
Automate vSphere Native Key Providers

vCenter 7.0 Update 2 introduced the Native Key Provider functionality. It is now very easy to set up encryption using the native key provider: a UI user simply enters a key provider name and backs up the secret data to activate it. It is similarly simple to automate vSphere Native Key Providers through the API. The big difference from past APIs is that the native key provider is part of the Automation SDK and not, as one would traditionally expect, under CryptoManager in the vSphere Management SDK.

You can learn more about vSphere Native Key Providers from this video: Managing Key Providers in vSphere Client.

This blog post demonstrates simple operations with the Automation and Management APIs using Python to get you started with Native Key Providers. The vSphere Management API has been modernized to support JSON, thereby allowing a wider set of clients to access it. We will refer to the JSON documentation for both APIs in this post so that the workflows can be replicated using only JSON and HTTP.

You will need a Mac or Linux-like environment with Python 3.9+ installed to use the sample code in this post.

First steps with vSphere Automation SDK Python

In this chapter we will set up a vSphere Python development environment.

The vSphere Automation SDK for Python is on GitHub and VMware’s website. We will use GitHub in this post as it is easier. Some organizations prefer the added security of direct download from vmware.com to avoid supply chain attacks.

Firstly, we create a folder and set up our project.

Secondly, we configure a Python environment:

Thirdly, we download the necessary dependencies

Lastly, to keep our script free from secrets and sensitive data we will set several environment variables. We assume vCenter accepts a username and password; vCenters set up with an external Identity Provider may require an OAuth 2 workflow instead. Replace the vCenter details in the commands below and issue them in your shell:

This completes the setup of the vSphere Automation SDK for Python.

Connect to vCenter and list existing native key providers

In a code editor of your choice create a new file, “main.py”, inside the “nkp_demo” folder. On Mac one can open it in Visual Studio Code from Terminal as follows:

Firstly, import some packages that we will need in our demo:

Secondly, let’s initialize settings for our demo

Thirdly, we connect both the Automation SDK and pyVmomi to vCenter:

The connect function initializes both libraries with the vCenter server address and credentials. We get back VsphereClient and ServiceInstance objects. The get_kms_providers method helps with auto-completion in editors like Visual Studio Code.

We will discuss the cryptoManager and CryptoManagerKmip logic later when we set default key provider.

Fourthly, we fetch and print the Native Key Provider data

The kmsProviders.list() API returns a list of summary details for the Native Key Providers, including the name and overall status of each key provider. To see more we need to call the kmsProviders.get() API with the provider name/identifier.
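The following is an added example, not code from the original post or its gist, that puts the steps above together: settings are read from environment variables so no secret lives in the script, both SDKs are connected, and the list()/get() pair is reduced to a simple per-provider lookup. The environment variable names (NKP_VC_HOST, NKP_VC_USER, NKP_VC_PASSWORD, NKP_VC_VERIFY_TLS) are hypothetical, and the stub path client.vcenter.crypto_manager.kms.Providers as well as the Summary attributes provider, type and health are assumed from the vSphere Automation SDK for Python.

```python
"""Added example (not the post's own code): settings from the environment,
connect the Automation SDK and pyVmomi, and summarize Native Key Providers.

Assumptions (labelled): the NKP_VC_* variable names are hypothetical; the
attribute path client.vcenter.crypto_manager.kms.Providers and the Summary
fields `provider`, `type`, `health` are assumed from the vSphere Automation SDK.
"""
import os
import ssl
from dataclasses import dataclass

REQUIRED_VARS = ("NKP_VC_HOST", "NKP_VC_USER", "NKP_VC_PASSWORD")


@dataclass(frozen=True)
class Settings:
    host: str
    user: str
    password: str
    verify_tls: bool


def settings_from_env(environ=None) -> Settings:
    """Build Settings from environment variables; secrets never live in code.

    Missing or empty values raise a clear error instead of sending an empty
    password to vCenter. NKP_VC_VERIFY_TLS defaults to true and only accepts
    "true"/"false", so a typo cannot silently disable certificate checks.
    """
    env = os.environ if environ is None else environ
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    raw_verify = env.get("NKP_VC_VERIFY_TLS", "true").strip().lower()
    if raw_verify not in ("true", "false"):
        raise ValueError("NKP_VC_VERIFY_TLS must be 'true' or 'false'")
    return Settings(env["NKP_VC_HOST"], env["NKP_VC_USER"],
                    env["NKP_VC_PASSWORD"], raw_verify == "true")


def connect(settings: Settings):
    """Connect the Automation SDK (VsphereClient) and pyVmomi (ServiceInstance).

    The SDK imports are local so the pure helpers stay usable without them.
    """
    import requests
    from pyVim.connect import SmartConnect
    from vmware.vapi.vsphere.client import create_vsphere_client

    session = requests.Session()
    session.verify = settings.verify_tls
    client = create_vsphere_client(server=settings.host, username=settings.user,
                                   password=settings.password, session=session)
    ctx = ssl.create_default_context()
    if not settings.verify_tls:  # lab use only; keep verification on in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    si = SmartConnect(host=settings.host, user=settings.user,
                      pwd=settings.password, sslContext=ctx)
    return client, si


def get_kms_providers(client):
    """Return the Providers stub (assumed attribute path); a typed helper
    gives editors something to auto-complete on."""
    return client.vcenter.crypto_manager.kms.Providers


def summarize_providers(summaries):
    """Reduce Providers.list() output to sorted (name, type, health) tuples.

    Accepts any objects exposing `provider`, `type` and `health`, so it can be
    exercised with constructed data as well as real Summary objects.
    """
    return sorted((str(s.provider), str(s.type), str(s.health)) for s in summaries)


def list_native_providers(providers):
    """List all providers, then fetch full details for each NATIVE one."""
    rows = summarize_providers(providers.list())
    return {name: providers.get(name) for name, ptype, _ in rows if ptype == "NATIVE"}


if __name__ == "__main__":
    cfg = settings_from_env()
    vsphere_client, service_instance = connect(cfg)
    kms = get_kms_providers(vsphere_client)
    for name, info in list_native_providers(kms).items():
        print(name, info)
```

Keeping the SDK imports inside connect() means settings_from_env() and summarize_providers() can be unit-tested on a machine without the SDKs or a vCenter, and the strict true/false parsing of the TLS switch is deliberate: an unrecognized value fails loudly rather than quietly turning certificate verification off.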

Lastly we save and run the program:

If you have no Native Key Providers set and all is well then you will see something like:

Let’s Add a Native Key Provider

Add the following to the end of your file:

The kmsProviders.create() API creates a new Native Key Provider. Similar to the UI, it needs a name and a flag indicating whether to work with TPM-enabled hosts only.

If you run the program again you should now see a bit more output.

Back up the Native Key Providers

To activate the Native Key Provider its secret keys need to be backed up first. This is a bit tricky through the API as it requires two distinct steps.

Firstly, we need to initiate the export by calling the kmsProviders.export() API. It requires the name identifier of the key provider and a password to encrypt the exported data. When successful, the output of the API contains a URL and a bearer authentication token to download the exported data.

Secondly, we need to make an HTTP POST request to the URL with the authentication token to fetch the exported PKCS#12 data.

When all goes to plan we will see the following output at the end. This indicates the Native Key Provider is now active and ready to use.

… what do I do if my Native Key Provider is corrupted?

We backed up and activated the Native Key Provider. Let’s take a second to see how we can restore the provider from the backup.

Firstly, we accidentally delete the key provider:

Secondly, we restore the provider from the backup we took before:
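The following added example, which is not code from the original post or its gist, covers both the two-step backup described in the previous section (export, then a POST with the bearer token to download the PKCS#12 blob) and the restore described here. It assumes `providers` is a Providers stub from the vSphere Automation SDK, and the field names it relies on (ExportSpec.provider/password, ExportResult.location.url, location.download_token.token and .token_type, ImportSpec.config/password, and the import_provider method) are assumed from that SDK; SAMPLE_EXPORT_RESULT is a constructed stand-in for what export() returns, not real vCenter output.

```python
"""Added example (not the post's own code): back up a Native Key Provider in
two steps (export, then download with the bearer token) and restore it.

Assumptions (labelled): `providers` is an Automation SDK Providers stub; the
ExportSpec/ExportResult/ImportSpec field names and the import_provider method
are assumed from the SDK. SAMPLE_EXPORT_RESULT is constructed, not real output.
"""
import os
import urllib.request
from types import SimpleNamespace

# Constructed sample of an export result; the URL and token are placeholders.
SAMPLE_EXPORT_RESULT = SimpleNamespace(
    type="LOCATION",
    location=SimpleNamespace(
        url="https://vc.example.test/constructed-export-download-path",
        download_token=SimpleNamespace(token="constructed-token",
                                       token_type="Bearer",
                                       expiry="2030-01-01T00:00:00Z"),
    ),
    data=None,
)


def start_export(providers, provider_name, backup_password):
    """Step 1: ask vCenter to export the provider, encrypted with our password."""
    from com.vmware.vcenter.crypto_manager.kms_client import Providers  # assumed
    spec = Providers.ExportSpec(provider=provider_name, password=backup_password)
    return providers.export(spec)


def download_request_from_export(export_result):
    """Turn an export result into (url, headers) for step 2.

    Checks that the result carries a download location, that the token really
    is a bearer token, and that the URL is HTTPS before the token goes into an
    Authorization header.
    """
    location = getattr(export_result, "location", None)
    if location is None or not getattr(location, "url", None):
        raise ValueError("export result carries no download location")
    token = location.download_token
    token_type = str(token.token_type)
    if token_type.lower() != "bearer":
        raise ValueError(f"unexpected token type {token_type!r}")
    url = str(location.url)
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the download token over plain HTTP")
    headers = {"Authorization": f"Bearer {token.token}",
               "Accept": "application/octet-stream"}
    return url, headers


def write_private_file(dest_path, blob):
    """Store the backup readable only by its owner; returns bytes written.

    Together with the export password this file is all that is needed to
    rebuild the provider's keys, so it must not be world-readable.
    """
    fd = os.open(dest_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(blob)
    os.chmod(dest_path, 0o600)  # tighten an existing file created with a wider mode
    return len(blob)


def download_backup(url, headers, dest_path):
    """Step 2: POST to the URL with the bearer token and save the PKCS#12 blob."""
    request = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(request) as response:  # TLS verified by default
        blob = response.read()
    return write_private_file(dest_path, blob)


def restore_provider(providers, backup_path, backup_password):
    """Re-create a deleted provider from the PKCS#12 backup and its password."""
    from com.vmware.vcenter.crypto_manager.kms_client import Providers  # assumed
    with open(backup_path, "rb") as handle:
        blob = handle.read()
    return providers.import_provider(Providers.ImportSpec(config=blob,
                                                          password=backup_password))


if __name__ == "__main__":
    url, headers = download_request_from_export(SAMPLE_EXPORT_RESULT)
    print("would POST to", url, "with header names", sorted(headers))
    # Against a live vCenter, with `kms` being the Providers stub and the
    # backup password taken from the environment (hypothetical variable name):
    #   result = start_export(kms, "nkp-demo", os.environ["NKP_BACKUP_PASSWORD"])
    #   url, headers = download_request_from_export(result)
    #   download_backup(url, headers, "nkp-demo.p12")
    #   restore_provider(kms, "nkp-demo.p12", os.environ["NKP_BACKUP_PASSWORD"])
```

The download token is a credential in its own right, so the helper refuses to place it on a non-HTTPS URL, and the backup file is created with mode 0600 from the start rather than chmod'ed afterwards, which would leave a window where it is readable by others.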

How to make a Native Key Provider default?

To use the Native Key Provider we may want to set it as the default for a cluster or for the whole vCenter system. To get or set the default key provider we use the GetDefaultKmsCluster and SetDefaultKmsCluster APIs. These are Management APIs available in the pyVmomi library. Earlier we initialized a connection to vCenter using pyVmomi, obtained a reference to the CryptoManager from the ServiceInstance content object and checked that it supports the extended CryptoManagerKmip API.

Paste the following to the end of the script to see how setting default Key Provider works.

At the end we clean up by reverting the default key provider and deleting the demo Native Key Provider.
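As an added example, not code from the original post or its gist, the following shows the pyVmomi side of the workflow: checking that the CryptoManager is the KMIP-capable variant, reading the current default, setting a new one, and reverting so the clean-up step has the previous value to go back to. It assumes `content` is the RetrieveContent() result of a pyVmomi ServiceInstance, and that CryptoManagerKmip.GetDefaultKmsCluster(entity, defaultsToParent), SetDefaultKmsCluster(entity, clusterId) and vim.encryption.KeyProviderId(id=...) behave as described in the pyVmomi API.

```python
"""Added example (not the post's own code): get, set and revert the default
key provider with the vSphere Management API through pyVmomi.

Assumptions (labelled): `content` comes from ServiceInstance.RetrieveContent();
GetDefaultKmsCluster/SetDefaultKmsCluster and vim.encryption.KeyProviderId are
used as the author of this example understands the pyVmomi API.
"""
from contextlib import contextmanager


def kmip_crypto_manager(content):
    """Return content.cryptoManager after checking it supports key providers."""
    from pyVmomi import vim  # local import keeps the pure helpers SDK-free
    manager = content.cryptoManager
    if not isinstance(manager, vim.encryption.CryptoManagerKmip):
        raise RuntimeError("this vCenter's CryptoManager does not support key providers")
    return manager


def default_provider_name(key_provider_id):
    """Map the KeyProviderId returned by GetDefaultKmsCluster to a plain name
    (None when no default is set)."""
    return None if key_provider_id is None else str(key_provider_id.id)


def get_default_key_provider(manager, entity=None):
    """Read the default for a cluster (entity) or, with entity=None, for vCenter.

    defaultsToParent=True means a cluster without its own default reports the
    vCenter-wide one, which is what is actually in effect for that cluster.
    """
    return default_provider_name(
        manager.GetDefaultKmsCluster(entity=entity, defaultsToParent=True))


def set_default_key_provider(manager, provider_name, entity=None):
    """Set the default (provider_name=None clears it) and return the previous
    default so the caller can revert."""
    from pyVmomi import vim
    previous = get_default_key_provider(manager, entity)
    key_id = None if provider_name is None else vim.encryption.KeyProviderId(id=provider_name)
    manager.SetDefaultKmsCluster(entity=entity, clusterId=key_id)
    return previous


@contextmanager
def temporary_default_key_provider(manager, provider_name, entity=None):
    """Make provider_name the default for the duration of the block, then
    restore whatever was the default before, even if the block raises."""
    previous = set_default_key_provider(manager, provider_name, entity)
    try:
        yield previous
    finally:
        set_default_key_provider(manager, previous, entity)


if __name__ == "__main__":
    # With `service_instance` from the pyVmomi connection and `kms` being the
    # Automation SDK Providers stub used earlier in the post:
    #   manager = kmip_crypto_manager(service_instance.RetrieveContent())
    #   print("current default:", get_default_key_provider(manager))
    #   with temporary_default_key_provider(manager, "nkp-demo") as before:
    #       print("default is now nkp-demo; was", before)
    #   kms.delete("nkp-demo")   # clean-up, after the default has been reverted
    pass
```

Reverting before deleting matters: a key provider that is still the default for a cluster or for vCenter should not simply disappear, so the context manager restores the previous default first and the delete comes after it.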

Conclusion

We saw that it is easy to automate vSphere Native Key Providers. As with other vSphere functionality, to effectively automate Native Key Providers both the vSphere Automation and vSphere Management APIs need to be used in tandem.

You can find the full source code to this article in this GitHub gist.

Follow us on Twitter @VMware_API_team and send us any feedback.