scaleway.key_manager.v1alpha1 package

Submodules

scaleway.key_manager.v1alpha1.api module

class scaleway.key_manager.v1alpha1.api.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: Optional[str] = None, project_id: Optional[str] = None, name: Optional[str] = None, usage: Optional[KeyUsage] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None, origin: Optional[KeyOrigin] = None) → Key

Create a key. Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys. Data encryption keys are not stored in Key Manager. :param unprotected: Default value is false. :param region: Region to target. If none is passed will use default region from the config. :param project_id: ID of the Project containing the key. :param name: (Optional) Name of the key. :param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values. :param description: (Optional) Description of the key. :param tags: (Optional) List of the key’s tags. :param rotation_policy: If not specified, no rotation policy will be applied to the key. :param origin: Refer to the Key.Origin enum for a description of values. :return: Key

Usage:

result = api.create_key(
    unprotected=False,
)

decrypt(*, key_id: str, ciphertext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → DecryptResponse

Decrypt an encrypted payload. Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB). :param key_id: ID of the key to decrypt. :param ciphertext: Data size must be between 1 and 131071 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: The additional data must match the value passed in the encryption request. :return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)

delete_key(*, key_id: str, region: Optional[str] = None) → None

Delete a key. Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable. :param key_id: ID of the key to delete. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)

delete_key_material(*, key_id: str, region: Optional[str] = None) → None

Delete key material. Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external. :param key_id: ID of the key of which to delete the key material. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)

disable_key(*, key_id: str, region: Optional[str] = None) → Key

Disable key. Disable a given key, preventing it to be used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters. :param key_id: ID of the key to disable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.disable_key(
    key_id="example",
)

enable_key(*, key_id: str, region: Optional[str] = None) → Key

Enable key. Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters. :param key_id: ID of the key to enable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.enable_key(
    key_id="example",
)

encrypt(*, key_id: str, plaintext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → EncryptResponse

Encrypt a payload. Encrypt a payload using an existing key, specified by the key_id parameter. Only keys with a usage set to symmetric_encryption are supported by this method. The maximum payload size that can be encrypted is 64 KB of plaintext. :param key_id: ID of the key to encrypt. :param plaintext: Data size must be between 1 and 65535 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. :return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)

generate_data_key(*, key_id: str, without_plaintext: bool, region: Optional[str] = None, algorithm: Optional[DataKeyAlgorithmSymmetricEncryption] = None) → DataKey

Create a data encryption key. Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.

The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key’s plaintext, use the Decrypt method with your key’s ID and ciphertext. :param key_id: ID of the key. :param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object. :param region: Region to target. If none is passed will use default region from the config. :param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values. :return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)

get_key(*, key_id: str, region: Optional[str] = None) → Key

Get key metadata. Retrieve metadata for a specified key using the region and key_id parameters. :param key_id: ID of the key to target. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.get_key(
    key_id="example",
)

import_key_material(*, key_id: str, key_material: str, region: Optional[str] = None, salt: Optional[str] = None) → Key

Import key material. Import externally generated key material into Key Manager to derive a new cryptographic key. The key’s origin must be external. :param key_id: The key’s origin must be external. :param key_material: The key material The key material is a random sequence of bytes used to derive a cryptographic key. :param region: Region to target. If none is passed will use default region from the config. :param salt: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy). :return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)

list_keys(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → ListKeysResponse

List keys. Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: ListKeysResponse

Usage:

result = api.list_keys()

list_keys_all(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → List[Key]

List keys. Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: List[Key]

Usage:

result = api.list_keys_all()

protect_key(*, key_id: str, region: Optional[str] = None) → Key

Apply key protection. Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted. :param key_id: ID of the key to apply key protection to. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.protect_key(
    key_id="example",
)

rotate_key(*, key_id: str, region: Optional[str] = None) → Key

Rotate a key. Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key’s new version will be used for subsequent encryption operations and data key generation. :param key_id: ID of the key to rotate. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)

unprotect_key(*, key_id: str, region: Optional[str] = None) → Key

Remove key protection. Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime. :param key_id: ID of the key to remove key protection from. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)

update_key(*, key_id: str, region: Optional[str] = None, name: Optional[str] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None) → Key

Update a key. Modify a key’s metadata including name, description and tags, specified by the key_id and region parameters. :param key_id: ID of the key to update. :param region: Region to target. If none is passed will use default region from the config. :param name: (Optional) Updated name of the key. :param description: (Optional) Updated description of the key. :param tags: (Optional) Updated list of the key’s tags. :param rotation_policy: If not specified, the key’s existing rotation policy applies. :return: Key

Usage:

result = api.update_key(
    key_id="example",
)

scaleway.key_manager.v1alpha1.marshalling module

scaleway.key_manager.v1alpha1.marshalling.marshal_CreateKeyRequest(request: CreateKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_DecryptRequest(request: DecryptRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_EncryptRequest(request: EncryptRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_GenerateDataKeyRequest(request: GenerateDataKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_ImportKeyMaterialRequest(request: ImportKeyMaterialRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_KeyRotationPolicy(request: KeyRotationPolicy, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_KeyUsage(request: KeyUsage, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.marshal_UpdateKeyRequest(request: UpdateKeyRequest, defaults: ProfileDefaults) → Dict[str, Any]

scaleway.key_manager.v1alpha1.marshalling.unmarshal_DataKey(data: Any) → DataKey

scaleway.key_manager.v1alpha1.marshalling.unmarshal_DecryptResponse(data: Any) → DecryptResponse

scaleway.key_manager.v1alpha1.marshalling.unmarshal_EncryptResponse(data: Any) → EncryptResponse

scaleway.key_manager.v1alpha1.marshalling.unmarshal_Key(data: Any) → Key

scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyRotationPolicy(data: Any) → KeyRotationPolicy

scaleway.key_manager.v1alpha1.marshalling.unmarshal_KeyUsage(data: Any) → KeyUsage

scaleway.key_manager.v1alpha1.marshalling.unmarshal_ListKeysResponse(data: Any) → ListKeysResponse

scaleway.key_manager.v1alpha1.types module

class scaleway.key_manager.v1alpha1.types.CreateKeyRequest(unprotected: 'bool', region: 'Optional[ScwRegion]', project_id: 'Optional[str]', name: 'Optional[str]', usage: 'Optional[KeyUsage]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]', origin: 'Optional[KeyOrigin]')

Bases: object

description: Optional[str]: (Optional) Description of the key.

name: Optional[str]: (Optional) Name of the key.

origin: Optional[KeyOrigin]: Refer to the Key.Origin enum for a description of values.

project_id: Optional[str]: ID of the Project containing the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, no rotation policy will be applied to the key.

tags: Optional[List[str]]: (Optional) List of the key’s tags.

unprotected: bool: Default value is false.

usage: Optional[KeyUsage]: See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.types.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]', created_at: 'Optional[datetime]')

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption: Symmetric encryption algorithm of the data encryption key (AES-256-GCM).

ciphertext: str: Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: Optional[datetime]: Data encryption key creation date.

key_id: str: ID of the data encryption key.

plaintext: Optional[str]: (Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must neither be stored or shared.

class scaleway.key_manager.v1alpha1.types.DataKeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.types.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[ScwRegion]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: The additional data must match the value passed in the encryption request.

ciphertext: str: Data size must be between 1 and 131071 bytes.

key_id: str: ID of the key to decrypt.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]')

Bases: object

ciphertext: Optional[str]: If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str: ID of the key used for decryption.

plaintext: str: Key’s decrypted data.

class scaleway.key_manager.v1alpha1.types.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key of which to delete the key material.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DeleteKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to delete.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.DisableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to disable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EnableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to enable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[ScwRegion]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload.

key_id: str: ID of the key to encrypt.

plaintext: str: Data size must be between 1 and 65535 bytes.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str: Key’s encrypted data.

key_id: str: ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.types.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[ScwRegion]', algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]')

Bases: object

algorithm: Optional[DataKeyAlgorithmSymmetricEncryption]: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str: ID of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

without_plaintext: bool: Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.types.GetKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to target.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[ScwRegion]', salt: 'Optional[str]')

Bases: object

key_id: str: The key’s origin must be external.

key_material: str: The key material The key material is a random sequence of bytes used to derive a cryptographic key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

salt: Optional[str]: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).

class scaleway.key_manager.v1alpha1.types.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', usage: 'Optional[KeyUsage]', created_at: 'Optional[datetime]', updated_at: 'Optional[datetime]', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'ScwRegion', description: 'Optional[str]', rotated_at: 'Optional[datetime]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

created_at: Optional[datetime]: Key creation date.

description: Optional[str]: Description of the key.

id: str: ID of the key.

locked: bool: Returns true if the key is locked.

name: str: Name of the key.

origin: KeyOrigin: Refer to the Key.Origin enum for a description of values.

project_id: str: ID of the Project containing the key.

protected: bool: Returns true if key protection is applied to the key.

region: str: Region where the key is stored.

rotated_at: Optional[datetime]: Key last rotation date.

rotation_count: int: The rotation count tracks the number of times the key has been rotated.

rotation_policy: Optional[KeyRotationPolicy]: Key rotation policy.

state: KeyState: See the Key.State enum for a description of possible values.

tags: List[str]: List of the key’s tags.

updated_at: Optional[datetime]: Key last modification date.

usage: Optional[KeyUsage]: Keys with a usage set to symmetric_encryption can encrypt and decrypt data using the AES-256-GCM key algorithm. Key Manager currently only supports AES-256-GCM.

class scaleway.key_manager.v1alpha1.types.KeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.types.KeyOrigin(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

EXTERNAL = 'external'

SCALEWAY_KMS = 'scaleway_kms'

UNKNOWN_ORIGIN = 'unknown_origin'

class scaleway.key_manager.v1alpha1.types.KeyRotationPolicy(rotation_period: 'Optional[str]', next_rotation_at: 'Optional[datetime]')

Bases: object

next_rotation_at: Optional[datetime]: Timestamp indicating the next scheduled rotation.

rotation_period: Optional[str]: Time interval between two key rotations. The minimum duration is 24 hours and the maximum duration is 1 year (876000 hours).

class scaleway.key_manager.v1alpha1.types.KeyState(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

DISABLED = 'disabled'

ENABLED = 'enabled'

PENDING_KEY_MATERIAL = 'pending_key_material'

UNKNOWN_STATE = 'unknown_state'

class scaleway.key_manager.v1alpha1.types.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]')

Bases: object

symmetric_encryption: Optional[KeyAlgorithmSymmetricEncryption]

class scaleway.key_manager.v1alpha1.types.ListKeysRequest(region: 'Optional[ScwRegion]', organization_id: 'Optional[str]', project_id: 'Optional[str]', order_by: 'Optional[ListKeysRequestOrderBy]', page: 'Optional[int]', page_size: 'Optional[int]', tags: 'Optional[List[str]]', name: 'Optional[str]')

Bases: object

name: Optional[str]: (Optional) Filter by key name.

order_by: Optional[ListKeysRequestOrderBy]

organization_id: Optional[str]: (Optional) Filter by Organization ID.

page: Optional[int]

page_size: Optional[int]

project_id: Optional[str]: (Optional) Filter by Project ID.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

tags: Optional[List[str]]: (Optional) List of tags to filter on.

class scaleway.key_manager.v1alpha1.types.ListKeysRequestOrderBy(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

CREATED_AT_ASC = 'created_at_asc'

CREATED_AT_DESC = 'created_at_desc'

NAME_ASC = 'name_asc'

NAME_DESC = 'name_desc'

UPDATED_AT_ASC = 'updated_at_asc'

UPDATED_AT_DESC = 'updated_at_desc'

class scaleway.key_manager.v1alpha1.types.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]: Single page of keys matching the requested criteria.

total_count: int: Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.types.ProtectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to apply key protection to.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.RotateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to rotate.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.UnprotectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to remove key protection from.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.types.UpdateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]', name: 'Optional[str]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

description: Optional[str]: (Optional) Updated description of the key.

key_id: str: ID of the key to update.

name: Optional[str]: (Optional) Updated name of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, the key’s existing rotation policy applies.

tags: Optional[List[str]]: (Optional) Updated list of the key’s tags.

Module contents

class scaleway.key_manager.v1alpha1.CreateKeyRequest(unprotected: 'bool', region: 'Optional[ScwRegion]', project_id: 'Optional[str]', name: 'Optional[str]', usage: 'Optional[KeyUsage]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]', origin: 'Optional[KeyOrigin]')

Bases: object

description: Optional[str]: (Optional) Description of the key.

name: Optional[str]: (Optional) Name of the key.

origin: Optional[KeyOrigin]: Refer to the Key.Origin enum for a description of values.

project_id: Optional[str]: ID of the Project containing the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, no rotation policy will be applied to the key.

tags: Optional[List[str]]: (Optional) List of the key’s tags.

unprotected: bool: Default value is false.

usage: Optional[KeyUsage]: See the Key.Algorithm.SymmetricEncryption enum for a description of values.

class scaleway.key_manager.v1alpha1.DataKey(key_id: 'str', algorithm: 'DataKeyAlgorithmSymmetricEncryption', ciphertext: 'str', plaintext: 'Optional[str]', created_at: 'Optional[datetime]')

Bases: object

algorithm: DataKeyAlgorithmSymmetricEncryption: Symmetric encryption algorithm of the data encryption key (AES-256-GCM).

ciphertext: str: Your data encryption key’s ciphertext can be stored safely. It can only be decrypted through the keys you create in Key Manager, using the relevant key ID.

created_at: Optional[datetime]: Data encryption key creation date.

key_id: str: ID of the data encryption key.

plaintext: Optional[str]: (Optional) Your data encryption key’s plaintext allows you to use the key immediately upon creation. It must neither be stored or shared.

class scaleway.key_manager.v1alpha1.DataKeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.DecryptRequest(key_id: 'str', ciphertext: 'str', region: 'Optional[ScwRegion]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: The additional data must match the value passed in the encryption request.

ciphertext: str: Data size must be between 1 and 131071 bytes.

key_id: str: ID of the key to decrypt.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DecryptResponse(key_id: 'str', plaintext: 'str', ciphertext: 'Optional[str]')

Bases: object

ciphertext: Optional[str]: If the data was already encrypted with the latest key rotation, no output will be returned in the response object.

key_id: str: ID of the key used for decryption.

plaintext: str: Key’s decrypted data.

class scaleway.key_manager.v1alpha1.DeleteKeyMaterialRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key of which to delete the key material.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DeleteKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to delete.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.DisableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to disable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EnableKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to enable.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptRequest(key_id: 'str', plaintext: 'str', region: 'Optional[ScwRegion]', associated_data: 'Optional[str]')

Bases: object

associated_data: Optional[str]: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload.

key_id: str: ID of the key to encrypt.

plaintext: str: Data size must be between 1 and 65535 bytes.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.EncryptResponse(key_id: 'str', ciphertext: 'str')

Bases: object

ciphertext: str: Key’s encrypted data.

key_id: str: ID of the key used for encryption.

class scaleway.key_manager.v1alpha1.GenerateDataKeyRequest(key_id: 'str', without_plaintext: 'bool', region: 'Optional[ScwRegion]', algorithm: 'Optional[DataKeyAlgorithmSymmetricEncryption]')

Bases: object

algorithm: Optional[DataKeyAlgorithmSymmetricEncryption]: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values.

key_id: str: ID of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

without_plaintext: bool: Default value is false, meaning that the plaintext is returned.

Set it to true if you do not wish the plaintext to be returned in the response object.

class scaleway.key_manager.v1alpha1.GetKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to target.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.ImportKeyMaterialRequest(key_id: 'str', key_material: 'str', region: 'Optional[ScwRegion]', salt: 'Optional[str]')

Bases: object

key_id: str: The key’s origin must be external.

key_material: str: The key material The key material is a random sequence of bytes used to derive a cryptographic key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

salt: Optional[str]: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy).

class scaleway.key_manager.v1alpha1.Key(id: 'str', project_id: 'str', name: 'str', state: 'KeyState', rotation_count: 'int', usage: 'Optional[KeyUsage]', created_at: 'Optional[datetime]', updated_at: 'Optional[datetime]', protected: 'bool', locked: 'bool', tags: 'List[str]', origin: 'KeyOrigin', region: 'ScwRegion', description: 'Optional[str]', rotated_at: 'Optional[datetime]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

created_at: Optional[datetime]: Key creation date.

description: Optional[str]: Description of the key.

id: str: ID of the key.

locked: bool: Returns true if the key is locked.

name: str: Name of the key.

origin: KeyOrigin: Refer to the Key.Origin enum for a description of values.

project_id: str: ID of the Project containing the key.

protected: bool: Returns true if key protection is applied to the key.

region: str: Region where the key is stored.

rotated_at: Optional[datetime]: Key last rotation date.

rotation_count: int: The rotation count tracks the number of times the key has been rotated.

rotation_policy: Optional[KeyRotationPolicy]: Key rotation policy.

state: KeyState: See the Key.State enum for a description of possible values.

tags: List[str]: List of the key’s tags.

updated_at: Optional[datetime]: Key last modification date.

usage: Optional[KeyUsage]: Keys with a usage set to symmetric_encryption can encrypt and decrypt data using the AES-256-GCM key algorithm. Key Manager currently only supports AES-256-GCM.

class scaleway.key_manager.v1alpha1.KeyAlgorithmSymmetricEncryption(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

AES_256_GCM = 'aes_256_gcm'

UNKNOWN_SYMMETRIC_ENCRYPTION = 'unknown_symmetric_encryption'

class scaleway.key_manager.v1alpha1.KeyManagerV1Alpha1API(client: Client, *, bypass_validation: bool = False)

Bases: API

This API allows you to create, manage and use cryptographic keys in a centralized and secure service.

create_key(*, unprotected: bool, region: Optional[str] = None, project_id: Optional[str] = None, name: Optional[str] = None, usage: Optional[KeyUsage] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None, origin: Optional[KeyOrigin] = None) → Key

Create a key. Create a key in a given region specified by the region parameter. Keys only support symmetric encryption. You can use keys to encrypt or decrypt arbitrary payloads, or to generate data encryption keys. Data encryption keys are not stored in Key Manager. :param unprotected: Default value is false. :param region: Region to target. If none is passed will use default region from the config. :param project_id: ID of the Project containing the key. :param name: (Optional) Name of the key. :param usage: See the Key.Algorithm.SymmetricEncryption enum for a description of values. :param description: (Optional) Description of the key. :param tags: (Optional) List of the key’s tags. :param rotation_policy: If not specified, no rotation policy will be applied to the key. :param origin: Refer to the Key.Origin enum for a description of values. :return: Key

Usage:

result = api.create_key(
    unprotected=False,
)

decrypt(*, key_id: str, ciphertext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → DecryptResponse

Decrypt an encrypted payload. Decrypt an encrypted payload using an existing key, specified by the key_id parameter. The maximum payload size that can be decrypted is equivalent to the encrypted output of 64 KB of data (around 131 KB). :param key_id: ID of the key to decrypt. :param ciphertext: Data size must be between 1 and 131071 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: The additional data must match the value passed in the encryption request. :return: DecryptResponse

Usage:

result = api.decrypt(
    key_id="example",
    ciphertext="example",
)

delete_key(*, key_id: str, region: Optional[str] = None) → None

Delete a key. Permanently delete a key specified by the region and key_id parameters. This action is irreversible. Any data encrypted with this key, including data encryption keys, will no longer be decipherable. :param key_id: ID of the key to delete. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key(
    key_id="example",
)

delete_key_material(*, key_id: str, region: Optional[str] = None) → None

Delete key material. Delete previously imported key material. This renders the associated cryptographic key unusable for any operation. The key’s origin must be external. :param key_id: ID of the key of which to delete the key material. :param region: Region to target. If none is passed will use default region from the config.

Usage:

result = api.delete_key_material(
    key_id="example",
)

disable_key(*, key_id: str, region: Optional[str] = None) → Key

Disable key. Disable a given key, preventing it to be used for cryptographic operations. Disabling a key renders it unusable. You must specify the region and key_id parameters. :param key_id: ID of the key to disable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.disable_key(
    key_id="example",
)

enable_key(*, key_id: str, region: Optional[str] = None) → Key

Enable key. Enable a given key to be used for cryptographic operations. Enabling a key allows you to make a disabled key usable again. You must specify the region and key_id parameters. :param key_id: ID of the key to enable. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.enable_key(
    key_id="example",
)

encrypt(*, key_id: str, plaintext: str, region: Optional[str] = None, associated_data: Optional[str] = None) → EncryptResponse

Encrypt a payload. Encrypt a payload using an existing key, specified by the key_id parameter. Only keys with a usage set to symmetric_encryption are supported by this method. The maximum payload size that can be encrypted is 64 KB of plaintext. :param key_id: ID of the key to encrypt. :param plaintext: Data size must be between 1 and 65535 bytes. :param region: Region to target. If none is passed will use default region from the config. :param associated_data: Additional data which will not be encrypted, but authenticated and appended to the encrypted payload. :return: EncryptResponse

Usage:

result = api.encrypt(
    key_id="example",
    plaintext="example",
)

generate_data_key(*, key_id: str, without_plaintext: bool, region: Optional[str] = None, algorithm: Optional[DataKeyAlgorithmSymmetricEncryption] = None) → DataKey

Create a data encryption key. Create a new data encryption key for cryptographic operations outside of Key Manager. The data encryption key is encrypted and must be decrypted using the key you have created in Key Manager.

The data encryption key is returned in plaintext and ciphertext but it should only be stored in its encrypted form (ciphertext). Key Manager does not store your data encryption key. To retrieve your key’s plaintext, use the Decrypt method with your key’s ID and ciphertext. :param key_id: ID of the key. :param without_plaintext: Default value is false, meaning that the plaintext is returned. Set it to true if you do not wish the plaintext to be returned in the response object. :param region: Region to target. If none is passed will use default region from the config. :param algorithm: See the DataKey.Algorithm.SymmetricEncryption enum for a description of values. :return: DataKey

Usage:

result = api.generate_data_key(
    key_id="example",
    without_plaintext=False,
)

get_key(*, key_id: str, region: Optional[str] = None) → Key

Get key metadata. Retrieve metadata for a specified key using the region and key_id parameters. :param key_id: ID of the key to target. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.get_key(
    key_id="example",
)

import_key_material(*, key_id: str, key_material: str, region: Optional[str] = None, salt: Optional[str] = None) → Key

Import key material. Import externally generated key material into Key Manager to derive a new cryptographic key. The key’s origin must be external. :param key_id: The key’s origin must be external. :param key_material: The key material The key material is a random sequence of bytes used to derive a cryptographic key. :param region: Region to target. If none is passed will use default region from the config. :param salt: A salt is random data added to key material to ensure unique derived keys, even if the input is similar. It helps strengthen security when the key material has low randomness (low entropy). :return: Key

Usage:

result = api.import_key_material(
    key_id="example",
    key_material="example",
)

list_keys(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → ListKeysResponse

List keys. Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: ListKeysResponse

Usage:

result = api.list_keys()

list_keys_all(*, region: Optional[str] = None, organization_id: Optional[str] = None, project_id: Optional[str] = None, order_by: Optional[ListKeysRequestOrderBy] = None, page: Optional[int] = None, page_size: Optional[int] = None, tags: Optional[List[str]] = None, name: Optional[str] = None) → List[Key]

List keys. Retrieve a list of keys across all Projects in an Organization or within a specific Project. You must specify the region, and either the organization_id or the project_id. :param region: Region to target. If none is passed will use default region from the config. :param organization_id: (Optional) Filter by Organization ID. :param project_id: (Optional) Filter by Project ID. :param order_by: :param page: :param page_size: :param tags: (Optional) List of tags to filter on. :param name: (Optional) Filter by key name. :return: List[Key]

Usage:

result = api.list_keys_all()

protect_key(*, key_id: str, region: Optional[str] = None) → Key

Apply key protection. Apply protection to a given key specified by the key_id parameter. Applying key protection means that your key can be used and modified, but it cannot be deleted. :param key_id: ID of the key to apply key protection to. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.protect_key(
    key_id="example",
)

rotate_key(*, key_id: str, region: Optional[str] = None) → Key

Rotate a key. Generate a new version of an existing key with new key material. Previous key versions remain usable to decrypt previously encrypted data, but the key’s new version will be used for subsequent encryption operations and data key generation. :param key_id: ID of the key to rotate. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.rotate_key(
    key_id="example",
)

unprotect_key(*, key_id: str, region: Optional[str] = None) → Key

Remove key protection. Remove key protection from a given key specified by the key_id parameter. Removing key protection means that your key can be deleted anytime. :param key_id: ID of the key to remove key protection from. :param region: Region to target. If none is passed will use default region from the config. :return: Key

Usage:

result = api.unprotect_key(
    key_id="example",
)

update_key(*, key_id: str, region: Optional[str] = None, name: Optional[str] = None, description: Optional[str] = None, tags: Optional[List[str]] = None, rotation_policy: Optional[KeyRotationPolicy] = None) → Key

Update a key. Modify a key’s metadata including name, description and tags, specified by the key_id and region parameters. :param key_id: ID of the key to update. :param region: Region to target. If none is passed will use default region from the config. :param name: (Optional) Updated name of the key. :param description: (Optional) Updated description of the key. :param tags: (Optional) Updated list of the key’s tags. :param rotation_policy: If not specified, the key’s existing rotation policy applies. :return: Key

Usage:

result = api.update_key(
    key_id="example",
)

class scaleway.key_manager.v1alpha1.KeyOrigin(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

EXTERNAL = 'external'

SCALEWAY_KMS = 'scaleway_kms'

UNKNOWN_ORIGIN = 'unknown_origin'

class scaleway.key_manager.v1alpha1.KeyRotationPolicy(rotation_period: 'Optional[str]', next_rotation_at: 'Optional[datetime]')

Bases: object

next_rotation_at: Optional[datetime]: Timestamp indicating the next scheduled rotation.

rotation_period: Optional[str]: Time interval between two key rotations. The minimum duration is 24 hours and the maximum duration is 1 year (876000 hours).

class scaleway.key_manager.v1alpha1.KeyState(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

DISABLED = 'disabled'

ENABLED = 'enabled'

PENDING_KEY_MATERIAL = 'pending_key_material'

UNKNOWN_STATE = 'unknown_state'

class scaleway.key_manager.v1alpha1.KeyUsage(symmetric_encryption: 'Optional[KeyAlgorithmSymmetricEncryption]')

Bases: object

symmetric_encryption: Optional[KeyAlgorithmSymmetricEncryption]

class scaleway.key_manager.v1alpha1.ListKeysRequest(region: 'Optional[ScwRegion]', organization_id: 'Optional[str]', project_id: 'Optional[str]', order_by: 'Optional[ListKeysRequestOrderBy]', page: 'Optional[int]', page_size: 'Optional[int]', tags: 'Optional[List[str]]', name: 'Optional[str]')

Bases: object

name: Optional[str]: (Optional) Filter by key name.

order_by: Optional[ListKeysRequestOrderBy]

organization_id: Optional[str]: (Optional) Filter by Organization ID.

page: Optional[int]

page_size: Optional[int]

project_id: Optional[str]: (Optional) Filter by Project ID.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

tags: Optional[List[str]]: (Optional) List of tags to filter on.

class scaleway.key_manager.v1alpha1.ListKeysRequestOrderBy(value: str, names: Optional[Any] = None, *args: Any, **kwargs: Any)

Bases: str, Enum

An enumeration.

CREATED_AT_ASC = 'created_at_asc'

CREATED_AT_DESC = 'created_at_desc'

NAME_ASC = 'name_asc'

NAME_DESC = 'name_desc'

UPDATED_AT_ASC = 'updated_at_asc'

UPDATED_AT_DESC = 'updated_at_desc'

class scaleway.key_manager.v1alpha1.ListKeysResponse(keys: 'List[Key]', total_count: 'int')

Bases: object

keys: List[Key]: Single page of keys matching the requested criteria.

total_count: int: Total count of keys matching the requested criteria.

class scaleway.key_manager.v1alpha1.ProtectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to apply key protection to.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.RotateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to rotate.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.UnprotectKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]')

Bases: object

key_id: str: ID of the key to remove key protection from.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

class scaleway.key_manager.v1alpha1.UpdateKeyRequest(key_id: 'str', region: 'Optional[ScwRegion]', name: 'Optional[str]', description: 'Optional[str]', tags: 'Optional[List[str]]', rotation_policy: 'Optional[KeyRotationPolicy]')

Bases: object

description: Optional[str]: (Optional) Updated description of the key.

key_id: str: ID of the key to update.

name: Optional[str]: (Optional) Updated name of the key.

region: Optional[str]: Region to target. If none is passed will use default region from the config.

rotation_policy: Optional[KeyRotationPolicy]: If not specified, the key’s existing rotation policy applies.

tags: Optional[List[str]]: (Optional) Updated list of the key’s tags.