Change a key version state
Modify the state of a key version
Key version states can be changed in one of two ways:
- During rotation, when a target state is defined. If no state is defined, the current version will transition to Deactivated.
- Explicitly changing the state of a version.
For more details on keys, review the Vault Overview.
import os
import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault
from pangea.services.vault.models.common import ItemVersionState
def suspend_version(key_id: str, version: int) -> None:
token = os.getenv("PANGEA_VAULT_TOKEN")
domain = os.getenv("PANGEA_DOMAIN")
config = PangeaConfig(domain=domain)
vault = Vault(token, config=config)
try:
# use other state names to change to other states
vault.state_change(key_id, ItemVersionState.SUSPENDED, version)
except pe.PangeaAPIException as e:
print(f"Vault Request Error: {e.response.summary}")
for err in e.errors:
print(f"\t{err.detail} \n")
Change version state to compromised
When transitioning a key version to compromised, you must additionally provide a destruction timeframe, indicating when you want the key material to be destroyed.
import os
import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault
from pangea.services.vault.models.common import ItemVersionState
def mark_version_compromised(secret_id, version):
token = os.getenv("PANGEA_VAULT_TOKEN")
domain = os.getenv("PANGEA_DOMAIN")
config = PangeaConfig(domain=domain)
vault = Vault(token, config=config)
try:
vault.state_change(secret_id, ItemVersionState.COMPROMISED, version, "5days")
except pe.PangeaAPIException as e:
print(f"Vault Request Error: {e.response.summary}")
for err in e.errors:
print(f"\t{err.detail} \n")
Was this article helpful?