Vault | Python SDK

Vault client

Vault(token, config, logger_name)

Initializes a new Vault client.

required parameters

token

str

Pangea API token.

optional parameters

config

PangeaConfig | None

Configuration.

logger_name

str

Logger name.

config = PangeaConfig(domain="pangea_domain")
vault = Vault(token="pangea_token", config=config)

Decrypt

Vault.decrypt(item_id, cipher_text, version, additional_data)

Decrypt a message using a key.

required parameters

item_id

str

The item ID.

cipher_text

str

A message encrypted by Vault (in base64).

optional parameters

version

int | None

The item version.

additional_data

str | None

User provided authentication data.

Response Object

A PangeaResponse where the decrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.decrypt(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    cipher_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

Decrypt structured

Vault.decrypt_structured(id, structured_data, filter, version, additional_data)

Decrypt parts of a JSON object.

required parameters

structured_data

TDict

Structured data for applying bulk operations.

optional parameters

id

The ID of the key to use.

filter

A filter expression.

version

int | None

The item version. Defaults to the current version.

additional_data

str | None

User provided authentication data.

Response Object

A PangeaResponse where the decrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "kxcbC9E9IlgVaSCChPWUMgUC3ko=", "6FfI/LCzatLRLNAc8SuBK/TDnGxp"], "field2": "data2"}
response = vault.decrypt_structured(
    id="pvi_[...]",
    structured_data=data,
    filter="$.field1[2:4]"
)

Decrypt transform

Vault.decrypt_transform(id, cipher_text, tweak, alphabet, version)

Decrypt using a format-preserving algorithm (FPE).

required parameters

cipher_text

str

A message encrypted by Vault.

tweak

str

User provided tweak string.

alphabet

TransformAlphabet

Set of characters to use for format-preserving encryption (FPE).

optional parameters

id

The item ID.

version

int | None

The item version. Defaults to the current version.

Response Object

A PangeaResponse containing the decrypted message.

vault.decrypt_transform(
    id="pvi_[...]",
    cipher_text="encrypted message",
    tweak="MTIzMTIzMT==",
    alphabet=TransformAlphabet.ALPHANUMERIC,
)

Delete

Vault.delete(item_id, recursive)

Delete a secret or key

required parameters

item_id

str

The item ID.

optional parameters

recursive

bool

Whether to delete the item and all its children recursively. Only applicable to folders.

Response Object

A PangeaResponse where the id of the deleted secret or key is returned in the response.result field. Available response fields can be found in our API documentation.

vault.delete(id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5")

download-file

Vault.download_file()

Encrypt

Vault.encrypt(item_id, plain_text, version, additional_data)

Encrypt a message using a key.

required parameters

item_id

str

The item ID.

plain_text

str

A message to be encrypted (in base64).

optional parameters

version

int | None

The item version.

additional_data

str | None

User provided authentication data.

Response Object

A PangeaResponse where the encrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.encrypt(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    plain_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

Encrypt structured

Vault.encrypt_structured(key_id, structured_data, filter_expr, version, additional_data)

Encrypt parts of a JSON object.

required parameters

key_id

str

The ID of the key to use.

structured_data

TDict

Structured data for applying bulk operations.

filter_expr

str

A filter expression.

optional parameters

version

int | None

The item version. Defaults to the current version.

additional_data

str | None

User provided authentication data.

Response Object

A PangeaResponse where the encrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "true", "false"], "field2": "data2"}
response = vault.encrypt_structured(
    id="pvi_[...]",
    structured_data=data,
    filter="$.field1[2:4]"
)

Encrypt transform

Vault.encrypt_transform(item_id, plain_text, alphabet, tweak, version)

Encrypt using a format-preserving algorithm (FPE).

required parameters

item_id

str

The item ID.

plain_text

str

A message to be encrypted.

alphabet

TransformAlphabet

Set of characters to use for format-preserving encryption (FPE).

optional parameters

tweak

str | None

User provided tweak string. If not provided, a random string will be generated and returned.

version

int | None

The item version. Defaults to the current version.

Response Object

A PangeaResponse containing the encrypted message.

vault.encrypt_transform(
    id="pvi_[...]",
    plain_text="message to encrypt",
    alphabet=TransformAlphabet.ALPHANUMERIC,
    tweak="MTIzMTIzMT==",
)

Export

Vault.export(item_id, version, kem_password, asymmetric_public_key, asymmetric_algorithm)

Export a symmetric or asymmetric key.

required parameters

item_id

str

The item ID.

optional parameters

version

int | None

The item version.

kem_password

str | None

This is the password that will be used along with a salt to derive the symmetric key that is used to encrypt the exported key material.

asymmetric_public_key

str | None

Public key in pem format used to encrypt exported key(s).

asymmetric_algorithm

ExportEncryptionAlgorithm | None

The algorithm of the public key.

Response Object

A PangeaResponse where the exported key is returned in the response.result field. Available response fields can be found in our API documentation.

exp_encrypted_resp = self.vault.export(
    id=id,
    asymmetric_public_key=rsa_pub_key_pem,
    asymmetric_algorithm=ExportEncryptionAlgorithm.RSA4096_OAEP_SHA512,
)

Create

Vault.folder_create(name, folder, metadata, tags, rotation_frequency, rotation_state, rotation_grace_period, disabled_at)

Creates a folder.

required parameters

name

str

The name of this folder.

folder

str

The parent folder where this folder is stored.

optional parameters

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

rotation_frequency

str | None

Period of time between item rotations.

rotation_state

RequestRotationState

State to which the previous version should transition upon rotation.

rotation_grace_period

str | None

Grace period for the previous version.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

response = vault.folder_create(
    name="folder_name",
    folder="parent/folder/name",
)

Generate key

Vault.generate_key(key_type, purpose, algorithm, name, folder, metadata, tags, rotation_frequency, rotation_state, disabled_at, exportable)

Generate a key.

required parameters

key_type

Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]

Key type.

purpose

SymmetricKeyPurpose | AsymmetricKeyPurpose

The purpose of this key.

algorithm

AsymmetricKeyAlgorithm | SymmetricKeyAlgorithm

The algorithm of the key.

optional parameters

name

str | None

The name of this item.

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

rotation_frequency

str | None

Period of time between item rotations.

rotation_state

RequestRotationState | None

State to which the previous version should transition upon rotation.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

exportable

bool

Whether the key is exportable or not.

response = vault.generate_key(
    key_type=ItemType.SYMMETRIC_KEY,
    purpose=SymmetricKeyPurpose.FPE,
    algorithm=SymmetricKeyFpeAlgorithm.AES_FF3_1_256_BETA,
)

Retrieve

Vault.get(item_id, version)

Retrieve a secret, key or folder, and any associated information.

required parameters

item_id

str

The item ID

optional parameters

version

Union[Literal['all'], int, None]

The key version(s).

• all for all versions
• num for a specific version
• -num for the num latest versions

Response Object

A PangeaResponse where the secret or key is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.get(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    version=1,
)

Get bulk

Vault.get_bulk(filter, size, order, order_by, last)

Retrieve details for multiple Vault items, including keys, secrets, tokens, or folders, that match a given filter specification.

optional parameters

filter

Filters to customize your search.

size

int | None

Maximum number of items in the response.

order

ItemOrder | None

Direction for ordering the results.

order_by

ItemOrderBy | None

Property by which to order the results.

last

str | None

Internal ID returned in the previous look up response. Used for pagination.

response = vault.get_bulk({"id": "pvi_..."})

JWT Retrieve

Vault.jwk_get(id, version)

Retrieve a key in JWK format.

optional parameters

id

The item ID

version

str | None

The key version(s).

• all for all versions
• num for a specific version
• -num for the num latest versions

Response Object

A PangeaResponse where the JSON Web Key Set (JWKS) object is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwk_get("pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5")

JWT Sign

Vault.jwt_sign(id, payload)

Sign a JSON Web Token (JWT) using a key.

required parameters

payload

str

The JWT payload (in JSON).

optional parameters

id

The item ID.

Response Object

A PangeaResponse where the signed JSON Web Token (JWS) is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwt_sign(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    payload="{\"sub\": \"1234567890\",\"name\": \"John Doe\",\"admin\": true}"
)

JWT Verify

Vault.jwt_verify(jws)

Verify the signature of a JSON Web Token (JWT).

required parameters

jws

str

The signed JSON Web Token (JWS).

Response Object

A PangeaResponse where the signature is valid is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwt_verify(jws="ewogICJhbGciO...")

List

Vault.list(filter, size, order, order_by, last)

Retrieve a list of secrets, keys and folders, and their associated information.

optional parameters

filter

Optional[Mapping[str, str]]

A set of filters to help you customize your search. Examples:

• "folder": "/tmp"
• "tags": "personal"
• "name__contains": "xxx"
• "created_at__gt": "2020-02-05T10:00:00Z"

For metadata, use: "metadata_{key}": "{value}"

size

int

Maximum number of items in the response. Default is 50.

order

Optional[ItemOrder]

Ordering direction: asc or desc

order_by

ItemOrderBy | None

Property used to order the results. Supported properties: id, type, created_at, algorithm, purpose, expiration, last_rotated, next_rotation, name, folder, item_state.

last

str | None

Internal ID returned in the previous look up response. Used for pagination.

Response Object

A PangeaResponse where a list of secrets or keys is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.list(
    filter={
        "folder": "/",
        "type": "asymmetric_key",
        "name__contains": "test",
        "metadata_key1": "value1",
        "created_at__lt": "2023-12-12T00:00:00Z"
    },
    last="WyIvdGVzdF8yMDdfc3ltbWV0cmljLyJd",
    order=ItemOrder.ASC,
    order_by=ItemOrderBy.NAME,
    size=20,
)

Poll result

Vault.poll_result(exception)

Returns request's result that has been accepted by the server

optional parameters

exception

Optional[AcceptedRequestException]

Exception that was previously raised by the SDK on a call that is being processed.

Response Object

PangeaResponse

response = service.poll_result(exception)

Rotate secret

Vault.rotate_client_secret(item_id, rotation_grace_period, rotation_state)

Rotate a client secret.

required parameters

item_id

str

The item ID.

optional parameters

rotation_grace_period

str | None

Grace period for the previous version of the Pangea Token.

rotation_state

RequestManualRotationState

State to which the previous version should transition upon rotation.

response = vault.rotate_client_secret(item_id="foo")

Rotate key

Vault.rotate_key(key_id, key_type, rotation_state, public_key, private_key, key)

Manually rotate an asymmetric or symmetric key.

required parameters

key_id

str

The ID of the key.

key_type

Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]

Key type.

optional parameters

rotation_state

RequestManualRotationState

State to which the previous version should transition upon rotation.

public_key

str | None

The public key (in PEM format).

private_key

str | None

The private key (in PEM format).

key

str | None

The key material.

response = vault.rotate_key("pvi_...", key_type=ItemType.SYMMETRIC_KEY)

Rotate secret

Vault.rotate_pangea_token(item_id, rotation_grace_period, rotation_state)

Rotate a Pangea token.

required parameters

item_id

str

The item ID.

optional parameters

rotation_grace_period

str | None

Grace period for the previous version of the Pangea Token.

rotation_state

RequestManualRotationState

State to which the previous version should transition upon rotation.

response = vault.rotate_pangea_token(item_id="foo")

Rotate secret

Vault.rotate_secret(item_id, secret, rotation_state)

Rotate a secret.

required parameters

item_id

str

The item ID.

secret

str

The secret value.

optional parameters

rotation_state

RequestManualRotationState

State to which the previous version should transition upon rotation.

response = vault.rotate_secret(item_id="foo", secret="bar")

Sign

Vault.sign(id, message, version)

Sign a message using a key

required parameters

message

str

The message to be signed, in base64.

optional parameters

id

The item ID.

version

int | None

The item version.

Response Object

A PangeaResponse where the signature of the message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.sign(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

State change

Vault.state_change(item_id, state, version, destroy_period)

Change the state of a specific version of a secret or key.

required parameters

item_id

str

The item ID.

state

ItemVersionState

The new state of the item version.

optional parameters

version

int | None

The item version.

destroy_period

str | None

Period of time for the destruction of a compromised key. Only valid if state=compromised.

Response Object

A PangeaResponse where the state change object is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.state_change(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    state=ItemVersionState.DEACTIVATED,
)

Store key

Vault.store_key(key_type, purpose, algorithm, public_key, private_key, key, name, folder, metadata, tags, rotation_frequency, rotation_state, disabled_at, exportable)

Import a key.

required parameters

key_type

Literal[ItemType.ASYMMETRIC_KEY, ItemType.SYMMETRIC_KEY]

Key type.

purpose

SymmetricKeyPurpose | AsymmetricKeyPurpose

The purpose of this key.

algorithm

AsymmetricKeySigningAlgorithm | AsymmetricKeyEncryptionAlgorithm | AsymmetricKeyJwtAlgorithm | AsymmetricKeyPkiAlgorithm | SymmetricKeyEncryptionAlgorithm | SymmetricKeyJwtAlgorithm | SymmetricKeyFpeAlgorithm

The algorithm of the key.

optional parameters

public_key

str | None

The public key (in PEM format).

private_key

str | None

The private key (in PEM format).

key

str | None

The key material.

name

str | None

The name of this item.

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

rotation_frequency

str | None

Period of time between item rotations.

rotation_state

RequestRotationState | None

State to which the previous version should transition upon rotation.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

exportable

bool

Whether the key is exportable or not.

response = vault.store_key(
    key_type=ItemType.SYMMETRIC_KEY,
    purpose=SymmetricKeyPurpose.FPE,
    algorithm=SymmetricKeyFpeAlgorithm.AES_FF3_1_256_BETA,
)

Store secret

Vault.store_pangea_client_secret(client_secret, client_id, client_secret_id, name, folder, metadata, tags, disabled_at, rotation_frequency, rotation_state, rotation_grace_period)

Store a Pangea client secret.

required parameters

client_secret

str

The oauth client secret.

client_id

str

The oauth client ID.

client_secret_id

str

The oauth client secret ID.

optional parameters

name

str | None

The name of this item.

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

rotation_frequency

str | None

Period of time between item rotations.

rotation_state

RotationState | None

State to which the previous version should transition upon rotation.

rotation_grace_period

str | None

Grace period for the previous version of the Pangea Token.

response = vault.store_pangea_client_secret(
    client_secret="foo",
    client_id="bar",
    client_secret_id="baz",
)

Store secret

Vault.store_pangea_token(token, name, folder, metadata, tags, disabled_at)

Store a Pangea token.

required parameters

token

str

The Pangea token value.

optional parameters

name

str | None

The name of this item.

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

response = vault.store_pangea_token(token="foobar")

Store secret

Vault.store_secret(secret, name, folder, metadata, tags, disabled_at)

Store a secret.

required parameters

secret

str

The secret value.

optional parameters

name

str | None

The name of this item.

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

disabled_at

datetime.datetime | None

Timestamp indicating when the item will be disabled.

response = vault.store_secret(secret="foobar")

Update

Vault.update(item_id, name, folder, metadata, tags, disabled_at, enabled, rotation_frequency, rotation_state, rotation_grace_period)

Update information associated with a secret, key or folder.

required parameters

item_id

str

The item ID.

optional parameters

name

str | None

The name of this item

folder

str | None

The folder where this item is stored.

metadata

Metadata | None

User-provided metadata.

tags

Tags | None

A list of user-defined tags.

disabled_at

str | None

Timestamp indicating when the item will be disabled.

enabled

bool | None

True if the item is enabled.

rotation_frequency

str | None

Period of time between item rotations.

rotation_state

RequestRotationState

State to which the previous version should transition upon rotation.

rotation_grace_period

str | None

Grace period for the previous version of the Pangea Token.

Response Object

A PangeaResponse where the item ID is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.update(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
)

Verify

Vault.verify(id, message, signature, version)

Verify a signature using a key.

required parameters

message

str

A message to be verified (in base64).

signature

str

The message signature (in base64).

optional parameters

id

The item ID.

version

int | None

The item version.

Response Object

A PangeaResponse where the signature is valid is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.verify(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    signature="FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ==",
    version=1,
)