
Comments (12)

adizohar commented on August 13, 2024 2

Below is a solution for how to fetch the vault id from the kms_key_id

import oci

# Load the SDK profile (user, tenancy, key file, region) from the config file
config_file = "~/.oci/config"
config = oci.config.from_file(config_file, "DEFAULT")

# Get Regions: needed to translate the region key inside the OCID (e.g. "iad") into a region name
identity_client = oci.identity.IdentityClient(config)
regions = identity_client.list_regions().data

# KMS: pull the vault-specific segment and the region key out of the key OCID
kms_id = "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6waxxxxx"
kms_namespace = kms_id.split(".")[4]
kms_region_key = kms_id.split(".")[3]
kms_region = [x for x in regions if x.key.lower() == kms_region_key][0]
kms_region_name = kms_region.name
# The management endpoint hostname is <vault segment>-management.kms.<region name>
kms_management_endpoint = "https://" + kms_namespace + "-management.kms." + kms_region_name + ".oraclecloud.com"

# fetch the key: the management client needs the service endpoint explicitly
kms_management_client = oci.key_management.KmsManagementClient(config, kms_management_endpoint)
kms_key = kms_management_client.get_key(kms_id).data
print(kms_key)

# output
{
  "compartment_id": "ocid1.compartment.oc1..aaaaaaaa24b3mfwu6aulib33oan3eqicwm4az65cog7o7xxxxxx",
  "current_key_version": "ocid1.keyversion.oc1.iad.bbpqq6iuaacuu.asqjl4ehwfyaa.abuwcljrerlnng7bxx3cn336f543373zfr4pxxxxx",
  "defined_tags": {},
  "display_name": "adi_master_key",
  "freeform_tags": {},
  "id": "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6walqxxxxx",
  "is_primary": true,
  "key_shape": {
    "algorithm": "AES",
    "curve_id": null,
    "length": 16
  },
  "lifecycle_state": "ENABLED",
  "protection_mode": "HSM",
  "replica_details": null,
  "restored_from_key_id": null,
  "time_created": "2020-07-10T14:28:40.167000+00:00",
  "time_of_deletion": "2020-10-24T01:30:00+00:00",
  "vault_id": "ocid1.vault.oc1.iad.bbpqq6iuaacuu.abuwcljrqlei3dlmyxm43fttfiiod4ttulbc4ifoi73kxxxxx"
}

from oci-python-sdk.

Matt-Mcl commented on August 13, 2024 1

@adizohar Can we re-open this issue as multiple vaults can now be provisioned per tenancy per region?


adizohar commented on August 13, 2024 1

Matt, you are right. There is no option to get the vault id from the key_id.
We must have an option. I will open this ticket and create an internal ticket for the KMS team as well.


jodoglevy commented on August 13, 2024 1

Looks like the Obj Storage API is returning only the KMS key id, not the key's version or the key's vault. I'll ask the Obj Storage team to take a look.


Matt-Mcl commented on August 13, 2024 1

Thanks for the responses!

I wasn't aware that new objects automatically used the new key version if the key has been rotated. It would however still be nice to have a way to check that all objects in a bucket are using the new key.

That code is very helpful, thank you!


frolinek commented on August 13, 2024
  1. The service endpoint for the KMS Management client as well as the KMS Crypto client should not be optional. The endpoint is a required parameter. We will fix the documentation to mark it as a required parameter.
  2. You are required to provide a service endpoint for the KMS Management client. If you don't have the endpoint, you can get it from the Vault Details page or by calling the GetVault API.
  3. The List Keys API is always targeting the particular Vault provided via the service endpoint, so such a filter is actually not needed.


adizohar commented on August 13, 2024

Thank you for the info regarding 1 and 3.

Regarding #2:
When I fetch a bucket from object storage or block storage I only get the kms_key_id (without knowing the vault_id). See for example https://oracle-cloud-infrastructure-python-sdk.readthedocs.io/en/latest/api/object_storage/models/oci.object_storage.models.Bucket.html#oci.object_storage.models.Bucket

Now I need to get the key information, but I cannot call get_key because I don't know the endpoint. How do I get the endpoint? I don't know the vault_id used for this bucket.

A customer can have several vaults. Should the customer loop over all vaults to find the key?

Thank you
Adi


frolinek commented on August 13, 2024

Thanks Adi for a great question. As of now, we do not allow more than one Vault per tenancy per region, so the problem as you described it does not exist today. You are right that this could be a problem in the future when a customer has more than one Vault. To address this, we are going to release KMS integration with OCI Search (https://docs.cloud.oracle.com/iaas/Content/Search/Concepts/queryoverview.htm) in the January-February timeframe, which will allow customers to effectively search for resources and their associations.

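Added example, not code from this issue thread or from the oci-python-sdk itself. It takes the two things discussed above, deriving the management endpoint from the key OCID (Adi's posted snippet) and picking the right vault when a tenancy has several (Adi's question), and does them offline so the derivation can be checked without credentials. The region table and the vault list are constructed sample data; the only realm suffix included is the oc1 -> oraclecloud.com mapping the posted code uses. The vault-matching rule (key and vault OCIDs share their fifth segment) is an assumption drawn from the posted output, not something the page documents, so the code cross-checks the derived endpoint against the vault's own management_endpoint and refuses to proceed on a mismatch.

```python
# Added example, not code from the oci-python-sdk issue thread or the SDK
# itself. It mirrors what the posted snippet does with the key OCID but runs
# offline: the region table and the vault list below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed region-key -> region-name table. The posted code fetches this
# with IdentityClient.list_regions(); it is embedded so the example runs offline.
REGION_KEYS: Dict[str, str] = {
    "IAD": "us-ashburn-1",
    "PHX": "us-phoenix-1",
    "FRA": "eu-frankfurt-1",
}

# Realm -> DNS suffix. The thread only shows oc1 -> oraclecloud.com; other
# realms use other suffixes, so they are left out rather than guessed.
REALM_DOMAINS: Dict[str, str] = {"oc1": "oraclecloud.com"}

# The key OCID from the posted snippet (its tail is redacted on the page).
SAMPLE_KEY_ID = "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6waxxxxx"


@dataclass(frozen=True)
class KeyOcid:
    realm: str         # e.g. "oc1"
    region_key: str    # e.g. "iad"
    vault_prefix: str  # fifth segment; in the posted output the key, key version
                       # and vault OCIDs all carry the same value
    unique: str


def parse_key_ocid(ocid: str) -> KeyOcid:
    """Split 'ocid1.key.<realm>.<region>.<vault-prefix>.<unique>' and validate it.

    Raises ValueError instead of producing a bogus endpoint for a non-key OCID
    (a compartment OCID, for instance, has an empty region segment).
    """
    parts = ocid.split(".")
    if len(parts) != 6 or parts[0] != "ocid1" or parts[1] != "key":
        raise ValueError(f"not a KMS key OCID: {ocid!r}")
    realm, region_key, vault_prefix, unique = parts[2:]
    if not all(p.isalnum() for p in (realm, region_key, vault_prefix, unique)):
        raise ValueError(f"unexpected characters in OCID: {ocid!r}")
    return KeyOcid(realm, region_key, vault_prefix, unique)


def management_endpoint(ocid: str, region_keys: Dict[str, str] = REGION_KEYS) -> str:
    """Build the KMS management endpoint the same way the posted snippet does."""
    k = parse_key_ocid(ocid)
    region_name = region_keys.get(k.region_key.upper())
    if region_name is None:
        raise ValueError(f"unknown region key {k.region_key!r}; refresh the region list")
    domain = REALM_DOMAINS.get(k.realm)
    if domain is None:
        raise ValueError(f"no DNS suffix known for realm {k.realm!r}")
    return f"https://{k.vault_prefix}-management.kms.{region_name}.{domain}"


@dataclass(frozen=True)
class Vault:
    """The two vault fields this example needs; GetVault/ListVaults return both."""
    id: str
    management_endpoint: str


def find_vault_for_key(key_ocid: str, vaults: List[Vault]) -> Optional[Vault]:
    """Pick the vault whose OCID shares realm, region and fifth segment with the key.

    Assumption (not documented on the page, but consistent with the posted
    output): a key's fifth OCID segment equals its vault's fifth segment. The
    derived endpoint is cross-checked against the vault's own endpoint so a
    wrong guess fails loudly instead of sending requests to a stray host.
    """
    k = parse_key_ocid(key_ocid)
    for v in vaults:
        parts = v.id.split(".")
        if len(parts) != 6 or parts[1] != "vault":
            continue
        if parts[2:5] != [k.realm, k.region_key, k.vault_prefix]:
            continue
        if v.management_endpoint.rstrip("/") != management_endpoint(key_ocid):
            raise ValueError(f"vault {v.id} endpoint does not match the derived endpoint")
        return v
    return None


# Constructed vault list: the vault from the posted output plus an unrelated one.
SAMPLE_VAULTS = [
    Vault("ocid1.vault.oc1.iad.bbpqq6iuaacuu.abuwcljrqlei3dlmyxm43fttfiiod4ttulbc4ifoi73kxxxxx",
          "https://bbpqq6iuaacuu-management.kms.us-ashburn-1.oraclecloud.com"),
    Vault("ocid1.vault.oc1.phx.aaaaexamplevault.abyhqljrexampleexampleexampleexample",
          "https://aaaaexamplevault-management.kms.us-phoenix-1.oraclecloud.com"),
]

if __name__ == "__main__":
    print(management_endpoint(SAMPLE_KEY_ID))
    match = find_vault_for_key(SAMPLE_KEY_ID, SAMPLE_VAULTS)
    print(match.id if match else "no vault matched")
```

In practice the vault list would come from ListVaults per compartment and the region table from list_regions, as in the posted snippet; the offline structure above is the part worth keeping, since it fails closed on an OCID of the wrong type, an unknown region key, an unknown realm, or a vault whose endpoint disagrees with the one derived from the key.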

adizohar commented on August 13, 2024

Thank you, appreciate it


adizohar commented on August 13, 2024

Hi Matt, I will need to check whether the search option can be used, and if not I will reopen.


Matt-Mcl commented on August 13, 2024

Also, in addition to this: a bucket only exposes the kms_key_id and not the version of the key it is using. Is there any way to find out if a bucket is using a specific version of a key, as the API itself does not seem to expose this?


adizohar commented on August 13, 2024

Hi Matt,
Buckets and other services may use different versions of the keys.
If you created a new version, new objects will use the new version, and the old ones use the previous versions.
I will check with the services whether they can specify all the key versions being used.
I opened a ticket related to finding the vault id from the key id in order to get the endpoint; I will update once we have a solution.
For your info.
