CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-google-cloud-kms

Google Cloud Key Management Service client library for managing cryptographic keys in the cloud

Pending
Overview
Eval results
Files

autokey-service.mddocs/

Autokey Service

The Autokey Service provides automated key provisioning for Customer-Managed Encryption Keys (CMEK) that creates and manages keys automatically based on resource needs. It includes both key handle management through AutokeyClient and administrative configuration through AutokeyAdminClient.

Capabilities

Key Handle Management

Key handles represent automated key provisioning requests that trigger the creation of new CryptoKeys for CMEK use.

class AutokeyClient:
    def create_key_handle(self, request: CreateKeyHandleRequest) -> KeyHandle:
        """
        Creates a new KeyHandle, triggering provisioning of a new CryptoKey for CMEK use.
        
        Parameters:
        - request.parent: Required. Project path (projects/{project}/locations/{location})
        - request.key_handle_id: Required. Unique ID for the KeyHandle
        - request.key_handle: Required. KeyHandle object to create
        
        Returns:
        Created KeyHandle object
        """

    def get_key_handle(self, request: GetKeyHandleRequest) -> KeyHandle:
        """
        Returns the KeyHandle.
        
        Parameters:
        - request.name: Required. KeyHandle resource name
        
        Returns:
        KeyHandle object with metadata
        """

    def list_key_handles(self, request: ListKeyHandlesRequest) -> ListKeyHandlesResponse:
        """
        Lists KeyHandles.
        
        Parameters:
        - request.parent: Required. Project path
        - request.page_size: Optional. Maximum results per page
        - request.page_token: Optional. Pagination token
        - request.filter: Optional. Filter expression
        
        Returns:
        List of KeyHandle objects with pagination
        """

Autokey Configuration Management

Administrative configuration for Autokey functionality at the folder level.

class AutokeyAdminClient:
    def update_autokey_config(self, request: UpdateAutokeyConfigRequest) -> AutokeyConfig:
        """
        Updates the AutokeyConfig for a folder.
        
        Parameters:
        - request.autokey_config: Required. Updated AutokeyConfig object
        - request.update_mask: Required. Fields to update
        
        Returns:
        Updated AutokeyConfig object
        """

    def get_autokey_config(self, request: GetAutokeyConfigRequest) -> AutokeyConfig:
        """
        Returns the AutokeyConfig for a folder.
        
        Parameters:
        - request.name: Required. AutokeyConfig resource name (folders/{folder}/autokeyConfig)
        
        Returns:
        AutokeyConfig object
        """

    def show_effective_autokey_config(self, request: ShowEffectiveAutokeyConfigRequest) -> ShowEffectiveAutokeyConfigResponse:
        """
        Returns the effective Cloud KMS Autokey configuration for a given project.
        
        Parameters:
        - request.parent: Required. Project path (projects/{project})
        
        Returns:
        ShowEffectiveAutokeyConfigResponse with effective configuration
        """

Resource Types

KeyHandle

class KeyHandle:
    """
    Resource-oriented representation of an Autokey request.
    
    Attributes:
    - name: str - Resource name of the KeyHandle
    - kms_key: str - Name of the CryptoKey created for this KeyHandle
    - resource_type_selector: str - Selector for resource types that use this key
    """

AutokeyConfig

class AutokeyConfig:
    """
    Cloud KMS Autokey configuration for a folder.
    
    Attributes:
    - name: str - Resource name of the AutokeyConfig
    - key_project: str - Project that will host Autokey-created keys
    - state: State - Current state of the configuration
    """
    
    class State:
        """
        State of AutokeyConfig.
        
        Values:
        - STATE_UNSPECIFIED: Unspecified state
        - ACTIVE: Currently active and ready to provision keys
        - KEY_PROJECT_DELETED: Key project deleted, config unusable
        - UNINITIALIZED: Not initialized or reset to default
        """

Request/Response Types

class CreateKeyHandleRequest:
    """
    Request to create a KeyHandle.
    
    Attributes:
    - parent: str - Required. Project location path
    - key_handle_id: str - Required. Unique ID for KeyHandle
    - key_handle: KeyHandle - Required. KeyHandle to create
    """

class CreateKeyHandleMetadata:
    """
    Metadata for CreateKeyHandle long-running operation.
    """

class ListKeyHandlesRequest:
    """
    Request to list KeyHandles.
    
    Attributes:
    - parent: str - Required. Project path
    - page_size: int - Optional. Maximum results per page
    - page_token: str - Optional. Pagination token
    - filter: str - Optional. Filter expression
    """

class ListKeyHandlesResponse:
    """
    Response from listing KeyHandles.
    
    Attributes:
    - key_handles: List[KeyHandle] - List of KeyHandle objects
    - next_page_token: str - Token for next page
    """

class UpdateAutokeyConfigRequest:
    """
    Request to update AutokeyConfig.
    
    Attributes:
    - autokey_config: AutokeyConfig - Required. Updated config
    - update_mask: FieldMask - Required. Fields to update
    """

class ShowEffectiveAutokeyConfigRequest:
    """
    Request to show effective AutokeyConfig.
    
    Attributes:
    - parent: str - Required. Project path
    """

class ShowEffectiveAutokeyConfigResponse:
    """
    Response showing effective AutokeyConfig.
    
    Attributes:
    - key_project: str - Project hosting Autokey-created keys
    """

Usage Examples

Setting Up Autokey Configuration

from google.cloud import kms

# Initialize the Autokey Admin client
admin_client = kms.AutokeyAdminClient()

# Configure Autokey for a folder
folder_id = "123456789"
key_project_id = "my-key-project"

autokey_config = kms.AutokeyConfig()
autokey_config.key_project = f"projects/{key_project_id}"

# Update the configuration
config_path = f"folders/{folder_id}/autokeyConfig"
updated_config = admin_client.update_autokey_config(
    request={
        "autokey_config": {
            "name": config_path,
            "key_project": f"projects/{key_project_id}",
        },
        "update_mask": {"paths": ["key_project"]},
    }
)

print(f"Autokey configured for folder {folder_id}")
print(f"Keys will be created in project: {updated_config.key_project}")

Creating a Key Handle

from google.cloud import kms

# Initialize the Autokey client
client = kms.AutokeyClient()

# Create a key handle for automatic key provisioning
project_id = "my-project"
location_id = "global"
key_handle_id = "example-key-handle"

key_handle = kms.KeyHandle()
key_handle.resource_type_selector = "compute.googleapis.com/Disk"

# Create the key handle
parent = f"projects/{project_id}/locations/{location_id}"
created_handle = client.create_key_handle(
    request={
        "parent": parent,
        "key_handle_id": key_handle_id,
        "key_handle": key_handle,
    }
)

print(f"Created KeyHandle: {created_handle.name}")
print(f"Associated CryptoKey: {created_handle.kms_key}")

Listing Key Handles

from google.cloud import kms

# Initialize the Autokey client
client = kms.AutokeyClient()

# List all key handles in a project
project_id = "my-project"
parent = f"projects/{project_id}/locations/-"

# Get all key handles
response = client.list_key_handles(
    request={
        "parent": parent,
        "page_size": 100,
    }
)

for key_handle in response.key_handles:
    print(f"KeyHandle: {key_handle.name}")
    print(f"  Associated Key: {key_handle.kms_key}")
    print(f"  Resource Type: {key_handle.resource_type_selector}")

Checking Effective Autokey Configuration

from google.cloud import kms

# Initialize the Autokey Admin client
admin_client = kms.AutokeyAdminClient()

# Check effective configuration for a project
project_id = "my-project"
project_path = f"projects/{project_id}"

effective_config = admin_client.show_effective_autokey_config(
    request={"parent": project_path}
)

if effective_config.key_project:
    print(f"Autokey is configured for project {project_id}")
    print(f"Keys will be created in: {effective_config.key_project}")
else:
    print(f"No Autokey configuration found for project {project_id}")

Common Patterns

Error Handling

from google.cloud import kms
from google.api_core import exceptions

client = kms.AutokeyClient()

try:
    key_handle = client.get_key_handle(
        request={"name": "projects/my-project/locations/global/keyHandles/nonexistent"}
    )
except exceptions.NotFound:
    print("KeyHandle not found")
except exceptions.PermissionDenied:
    print("Permission denied - check IAM roles")
except Exception as e:
    print(f"Unexpected error: {e}")

Long-running Operations

from google.cloud import kms

client = kms.AutokeyClient()

# Create key handle (returns a long-running operation)
operation = client.create_key_handle(
    request={
        "parent": f"projects/{project_id}/locations/{location_id}",
        "key_handle_id": key_handle_id,
        "key_handle": key_handle,
    }
)

# Wait for completion
print("Waiting for key handle creation...")
result = operation.result()
print(f"KeyHandle created: {result.name}")

Install with Tessl CLI

npx tessl i tessl/pypi-google-cloud-kms

docs

autokey-service.md

external-key-management.md

index.md

key-management-service.md

types-and-enums.md

tile.json