Alibaba Cloud KMS SDK for Python can help Python developers to use the KMS.
Read this in other languages:English,简体中文
Alibaba Cloud KMS SDK helps Python developers quickly use all APIs of Alibaba Cloud KMS products: - KMS resource management and key operations can be performed through KMS public gateway access - You can perform key operations through KMS instance gateway
- Python 3.6 or later
pip install alibabacloud-kms-python-sdk
Introduction to KMS Client
KMS client classes | Introduction | Usage scenarios |
---|---|---|
alibabacloud_kms_k ms20160120.client.Client | KMS resource management and key operations for KMS instance gateways are supported | 1. Scenarios where key operations are performed only through VPC gateways. 2. KMS resource management scenarios that only use public gateways. 3. Scenarios where you want to perform key operations through VPC gateways and manage KMS resources through public gateways. |
al ibabacloud_kms_kms201601 20.client.TransferClient | Users can migrate from KMS 1.0 key operations to KMS 3.0 key operations | Users who use Alibaba Cloud SDK to access KMS 1.0 key operations need to migrate to KMS 3.0 |
Refer to the following sample code to call the KMS AdvanceEncrypt API. For more API examples, seeoperation samples
import sys
from typing import List
from openapi import models as dedicated_kms_openapi_models
from alibabacloud_kms_kms20160120.client import Client as KmsSdkClient
from sdk import models as dedicated_kms_sdk_models
from alibabacloud_tea_util.client import Client as UtilClient
from alibabacloud_darabonba_env.client import Client as EnvClient
class AdvanceEncrypt:
def __init__(self):
pass
@staticmethod
def create_kms_instance_config(
client_key_file: str,
password: str,
endpoint: str,
ca_file_path: str,
) -> dedicated_kms_openapi_models.Config:
config = dedicated_kms_openapi_models.Config(
client_key_file=client_key_file,
password=password,
endpoint=endpoint,
ca_file_path=ca_file_path
)
return config
@staticmethod
def create_client(
kms_instance_config: dedicated_kms_openapi_models.Config,
) -> KmsSdkClient:
return KmsSdkClient(kms_instance_config=kms_instance_config)
@staticmethod
def advance_encrypt(
client: KmsSdkClient,
key_id: str,
plaintext: bytes,
) -> dedicated_kms_sdk_models.AdvanceEncryptResponse:
request = dedicated_kms_sdk_models.AdvanceEncryptRequest(
key_id=key_id,
plaintext=plaintext
)
return client.advance_encrypt(request)
@staticmethod
def main(
args: List[str],
) -> None:
kms_instance_config = AdvanceEncrypt.create_kms_instance_config(EnvClient.get_env('your client key file path env'), EnvClient.get_env('your client key password env'), 'your kms instance endpoint', 'your ca file path')
client = AdvanceEncrypt.create_client(kms_instance_config)
key_id = 'your keyId'
plaintext = UtilClient.to_bytes('your plaintext')
response = AdvanceEncrypt.advance_encrypt(client, key_id, plaintext)
print(response)
if __name__ == '__main__':
AdvanceEncrypt.main(sys.argv[1:])
Refer to the following sample code to call the KMS CreateKey API. For more API examples, seemanage samples
import sys
from typing import List
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_kms_kms20160120.client import Client as KmsSdkClient
from alibabacloud_kms20160120 import models as kms_20160120_models
from alibabacloud_darabonba_env.client import Client as EnvClient
class CreateKey:
def __init__(self):
pass
@staticmethod
def create_open_api_config(
access_key_id: str,
access_key_secret: str,
region_id: str,
) -> open_api_models.Config:
config = open_api_models.Config(
access_key_id=access_key_id,
access_key_secret=access_key_secret,
region_id=region_id
)
return config
@staticmethod
def create_client(
open_api_config: open_api_models.Config,
) -> KmsSdkClient:
return KmsSdkClient(open_api_config=open_api_config)
@staticmethod
def create_key(
client: KmsSdkClient,
enable_automatic_rotation: bool,
rotation_interval: str,
key_usage: str,
origin: str,
description: str,
dkmsinstance_id: str,
protection_level: str,
key_spec: str,
) -> kms_20160120_models.CreateKeyResponse:
request = kms_20160120_models.CreateKeyRequest(
enable_automatic_rotation=enable_automatic_rotation,
rotation_interval=rotation_interval,
key_usage=key_usage,
origin=origin,
description=description,
dkmsinstance_id=dkmsinstance_id,
protection_level=protection_level,
key_spec=key_spec
)
return client.create_key(request)
@staticmethod
def main(
args: List[str],
) -> None:
#Make sure that the environment in which the code runs has environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET set.
#Project code leakage may cause AccessKey to be leaked and threaten the security of all resources under the account. The following code example uses an environment variable to obtain the AccessKey for reference only, it is recommended to use the more secure STS mode, for more authentication access methods, see https://help.aliyun.com/document_detail/378657.html
open_api_config = CreateKey.create_open_api_config(EnvClient.get_env('ALIBABA_CLOUD_ACCESS_KEY_ID'), EnvClient.get_env('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), 'your region id')
client = CreateKey.create_client(open_api_config)
enable_automatic_rotation = False
rotation_interval = 'your rotationInterval'
key_usage = 'your keyUsage'
origin = 'your origin'
description = 'your description'
d_kmsinstance_id = 'your dKMSInstanceId'
protection_level = 'your protectionLevel'
key_spec = 'your keySpec'
response = CreateKey.create_key(client, enable_automatic_rotation, rotation_interval, key_usage, origin, description, d_kmsinstance_id, protection_level, key_spec)
print(response)
if __name__ == '__main__':
CreateKey.main(sys.argv[1:])
3. You must not only perform key operations through a VPC gateway, but also manage KMS resources through a public gateway.
Refer to the following sample code to call the KMS CreateKey API and the AdvanceEncrypt API. For more API examples, see operation samples 和 manage samples
import sys
from typing import List
from openapi import models as dedicated_kms_openapi_models
from alibabacloud_kms_kms20160120.client import Client as KmsSdkClient
from sdk import models as dedicated_kms_sdk_models
from alibabacloud_tea_util.client import Client as UtilClient
from alibabacloud_darabonba_env.client import Client as EnvClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_kms20160120 import models as kms_20160120_models
class Sample:
def __init__(self):
pass
@staticmethod
def create_kms_instance_config(
client_key_file: str,
password: str,
endpoint: str,
ca_file_path: str,
) -> dedicated_kms_openapi_models.Config:
config = dedicated_kms_openapi_models.Config(
client_key_file=client_key_file,
password=password,
endpoint=endpoint,
ca_file_path=ca_file_path
)
return config
@staticmethod
def create_open_api_config(
access_key_id: str,
access_key_secret: str,
region_id: str,
) -> open_api_models.Config:
config = open_api_models.Config(
access_key_id=access_key_id,
access_key_secret=access_key_secret,
region_id=region_id
)
return config
@staticmethod
def create_client(kms_instance_config: dedicated_kms_openapi_models.Config,
open_api_config: open_api_models.Config
) -> KmsSdkClient:
return KmsSdkClient(kms_instance_config=kms_instance_config, open_api_config=open_api_config)
@staticmethod
def create_key(
client: KmsSdkClient,
enable_automatic_rotation: bool,
rotation_interval: str,
key_usage: str,
origin: str,
description: str,
dkmsinstance_id: str,
protection_level: str,
key_spec: str,
) -> kms_20160120_models.CreateKeyResponse:
request = kms_20160120_models.CreateKeyRequest(
enable_automatic_rotation=enable_automatic_rotation,
rotation_interval=rotation_interval,
key_usage=key_usage,
origin=origin,
description=description,
dkmsinstance_id=dkmsinstance_id,
protection_level=protection_level,
key_spec=key_spec
)
return client.create_key(request)
@staticmethod
def advance_encrypt(
client: KmsSdkClient,
key_id: str,
plaintext: bytes,
) -> dedicated_kms_sdk_models.AdvanceEncryptResponse:
request = dedicated_kms_sdk_models.AdvanceEncryptRequest(
key_id=key_id,
plaintext=plaintext
)
return client.advance_encrypt(request)
@staticmethod
def main(
args: List[str],
) -> None:
kms_instance_config = Sample.create_kms_instance_config(EnvClient.get_env('your client key file path env'), EnvClient.get_env('your client key password env'), 'your kms instance endpoint', 'your ca file path')
#Make sure that the environment in which the code runs has environment variables ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET set.
#Project code leakage may cause AccessKey to be leaked and threaten the security of all resources under the account. The following code example uses an environment variable to obtain the AccessKey for reference only, it is recommended to use the more secure STS mode, for more authentication access methods, see https://help.aliyun.com/document_detail/378657.html
open_api_config = Sample.create_open_api_config(EnvClient.get_env('ALIBABA_CLOUD_ACCESS_KEY_ID'), EnvClient.get_env('ALIBABA_CLOUD_ACCESS_KEY_SECRET'), 'your region id')
client = Sample.create_client(kms_instance_config, open_api_config)
#CreateKey
enable_automatic_rotation = False
rotation_interval = 'your rotationInterval'
key_usage = 'your keyUsage'
origin = 'your origin'
description = 'your description'
d_kmsinstance_id = 'your dKMSInstanceId'
protection_level = 'your protectionLevel'
key_spec = 'your keySpec'
create_key_resp = Sample.create_key(client, enable_automatic_rotation, rotation_interval, key_usage, origin, description, d_kmsinstance_id, protection_level, key_spec)
print(create_key_resp)
#Advance Encrypt
key_id = 'your keyId'
plaintext = UtilClient.to_bytes('your plaintext')
encrypt_resp = Sample.advance_encrypt(client, key_id, plaintext)
print(encrypt_resp)
if __name__ == '__main__':
Sample.main(sys.argv[1:])
Refer to the following sample code to call the KMS API. For more API examples, see kms transfer samples
import os
from alibabacloud_kms20160120 import models as kms_20160120_models
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_kms_kms20160120.models import KmsConfig, KmsRuntimeOptions
from alibabacloud_kms_kms20160120.transfer_client import TransferClient
def create_client():
# set config
openapi_config = open_api_models.Config(
# set region id
region_id='<your-region-id>',
# set access key id
access_key_id=os.getenv('ACCESS_KEY_ID'),
# set access key secret
access_key_secret=os.getenv('ACCESS_KEY_SECRET')
)
# set kms config
kms_config = KmsConfig(
# set the request protocol to https
protocol='https',
# set client key file path
client_key_file='<your-client-key-file-path>',
# set client key password
password='<your-password>',
# set kms instance endpoint
endpoint='<your-kms-instance-endpoint>'
)
# create transfer client
return TransferClient(config=config, kms_config=kms_config)
def create_key(client):
request = kms_20160120_models.CreateKeyRequest(
key_spec='<your-key-spec>',
key_usage='<your-key-usage>'
)
# If verify server CA certificate,you can set CA certificate file path with RuntimeOptions
runtime = KmsRuntimeOptions(
ca='<your-ca-certificate-file-path>'
)
# If you ignore ssl verification,you can set ignore_ssl with True related to the RuntimeOptions parameter
# runtime = KmsRuntimeOptions(
# ignore_ssl=True
# )
try:
response = client.create_key_with_options(request, runtime)
print(str(response.body))
except Exception as e:
print(str(e))
def generate_data_key(client):
request = kms_20160120_models.GenerateDataKeyRequest(
key_id='<your-key-id>',
)
# If verify server CA certificate,you can set CA certificate file path with RuntimeOptions
runtime = KmsRuntimeOptions(
ca='<your-ca-certificate-file-path>'
)
# If you ignore ssl verification,you can set ignore_ssl with True related to the RuntimeOptions parameter
# runtime = KmsRuntimeOptions(
# ignore_ssl=True
# )
try:
response = client.generate_data_key_with_options(request, runtime)
print(str(response.body))
except Exception as e:
print(str(e))
client = create_client()
create_key(client)
generate_data_key(client)
If you need to use the KMS instance SDK for KMS instance performance testing, please refer to the sample code of the pressure measurement tools in the directory named benchmarks , compile it into an executable program and run it with the following command:
$ python benchmark.py --case=encrypt --client_key_file=./ClientKey_****.json --client_key_password=**** --endpoint=kst-****.cryptoservice.kms.aliyuncs.com --key_id=key-**** --data_size=32 --concurrence_nums=32 --duration=600
How to compile and use the stress test tool, please refer to the document.
Copyright (c) 2009-present, Alibaba Cloud All rights reserved.