Add CMEK directly in Gemini Batch Job Configuration #2622

@matt-davis27

Feature Request

I am facing an issue with my company's Org policy that requires a Customer Managed Encryption Key (CMEK) in place to use some features (i.e. Gemini Batch Inference). I'd like a clean way to enter our CMEK directly into the configuration of a batch job, types.CreateBatchJobConfig(...), similar to the existing encryption_spec parameter in types.CreateCachedContentConfig(...) and types.CreateTuningJobConfig(...), which utilize the kms_key_name field in types.EncryptionSpec(...).

Background

For a normal client.models.generate_content(...) request, you cannot pass CMEK(s) directly, as GenerateContentConfig has no kms_key_name / encryption_spec field. Therefore, client.batches.create(...) in google-genai does not currently expose a CMEK field for Gemini batch jobs.

So this does not work:

```python
genai.types.CreateBatchJobConfig(
    display_name="example_job",
    dest="gs://bucket/blob_name",
    encryption_spec=genai.types.EncryptionSpec(
        kms_key_name="projects/<project_id>/locations/<location>/keyRings/<key_ring>/cryptoKeys/<key_name>",
    ),
)
```

And the only alternatives are to:

  1. use the Vertex AI batch prediction API surface instead of google-genai as Vertex BatchPredictionJob supports an encryption spec / encryption key field
  2. use gcloud command line to enable default CMEK on your existing project resources (i.e. cloud storage buckets) BEFORE you use google-genai

     gcloud storage buckets update gs://YOUR_OUTPUT_BUCKET --default-kms-key=projects/YOUR_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING/cryptoKeys/YOUR_KEY

  3. Register the CMEK in your current session (i.e. with a curl command) (Reference: Google Docs)
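
For the bucket-default workaround in item 2, a pre-flight check can confirm that the output bucket really carries the expected default key before a batch job writes to it. This is an added example, not code from the issue or from google-genai: the function names and sample values are hypothetical, and it assumes the google-cloud-storage `Bucket.default_kms_key_name` and `Bucket.location` attributes and a single-region or multi-region bucket whose location code equals the key's location.

```python
import re

# Cloud KMS CryptoKey resource name, in the format shown in the issue.
_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)

# Constructed sample value for illustration only.
SAMPLE_KEY = "projects/demo-proj/locations/us-central1/keyRings/demo-ring/cryptoKeys/demo-key"


def parse_kms_key_name(name):
    """Split a CryptoKey resource name into its parts; reject anything else."""
    m = _KEY_RE.match(name or "")
    if not m:
        raise ValueError(f"not a CryptoKey resource name: {name!r}")
    return m.groupdict()


def check_bucket_cmek(default_key, bucket_location, required_key):
    """Return a list of problems; an empty list means the bucket is compliant.

    default_key      the bucket's default KMS key name, or None if unset
    bucket_location  the bucket's location, e.g. "US-CENTRAL1"
    required_key     the CMEK the org policy expects
    """
    required = parse_kms_key_name(required_key)  # fail early on a malformed key
    if not default_key:
        # Without a default key, new objects get Google default encryption.
        return ["bucket has no default KMS key set"]
    problems = []
    if default_key != required_key:
        problems.append(f"bucket default key is {default_key}, expected {required_key}")
    # Cloud Storage needs the key in the same location as the bucket.
    if required["location"].lower() != bucket_location.lower():
        problems.append(
            f"key location {required['location']} does not match bucket location {bucket_location}"
        )
    return problems


def fetch_bucket_state(bucket_name):
    """Read (default_kms_key_name, location) from a live bucket."""
    from google.cloud import storage  # lazy import; needs credentials

    bucket = storage.Client().get_bucket(bucket_name)
    return bucket.default_kms_key_name, bucket.location
```

Call `check_bucket_cmek(*fetch_bucket_state("YOUR_OUTPUT_BUCKET"), required_key)` and submit the batch job only when the returned list is empty.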

Labels: priority: p3 (Desirable enhancement or fix. May not be included in next release.); type: feature request ('Nice-to-have' improvement, new feature or different behavior or design.)