scaleway.key_manager.v1alpha1 package

Submodules

scaleway.key_manager.v1alpha1.api module

class scaleway.key_manager.v1alpha1.api.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: Optional[str] = None, project_id: Optional[str] = None, name: Optional[str] = None, usage: Optional[KeyUsage] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None, origin: Optional[KeyOrigin] = None) → Key

Create a key. Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys that can be used without being stored in Key Manager. :param unprotected: Default value is false. :param region: Region to target. If none is passed will use default region from the config. :param project_id: ID of the Project containing the key. :param name: (Optional) Name of the key. :param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values. :param description: (Optional) Description of the key. :param tags: (Optional) List of the key’s tags. :param rotation_policy: If not specified, no rotation policy will be applied to the key. :param origin: Refer to the Key.Origin enum for a description of values. :return: Key

Usage:

result = api.create_key(
    unprotected=False,
)

decrypt(*, key_id: str, ciphertext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → DecryptResponse

Decrypt data. Decrypt data using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is the result of the encryption of 64KB of data (around 131KB). :param key_id: ID of the key to decrypt. :param ciphertext: Data size must be between 1 and 131071 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: The additional data must match the value passed in the encryption request. :return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)

delete_key(*, key_id: str, region: Optional[str] = None) → None

Delete a key. Delete an existing key specified by the region and key_id parameters. Deleting a key is permanent and cannot be undone. All data encrypted using this key, including data encryption keys, will become unusable. :param key_id: ID of the key to delete. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)

delete_key_material(*, key_id: str, region: Optional[str] = None) → None

Delete key material. Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external. :param key_id: ID of the key of which to delete the key material. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)

disable_key(*, key_id: str, region: Optional[str] = None) → Key

Disable key. Disable a given key to be used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters. :param key_id: ID of the key to disable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.disable_key(
    key_id="example",
)

enable_key(*, key_id: str, region: Optional[str] = None) → Key

Enable key. Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters. :param key_id: ID of the key to enable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.enable_key(
    key_id="example",
)

encrypt(*, key_id: str, plaintext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → EncryptResponse

Encrypt data. Encrypt data using an existing key, specified by the key_id parameter. Only keys with a usage set to symmetric_encryption are supported by this method. The maximum payload size that can be encrypted is 64KB of plaintext. :param key_id: ID of the key to encrypt. :param plaintext: Data size must be between 1 and 65535 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. :return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)

generate_data_key(*, key_id: str, without_plaintext: bool, region: Optional[str] = None, algorithm: Optional[DataKeyAlgorithmSymmetricEncryption] = None) → DataKey

Generate a data encryption key. Generate a new data encryption key to use for cryptographic operations outside of Key Manager. Note that Key Manager does not store your data encryption key. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager. The data encryption key’s plaintext is returned in the response object, for immediate usage.

Always store the data encryption key’s ciphertext, rather than its plaintext, which must not be stored. To retrieve your key’s plaintext, call the Decrypt endpoint with your key’s ID and ciphertext. :param key_id: ID of the key. :param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object. :param region: Region to target. If none is passed will use default region from the config. :param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values. :return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)

get_key(*, key_id: str, region: Optional[str] = None) → Key

Get key metadata. Retrieve the metadata of a key specified by the region and key_id parameters. :param key_id: ID of the key to target. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.get_key(
    key_id="example",
)

import_key_material(*, key_id: str, key_material: str, region: Optional[str] = None, salt: Optional[str] = None) → Key

Import key material. Import key material to use to derive a new cryptographic key. The key’s origin must be external. :param key_id: The key’s origin must be ‘external’. :param key_material: The key material The key material is a random sequence of bytes used to derive a cryptographic key. :param region: Region to target. If none is passed will use default region from the config. :param salt: A salt can be used to improve the quality of randomness when the key material is generated from a low entropy source. :return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)

list_keys(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → ListKeysResponse

List keys. Retrieve the list of keys created within all Projects of an Organization or in a given Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: ListKeysResponse

Usage:

result = api.list_keys()

list_keys_all(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → List[Key]

List keys. Retrieve the list of keys created within all Projects of an Organization or in a given Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: List[Key]

Usage:

result = api.list_keys_all()

protect_key(*, key_id: str, region: Optional[str] = None) → Key

Apply key protection. Apply key protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted. :param key_id: ID of the key to apply key protection to. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.protect_key(
    key_id="example",
)

rotate_key(*, key_id: str, region: Optional[str] = None) → Key

Rotate a key. Generate a new version of an existing key with randomly generated key material. Rotated keys can still be used to decrypt previously encrypted data. The key’s new material will be used for subsequent encryption operations and data key generation. :param key_id: ID of the key to rotate. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)

unprotect_key(*, key_id: str, region: Optional[str] = None) → Key

Remove key protection. Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime. :param key_id: ID of the key to remove key protection from. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)

update_key(*, key_id: str, region: Optional[str] = None, name: Optional[str] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None) → Key

Update a key. Update a key’s metadata (name, description and tags), specified by the key_id and region parameters. :param key_id: ID of the key to update. :param region: Region to target. If none is passed will use default region from the config. :param name: (Optional) Updated name of the key. :param description: (Optional) Updated description of the key. :param tags: (Optional) Updated list of the key’s tags. :param rotation_policy: If not specified, the key’s existing rotation policy applies. :return: Key

Usage:

result = api.update_key(
    key_id="example",
)

scaleway.key_manager.v1alpha1.marshalling module

scaleway.key_manager.v1alpha1.marshalling.marshal_CreateKeyRequest(request: CreateKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_DecryptRequest(request: DecryptRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_EncryptRequest(request: EncryptRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_GenerateDataKeyRequest(request: GenerateDataKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_ImportKeyMaterialRequest(request: ImportKeyMaterialRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_KeyRotationPolicy(request: KeyRotationPolicy, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_KeyUsage(request: KeyUsage, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_UpdateKeyRequest(request: UpdateKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.unmarshal_DataKey(data: Any) → DataKey

scaleway.key_manager.v1alpha1.marshalling.unmarshal_DecryptResponse(data: Any) → DecryptResponse

scaleway.key_manager.v1alpha1.marshalling.unmarshal_EncryptResponse(data: Any) → EncryptResponse

scaleway.key_manager.v1alpha1.marshalling.unmarshal_Key(data: Any) → Key

scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyRotationPolicy(data: Any) → KeyRotationPolicy

scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyUsage(data: Any) → KeyUsage

scaleway.key_manager.v1alpha1.marshalling.unmarshal_ListKeysResponse(data: Any) → ListKeysResponse

scaleway.key_manager.v1alpha1.types module

class scaleway.key_manager.v1alpha1.types.CreateKeyRequest(unprotected: 'bool', region: 'Optional[Region]', project_id: 'Optional[str]', name: 'Optional[str]', usage: 'Optional[KeyUsage]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]', origin: 'Optional[KeyOrigin]')

Bases: object

description: Optional[str]: (Optional) Description of the key.

name: Optional[str]: (Optional) Name of the key.

origin: Optional[KeyOrigin]: Refer to the Key.Origin enum for a description of values.

project_id: Optional[str]: ID of the Project containing the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, no rotation policy will be applied to the key.

tags: Optional[List[str]]: (Optional) List of the key’s tags.

unprotected: bool: Default value is false.

usage: Optional[KeyUsage]: See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.types.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]', created_at: 'Optional[datetime]')

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption: Symmetric encryption algorithm of the data encryption key.

ciphertext: str: Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: Optional[datetime]: Data encryption key creation date.

key_id: str: ID of the data encryption key.

plaintext: Optional[str]: (Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must neither be stored or shared.

class scaleway.key_manager.v1alpha1.types.DataKeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.types.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[Region]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: The additional data must match the value passed in the encryption request.

ciphertext: str: Data size must be between 1 and 131071 bytes.

key_id: str: ID of the key to decrypt.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]')

Bases: object

ciphertext: Optional[str]: If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str: ID of the key used for decryption.

plaintext: str: Key’s decrypted data.

class scaleway.key_manager.v1alpha1.types.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key of which to delete the key material.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DeleteKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to delete.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DisableKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to disable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EnableKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to enable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[Region]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload.

key_id: str: ID of the key to encrypt.

plaintext: str: Data size must be between 1 and 65535 bytes.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str: Key’s encrypted data.

key_id: str: ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.types.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[Region]', algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]')

Bases: object

algorithm: Optional[DataKeyAlgorithmSymmetricEncryption]: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str: ID of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

without_plaintext: bool: Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.types.GetKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to target.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[Region]', salt: 'Optional[str]')

Bases: object

key_id: str: The key’s origin must be ‘external’.

key_material: str: The key material The key material is a random sequence of bytes used to derive a cryptographic key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

salt: Optional[str]: A salt can be used to improve the quality of randomness when the key material is generated from a low entropy source.

class scaleway.key_manager.v1alpha1.types.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', usage: 'Optional[KeyUsage]', created_at: 'Optional[datetime]', updated_at: 'Optional[datetime]', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'Region', description: 'Optional[str]', rotated_at: 'Optional[datetime]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

created_at: Optional[datetime]: Key creation date.

description: Optional[str]: Description of the key.

id: str: ID of the key.

locked: bool: Returns true if the key is locked.

name: str: Name of the key.

origin: KeyOrigin: Refer to the Key.Origin enum for a description of values.

project_id: str: ID of the Project containing the key.

protected: bool: Returns true if key protection is applied to the key.

region: str: Region of the key.

rotated_at: Optional[datetime]: Key last rotation date.

rotation_count: int: The rotation count tracks the amount of times that the key was rotated.

rotation_policy: Optional[KeyRotationPolicy]: Key rotation policy.

state: KeyState: See the Key.State enum for a description of values.

tags: List[str]: List of the key’s tags.

updated_at: Optional[datetime]: Key last modification date.

usage: Optional[KeyUsage]: Keys with a usage set to symmetric_encryption are used to encrypt and decrypt data. The only key algorithm currently supported by Key Manager is AES-256-GCM.

class scaleway.key_manager.v1alpha1.types.KeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.types.KeyOrigin(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

EXTERNAL = 'external'

SCALEWAY_KMS = 'scaleway_kms'

UNKNOWN_ORIGIN = 'unknown_origin'

class scaleway.key_manager.v1alpha1.types.KeyRotationPolicy(rotation_period: 'Optional[str]', next_rotation_at: 'Optional[datetime]')

Bases: object

next_rotation_at: Optional[datetime]: Date at which the key will be rotated next.

rotation_period: Optional[str]: Duration between two key rotations. The minimum duration is 24 hours and the maximum duration is 876000 hours (1 year).

class scaleway.key_manager.v1alpha1.types.KeyState(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

DISABLED = 'disabled'

ENABLED = 'enabled'

PENDING_KEY_MATERIAL = 'pending_key_material'

UNKNOWN_STATE = 'unknown_state'

class scaleway.key_manager.v1alpha1.types.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]')

Bases: object

symmetric_encryption: Optional[KeyAlgorithmSymmetricEncryption]

class scaleway.key_manager.v1alpha1.types.ListKeysRequest(region: 'Optional[Region]', organization_id: 'Optional[str]', project_id: 'Optional[str]', order_by: 'Optional[ListKeysRequestOrderBy]', page: 'Optional[int]', page_size: 'Optional[int]', tags: 'Optional[List[str]]', name: 'Optional[str]')

Bases: object

name: Optional[str]: (Optional) Filter by key name.

order_by: Optional[ListKeysRequestOrderBy]

organization_id: Optional[str]: (Optional) Filter by Organization ID.

page: Optional[int]

page_size: Optional[int]

project_id: Optional[str]: (Optional) Filter by Project ID.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

tags: Optional[List[str]]: (Optional) List of tags to filter on.

class scaleway.key_manager.v1alpha1.types.ListKeysRequestOrderBy(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

CREATED_AT_ASC = 'created_at_asc'

CREATED_AT_DESC = 'created_at_desc'

NAME_ASC = 'name_asc'

NAME_DESC = 'name_desc'

UPDATED_AT_ASC = 'updated_at_asc'

UPDATED_AT_DESC = 'updated_at_desc'

class scaleway.key_manager.v1alpha1.types.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]: Single page of keys matching the requested criteria.

total_count: int: Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.types.ProtectKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to apply key protection to.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.RotateKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to rotate.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.UnprotectKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to remove key protection from.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.UpdateKeyRequest(key_id: 'str', region: 'Optional[Region]', name: 'Optional[str]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

description: Optional[str]: (Optional) Updated description of the key.

key_id: str: ID of the key to update.

name: Optional[str]: (Optional) Updated name of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, the key’s existing rotation policy applies.

tags: Optional[List[str]]: (Optional) Updated list of the key’s tags.

Module contents

class scaleway.key_manager.v1alpha1.CreateKeyRequest(unprotected: 'bool', region: 'Optional[Region]', project_id: 'Optional[str]', name: 'Optional[str]', usage: 'Optional[KeyUsage]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]', origin: 'Optional[KeyOrigin]')

Bases: object

description: Optional[str]: (Optional) Description of the key.

name: Optional[str]: (Optional) Name of the key.

origin: Optional[KeyOrigin]: Refer to the Key.Origin enum for a description of values.

project_id: Optional[str]: ID of the Project containing the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, no rotation policy will be applied to the key.

tags: Optional[List[str]]: (Optional) List of the key’s tags.

unprotected: bool: Default value is false.

usage: Optional[KeyUsage]: See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]', created_at: 'Optional[datetime]')

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption: Symmetric encryption algorithm of the data encryption key.

ciphertext: str: Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: Optional[datetime]: Data encryption key creation date.

key_id: str: ID of the data encryption key.

plaintext: Optional[str]: (Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must neither be stored or shared.

class scaleway.key_manager.v1alpha1.DataKeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[Region]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: The additional data must match the value passed in the encryption request.

ciphertext: str: Data size must be between 1 and 131071 bytes.

key_id: str: ID of the key to decrypt.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]')

Bases: object

ciphertext: Optional[str]: If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str: ID of the key used for decryption.

plaintext: str: Key’s decrypted data.

class scaleway.key_manager.v1alpha1.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key of which to delete the key material.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DeleteKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to delete.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DisableKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to disable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EnableKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to enable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[Region]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload.

key_id: str: ID of the key to encrypt.

plaintext: str: Data size must be between 1 and 65535 bytes.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str: Key’s encrypted data.

key_id: str: ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[Region]', algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]')

Bases: object

algorithm: Optional[DataKeyAlgorithmSymmetricEncryption]: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str: ID of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

without_plaintext: bool: Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.GetKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to target.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[Region]', salt: 'Optional[str]')

Bases: object

key_id: str: The key’s origin must be ‘external’.

key_material: str: The key material The key material is a random sequence of bytes used to derive a cryptographic key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

salt: Optional[str]: A salt can be used to improve the quality of randomness when the key material is generated from a low entropy source.

class scaleway.key_manager.v1alpha1.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', usage: 'Optional[KeyUsage]', created_at: 'Optional[datetime]', updated_at: 'Optional[datetime]', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'Region', description: 'Optional[str]', rotated_at: 'Optional[datetime]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

created_at: Optional[datetime]: Key creation date.

description: Optional[str]: Description of the key.

id: str: ID of the key.

locked: bool: Returns true if the key is locked.

name: str: Name of the key.

origin: KeyOrigin: Refer to the Key.Origin enum for a description of values.

project_id: str: ID of the Project containing the key.

protected: bool: Returns true if key protection is applied to the key.

region: str: Region of the key.

rotated_at: Optional[datetime]: Key last rotation date.

rotation_count: int: The rotation count tracks the amount of times that the key was rotated.

rotation_policy: Optional[KeyRotationPolicy]: Key rotation policy.

state: KeyState: See the Key.State enum for a description of values.

tags: List[str]: List of the key’s tags.

updated_at: Optional[datetime]: Key last modification date.

usage: Optional[KeyUsage]: Keys with a usage set to symmetric_encryption are used to encrypt and decrypt data. The only key algorithm currently supported by Key Manager is AES-256-GCM.

class scaleway.key_manager.v1alpha1.KeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: Optional[str] = None, project_id: Optional[str] = None, name: Optional[str] = None, usage: Optional[KeyUsage] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None, origin: Optional[KeyOrigin] = None) → Key

Create a key. Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys that can be used without being stored in Key Manager. :param unprotected: Default value is false. :param region: Region to target. If none is passed will use default region from the config. :param project_id: ID of the Project containing the key. :param name: (Optional) Name of the key. :param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values. :param description: (Optional) Description of the key. :param tags: (Optional) List of the key’s tags. :param rotation_policy: If not specified, no rotation policy will be applied to the key. :param origin: Refer to the Key.Origin enum for a description of values. :return: Key

Usage:

result = api.create_key(
    unprotected=False,
)

decrypt(*, key_id: str, ciphertext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → DecryptResponse

Decrypt data. Decrypt data using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is the result of the encryption of 64KB of data (around 131KB). :param key_id: ID of the key to decrypt. :param ciphertext: Data size must be between 1 and 131071 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: The additional data must match the value passed in the encryption request. :return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)

delete_key(*, key_id: str, region: Optional[str] = None) → None

Delete a key. Delete an existing key specified by the region and key_id parameters. Deleting a key is permanent and cannot be undone. All data encrypted using this key, including data encryption keys, will become unusable. :param key_id: ID of the key to delete. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)

delete_key_material(*, key_id: str, region: Optional[str] = None) → None

Delete key material. Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external. :param key_id: ID of the key of which to delete the key material. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)

disable_key(*, key_id: str, region: Optional[str] = None) → Key

Disable key. Disable a given key to be used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters. :param key_id: ID of the key to disable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.disable_key(
    key_id="example",
)

enable_key(*, key_id: str, region: Optional[str] = None) → Key

Enable key. Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters. :param key_id: ID of the key to enable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.enable_key(
    key_id="example",
)

encrypt(*, key_id: str, plaintext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → EncryptResponse

Encrypt data. Encrypt data using an existing key, specified by the key_id parameter. Only keys with a usage set to symmetric_encryption are supported by this method. The maximum payload size that can be encrypted is 64KB of plaintext. :param key_id: ID of the key to encrypt. :param plaintext: Data size must be between 1 and 65535 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. :return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)

generate_data_key(*, key_id: str, without_plaintext: bool, region: Optional[str] = None, algorithm: Optional[DataKeyAlgorithmSymmetricEncryption] = None) → DataKey

Generate a data encryption key. Generate a new data encryption key to use for cryptographic operations outside of Key Manager. Note that Key Manager does not store your data encryption key. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager. The data encryption key’s plaintext is returned in the response object, for immediate usage.

Always store the data encryption key’s ciphertext, rather than its plaintext, which must not be stored. To retrieve your key’s plaintext, call the Decrypt endpoint with your key’s ID and ciphertext. :param key_id: ID of the key. :param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object. :param region: Region to target. If none is passed will use default region from the config. :param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values. :return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)

get_key(*, key_id: str, region: Optional[str] = None) → Key

Get key metadata. Retrieve the metadata of a key specified by the region and key_id parameters. :param key_id: ID of the key to target. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.get_key(
    key_id="example",
)

import_key_material(*, key_id: str, key_material: str, region: Optional[str] = None, salt: Optional[str] = None) → Key

Import key material. Import key material to use to derive a new cryptographic key. The key’s origin must be external. :param key_id: The key’s origin must be ‘external’. :param key_material: The key material The key material is a random sequence of bytes used to derive a cryptographic key. :param region: Region to target. If none is passed will use default region from the config. :param salt: A salt can be used to improve the quality of randomness when the key material is generated from a low entropy source. :return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)

list_keys(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → ListKeysResponse

List keys. Retrieve the list of keys created within all Projects of an Organization or in a given Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: ListKeysResponse

Usage:

result = api.list_keys()

list_keys_all(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → List[Key]

List keys. Retrieve the list of keys created within all Projects of an Organization or in a given Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: List[Key]

Usage:

result = api.list_keys_all()

protect_key(*, key_id: str, region: Optional[str] = None) → Key

Apply key protection. Apply key protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted. :param key_id: ID of the key to apply key protection to. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.protect_key(
    key_id="example",
)

rotate_key(*, key_id: str, region: Optional[str] = None) → Key

Rotate a key. Generate a new version of an existing key with randomly generated key material. Rotated keys can still be used to decrypt previously encrypted data. The key’s new material will be used for subsequent encryption operations and data key generation. :param key_id: ID of the key to rotate. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)

unprotect_key(*, key_id: str, region: Optional[str] = None) → Key

Remove key protection. Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime. :param key_id: ID of the key to remove key protection from. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)

update_key(*, key_id: str, region: Optional[str] = None, name: Optional[str] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None) → Key

Update a key. Update a key’s metadata (name, description and tags), specified by the key_id and region parameters. :param key_id: ID of the key to update. :param region: Region to target. If none is passed will use default region from the config. :param name: (Optional) Updated name of the key. :param description: (Optional) Updated description of the key. :param tags: (Optional) Updated list of the key’s tags. :param rotation_policy: If not specified, the key’s existing rotation policy applies. :return: Key

Usage:

result = api.update_key(
    key_id="example",
)

class scaleway.key_manager.v1alpha1.KeyOrigin(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

EXTERNAL = 'external'

SCALEWAY_KMS = 'scaleway_kms'

UNKNOWN_ORIGIN = 'unknown_origin'

class scaleway.key_manager.v1alpha1.KeyRotationPolicy(rotation_period: 'Optional[str]', next_rotation_at: 'Optional[datetime]')

Bases: object

next_rotation_at: Optional[datetime]: Date at which the key will be rotated next.

rotation_period: Optional[str]: Duration between two key rotations. The minimum duration is 24 hours and the maximum duration is 876000 hours (1 year).

class scaleway.key_manager.v1alpha1.KeyState(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

DISABLED = 'disabled'

ENABLED = 'enabled'

PENDING_KEY_MATERIAL = 'pending_key_material'

UNKNOWN_STATE = 'unknown_state'

class scaleway.key_manager.v1alpha1.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]')

Bases: object

symmetric_encryption: Optional[KeyAlgorithmSymmetricEncryption]

class scaleway.key_manager.v1alpha1.ListKeysRequest(region: 'Optional[Region]', organization_id: 'Optional[str]', project_id: 'Optional[str]', order_by: 'Optional[ListKeysRequestOrderBy]', page: 'Optional[int]', page_size: 'Optional[int]', tags: 'Optional[List[str]]', name: 'Optional[str]')

Bases: object

name: Optional[str]: (Optional) Filter by key name.

order_by: Optional[ListKeysRequestOrderBy]

organization_id: Optional[str]: (Optional) Filter by Organization ID.

page: Optional[int]

page_size: Optional[int]

project_id: Optional[str]: (Optional) Filter by Project ID.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

tags: Optional[List[str]]: (Optional) List of tags to filter on.

class scaleway.key_manager.v1alpha1.ListKeysRequestOrderBy(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

CREATED_AT_ASC = 'created_at_asc'

CREATED_AT_DESC = 'created_at_desc'

NAME_ASC = 'name_asc'

NAME_DESC = 'name_desc'

UPDATED_AT_ASC = 'updated_at_asc'

UPDATED_AT_DESC = 'updated_at_desc'

class scaleway.key_manager.v1alpha1.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]: Single page of keys matching the requested criteria.

total_count: int: Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.ProtectKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to apply key protection to.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.RotateKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to rotate.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.UnprotectKeyRequest(key_id: 'str', region: 'Optional[Region]')

Bases: object

key_id: str: ID of the key to remove key protection from.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.UpdateKeyRequest(key_id: 'str', region: 'Optional[Region]', name: 'Optional[str]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

description: Optional[str]: (Optional) Updated description of the key.

key_id: str: ID of the key to update.

name: Optional[str]: (Optional) Updated name of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, the key’s existing rotation policy applies.

tags: Optional[List[str]]: (Optional) Updated list of the key’s tags.