airflow.contrib.hooks.gcp_kms_hook

Module Contents

airflow.contrib.hooks.gcp_kms_hook._b64encode(s)

Base 64 encodes a bytes object to a string.

airflow.contrib.hooks.gcp_kms_hook._b64decode(s)

Base 64 decodes a string to bytes.

class airflow.contrib.hooks.gcp_kms_hook.GoogleCloudKMSHook(gcp_conn_id='google_cloud_default', delegate_to=None)

Bases: airflow.contrib.hooks.gcp_api_base_hook.GoogleCloudBaseHook

Interact with Google Cloud KMS. This hook uses the Google Cloud Platform connection.

get_conn(self)

Returns a KMS service object.

Return type

googleapiclient.discovery.Resource

encrypt(self, key_name, plaintext, authenticated_data=None)

Encrypts a plaintext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key (or key version) to be used for encryption, of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • plaintext (bytes) – The message to be encrypted.

  • authenticated_data (bytes) – Optional additional authenticated data that must also be provided to decrypt the message.

Returns

The base 64 encoded ciphertext of the original message.

Return type

str

decrypt(self, key_name, ciphertext, authenticated_data=None)

Decrypts a ciphertext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key to be used for decryption, of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • ciphertext (str) – The message to be decrypted.

  • authenticated_data (bytes) – Any additional authenticated data that was provided when encrypting the message.

Returns

The original message.

Return type

bytes
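
The following is an added example, not part of the Airflow code base: a guard layer around the documented encrypt and decrypt calls that enforces the parameter types and key name form listed above, and derives authenticated_data from a context dict so that a ciphertext only decrypts in the context it was written for. The helper names (check_key_name, build_aad, encrypt_bound, decrypt_bound) and the context-dict convention are assumptions; hook is any object exposing the two documented methods, such as a GoogleCloudKMSHook instance.

```python
import json
import re

# Documented form: projects/*/locations/*/keyRings/*/cryptoKeys/**
# The optional suffix is the key-version form that encrypt also accepts.
KEY_RE = re.compile(
    r"projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+"
    r"(?P<version>/cryptoKeyVersions/[^/]+)?"
)


def check_key_name(key_name, allow_version):
    """Reject names that do not match the documented resource-name form."""
    m = KEY_RE.fullmatch(key_name)
    if m is None:
        raise ValueError("not a KMS key resource name: %r" % key_name)
    # Per the parameter docs, only encrypt takes a key version.
    if m.group("version") and not allow_version:
        raise ValueError("decrypt takes the key, not a key version")
    return key_name


def build_aad(context):
    """Serialize a context dict deterministically (assumed convention)
    so that encrypt and decrypt pass byte-identical authenticated_data."""
    text = json.dumps(context, sort_keys=True, separators=(",", ":"))
    return text.encode("utf-8")


def encrypt_bound(hook, key_name, plaintext, context):
    """Encrypt bytes; returns the base 64 str ciphertext bound to context."""
    if not isinstance(plaintext, bytes):
        raise TypeError("plaintext must be bytes")
    check_key_name(key_name, allow_version=True)
    return hook.encrypt(key_name, plaintext,
                        authenticated_data=build_aad(context))


def decrypt_bound(hook, key_name, ciphertext, context):
    """Decrypt a base 64 str; context must equal the one used to encrypt."""
    if not isinstance(ciphertext, str):
        raise TypeError("ciphertext must be the str returned by encrypt")
    check_key_name(key_name, allow_version=False)
    return hook.decrypt(key_name, ciphertext,
                        authenticated_data=build_aad(context))
```

Storing the context fields (for example a DAG id and a variable name) next to the ciphertext lets the decrypting task rebuild the same authenticated_data without a shared secret.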