airflow.providers.google.cloud.hooks.kms

This module contains a Google Cloud KMS hook

Module Contents

airflow.providers.google.cloud.hooks.kms._b64encode(s: bytes)str[source]
Base 64 encodes a bytes object to a string
airflow.providers.google.cloud.hooks.kms._b64decode(s: str)bytes[source]
Base 64 decodes a string to bytes
class airflow.providers.google.cloud.hooks.kms.CloudKMSHook(gcp_conn_id: str = 'google_cloud_default', delegate_to: Optional[str] = None, impersonation_chain: Optional[Union[str, Sequence[str]]] = None)[source]

Bases: airflow.providers.google.common.hooks.base_google.GoogleBaseHook

Hook for Google Cloud Key Management service.

Parameters
  • gcp_conn_id (str) – The connection ID to use when fetching connection info.

  • delegate_to (str) – The account to impersonate using domain-wide delegation of authority, if any. For this to work, the service account making the request must have domain-wide delegation enabled.

  • impersonation_chain (Union[str, Sequence[str]]) – Optional service account to impersonate using short-term credentials, or chained list of accounts required to get the access_token of the last account in the list, which will be impersonated in the request. If set as a string, the account must grant the originating account the Service Account Token Creator IAM role. If set as a sequence, the identities from the list must grant Service Account Token Creator IAM role to the directly preceding identity, with first account from the list granting this role to the originating account.

get_conn(self)[source]

Retrieves connection to Cloud Key Management service.

Returns

Cloud Key Management service object

Return type

google.cloud.kms_v1.KeyManagementServiceClient

encrypt(self, key_name: str, plaintext: bytes, authenticated_data: Optional[bytes] = None, retry: Optional[Retry] = None, timeout: Optional[float] = None, metadata: Optional[Sequence[Tuple[str, str]]] = None)[source]

Encrypts a plaintext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key (or key version) to be used for encryption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • plaintext (bytes) – The message to be encrypted.

  • authenticated_data (bytes) – Optional additional authenticated data that must also be provided to decrypt the message.

  • retry (google.api_core.retry.Retry) – A retry object used to retry requests. If None is specified, requests will not be retried.

  • timeout (float) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (sequence[tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

The base 64 encoded ciphertext of the original message.

Return type

str

decrypt(self, key_name: str, ciphertext: str, authenticated_data: Optional[bytes] = None, retry: Optional[Retry] = None, timeout: Optional[float] = None, metadata: Optional[Sequence[Tuple[str, str]]] = None)[source]

Decrypts a ciphertext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key to be used for decryption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • ciphertext (str) – The message to be decrypted.

  • authenticated_data (bytes) – Any additional authenticated data that was provided when encrypting the message.

  • retry (google.api_core.retry.Retry) – A retry object used to retry requests. If None is specified, requests will not be retried.

  • timeout (float) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.

  • metadata (sequence[tuple[str, str]]]) – Additional metadata that is provided to the method.

Returns

The original message.

Return type

bytes

Was this entry helpful?