airflow.providers.google.cloud.hooks.kms
This module contains a Google Cloud KMS hook.
Module Contents
airflow.providers.google.cloud.hooks.kms._b64encode(s: bytes) → str
Base 64 encodes a bytes object to a string.
airflow.providers.google.cloud.hooks.kms._b64decode(s: str) → bytes
Base 64 decodes a string to bytes.
class airflow.providers.google.cloud.hooks.kms.CloudKMSHook(gcp_conn_id: str = 'google_cloud_default', delegate_to: Optional[str] = None, impersonation_chain: Optional[Union[str, Sequence[str]]] = None)
Bases: airflow.providers.google.common.hooks.base_google.GoogleBaseHook
Hook for Google Cloud Key Management service.
- Parameters
gcp_conn_id (str) – The connection ID to use when fetching connection info.
delegate_to (str) – The account to impersonate using domain-wide delegation of authority, if any. For this to work, the service account making the request must have domain-wide delegation enabled.
impersonation_chain (Union[str, Sequence[str]]) – Optional service account to impersonate using short-term credentials, or a chained list of accounts required to get the access_token of the last account in the list, which will be impersonated in the request. If set as a string, the account must grant the originating account the Service Account Token Creator IAM role. If set as a sequence, each identity in the list must grant the Service Account Token Creator IAM role to the directly preceding identity, with the first account in the list granting this role to the originating account.
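
The grant rule for impersonation_chain described above can be checked before a chain is handed to the hook. The following is an added example, not code from the Airflow provider: the account names, the SAMPLE_BINDINGS snapshot and the missing_grants helper are constructed for illustration, and only direct service-account grants are considered.

```python
"""Added example: audit an impersonation_chain before giving it to CloudKMSHook."""
from typing import Dict, List, Sequence, Set, Union

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Constructed sample identities (not real accounts).
ORIGIN = "airflow-worker@example-project.iam.gserviceaccount.com"
BROKER = "broker@example-project.iam.gserviceaccount.com"
KMS_USER = "kms-user@example-project.iam.gserviceaccount.com"

# Hypothetical snapshot: target account -> role -> members holding it there.
Bindings = Dict[str, Dict[str, Set[str]]]
SAMPLE_BINDINGS: Bindings = {
    BROKER: {TOKEN_CREATOR: {f"serviceAccount:{ORIGIN}"}},
    KMS_USER: {TOKEN_CREATOR: {f"serviceAccount:{BROKER}"}},
}


def missing_grants(originating: str,
                   impersonation_chain: Union[str, Sequence[str]],
                   bindings: Bindings) -> List[str]:
    """Return one message per hop that lacks the Token Creator grant.

    Only direct service-account members are checked; grants inherited
    through groups or a parent project are outside this sketch.
    """
    if isinstance(impersonation_chain, str):
        chain = [impersonation_chain]  # a plain string is a one-hop chain
    else:
        chain = list(impersonation_chain)
    problems = []
    caller = originating
    for target in chain:
        members = bindings.get(target, {}).get(TOKEN_CREATOR, set())
        if f"serviceAccount:{caller}" not in members:
            problems.append(f"{target} does not grant {TOKEN_CREATOR} to {caller}")
        caller = target  # the next hop is requested as this identity
    return problems


if __name__ == "__main__":
    for chain in ([BROKER, KMS_USER], KMS_USER, [KMS_USER, BROKER]):
        print(chain, "->", missing_grants(ORIGIN, chain, SAMPLE_BINDINGS) or "ok")
```

An empty result means every hop has the grant it needs; each message names the account whose IAM policy lacks the binding for the identity calling it.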
get_conn(self)
Retrieves connection to Cloud Key Management service.
- Returns
Cloud Key Management service object
- Return type
google.cloud.kms_v1.KeyManagementServiceClient
encrypt(self, key_name: str, plaintext: bytes, authenticated_data: Optional[bytes] = None, retry: Optional[Retry] = None, timeout: Optional[float] = None, metadata: Optional[Sequence[Tuple[str, str]]] = None)
Encrypts a plaintext message using Google Cloud KMS.
- Parameters
key_name (str) – The Resource Name for the key (or key version) to be used for encryption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**
plaintext (bytes) – The message to be encrypted.
authenticated_data (bytes) – Optional additional authenticated data that must also be provided to decrypt the message.
retry (google.api_core.retry.Retry) – A retry object used to retry requests. If None is specified, requests will not be retried.
timeout (float) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
metadata (sequence[tuple[str, str]]) – Additional metadata that is provided to the method.
- Returns
The base 64 encoded ciphertext of the original message.
- Return type
decrypt(self, key_name: str, ciphertext: str, authenticated_data: Optional[bytes] = None, retry: Optional[Retry] = None, timeout: Optional[float] = None, metadata: Optional[Sequence[Tuple[str, str]]] = None)
Decrypts a ciphertext message using Google Cloud KMS.
- Parameters
key_name (str) – The Resource Name for the key to be used for decryption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**
ciphertext (str) – The message to be decrypted.
authenticated_data (bytes) – Any additional authenticated data that was provided when encrypting the message.
retry (google.api_core.retry.Retry) – A retry object used to retry requests. If None is specified, requests will not be retried.
timeout (float) – The amount of time, in seconds, to wait for the request to complete. Note that if retry is specified, the timeout applies to each individual attempt.
metadata (sequence[tuple[str, str]]) – Additional metadata that is provided to the method.
- Returns
The original message.
- Return type