Skip to main content

Google Cloud KMS-backed Swarmauri key provider for key metadata, encryption, signing, wrapping, public JWKS, and HKDF workflows.

Project description

Swarmauri Logo

PyPI - Downloads Hits PyPI - Python Version PyPI - License PyPI - swarmauri_keyprovider_gcpkms Discord

Swarmauri GCP KMS Key Provider

swarmauri_keyprovider_gcpkms provides GcpKmsKeyProvider, a Swarmauri key provider for Google Cloud Key Management Service. It wraps Cloud KMS REST operations for key metadata, symmetric encryption and decryption, asymmetric signing and verification, RSA-OAEP key wrapping, public JWK/JWKS publishing, random bytes, and HKDF derivation.

Why Swarmauri GCP KMS Key Provider?

Use this package when Swarmauri applications need Google Cloud managed key material behind the shared key-provider interface. It lets agents, token services, envelope-encryption flows, and verifier services work with Cloud KMS keys while keeping credentials, OAuth token refresh, REST requests, public-key caching, and Swarmauri KeyRef metadata in one component.

FAQ

Q: How does the provider authenticate to Google Cloud?

A: The provider uses google.auth.default(scopes=[cloud-platform]), so it works with Application Default Credentials, workload identity, service account credentials, and other Google-supported credential sources.

Q: Does create_key() create every Cloud KMS key type?

A: No. The current create_key() helper creates a symmetric ENCRYPT_DECRYPT crypto key. Use Google Cloud KMS configuration or provisioning workflows for asymmetric signing and asymmetric decrypt keys, then reference them by kid.

Q: What key operations are implemented?

A: The provider implements encrypt(), decrypt(), sign(), verify(), wrap_key(), unwrap_key(), get_key(), list_versions(), get_public_jwk(), jwks(), destroy_key(), random_bytes(), and hkdf().

Q: How are public keys cached?

A: Public PEM responses are cached per crypto key version for five minutes. JWKS generation and verification reuse that cache to reduce Cloud KMS API calls.

Features

  • GcpKmsKeyProvider registered under the swarmauri.key_providers entry point.
  • Google Application Default Credentials and OAuth token refresh.
  • Cloud KMS symmetric encrypt and decrypt REST calls.
  • Cloud KMS asymmetric asymmetricSign calls.
  • Local RSA and EC signature verification using public keys from Cloud KMS.
  • RSA-OAEP wrap_key() with public keys and unwrap_key() through asymmetricDecrypt.
  • RFC 7517 JWK conversion for RSA, P-256, P-384, and secp256k1 public keys.
  • JWKS aggregation across enabled key versions in a key ring.
  • Enabled-version listing and version-specific destroy calls.
  • Local secure random bytes and HKDF helpers.
  • Optional cbor extra for workflows that need canonical CBOR support.
  • Python 3.10, 3.11, 3.12, 3.13, and 3.14 support.

Prerequisites

  • Google Cloud project with the Cloud KMS API enabled.
  • Existing key ring in the selected location.
  • Application Default Credentials available to the runtime.
  • IAM permissions for the operations you use, commonly cloudkms.cryptoKeys.get, cloudkms.cryptoKeys.list, cloudkms.cryptoKeyVersions.list, cloudkms.cryptoKeyVersions.viewPublicKey, cloudkms.cryptoKeyVersions.useToSign, cloudkms.cryptoKeyVersions.useToDecrypt, cloudkms.cryptoKeys.encrypt, cloudkms.cryptoKeys.decrypt, and cloudkms.cryptoKeyVersions.destroy.

Installation

Install with uv:

uv add swarmauri_keyprovider_gcpkms

Install with pip:

pip install swarmauri_keyprovider_gcpkms

Install with CBOR extras:

pip install "swarmauri_keyprovider_gcpkms[cbor]"

Usage

Inspect a Cloud KMS key and publish a public JWK:

import asyncio

from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider


async def main() -> None:
    provider = GcpKmsKeyProvider(
        project_id="my-project",
        location_id="us-central1",
        key_ring_id="swarmauri",
    )
    key_ref = await provider.get_key("jwt-signing-key")
    jwk = await provider.get_public_jwk("jwt-signing-key", key_ref.version)

    print(key_ref.uses)
    print(jwk["kty"])


asyncio.run(main())

Sign and verify with an asymmetric Cloud KMS key:

import asyncio

from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider


async def main() -> None:
    provider = GcpKmsKeyProvider(
        project_id="my-project",
        location_id="us-central1",
        key_ring_id="swarmauri",
    )
    message = b"payload to sign"

    signature = await provider.sign("jwt-signing-key", message)
    verified = await provider.verify("jwt-signing-key", message, signature)

    print(verified)


asyncio.run(main())

Encrypt and decrypt with a symmetric Cloud KMS key:

import asyncio

from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider


async def main() -> None:
    provider = GcpKmsKeyProvider(
        project_id="my-project",
        location_id="us-east1",
        key_ring_id="data-protection",
    )
    aad = b"swarmauri::tenant-a"

    ciphertext = await provider.encrypt(
        "documents",
        b"secret payload",
        aad=aad,
    )
    plaintext = await provider.decrypt(
        "documents",
        ciphertext,
        aad=aad,
    )

    print(plaintext)


asyncio.run(main())

Wrap and unwrap data keys with an RSA decrypt key:

import asyncio

from swarmauri_keyprovider_gcpkms import GcpKmsKeyProvider


async def main() -> None:
    provider = GcpKmsKeyProvider(
        project_id="my-project",
        location_id="us-east1",
        key_ring_id="data-protection",
    )
    data_key = await provider.random_bytes(32)

    wrapped = await provider.wrap_key("rsa-wrapping-key", data_key)
    unwrapped = await provider.unwrap_key("rsa-wrapping-key", wrapped)

    print(unwrapped == data_key)


asyncio.run(main())

Related Packages

Key provider packages:

Foundational packages:

Best Practices

  • Prefer workload identity or managed service account credentials over long-lived local key files.
  • Use version-specific operations when destroying key material.
  • Refresh JWKS caches after rotation when verifier services need immediate key visibility.
  • Keep Cloud KMS key creation and IAM policy setup in infrastructure code for repeatability.
  • Use wrap_key() and unwrap_key() for envelope encryption keys, and encrypt()/decrypt() for symmetric Cloud KMS crypto keys.

License

Apache-2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz (14.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

File details

Details for the file swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz.

File metadata

  • Download URL: swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz
  • Upload date:
  • Size: 14.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_keyprovider_gcpkms-0.11.0.dev1.tar.gz
Algorithm Hash digest
SHA256 6705a84c98b74010a76531855bc2e23d9beacfee435fe2953f1faf4f5e0f5f32
MD5 8a43205ca562545a91c951784c174cff
BLAKE2b-256 8ccc6914017110177adac9af086e49ce8d5b68b579d43bba251ad83d1eeebd5f

See more details on using hashes here.

File details

Details for the file swarmauri_keyprovider_gcpkms-0.11.0.dev1-py3-none-any.whl.

File metadata

  • Download URL: swarmauri_keyprovider_gcpkms-0.11.0.dev1-py3-none-any.whl
  • Upload date:
  • Size: 13.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.26 {"installer":{"name":"uv","version":"0.11.26","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for swarmauri_keyprovider_gcpkms-0.11.0.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 4ae838252dc4b082439ae75fc1dbb6f85c690a0076d7caca02e79b55c82544c0
MD5 de519a62339f43145cb92f36b5ae440d
BLAKE2b-256 0e8853a3d05c939ab307ea85547c612ee8f125d7503e071d235aef01561a7c3e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page