Vault | Python SDK

Asymmetric generate

Vault.asymmetric_generate(algorithm, purpose, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Generate an asymmetric key

required parameters

AsymmetricAlgorithm

The algorithm of the key

KeyPurpose

The purpose of this key

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations, or never to disallow rotation

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the ID of the key is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.asymmetric_generate(
    algorithm=AsymmetricAlgorithm.RSA,
    purpose=KeyPurpose.SIGNING,
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Asymmetric store

Vault.asymmetric_store(private_key, public_key, algorithm, purpose, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Import an asymmetric key

required parameters

EncodedPrivateKey

The private key in PEM format

EncodedPublicKey

The public key in PEM format

AsymmetricAlgorithm

The algorithm of the key

KeyPurpose

The purpose of this key: signing, encryption, or jwt.

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations, or never to disallow rotation

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the ID and public key are returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.asymmetric_store(
    private_key="private key example",
    # The PEM below is an Ed25519 public key, so the algorithm must be Ed25519 rather than RSA.
    public_key="-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----",
    algorithm=AsymmetricAlgorithm.Ed25519,
    purpose=KeyPurpose.SIGNING,
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Decrypt

Vault.decrypt(id, cipher_text, version)

Decrypt a message using a key

required parameters

str

The item ID

str

A message encrypted by Vault (in base64)

optional parameters

int

The item version

Response Object

A PangeaResponse where the decrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.decrypt(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    cipher_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

Decrypt structured

Vault.decrypt_structured(id, structured_data, filter, version, additional_data)

Decrypt parts of a JSON object.

required parameters

str

The item ID.

dict

Structured data to decrypt.

optional parameters

str

A filter expression for applying bulk operations to the data field.

int

The item version. Defaults to the current version.

str

User provided authentication data.

Response Object

A PangeaResponse where the decrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "kxcbC9E9IlgVaSCChPWUMgUC3ko=", "6FfI/LCzatLRLNAc8SuBK/TDnGxp"], "field2": "data2"}
response = vault.decrypt_structured(
    id="pvi_[...]",
    structured_data=data,
    filter="$.field1[2:4]"
)

Delete

Vault.delete(id)

Delete a secret or key

required parameters

str

The item ID

Response Object

A PangeaResponse where the id of the deleted secret or key is returned in the response.result field. Available response fields can be found in our API documentation.

vault.delete(id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5")

download-file

Vault.download_file()

Response Object

Encrypt

Vault.encrypt(id, plain_text, version)

Encrypt a message using a key

required parameters

str

The item ID

str

A message to be encrypted (in base64)

optional parameters

int

The item version

Response Object

A PangeaResponse where the encrypted message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.encrypt(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    plain_text="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)
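The Encrypt and Decrypt calls above both exchange base64 strings and take an optional version. The following is an added example, not code from the SDK or its documentation, showing a text round trip that records the key version alongside the ciphertext so that data encrypted before a rotation can still be decrypted. The result field names (`cipher_text`, `plain_text`, `version`), the helper names, and the reading that an omitted version means the current one are assumptions.

```python
import base64


def encrypt_text(vault, key_id: str, text: str) -> dict:
    """Encrypt UTF-8 text and return everything needed to decrypt it later."""
    # Vault expects base64, not the raw string.
    plain_b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    result = vault.encrypt(id=key_id, plain_text=plain_b64).result
    # Assumed result fields: `cipher_text` and `version`. Keep the version with
    # the ciphertext: after a rotation the current version is a different key.
    return {
        "key_id": key_id,
        "version": result.version,
        "cipher_text": result.cipher_text,
    }


def decrypt_text(vault, envelope: dict) -> str:
    """Decrypt an envelope produced by encrypt_text() back to UTF-8 text."""
    # Fail locally on malformed base64 instead of sending it to the service.
    base64.b64decode(envelope["cipher_text"], validate=True)
    result = vault.decrypt(
        id=envelope["key_id"],
        cipher_text=envelope["cipher_text"],
        version=envelope["version"],
    ).result
    # Assumed result field: `plain_text` (base64, per the Response Object text).
    return base64.b64decode(result.plain_text, validate=True).decode("utf-8")
```

Both helpers take an initialized Vault client as `vault`; persist the whole returned envelope, not only the ciphertext.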

Encrypt structured

Vault.encrypt_structured(id, structured_data, filter, version, additional_data)

Encrypt parts of a JSON object.

required parameters

str

The item ID.

dict

Structured data for applying bulk operations.

optional parameters

str

A filter expression for applying bulk operations to the data field.

int

The item version. Defaults to the current version.

str

User provided authentication data.

Response Object

A PangeaResponse where the encrypted object is returned in the response.result field. Available response fields can be found in our API documentation.

data = {"field1": [1, 2, "true", "false"], "field2": "data2"}
response = vault.encrypt_structured(
    id="pvi_[...]",
    structured_data=data,
    filter="$.field1[2:4]"
)
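The filter in the example above, `$.field1[2:4]`, selects only the elements at indexes 2 and 3; everything else in the object is sent and returned unchanged. The following is an added example, not part of the SDK, that previews locally which values a filter of this shape covers, so that a sensitive field left outside the filter is noticed before the call. It handles only the `$.key` and `$.key[start:end]` forms, and flagging non-string matches is an assumption drawn from the page's example, which quotes its booleans as strings.

```python
import re

# Only the two filter shapes used on this page: `$.key` and `$.key[start:end]`.
FILTER_RE = re.compile(r"^\$\.(\w+)(?:\[(-?\d*):(-?\d*)\])?$")


def leaf_paths(data: dict) -> dict:
    """Map each top-level value (or list element) to a JSONPath-style path."""
    leaves = {}
    for key, value in data.items():
        if isinstance(value, list):
            for i, element in enumerate(value):
                leaves[f"$.{key}[{i}]"] = element
        else:
            leaves[f"$.{key}"] = value
    return leaves


def preview_filter(data: dict, filter_expr: str) -> dict:
    """Report which values a filter selects and which stay untouched."""
    match = FILTER_RE.match(filter_expr)
    if match is None:
        raise ValueError(f"unsupported filter expression: {filter_expr!r}")
    key, start, end = match.groups()
    if key not in data:
        raise KeyError(f"{key!r} is not a field of the document")

    if start is None:  # `$.key`: the whole field, every element if it is a list
        value = data[key]
        indexes = range(len(value)) if isinstance(value, list) else None
    else:  # `$.key[start:end]`: half-open slice, end index excluded
        if not isinstance(data[key], list):
            raise TypeError(f"{key!r} is not a list, cannot slice it")
        bounds = slice(int(start) if start else None, int(end) if end else None)
        indexes = range(*bounds.indices(len(data[key])))

    wanted = {f"$.{key}"} if indexes is None else {f"$.{key}[{i}]" for i in indexes}
    leaves = leaf_paths(data)
    selected = {p: v for p, v in leaves.items() if p in wanted}
    return {
        "selected": selected,
        "untouched": {p: v for p, v in leaves.items() if p not in wanted},
        # Assumption: non-string matches deserve review before the call.
        "non_string": [p for p, v in selected.items() if not isinstance(v, str)],
    }
```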

Create

Vault.folder_create(name, folder, metadata, tags)

Creates a folder

required parameters

str

The name of this folder

str

The parent folder where this folder is stored

optional parameters

Metadata

User-provided metadata

Tags

A list of user-defined tags

Response Object

A PangeaResponse where the state change object is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.folder_create(
    name="folder_name",
    folder="parent/folder/name",
)

Retrieve

Vault.get(id, version, version_state, verbose)

Retrieve a secret or key, and any associated information

required parameters

str

The item ID

optional parameters

str, int

The key version(s).

  • all for all versions
  • num for a specific version
  • -num for the num latest versions

ItemVersionState

The state of the item version

bool

Return metadata and extra fields. Default is False.

Response Object

A PangeaResponse where the secret or key is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.get(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    version=1,
    version_state=ItemVersionState.ACTIVE,
    verbose=True,
)

JWT Retrieve

Vault.jwk_get(id, version)

Retrieve a key in JWK format

required parameters

str

The item ID

optional parameters

str

The key version(s).

  • all for all versions
  • num for a specific version
  • -num for the num latest versions

Response Object

A PangeaResponse where the JSON Web Key Set (JWKS) object is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwk_get(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
)

JWT Sign

Vault.jwt_sign(id, payload)

Sign a JSON Web Token (JWT) using a key

required parameters

str

The item ID

str

The JWT payload (in JSON)

Response Object

A PangeaResponse where the signed JSON Web Token (JWS) is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwt_sign(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    payload="{\"sub\": \"1234567890\",\"name\": \"John Doe\",\"admin\": true}"
)

JWT Verify

Vault.jwt_verify(jws)

Verify the signature of a JSON Web Token (JWT)

required parameters

str

The signed JSON Web Token (JWS)

Response Object

A PangeaResponse where the validity of the signature is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.jwt_verify(
    jws="ewogICJhbGciO...",
)

Key rotate

Vault.key_rotate(id, rotation_state, public_key, private_key, key)

Manually rotate a symmetric or asymmetric key

required parameters

str

The ID of the item

optional parameters

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • suspended
  • destroyed

Default is deactivated.

EncodedPublicKey

The public key (in PEM format)

EncodedPrivateKey

The private key (in PEM format)

EncodedSymmetricKey

The key material (in base64)

Response Object

A PangeaResponse where the ID is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.key_rotate(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    rotation_state=ItemVersionState.DEACTIVATED,
    key="lJkk0gCLux+Q+rPNqLPEYw==",
)

List

Vault.list(filter, last, order, order_by, size)

Look up a list of secrets, keys and folders, and their associated information

optional parameters

dict

A set of filters to help you customize your search. Examples:

  • "folder": "/tmp"
  • "tags": "personal"
  • "name__contains": "xxx"
  • "created_at__gt": "2020-02-05T10:00:00Z"

For metadata, use: "metadata_<key>": "<value>"

str

Internal ID returned in the previous look up response. Used for pagination.

ItemOrder

Ordering direction: asc or desc

ItemOrderBy

Property used to order the results. Supported properties: id, type, created_at, algorithm, purpose, expiration, last_rotated, next_rotation, name, folder, item_state.

int

Maximum number of items in the response. Default is 50.

Response Object

A PangeaResponse where a list of secrets or keys is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.list(
    filter={
        "folder": "/",
        "type": "asymmetric_key",
        "name__contains": "test",
        "metadata_key1": "value1",
        "created_at__lt": "2023-12-12T00:00:00Z"
    },
    last="WyIvdGVzdF8yMDdfc3ltbWV0cmljLyJd",
    order=ItemOrder.ASC,
    order_by=ItemOrderBy.NAME,
    size=20,
)
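The `last` parameter described above makes List a cursor-paginated call. The following is an added example, not code from the SDK, that walks every page of a folder and reports keys and secrets with no scheduled rotation or no expiration, using the `next_rotation` and `expiration` properties named in the ordering list. The response shape (`result.items`, `result.last`), the `"folder"` type value, and the function name are assumptions.

```python
def audit_items(vault, folder: str = "/", page_size: int = 50, max_pages: int = 200):
    """Page through Vault.list() and report items lacking rotation or expiration."""
    findings = []
    last = None
    for _ in range(max_pages):  # hard stop so a bad cursor cannot loop forever
        kwargs = {"filter": {"folder": folder}, "size": page_size}
        if last:
            kwargs["last"] = last  # cursor from the previous response
        result = vault.list(**kwargs).result
        # Assumed response shape: result.items (list) and result.last (cursor).
        for item in result.items:
            if item.type == "folder":  # assumed type value for folders
                continue
            problems = []
            if not getattr(item, "next_rotation", None):
                problems.append("no scheduled rotation")
            if not getattr(item, "expiration", None):
                problems.append("no expiration")
            if problems:
                findings.append({"id": item.id, "name": item.name, "problems": problems})
        last = getattr(result, "last", None)
        if not last or not result.items:
            break
    return findings
```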

Token rotate

Vault.pangea_token_rotate(id)

Rotate a Pangea token

required parameters

str

The item ID

Response Object

A PangeaResponse where the token is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.pangea_token_rotate(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
)

Pangea token store

Vault.pangea_token_store(pangea_token, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Import a secret

required parameters

str

The pangea token to store

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the token is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.pangea_token_store(
    pangea_token="ptv_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd",
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Poll result

Vault.poll_result(exception)

Returns the result of a request that has been accepted by the server

required parameters

AcceptedRequestException

Exception raised by the SDK on the call that is being processed.

Response Object

PangeaResponse

# `exception` is the AcceptedRequestException caught from an earlier Vault call
response = vault.poll_result(exception)

Secret rotate

Vault.secret_rotate(id, secret, rotation_state)

Rotate a secret

required parameters

str

The item ID

str

The secret value

optional parameters

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • suspended
  • destroyed

Default is deactivated.

Response Object

A PangeaResponse where the secret is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.secret_rotate(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    secret="12sdfgs4543qv@#%$casd",
    rotation_state=ItemVersionState.DEACTIVATED,
)

Secret store

Vault.secret_store(secret, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Import a secret

required parameters

str

The secret value

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the secret is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.secret_store(
    secret="12sdfgs4543qv@#%$casd",
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Sign

Vault.sign(id, message, version)

Sign a message using a key

required parameters

str

The item ID

str

The message to be signed, in base64

optional parameters

int

The item version

Response Object

A PangeaResponse where the signature of the message in base64 is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.sign(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    version=1,
)

State change

Vault.state_change(id, state, version, destroy_period)

Change the state of a specific version of a secret or key

required parameters

str

The item ID

ItemVersionState

The new state of the item version. Supported options:

  • active
  • deactivated
  • suspended
  • compromised
  • destroyed

optional parameters

int

The item version

str

Period of time for the destruction of a compromised key. Only valid if state=compromised

Response Object

A PangeaResponse where the state change object is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.state_change(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    state=ItemVersionState.DEACTIVATED,
)

Symmetric generate

Vault.symmetric_generate(algorithm, purpose, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Generate a symmetric key

required parameters

SymmetricAlgorithm

The algorithm of the key

KeyPurpose

The purpose of this key

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations, or never to disallow rotation

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the ID of the key is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.symmetric_generate(
    algorithm=SymmetricAlgorithm.AES,
    purpose=KeyPurpose.ENCRYPTION,
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Symmetric store

Vault.symmetric_store(key, algorithm, purpose, name, folder, metadata, tags, rotation_frequency, rotation_state, expiration)

Import a symmetric key

required parameters

str

The key material (in base64)

SymmetricAlgorithm

The algorithm of the key

KeyPurpose

The purpose of this key: encryption or jwt.

str

The name of this item

optional parameters

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations, or never to disallow rotation

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

str

Expiration timestamp

Response Object

A PangeaResponse where the ID is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.symmetric_store(
    key="lJkk0gCLux+Q+rPNqLPEYw==",
    algorithm=SymmetricAlgorithm.AES,
    purpose=KeyPurpose.ENCRYPTION,
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    expiration="2025-01-01T10:00:00Z",
)

Update

Vault.update(id, name, folder, metadata, tags, rotation_frequency, rotation_state, rotation_grace_period, expiration, item_state)

Update information associated with a secret or key.

required parameters

str

The item ID

optional parameters

str

The name of this item

str

The folder where this item is stored

dict

User-provided metadata

list[str]

A list of user-defined tags

str

Period of time between item rotations

ItemVersionState

State to which the previous version should transition upon rotation. Supported options:

  • deactivated
  • destroyed

Default is deactivated.

str

Grace period for the previous version of the Pangea Token

str

Expiration timestamp

ItemState

The new state of the item. Supported options:

  • enabled
  • disabled

Response Object

A PangeaResponse where the item ID is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.update(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    name="my-very-secret-secret",
    folder="/personal",
    metadata={
        "created_by": "John Doe",
        "used_in": "Google products"
    },
    tags=[
        "irs_2023",
        "personal"
    ],
    rotation_frequency="10d",
    rotation_state=ItemVersionState.DEACTIVATED,
    rotation_grace_period="1d",
    expiration="2025-01-01T10:00:00Z",
    item_state=ItemState.DISABLED,
)

Verify

Vault.verify(id, message, signature, version)

Verify a signature using a key

required parameters

str

The item ID

str

A message to be verified (in base64)

str

The message signature (in base64)

optional parameters

int

The item version

Response Object

A PangeaResponse where the validity of the signature is returned in the response.result field. Available response fields can be found in our API documentation.

response = vault.verify(
    id="pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    message="lJkk0gCLux+Q+rPNqLPEYw==",
    signature="FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ==",
    version=1,
)