airflow.gcp.hooks.kms

This module contains a Google Cloud KMS hook.

Module Contents

airflow.gcp.hooks.kms._b64encode(s)[source]

Base 64 encodes a bytes object to a string

airflow.gcp.hooks.kms._b64decode(s)[source]

Base 64 decodes a string to bytes.

class airflow.gcp.hooks.kms.GoogleCloudKMSHook(gcp_conn_id:str='google_cloud_default', delegate_to:str=None)[source]

Bases: airflow.contrib.hooks.gcp_api_base_hook.GoogleCloudBaseHook

Interact with Google Cloud KMS. This hook uses the Google Cloud Platform connection.

get_conn(self)[source]

Returns a KMS service object.

Return type

googleapiclient.discovery.Resource

encrypt(self, key_name:str, plaintext:bytes, authenticated_data:bytes=None)[source]

Encrypts a plaintext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key (or key version) to be used for encyption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • plaintext (bytes) – The message to be encrypted.

  • authenticated_data (bytes) – Optional additional authenticated data that must also be provided to decrypt the message.

Returns

The base 64 encoded ciphertext of the original message.

Return type

str

decrypt(self, key_name:str, ciphertext:str, authenticated_data:bytes=None)[source]

Decrypts a ciphertext message using Google Cloud KMS.

Parameters
  • key_name (str) – The Resource Name for the key to be used for decyption. Of the form projects/*/locations/*/keyRings/*/cryptoKeys/**

  • ciphertext (str) – The message to be decrypted.

  • authenticated_data (bytes) – Any additional authenticated data that was provided when encrypting the message.

Returns

The original message.

Return type

bytes