
Changing a secret version state

Modifying the state of a secret version

Secret version states can be changed in one of two ways:

  1. During rotation, when a target state is defined. If no state is defined, the current version will transition to "deactivated."
  2. Explicitly changing the state of a version.

For more details on secrets, review the Vault Overview.

import os

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault
from pangea.services.vault.models.common import ItemVersionState


def suspend_version(secret_id, version):
    """Move one version of a Vault secret into the SUSPENDED state.

    The API token and service domain are read from the PANGEA_VAULT_TOKEN
    and PANGEA_DOMAIN environment variables, so no credential appears in
    the source.

    Args:
        secret_id: ID of the Vault secret whose version is being changed.
        version: The version of that secret to suspend.

    Returns:
        None. A PangeaAPIException is caught and printed rather than
        raised, so the return value does not tell the caller whether the
        state change actually took effect.
    """
    client = Vault(
        os.getenv("PANGEA_VAULT_TOKEN"),
        config=PangeaConfig(domain=os.getenv("PANGEA_DOMAIN")),
    )

    try:
        # Swap in a different ItemVersionState member to move the version
        # to another state.
        client.state_change(secret_id, ItemVersionState.SUSPENDED, version)
    except pe.PangeaAPIException as e:
        # Report the API's summary first, then each individual error detail.
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")

Change version state to compromised

When transitioning a secret version to compromised, you must also provide a destruction timeframe that specifies when the secret material is to be destroyed. The example below passes "5days" as that timeframe.


import os

import pangea.exceptions as pe
from pangea.config import PangeaConfig
from pangea.services import Vault
from pangea.services.vault.models.common import ItemVersionState

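def mark_version_compromised(secret_id, version):
    """Mark one version of a Vault secret as COMPROMISED.

    The API token and service domain are read from the PANGEA_VAULT_TOKEN
    and PANGEA_DOMAIN environment variables, so no credential appears in
    the source.

    Args:
        secret_id: ID of the Vault secret whose version is being changed.
        version: The version of that secret to mark as compromised.

    Returns:
        None. A PangeaAPIException is caught and printed rather than
        raised, so the return value does not tell the caller whether the
        version was actually marked compromised; check the printed output
        before treating the version as handled.
    """
    token = os.getenv("PANGEA_VAULT_TOKEN")
    domain = os.getenv("PANGEA_DOMAIN")
    config = PangeaConfig(domain=domain)
    vault = Vault(token, config=config)

    try:
        # Act on the version the caller named. The original passed a
        # hard-coded 1 here, which ignored the `version` argument and could
        # leave the compromised version untouched.
        # "5days" is the destruction timeframe required when moving a
        # version to COMPROMISED.
        vault.state_change(
            secret_id, ItemVersionState.COMPROMISED, version, "5days"
        )
    except pe.PangeaAPIException as e:
        # Report the API's summary first, then each individual error detail.
        print(f"Vault Request Error: {e.response.summary}")
        for err in e.errors:
            print(f"\t{err.detail} \n")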
