KmsManagementClient

class oci.key_management.KmsManagementClient(config, service_endpoint, **kwargs)

Use the Key Management API to manage vaults and keys. For more information, see [Managing Vaults](/Content/KeyManagement/Tasks/managingvaults.htm) and [Managing Keys](/Content/KeyManagement/Tasks/managingkeys.htm).

Methods

__init__(config, service_endpoint, **kwargs) Creates a new service client
backup_key(key_id, **kwargs) Backs up an encrypted file that contains all key versions and metadata of the specified key so that you can restore the key later.
cancel_key_deletion(key_id, **kwargs) Cancels the scheduled deletion of the specified key.
cancel_key_version_deletion(key_id, …) Cancels the scheduled deletion of the specified key version.
change_key_compartment(key_id, …) Moves a key into a different compartment within the same tenancy.
create_key(create_key_details, **kwargs) Creates a new master encryption key.
create_key_version(key_id, **kwargs) Generates a new `KeyVersion`__ resource that provides new cryptographic material for a master encryption key.
disable_key(key_id, **kwargs) Disables a master encryption key so it can no longer be used for encryption, decryption, or generating new data encryption keys.
enable_key(key_id, **kwargs) Enables a master encryption key so it can be used for encryption, decryption, or generating new data encryption keys.
get_key(key_id, **kwargs) Gets information about the specified master encryption key.
get_key_version(key_id, key_version_id, **kwargs) Gets information about the specified key version.
get_replication_status(replication_id, **kwargs) When a vault has a replica, each operation on the vault or its resources, such as keys, is replicated and has an associated replicationId.
get_wrapping_key(**kwargs) Gets details about the public RSA wrapping key associated with the vault in the endpoint.
import_key(import_key_details, **kwargs) Imports AES and RSA keys to create a new key.
import_key_version(key_id, …) Imports AES key material to create a new key version and then rotate the key to begin using the new key version.
list_key_versions(key_id, **kwargs) Lists all `KeyVersion`__ resources for the specified master encryption key.
list_keys(compartment_id, **kwargs) Lists the master encryption keys in the specified vault and compartment.
restore_key_from_file(…) Restores the specified key to the specified vault, based on information in the backup file provided.
restore_key_from_object_store(**kwargs) Restores the specified key to the specified vault from an Oracle Cloud Infrastructure Object Storage location.
schedule_key_deletion(key_id, …) Schedules the deletion of the specified key.
schedule_key_version_deletion(key_id, …) Schedules the deletion of the specified key version.
update_key(key_id, update_key_details, **kwargs) Updates the properties of a master encryption key.
__init__(config, service_endpoint, **kwargs)

Creates a new service client

Parameters:
  • config (dict) – Configuration keys and values as per SDK and Tool Configuration. The from_file() method can be used to load configuration from a file. Alternatively, a dict can be passed. You can validate_config the dict using validate_config()
  • service_endpoint (str) – The endpoint of the service to call using this client. For example https://iaas.us-ashburn-1.oraclecloud.com.
  • timeout (float or tuple(float, float)) – (optional) The connection and read timeouts for the client. The default values are connection timeout 10 seconds and read timeout 60 seconds. This keyword argument can be provided as a single float, in which case the value provided is used for both the read and connection timeouts, or as a tuple of two floats. If a tuple is provided then the first value is used as the connection timeout and the second value as the read timeout.
  • signer (AbstractBaseSigner) –

    (optional) The signer to use when signing requests made by the service client. The default is to use a Signer based on the values provided in the config parameter.

    One use case for this parameter is for Instance Principals authentication by passing an instance of InstancePrincipalsSecurityTokenSigner as the value for this keyword argument

  • retry_strategy (obj) –

    (optional) A retry strategy to apply to all calls made by this service client (i.e. at the client level). There is no retry strategy applied by default. Retry strategies can also be applied at the operation level by passing a retry_strategy keyword argument as part of calling the operation. Any value provided at the operation level will override whatever is specified at the client level.

    This should be one of the strategies available in the retry module. A convenience DEFAULT_RETRY_STRATEGY is also available. The specifics of the default retry strategy are described here.

  • circuit_breaker_strategy (obj) – (optional) A circuit breaker strategy to apply to all calls made by this service client (i.e. at the client level). This client uses DEFAULT_CIRCUIT_BREAKER_STRATEGY as default if no circuit breaker strategy is provided. The specifics of circuit breaker strategy are described here.
  • circuit_breaker_callback (function) – (optional) Callback function to receive any exceptions triggerred by the circuit breaker.
  • client_level_realm_specific_endpoint_template_enabled (bool) – (optional) A boolean flag to indicate whether or not this client should be created with realm specific endpoint template enabled or disable. By default, this will be set as None.
  • allow_control_chars – (optional) allow_control_chars is a boolean to indicate whether or not this client should allow control characters in the response object. By default, the client will not allow control characters to be in the response object.
backup_key(key_id, **kwargs)

Backs up an encrypted file that contains all key versions and metadata of the specified key so that you can restore the key later. The file also contains the metadata of the vault that the key belonged to.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • backup_key_details (oci.key_management.models.BackupKeyDetails) – (optional) BackupKeyDetails
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use backup_key API.

cancel_key_deletion(key_id, **kwargs)

Cancels the scheduled deletion of the specified key. Canceling a scheduled deletion restores the key’s lifecycle state to what it was before its scheduled deletion.

As a provisioning operation, this call is subject to a Key Management limit that applies to the total number of requests across all provisioning write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of provisioning write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use cancel_key_deletion API.

cancel_key_version_deletion(key_id, key_version_id, **kwargs)

Cancels the scheduled deletion of the specified key version. Canceling a scheduled deletion restores the key version to its lifecycle state from before its scheduled deletion.

As a provisioning operation, this call is subject to a Key Management limit that applies to the total number of requests across all provisioning write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of provisioning write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • key_version_id (str) – (required) The OCID of the key version.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type KeyVersion
Return type:

Response
Example:

Click here to see an example of how to use cancel_key_version_deletion API.

change_key_compartment(key_id, change_key_compartment_details, **kwargs)

Moves a key into a different compartment within the same tenancy. For information about moving resources between compartments, see `Moving Resources to a Different Compartment`__.

When provided, if-match is checked against the ETag values of the key.

As a provisioning operation, this call is subject to a Key Management limit that applies to the total number of requests across all provisioning write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of provisioning write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • change_key_compartment_details (oci.key_management.models.ChangeKeyCompartmentDetails) – (required) Details of change key compartment.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type None
Return type:

Response
Example:

Click here to see an example of how to use change_key_compartment API.

create_key(create_key_details, **kwargs)

Creates a new master encryption key.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • create_key_details (oci.key_management.models.CreateKeyDetails) – (required) CreateKeyDetails
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use create_key API.

create_key_version(key_id, **kwargs)

Generates a new `KeyVersion`__ resource that provides new cryptographic material for a master encryption key. The key must be in an ENABLED state to be rotated.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • create_key_metadata_details (oci.key_management.models.ExternalKeyVersionReference) – (optional) CreateKeyMetadataDetails
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type KeyVersion
Return type:

Response
Example:

Click here to see an example of how to use create_key_version API.

disable_key(key_id, **kwargs)

Disables a master encryption key so it can no longer be used for encryption, decryption, or generating new data encryption keys.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use disable_key API.

enable_key(key_id, **kwargs)

Enables a master encryption key so it can be used for encryption, decryption, or generating new data encryption keys.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use enable_key API.

get_key(key_id, **kwargs)

Gets information about the specified master encryption key.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management read operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management read operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use get_key API.

get_key_version(key_id, key_version_id, **kwargs)

Gets information about the specified key version.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management read operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management read operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • key_version_id (str) – (required) The OCID of the key version.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type KeyVersion
Return type:

Response
Example:

Click here to see an example of how to use get_key_version API.

get_replication_status(replication_id, **kwargs)

When a vault has a replica, each operation on the vault or its resources, such as keys, is replicated and has an associated replicationId. Replication status provides details about whether the operation associated with the given replicationId has been successfully applied across replicas.

Parameters:
  • replication_id (str) – (required) replicationId associated with an operation on a resource
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type ReplicationStatusDetails
Return type:

Response
Example:

Click here to see an example of how to use get_replication_status API.

get_wrapping_key(**kwargs)

Gets details about the public RSA wrapping key associated with the vault in the endpoint. Each vault has an RSA key-pair that wraps and unwraps AES key material for import into Key Management.

Parameters:
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type WrappingKey
Return type:

Response
Example:

Click here to see an example of how to use get_wrapping_key API.

import_key(import_key_details, **kwargs)

Imports AES and RSA keys to create a new key. The key material must be base64-encoded and wrapped by the vault’s public RSA wrapping key before you can import it. Key Management supports both RSA and AES keys. The AES keys are symmetric keys of length 128 bits (16 bytes), 192 bits (24 bytes), or 256 bits (32 bytes), and the RSA keys are asymmetric keys of length 2048 bits (256 bytes), 3072 bits (384 bytes), and 4096 bits (512 bytes). Furthermore, the key length must match what you specify at the time of import. When importing an asymmetric key, only private key must be wrapped in PKCS8 format while the corresponding public key is generated internally by KMS.

Parameters:
  • import_key_details (oci.key_management.models.ImportKeyDetails) – (required) ImportKeyDetails
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use import_key API.

import_key_version(key_id, import_key_version_details, **kwargs)

Imports AES key material to create a new key version and then rotate the key to begin using the new key version. The key material must be base64-encoded and wrapped by the vault’s public RSA wrapping key before you can import it. Key Management supports AES symmetric keys that are exactly 16, 24, or 32 bytes. Furthermore, the key length must match the length of the specified key and what you specify as the length at the time of import. When importing an asymmetric key, only the private key must be wrapped in PKCS8 format while the corresponding public key is generated internally by KMS.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • import_key_version_details (oci.key_management.models.ImportKeyVersionDetails) – (required) ImportKeyVersionDetails
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type KeyVersion
Return type:

Response
Example:

Click here to see an example of how to use import_key_version API.

list_key_versions(key_id, **kwargs)

Lists all `KeyVersion`__ resources for the specified master encryption key.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management read operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management read operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • limit (int) – (optional) The maximum number of items to return in a paginated “List” call.
  • page (str) – (optional) The value of the opc-next-page response header from the previous “List” call.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • sort_by (str) –

    (optional) The field to sort by. You can specify only one sort order. The default order for TIMECREATED is descending. The default order for DISPLAYNAME is ascending.

    Allowed values are: “TIMECREATED”, “DISPLAYNAME”

  • sort_order (str) –

    (optional) The sort order to use, either ascending (ASC) or descending (DESC).

    Allowed values are: “ASC”, “DESC”

  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type list of KeyVersionSummary
Return type:

Response
Example:

Click here to see an example of how to use list_key_versions API.

list_keys(compartment_id, **kwargs)

Lists the master encryption keys in the specified vault and compartment.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management read operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management read operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • compartment_id (str) – (required) The OCID of the compartment.
  • limit (int) – (optional) The maximum number of items to return in a paginated “List” call.
  • page (str) – (optional) The value of the opc-next-page response header from the previous “List” call.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • sort_by (str) –

    (optional) The field to sort by. You can specify only one sort order. The default order for TIMECREATED is descending. The default order for DISPLAYNAME is ascending.

    Allowed values are: “TIMECREATED”, “DISPLAYNAME”

  • sort_order (str) –

    (optional) The sort order to use, either ascending (ASC) or descending (DESC).

    Allowed values are: “ASC”, “DESC”

  • protection_mode (str) –

    (optional) A key’s protection mode indicates how the key persists and where cryptographic operations that use the key are performed. A protection mode of HSM means that the key persists on a hardware security module (HSM) and all cryptographic operations are performed inside the HSM. A protection mode of SOFTWARE means that the key persists on the server, protected by the vault’s RSA wrapping key which persists on the HSM. All cryptographic operations that use a key with a protection mode of SOFTWARE are performed on the server. A protection mode of EXTERNAL mean that the key persists on the customer’s external key manager which is hosted externally outside of oracle. Oracle only hold a reference to that key. All cryptographic operations that use a key with a protection mode of EXTERNAL are performed by external key manager.

    Allowed values are: “HSM”, “SOFTWARE”, “EXTERNAL”

  • algorithm (str) –

    (optional) The algorithm used by a key’s key versions to encrypt or decrypt data. Currently, support includes AES, RSA, and ECDSA algorithms.

    Allowed values are: “AES”, “RSA”, “ECDSA”

  • length (int) – (optional) The length of the key in bytes, expressed as an integer. Supported values include 16, 24, or 32.
  • curve_id (str) –

    (optional) The curve ID of the keys. (This pertains only to ECDSA keys.)

    Allowed values are: “NIST_P256”, “NIST_P384”, “NIST_P521”

  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type list of KeySummary
Return type:

Response
Example:

Click here to see an example of how to use list_keys API.

restore_key_from_file(restore_key_from_file_details, **kwargs)

Restores the specified key to the specified vault, based on information in the backup file provided. If the vault doesn’t exist, the operation returns a response with a 404 HTTP status error code. You need to first restore the vault associated with the key.

Parameters:
  • restore_key_from_file_details (stream) – (required) The encrypted backup file to upload to restore the key.
  • content_length (int) – (optional) The content length of the body.
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • content_md5 (str) –

    (optional) The base64-encoded MD5 hash value of the body, as described in `RFC 2616`__, section 14.15. If the Content-MD5 header is present, Key Management performs an integrity check on the body of the HTTP request by computing the MD5 hash for the body and comparing it to the MD5 hash supplied in the header. If the two hashes don’t match, the object is rejected and a response with 400 Unmatched Content MD5 error is returned, along with the message: “The computed MD5 of the request body (ACTUAL_MD5) does not match the Content-MD5 header (HEADER_MD5).”

  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
  • buffer_limit (int) –

    (optional) A buffer limit for the stream to be buffered. buffer_limit is used to set the buffer size capacity. Streams will be read until the size of the buffer reaches the buffer_limit. If the stream size is greater than the buffer_limit, a BufferError exception will be thrown.

    The buffer_limit parameter is used when the stream object does not have a seek, tell, or fileno property for the Python Request library to calculate out the content length. If buffer_limit is not passed, then the buffer_limit will be defaulted to 100MB. Large streams can cause the process to freeze, consider passing in content-length for large streams instead.
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use restore_key_from_file API.

restore_key_from_object_store(**kwargs)

Restores the specified key to the specified vault from an Oracle Cloud Infrastructure Object Storage location. If the vault doesn’t exist, the operation returns a response with a 404 HTTP status error code. You need to first restore the vault associated with the key.

Parameters:
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • restore_key_from_object_store_details (oci.key_management.models.RestoreKeyFromObjectStoreDetails) – (optional) Location to restore the backup from
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use restore_key_from_object_store API.

schedule_key_deletion(key_id, schedule_key_deletion_details, **kwargs)

Schedules the deletion of the specified key. This sets the lifecycle state of the key to PENDING_DELETION and then deletes it after the specified retention period ends.

As a provisioning operation, this call is subject to a Key Management limit that applies to the total number of requests across all provisioning write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of provisioning write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • schedule_key_deletion_details (oci.key_management.models.ScheduleKeyDeletionDetails) – (required) ScheduleKeyDeletionDetails
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use schedule_key_deletion API.

schedule_key_version_deletion(key_id, key_version_id, schedule_key_version_deletion_details, **kwargs)

Schedules the deletion of the specified key version. This sets the lifecycle state of the key version to PENDING_DELETION and then deletes it after the specified retention period ends.

As a provisioning operation, this call is subject to a Key Management limit that applies to the total number of requests across all provisioning write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of provisioning write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • key_version_id (str) – (required) The OCID of the key version.
  • schedule_key_version_deletion_details (oci.key_management.models.ScheduleKeyVersionDeletionDetails) – (required) ScheduleKeyVersionDeletionDetails
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • opc_retry_token (str) – (optional) A token that uniquely identifies a request so it can be retried in case of a timeout or server error without risk of executing that same action again. Retry tokens expire after 24 hours, but can be invalidated before then due to conflicting operations (e.g., if a resource has been deleted and purged from the system, then a retry of the original creation request may be rejected).
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type KeyVersion
Return type:

Response
Example:

Click here to see an example of how to use schedule_key_version_deletion API.

update_key(key_id, update_key_details, **kwargs)

Updates the properties of a master encryption key. Specifically, you can update the displayName, freeformTags, and definedTags properties. Furthermore, the key must be in an ENABLED or CREATING state to be updated.

As a management operation, this call is subject to a Key Management limit that applies to the total number of requests across all management write operations. Key Management might throttle this call to reject an otherwise valid request when the total rate of management write operations exceeds 10 requests per second for a given tenancy.

Parameters:
  • key_id (str) – (required) The OCID of the key.
  • update_key_details (oci.key_management.models.UpdateKeyDetails) – (required) UpdateKeyDetails
  • if_match (str) – (optional) For optimistic concurrency control. In the PUT or DELETE call for a resource, set the if-match parameter to the value of the etag from a previous GET or POST response for that resource. The resource will be updated or deleted only if the etag you provide matches the resource’s current etag value.
  • opc_request_id (str) – (optional) Unique identifier for the request. If provided, the returned request ID will include this value. Otherwise, a random request ID will be generated by the service.
  • retry_strategy (obj) –

    (optional) A retry strategy to apply to this specific operation/call. This will override any retry strategy set at the client-level.

    This should be one of the strategies available in the retry module. This operation will not retry by default, users can also use the convenient DEFAULT_RETRY_STRATEGY provided by the SDK to enable retries for it. The specifics of the default retry strategy are described here.

    To have this operation explicitly not perform any retries, pass an instance of NoneRetryStrategy.

  • allow_control_chars (bool) – (optional) allow_control_chars is a boolean to indicate whether or not this request should allow control characters in the response object. By default, the response will not allow control characters in strings
Returns:

A Response object with data of type Key
Return type:

Response
Example:

Click here to see an example of how to use update_key API.