Comments (12)
Below is a solution for how to fetch the vault id from the kms_key_id
import oci

config_file = "~/.oci/config"
config = oci.config.from_file(config_file, "DEFAULT")

# Get Regions: needed to map the region key embedded in the OCID (e.g. "iad")
# to the region name used in service hostnames (e.g. "us-ashburn-1")
identity_client = oci.identity.IdentityClient(config)
regions = identity_client.list_regions().data

# KMS key OCID layout: ocid1.key.<realm>.<region-key>.<vault-ext>.<unique-id>
kms_id = "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6waxxxxx"
kms_namespace = kms_id.split(".")[4]    # vault-specific hostname prefix
kms_region_key = kms_id.split(".")[3]   # e.g. "iad"
# next() raises StopIteration with a clear traceback if the region key is unknown,
# instead of the bare IndexError a [0] on an empty list would give
kms_region = next(x for x in regions if x.key.lower() == kms_region_key.lower())
kms_region_name = kms_region.name
# Management endpoint of the vault that owns this key
kms_management_endpoint = "https://" + kms_namespace + "-management.kms." + kms_region_name + ".oraclecloud.com"

# fetch the key
kms_management_client = oci.key_management.KmsManagementClient(config, kms_management_endpoint)
kms_key = kms_management_client.get_key(kms_id).data
print(kms_key)
# output
{
"compartment_id": "ocid1.compartment.oc1..aaaaaaaa24b3mfwu6aulib33oan3eqicwm4az65cog7o7xxxxxx",
"current_key_version": "ocid1.keyversion.oc1.iad.bbpqq6iuaacuu.asqjl4ehwfyaa.abuwcljrerlnng7bxx3cn336f543373zfr4pxxxxx",
"defined_tags": {},
"display_name": "adi_master_key",
"freeform_tags": {},
"id": "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6walqxxxxx",
"is_primary": true,
"key_shape": {
"algorithm": "AES",
"curve_id": null,
"length": 16
},
"lifecycle_state": "ENABLED",
"protection_mode": "HSM",
"replica_details": null,
"restored_from_key_id": null,
"time_created": "2020-07-10T14:28:40.167000+00:00",
"time_of_deletion": "2020-10-24T01:30:00+00:00",
"vault_id": "ocid1.vault.oc1.iad.bbpqq6iuaacuu.abuwcljrqlei3dlmyxm43fttfiiod4ttulbc4ifoi73kxxxxx"
}
from oci-python-sdk.
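The OCID parsing in the snippet above, generalised to key, keyversion and vault OCIDs and written to run offline, as an added example that is not code from the thread or from oci-python-sdk. The endpoint shape (`<vault-ext>-management.kms.<region>.oraclecloud.com`, and `-crypto` for the crypto plane) follows the comment above; the region-key table is a constructed subset of what `list_regions()` returns, and the `oraclecloud.com` suffix is assumed to hold only for the `oc1` realm. The sample OCIDs are the redacted ones from the thread.

```python
"""Offline helpers for pulling routing information out of OCI KMS OCIDs.

Added example, not code from the thread or from oci-python-sdk. Assumes the
endpoint shape "<vault-ext>-<plane>.kms.<region>.oraclecloud.com" for the oc1
realm and a hand-written subset of region keys; in production take the
region list from IdentityClient.list_regions().
"""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of region key -> region name (assumption: mirrors list_regions()).
REGION_NAMES = {
    "iad": "us-ashburn-1",
    "phx": "us-phoenix-1",
    "fra": "eu-frankfurt-1",
    "lhr": "uk-london-1",
}

# Resource types whose OCIDs carry the vault extension as their 5th segment.
VAULT_SCOPED_TYPES = {"key", "keyversion", "vault"}


@dataclass(frozen=True)
class KmsOcid:
    resource_type: str
    realm: str
    region_key: str
    vault_ext: str          # hostname prefix of the owning vault
    key_ext: Optional[str]  # only present on keyversion OCIDs
    unique_id: str

    @property
    def region_name(self) -> str:
        return REGION_NAMES[self.region_key]

    def endpoint(self, plane: str) -> str:
        """Vault endpoint for the given plane ("management" or "crypto")."""
        if plane not in ("management", "crypto"):
            raise ValueError(f"unknown KMS plane {plane!r}")
        if self.realm != "oc1":
            # assumption: only the oc1 realm uses the oraclecloud.com suffix
            raise ValueError(f"endpoint suffix for realm {self.realm!r} is not known here")
        return f"https://{self.vault_ext}-{plane}.kms.{self.region_name}.oraclecloud.com"


def parse_kms_ocid(ocid: str) -> KmsOcid:
    """Split a vault-scoped OCID into its segments, rejecting anything else.

    Layouts handled:
      ocid1.key.<realm>.<region>.<vault-ext>.<unique>
      ocid1.vault.<realm>.<region>.<vault-ext>.<unique>
      ocid1.keyversion.<realm>.<region>.<vault-ext>.<key-ext>.<unique>
    """
    parts = ocid.split(".")
    if len(parts) < 6 or parts[0] != "ocid1":
        raise ValueError(f"not an OCID with a vault segment: {ocid!r}")
    rtype = parts[1]
    if rtype not in VAULT_SCOPED_TYPES:
        raise ValueError(f"{rtype!r} OCIDs do not encode a vault: {ocid!r}")
    expected_len = 7 if rtype == "keyversion" else 6
    if len(parts) != expected_len:
        raise ValueError(f"{rtype} OCID should have {expected_len} segments: {ocid!r}")
    region_key = parts[3].lower()
    if region_key not in REGION_NAMES:
        raise ValueError(f"unknown region key {parts[3]!r} in {ocid!r}")
    key_ext = parts[5] if rtype == "keyversion" else None
    return KmsOcid(rtype, parts[2], region_key, parts[4], key_ext, parts[-1])


def same_vault(a: str, b: str) -> bool:
    """True when two KMS OCIDs route to the same vault endpoint.

    Useful as a consistency check: a key whose vault_id (from get_key) does not
    share realm, region and vault extension with the key id would mean the
    endpoint was derived wrongly.
    """
    x, y = parse_kms_ocid(a), parse_kms_ocid(b)
    return (x.realm, x.region_key, x.vault_ext) == (y.realm, y.region_key, y.vault_ext)


if __name__ == "__main__":
    # Redacted OCIDs from the thread above
    key_id = "ocid1.key.oc1.iad.bbpqq6iuaacuu.abuwcljrjzehgml2wpiaahmmtnijvqj5tmohs2bsq6waxxxxx"
    vault_id = "ocid1.vault.oc1.iad.bbpqq6iuaacuu.abuwcljrqlei3dlmyxm43fttfiiod4ttulbc4ifoi73kxxxxx"
    k = parse_kms_ocid(key_id)
    print("management:", k.endpoint("management"))
    print("crypto:    ", k.endpoint("crypto"))
    print("same vault:", same_vault(key_id, vault_id))
```

Because the vault extension is part of every key, keyversion and vault OCID, `same_vault` gives a cheap offline check that the key id on a bucket really belongs to the vault you are about to query, before any API call is made.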
@adizohar Can we re-open this issue as multiple vaults can now be provisioned per tenancy per region?
Matt, you are right. There is no option to get the vault id from the key_id.
We must have an option. I will open this ticket and create an internal ticket for the KMS team as well.
Looks like the Obj Storage API is returning only the KMS key id, not the key's version nor the key's vault. I'll ask the Obj Storage team to take a look.
Thanks for the responses!
I wasn't aware that new objects automatically used the new key version if the key has been rotated. It would however still be nice to have a way to check that all objects in a bucket are using the new key.
That code is very helpful, thank you!
- Service endpoint for the KMS Management client as well as KMS Crypto client should not be optional. The endpoint is required parameter. We will fix the documentation to mark it as required parameter.
- You are required to provide a service endpoint for the KMS Management client. If you don't have the endpoint, you can get it from Vault Details page or by calling GetVault API.
- List Keys API is always targeting a particular Vault provided via service endpoint, so such filter is actually not needed.
Thank you for the info regarding 1 and 3.
Regarding #2:
When I fetch a bucket from object storage or block storage I only get kms_key_id (without knowing the vault_id) - see for example https://oracle-cloud-infrastructure-python-sdk.readthedocs.io/en/latest/api/object_storage/models/oci.object_storage.models.Bucket.html#oci.object_storage.models.Bucket
Now I need to get the key information, but I cannot call get_key because I don't know the endpoint. How do I get the endpoint? I don't know the vault_id used for this bucket.
A customer can have several vaults; should the customer loop over all vaults to find the key?
Thank you
Adi
Thanks Adi for a great question. As of now, we do not allow more than one Vault per tenancy per region, so the problem as you described it does not exist today. You are right that this could be a problem in the future when a customer has more than one Vault. To address this, we are going to release KMS integration with OCI Search (https://docs.cloud.oracle.com/iaas/Content/Search/Concepts/queryoverview.htm) in the January-February timeframe that will allow customers to effectively search for resources and their associations.
Thank you, appreciate it
Hi Matt, I will need to check if the search option can be used and if not I will reopen
Also, in addition to this: a bucket only exposes the kms_key_id and not the version of the key it is using. Is there any way to find out if a bucket is using a specific version of a key, as the API itself does not seem to expose this?
Hi Matt,
Buckets and other services may use different versions of the keys.
If you created a new version, new objects will use the new version, and old ones use the previous versions.
I will check with the services if they can specify all the key versions being used.
I opened a ticket related to finding the vault id from the key id in order to get the endpoint; I will update once we have a solution.
For your info