Google Cloud KMS-backed Swarmauri key provider for key metadata, encryption, signing, wrapping, public JWKS, and HKDF workflows.
Project description
Swarmauri GCP KMS Key Provider
swarmauri_keyprovider_gcpkms provides GcpKmsKeyProvider, a Swarmauri key provider for Google Cloud Key Management Service. It wraps Cloud KMS REST operations for key metadata, symmetric encryption and decryption, asymmetric signing and verification, RSA-OAEP key wrapping, public JWK/JWKS publishing, random bytes, and HKDF derivation.
Why Swarmauri GCP KMS Key Provider?
Use this package when Swarmauri applications need Google Cloud managed key material behind the shared key-provider interface. It lets agents, token services, envelope-encryption flows, and verifier services work with Cloud KMS keys while keeping credentials, OAuth token refresh, REST requests, public-key caching, and Swarmauri KeyRef metadata in one component.
FAQ
Q: How does the provider authenticate to Google Cloud?
A: The provider uses google.auth.default(scopes=[cloud-platform]), so it works with Application Default Credentials, workload identity, service account credentials, and other Google-supported credential sources.
Q: Does create_key() create every Cloud KMS key type?
A: No. The current create_key() helper creates a symmetric ENCRYPT_DECRYPT crypto key. Use Google Cloud KMS configuration or provisioning workflows for asymmetric signing and asymmetric decrypt keys, then reference them by kid.
Q: What key operations are implemented?
A: The provider implements encrypt(), decrypt(), sign(), verify(), wrap_key(), unwrap_key(), get_key(), list_versions(), get_public_jwk(), jwks(), destroy_key(), random_bytes(), and hkdf().
Q: How are public keys cached?
A: Public PEM responses are cached per crypto key version for five minutes. JWKS generation and verification reuse that cache to reduce Cloud KMS API calls.
Features
GcpKmsKeyProviderregistered under theswarmauri.key_providersentry point.- Google Application Default Credentials and OAuth token refresh.
- Cloud KMS symmetric
encryptanddecryptREST calls. - Cloud KMS asymmetric
asymmetricSigncalls. - Local RSA and EC signature verification using public keys from Cloud KMS.
- RSA-OAEP
wrap_key()with public keys andunwrap_key()throughasymmetricDecrypt. - RFC 7517 JWK conversion for RSA, P-256, P-384, and secp256k1 public keys.
- JWKS aggregation across enabled key versions in a key ring.
- Enabled-version listing and version-specific destroy calls.
- Local secure random bytes and HKDF helpers.
- Optional
cborextra for workflows that need canonical CBOR support. - Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.
Prerequisites
- Google Cloud project with the Cloud KMS API enabled.
- Existing key ring in the selected location.
- Application Default Credentials available to the runtime.
- IAM permissions for the operations you use, commonly
cloudkms.cryptoKeys.get,cloudkms.cryptoKeys.list,cloudkms.cryptoKeyVersions.list,cloudkms.cryptoKeyVersions.viewPublicKey,cloudkms.cryptoKeyVersions.useToSign,cloudkms.cryptoKeyVersions.useToDecrypt,cloudkms.cryptoKeys.encrypt,cloudkms.cryptoKeys.decrypt, andcloudkms.cryptoKeyVersions.destroy.
Installation
Install with uv:
uv add swarmauri_keyprovider_gcpkms
Install with pip:
pip install swarmauri_keyprovider_gcpkms
Install with CBOR extras:
pip install "swarmauri_keyprovider_gcpkms[cbor]"
Usage
Inspect a Cloud KMS key and publish a public JWK:
import asyncio
from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider
async def main() -> None:
provider = GcpKmsKeyProvider(
project_id="my-project",
location_id="us-central1",
key_ring_id="swarmauri",
)
key_ref = await provider.get_key("jwt-signing-key")
jwk = await provider.get_public_jwk("jwt-signing-key", key_ref.version)
print(key_ref.uses)
print(jwk["kty"])
asyncio.run(main())
Sign and verify with an asymmetric Cloud KMS key:
import asyncio
from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider
async def main() -> None:
provider = GcpKmsKeyProvider(
project_id="my-project",
location_id="us-central1",
key_ring_id="swarmauri",
)
message = b"payload to sign"
signature = await provider.sign("jwt-signing-key", message)
verified = await provider.verify("jwt-signing-key", message, signature)
print(verified)
asyncio.run(main())
Encrypt and decrypt with a symmetric Cloud KMS key:
import asyncio
from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider
async def main() -> None:
provider = GcpKmsKeyProvider(
project_id="my-project",
location_id="us-east1",
key_ring_id="data-protection",
)
aad = b"swarmauri::tenant-a"
ciphertext = await provider.encrypt(
"documents",
b"secret payload",
aad=aad,
)
plaintext = await provider.decrypt(
"documents",
ciphertext,
aad=aad,
)
print(plaintext)
asyncio.run(main())
Wrap and unwrap data keys with an RSA decrypt key:
import asyncio
from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider
async def main() -> None:
provider = GcpKmsKeyProvider(
project_id="my-project",
location_id="us-east1",
key_ring_id="data-protection",
)
data_key = await provider.random_bytes(32)
wrapped = await provider.wrap_key("rsa-wrapping-key", data_key)
unwrapped = await provider.unwrap_key("rsa-wrapping-key", wrapped)
print(unwrapped == data_key)
asyncio.run(main())
Related Packages
Key provider packages:
- swarmauri_keyprovider_aws_kms
- swarmauri_keyprovider_vaulttransit
- swarmauri_keyprovider_file
- swarmauri_keyprovider_local
- swarmauri_keyprovider_inmemory
- swarmauri_keyprovider_remote_jwks
Foundational packages:
- swarmauri_core defines key provider types.
- swarmauri_base provides
KeyProviderBase. - swarmauri_standard provides standard Swarmauri components.
- swarmauri provides namespace imports and plugin discovery.
Best Practices
- Prefer workload identity or managed service account credentials over long-lived local key files.
- Use version-specific operations when destroying key material.
- Refresh JWKS caches after rotation when verifier services need immediate key visibility.
- Keep Cloud KMS key creation and IAM policy setup in infrastructure code for repeatability.
- Use
wrap_key()andunwrap_key()for envelope encryption keys, andencrypt()/decrypt()for symmetric Cloud KMS crypto keys.
License
Apache-2.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz.
File metadata
- Download URL: swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz
- Upload date:
- Size: 14.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6705a84c98b74010a76531855bc2e23d9beacfee435fe2953f1faf4f5e0f5f32
|
|
| MD5 |
8a43205ca562545a91c951784c174cff
|
|
| BLAKE2b-256 |
8ccc6914017110177adac9af086e49ce8d5b68b579d43bba251ad83d1eeebd5f
|
File details
Details for the file swarmauri_keyprovider_gcpkms-0.11.0.dev1-py3-none-any.whl.
File metadata
- Download URL: swarmauri_keyprovider_gcpkms-0.11.0.dev1-py3-none-any.whl
- Upload date:
- Size: 13.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4ae838252dc4b082439ae75fc1dbb6f85c690a0076d7caca02e79b55c82544c0
|
|
| MD5 |
de519a62339f43145cb92f36b5ae440d
|
|
| BLAKE2b-256 |
0e8853a3d05c939ab307ea85547c612ee8f125d7503e071d235aef01561a7c3e
|