signature of
com.google.cloud.kms.v1.DecryptRequest$Builder.setCiphertext(Lcom/google/protobuf/ByteString;)Lcom/google/cloud/kms/v1/DecryptRequest$Builder;
to
com.google.cloud.kms.v1.DecryptRequest$Builder.setCiphertext(Lorg/apache/iceberg/gpc/shaded/com/google/protobuf/ByteString;)Lcom/google/cloud/kms/v1/DecryptRequest$Builder; in the bundle jar, hence the above error.

Engine apps not making use of the gcp-bundle jar (i.e. bringing their own google-cloud-kms and protobuf dependencies) work without issues.

I was considering the application of the same relocation logic in gcp module, and although that fixes the issue for gcp-bundle consumers, it causes a NoSuchMethodError for non-bundle consumers, so I can't seem to find way that ensures that the implementation works in both cases (like how the recently merged AwsKeyManagementClient does work). That is, without removing the relocation in line 53.

Please let me know what your opinion is @nastra, @amogh-jahagirdar, @pvary

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
build core GCP
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@szlta