| :py:mod:`airflow.providers.google.cloud.hooks.kms` |
| ================================================== |
| |
| .. py:module:: airflow.providers.google.cloud.hooks.kms |
| |
| .. autoapi-nested-parse:: |
| |
| This module contains a Google Cloud KMS hook |
| |
| |
| |
| Module Contents |
| --------------- |
| |
| Classes |
| ~~~~~~~ |
| |
| .. autoapisummary:: |
| |
| airflow.providers.google.cloud.hooks.kms.CloudKMSHook |
| |
| |
| |
| |
| .. py:class:: CloudKMSHook(gcp_conn_id = 'google_cloud_default', delegate_to = None, impersonation_chain = None) |
| |
| Bases: :py:obj:`airflow.providers.google.common.hooks.base_google.GoogleBaseHook` |
| |
| Hook for Google Cloud Key Management service. |
| |
| :param gcp_conn_id: The connection ID to use when fetching connection info. |
| :param delegate_to: The account to impersonate using domain-wide delegation of authority, |
| if any. For this to work, the service account making the request must have |
| domain-wide delegation enabled. |
| :param impersonation_chain: Optional service account to impersonate using short-term |
| credentials, or chained list of accounts required to get the access_token |
| of the last account in the list, which will be impersonated in the request. |
| If set as a string, the account must grant the originating account |
| the Service Account Token Creator IAM role. |
| If set as a sequence, the identities from the list must grant |
| Service Account Token Creator IAM role to the directly preceding identity, with first |
| account from the list granting this role to the originating account. |
| |
| .. py:method:: get_conn(self) |
| |
| Retrieves connection to Cloud Key Management service. |
| |
| :return: Cloud Key Management service object |
| :rtype: google.cloud.kms_v1.KeyManagementServiceClient |
| |
| |
| .. py:method:: encrypt(self, key_name, plaintext, authenticated_data = None, retry = DEFAULT, timeout = None, metadata = ()) |
| |
| Encrypts a plaintext message using Google Cloud KMS. |
| |
| :param key_name: The Resource Name for the key (or key version) |
| to be used for encryption. Of the form |
| ``projects/*/locations/*/keyRings/*/cryptoKeys/**`` |
| :param plaintext: The message to be encrypted. |
| :param authenticated_data: Optional additional authenticated data that |
| must also be provided to decrypt the message. |
| :param retry: A retry object used to retry requests. If None is specified, requests will not be |
| retried. |
| :param timeout: The amount of time, in seconds, to wait for the request to complete. Note that if |
| retry is specified, the timeout applies to each individual attempt. |
| :param metadata: Additional metadata that is provided to the method. |
| :return: The base 64 encoded ciphertext of the original message. |
| :rtype: str |
| |
| |
| .. py:method:: decrypt(self, key_name, ciphertext, authenticated_data = None, retry = DEFAULT, timeout = None, metadata = ()) |
| |
| Decrypts a ciphertext message using Google Cloud KMS. |
| |
| :param key_name: The Resource Name for the key to be used for decryption. |
| Of the form ``projects/*/locations/*/keyRings/*/cryptoKeys/**`` |
| :param ciphertext: The message to be decrypted. |
| :param authenticated_data: Any additional authenticated data that was |
| provided when encrypting the message. |
| :param retry: A retry object used to retry requests. If None is specified, requests will not be |
| retried. |
| :param timeout: The amount of time, in seconds, to wait for the request to complete. Note that if |
| retry is specified, the timeout applies to each individual attempt. |
| :param metadata: Additional metadata that is provided to the method. |
| :return: The original message. |
| :rtype: bytes |
| |
| |
| |