APC

Reputation: 3

BigQuery JavaScript UDF using storage and KMS libraries

I am trying to develop a BigQuery JavaScript UDF for AES decryption. The key used for AES encryption is encrypted and stored in GCS. I have developed JavaScript code which will do the following steps:

  1. Read the file containing the encrypted value of the AES key from GCS
  2. Decrypt the AES key value using the KMS keyring and KMS key
  3. Use this key for AES decryption.

I am getting the storage and KMS libraries using the statements below:

const Storage = require('@google-cloud/storage');
const kms = require('@google-cloud/kms');

When I have to call the same functionality from a BigQuery UDF, how will I make sure these libraries are available? (I don't want to hard-code the AES key in the BigQuery UDF.)

I have seen an option for [OPTIONS (library = library_array)] in the BigQuery UDF definition, but I am not sure which specific .js files are required for storage and KMS integration.

Code snippet

'use strict';

const Storage = require('@google-cloud/storage');
const kms = require('@google-cloud/kms');

const storage = new Storage.Storage();
const client = new kms.KeyManagementServiceClient();
const bucketName = 'gs://testbucket';
const keyFile = storage.bucket(bucketName).file('key.enc');

// Decrypt the wrapped AES key with the KMS crypto key.
async function decrypt(ciphertext) {
  const name = '<replace with crypto-key-path>';
  const [result] = await client.decrypt({name, ciphertext});
  return Buffer.from(result.plaintext, 'base64').toString();
}

// Download the encrypted key file from GCS, then decrypt its contents.
async function loadKey() {
  const [contents] = await keyFile.download();
  const key = (await decrypt(contents)).trim();
  console.log(key); // prints the decrypted key, as in the original snippet
  return key;
}

loadKey().catch(console.error);

Thank you, Anu

Upvotes: 0

Views: 889

Answers (1)

Felipe Hoffa

Reputation: 59175

  • To answer the question: You can store the key in a GCS file, and read it by importing the file as an additional .js.

But:

  • BigQuery UDFs can't call external APIs, so even if '@google-cloud/storage' imports successfully, it won't be able to run and perform additional API calls.

Upvotes: 1
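
The approach in the answer, sketched as an added example that is not part of the original question or answer: the key is shipped to the UDF as an extra .js library file, so no API call happens at query time. The bucket, file, table and column names are hypothetical, and the example assumes a single-file CryptoJS build that exposes a global `CryptoJS`, plus a data format of base64(IV || AES-CBC ciphertext) with PKCS#7 padding, none of which the page specifies.

```sql
-- Added example. Assumed objects (hypothetical names):
--   gs://example-bucket/udf/crypto-js.min.js  single-file CryptoJS build
--   gs://example-bucket/udf/aes_key.js        one line: var AES_KEY_B64 = "<base64 AES key>";
CREATE TEMP FUNCTION aes_decrypt(ciphertext_b64 STRING)
RETURNS STRING
LANGUAGE js
OPTIONS (
  library = ["gs://example-bucket/udf/crypto-js.min.js",
             "gs://example-bucket/udf/aes_key.js"]
)
AS r"""
  if (ciphertext_b64 === null) return null;
  // AES_KEY_B64 is the global defined by aes_key.js.
  var key = CryptoJS.enc.Base64.parse(AES_KEY_B64);
  var raw = CryptoJS.enc.Base64.parse(ciphertext_b64);
  // Need the 16-byte IV plus at least one 16-byte block.
  if (raw.sigBytes < 32) return null;
  // Split the prepended IV (4 x 32-bit words) from the ciphertext body.
  var iv = CryptoJS.lib.WordArray.create(raw.words.slice(0, 4), 16);
  var body = CryptoJS.lib.WordArray.create(raw.words.slice(4), raw.sigBytes - 16);
  var plain = CryptoJS.AES.decrypt({ciphertext: body}, key,
      {iv: iv, mode: CryptoJS.mode.CBC, padding: CryptoJS.pad.Pkcs7});
  return plain.toString(CryptoJS.enc.Utf8);
""";

SELECT aes_decrypt(payload) AS cleartext
FROM `example_project.example_dataset.encrypted_rows`;
```

Because the UDF cannot call KMS, aes_key.js has to hold the AES key in the clear, so access to the key is governed by IAM on that GCS object.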
