Skip to content

feat(IAM Identity): add apikey expiration #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pyrooka merged 1 commit into from
Jan 13, 2026
Merged

feat(IAM Identity): add apikey expiration #314

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
175 changes: 79 additions & 96 deletions ibm_platform_services/iam_identity_v1.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# coding: utf-8

# (C) Copyright IBM Corp. 2025.
# (C) Copyright IBM Corp. 2026.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -919,6 +919,7 @@ def create_api_key(
store_value: Optional[bool] = None,
support_sessions: Optional[bool] = None,
action_when_leaked: Optional[str] = None,
expires_at: Optional[str] = None,
entity_lock: Optional[str] = None,
entity_disable: Optional[str] = None,
**kwargs,
Expand Down Expand Up @@ -954,6 +955,8 @@ def create_api_key(
access, delete or rotate the API key. Available only for user API keys.
:param str action_when_leaked: (optional) Defines the action to take when
API key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
:param str entity_lock: (optional) Indicates if the API key is locked for
further write operations. False by default.
:param str entity_disable: (optional) Indicates if the API key is disabled.
Expand Down Expand Up @@ -987,6 +990,7 @@ def create_api_key(
'store_value': store_value,
'support_sessions': support_sessions,
'action_when_leaked': action_when_leaked,
'expires_at': expires_at,
}
data = {k: v for (k, v) in data.items() if v is not None}
data = json.dumps(data)
Expand Down Expand Up @@ -1127,6 +1131,7 @@ def update_api_key(
description: Optional[str] = None,
support_sessions: Optional[bool] = None,
action_when_leaked: Optional[str] = None,
expires_at: Optional[str] = None,
**kwargs,
) -> DetailedResponse:
"""
Expand Down Expand Up @@ -1155,6 +1160,8 @@ def update_api_key(
access, delete or rotate the API key. Available only for user API keys.
:param str action_when_leaked: (optional) Defines the action to take when
API key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
:param dict headers: A `dict` containing the request headers
:return: A `DetailedResponse` containing the result, headers and HTTP status code.
:rtype: DetailedResponse with `dict` result representing a `ApiKey` object
Expand All @@ -1179,6 +1186,7 @@ def update_api_key(
'description': description,
'support_sessions': support_sessions,
'action_when_leaked': action_when_leaked,
'expires_at': expires_at,
}
data = {k: v for (k, v) in data.items() if v is not None}
data = json.dumps(data)
Expand Down Expand Up @@ -7750,6 +7758,8 @@ class ApiKey:
delete or rotate the API key. Available only for user API keys.
:param str action_when_leaked: (optional) Defines the action to take when API
key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
:param str description: (optional) The optional description of the API key. The
'description' property is only available if a description was provided during a
create of an API key.
Expand Down Expand Up @@ -7783,6 +7793,7 @@ def __init__(
modified_at: Optional[datetime] = None,
support_sessions: Optional[bool] = None,
action_when_leaked: Optional[str] = None,
expires_at: Optional[str] = None,
description: Optional[str] = None,
history: Optional[List['EnityHistoryRecord']] = None,
activity: Optional['Activity'] = None,
Expand Down Expand Up @@ -7826,6 +7837,8 @@ def __init__(
access, delete or rotate the API key. Available only for user API keys.
:param str action_when_leaked: (optional) Defines the action to take when
API key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
:param str description: (optional) The optional description of the API key.
The 'description' property is only available if a description was provided
during a create of an API key.
Expand All @@ -7844,6 +7857,7 @@ def __init__(
self.name = name
self.support_sessions = support_sessions
self.action_when_leaked = action_when_leaked
self.expires_at = expires_at
self.description = description
self.iam_id = iam_id
self.account_id = account_id
Expand Down Expand Up @@ -7889,6 +7903,8 @@ def from_dict(cls, _dict: Dict) -> 'ApiKey':
args['support_sessions'] = support_sessions
if (action_when_leaked := _dict.get('action_when_leaked')) is not None:
args['action_when_leaked'] = action_when_leaked
if (expires_at := _dict.get('expires_at')) is not None:
args['expires_at'] = expires_at
if (description := _dict.get('description')) is not None:
args['description'] = description
if (iam_id := _dict.get('iam_id')) is not None:
Expand Down Expand Up @@ -7944,6 +7960,8 @@ def to_dict(self) -> Dict:
_dict['support_sessions'] = self.support_sessions
if hasattr(self, 'action_when_leaked') and self.action_when_leaked is not None:
_dict['action_when_leaked'] = self.action_when_leaked
if hasattr(self, 'expires_at') and self.expires_at is not None:
_dict['expires_at'] = self.expires_at
if hasattr(self, 'description') and self.description is not None:
_dict['description'] = self.description
if hasattr(self, 'iam_id') and self.iam_id is not None:
Expand Down Expand Up @@ -8007,6 +8025,10 @@ class ApiKeyInsideCreateServiceIdRequest:
key value is retrievable in the future by using the Get details of an API key
request. If you create an API key for a user, you must specify `false` or omit
the value. We don't allow storing of API keys for users.
:param str action_when_leaked: (optional) Defines the action to take when API
key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
"""

def __init__(
Expand All @@ -8016,6 +8038,8 @@ def __init__(
description: Optional[str] = None,
apikey: Optional[str] = None,
store_value: Optional[bool] = None,
action_when_leaked: Optional[str] = None,
expires_at: Optional[str] = None,
) -> None:
"""
Initialize a ApiKeyInsideCreateServiceIdRequest object.
Expand All @@ -8037,11 +8061,17 @@ def __init__(
API key value is retrievable in the future by using the Get details of an
API key request. If you create an API key for a user, you must specify
`false` or omit the value. We don't allow storing of API keys for users.
:param str action_when_leaked: (optional) Defines the action to take when
API key is leaked, valid values are 'none', 'disable' and 'delete'.
:param str expires_at: (optional) Date and time when the API key becomes
invalid, ISO 8601 datetime in the format 'yyyy-MM-ddTHH:mm+0000'.
"""
self.name = name
self.description = description
self.apikey = apikey
self.store_value = store_value
self.action_when_leaked = action_when_leaked
self.expires_at = expires_at

@classmethod
def from_dict(cls, _dict: Dict) -> 'ApiKeyInsideCreateServiceIdRequest':
Expand All @@ -8057,6 +8087,10 @@ def from_dict(cls, _dict: Dict) -> 'ApiKeyInsideCreateServiceIdRequest':
args['apikey'] = apikey
if (store_value := _dict.get('store_value')) is not None:
args['store_value'] = store_value
if (action_when_leaked := _dict.get('action_when_leaked')) is not None:
args['action_when_leaked'] = action_when_leaked
if (expires_at := _dict.get('expires_at')) is not None:
args['expires_at'] = expires_at
return cls(**args)

@classmethod
Expand All @@ -8075,6 +8109,10 @@ def to_dict(self) -> Dict:
_dict['apikey'] = self.apikey
if hasattr(self, 'store_value') and self.store_value is not None:
_dict['store_value'] = self.store_value
if hasattr(self, 'action_when_leaked') and self.action_when_leaked is not None:
_dict['action_when_leaked'] = self.action_when_leaked
if hasattr(self, 'expires_at') and self.expires_at is not None:
_dict['expires_at'] = self.expires_at
return _dict

def _to_dict(self):
Expand Down Expand Up @@ -9634,90 +9672,6 @@ def __ne__(self, other: 'MfaEnrollmentTypeStatus') -> bool:
return not self == other


class MfaEnrollments:
"""
MfaEnrollments.

:param str effective_mfa_type: currently effective mfa type i.e. id_based_mfa or
account_based_mfa.
:param IdBasedMfaEnrollment id_based_mfa: (optional)
:param AccountBasedMfaEnrollment account_based_mfa: (optional)
"""

def __init__(
self,
effective_mfa_type: str,
*,
id_based_mfa: Optional['IdBasedMfaEnrollment'] = None,
account_based_mfa: Optional['AccountBasedMfaEnrollment'] = None,
) -> None:
"""
Initialize a MfaEnrollments object.

:param str effective_mfa_type: currently effective mfa type i.e.
id_based_mfa or account_based_mfa.
:param IdBasedMfaEnrollment id_based_mfa: (optional)
:param AccountBasedMfaEnrollment account_based_mfa: (optional)
"""
self.effective_mfa_type = effective_mfa_type
self.id_based_mfa = id_based_mfa
self.account_based_mfa = account_based_mfa

@classmethod
def from_dict(cls, _dict: Dict) -> 'MfaEnrollments':
"""Initialize a MfaEnrollments object from a json dictionary."""
args = {}
if (effective_mfa_type := _dict.get('effective_mfa_type')) is not None:
args['effective_mfa_type'] = effective_mfa_type
else:
raise ValueError('Required property \'effective_mfa_type\' not present in MfaEnrollments JSON')
if (id_based_mfa := _dict.get('id_based_mfa')) is not None:
args['id_based_mfa'] = IdBasedMfaEnrollment.from_dict(id_based_mfa)
if (account_based_mfa := _dict.get('account_based_mfa')) is not None:
args['account_based_mfa'] = AccountBasedMfaEnrollment.from_dict(account_based_mfa)
return cls(**args)

@classmethod
def _from_dict(cls, _dict):
"""Initialize a MfaEnrollments object from a json dictionary."""
return cls.from_dict(_dict)

def to_dict(self) -> Dict:
"""Return a json dictionary representing this model."""
_dict = {}
if hasattr(self, 'effective_mfa_type') and self.effective_mfa_type is not None:
_dict['effective_mfa_type'] = self.effective_mfa_type
if hasattr(self, 'id_based_mfa') and self.id_based_mfa is not None:
if isinstance(self.id_based_mfa, dict):
_dict['id_based_mfa'] = self.id_based_mfa
else:
_dict['id_based_mfa'] = self.id_based_mfa.to_dict()
if hasattr(self, 'account_based_mfa') and self.account_based_mfa is not None:
if isinstance(self.account_based_mfa, dict):
_dict['account_based_mfa'] = self.account_based_mfa
else:
_dict['account_based_mfa'] = self.account_based_mfa.to_dict()
return _dict

def _to_dict(self):
"""Return a json dictionary representing this model."""
return self.to_dict()

def __str__(self) -> str:
"""Return a `str` version of this MfaEnrollments object."""
return json.dumps(self.to_dict(), indent=2)

def __eq__(self, other: 'MfaEnrollments') -> bool:
"""Return `true` when self and other are equal, false otherwise."""
if not isinstance(other, self.__class__):
return False
return self.__dict__ == other.__dict__

def __ne__(self, other: 'MfaEnrollments') -> bool:
"""Return `true` when self and other are not equal, false otherwise."""
return not self == other


class PolicyTemplateReference:
"""
Metadata for external access policy.
Expand Down Expand Up @@ -14267,14 +14221,19 @@ class UserReportMfaEnrollmentStatus:
:param str name: (optional) Name of the user.
:param str username: Username of the user.
:param str email: (optional) Email of the user.
:param MfaEnrollments enrollments:
:param str effective_mfa_type: currently effective mfa type i.e. id_based_mfa or
account_based_mfa.
:param IdBasedMfaEnrollment id_based_mfa:
:param AccountBasedMfaEnrollment account_based_mfa:
"""

def __init__(
self,
iam_id: str,
username: str,
enrollments: 'MfaEnrollments',
effective_mfa_type: str,
id_based_mfa: 'IdBasedMfaEnrollment',
account_based_mfa: 'AccountBasedMfaEnrollment',
*,
name: Optional[str] = None,
email: Optional[str] = None,
Expand All @@ -14284,15 +14243,20 @@ def __init__(

:param str iam_id: IAMid of the user.
:param str username: Username of the user.
:param MfaEnrollments enrollments:
:param str effective_mfa_type: currently effective mfa type i.e.
id_based_mfa or account_based_mfa.
:param IdBasedMfaEnrollment id_based_mfa:
:param AccountBasedMfaEnrollment account_based_mfa:
:param str name: (optional) Name of the user.
:param str email: (optional) Email of the user.
"""
self.iam_id = iam_id
self.name = name
self.username = username
self.email = email
self.enrollments = enrollments
self.effective_mfa_type = effective_mfa_type
self.id_based_mfa = id_based_mfa
self.account_based_mfa = account_based_mfa

@classmethod
def from_dict(cls, _dict: Dict) -> 'UserReportMfaEnrollmentStatus':
Expand All @@ -14310,10 +14274,22 @@ def from_dict(cls, _dict: Dict) -> 'UserReportMfaEnrollmentStatus':
raise ValueError('Required property \'username\' not present in UserReportMfaEnrollmentStatus JSON')
if (email := _dict.get('email')) is not None:
args['email'] = email
if (enrollments := _dict.get('enrollments')) is not None:
args['enrollments'] = MfaEnrollments.from_dict(enrollments)
if (effective_mfa_type := _dict.get('effective_mfa_type')) is not None:
args['effective_mfa_type'] = effective_mfa_type
else:
raise ValueError(
'Required property \'effective_mfa_type\' not present in UserReportMfaEnrollmentStatus JSON'
)
if (id_based_mfa := _dict.get('id_based_mfa')) is not None:
args['id_based_mfa'] = IdBasedMfaEnrollment.from_dict(id_based_mfa)
else:
raise ValueError('Required property \'id_based_mfa\' not present in UserReportMfaEnrollmentStatus JSON')
if (account_based_mfa := _dict.get('account_based_mfa')) is not None:
args['account_based_mfa'] = AccountBasedMfaEnrollment.from_dict(account_based_mfa)
else:
raise ValueError('Required property \'enrollments\' not present in UserReportMfaEnrollmentStatus JSON')
raise ValueError(
'Required property \'account_based_mfa\' not present in UserReportMfaEnrollmentStatus JSON'
)
return cls(**args)

@classmethod
Expand All @@ -14332,11 +14308,18 @@ def to_dict(self) -> Dict:
_dict['username'] = self.username
if hasattr(self, 'email') and self.email is not None:
_dict['email'] = self.email
if hasattr(self, 'enrollments') and self.enrollments is not None:
if isinstance(self.enrollments, dict):
_dict['enrollments'] = self.enrollments
if hasattr(self, 'effective_mfa_type') and self.effective_mfa_type is not None:
_dict['effective_mfa_type'] = self.effective_mfa_type
if hasattr(self, 'id_based_mfa') and self.id_based_mfa is not None:
if isinstance(self.id_based_mfa, dict):
_dict['id_based_mfa'] = self.id_based_mfa
else:
_dict['enrollments'] = self.enrollments.to_dict()
_dict['id_based_mfa'] = self.id_based_mfa.to_dict()
if hasattr(self, 'account_based_mfa') and self.account_based_mfa is not None:
if isinstance(self.account_based_mfa, dict):
_dict['account_based_mfa'] = self.account_based_mfa
else:
_dict['account_based_mfa'] = self.account_based_mfa.to_dict()
return _dict

def _to_dict(self):
Expand Down
13 changes: 12 additions & 1 deletion test/integration/test_iam_identity_v1.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -328,6 +328,7 @@ def test_create_api_key1(self):
iam_id=self.iam_id,
description='PythonSDK test apikey #1',
account_id=self.account_id,
expires_at='2049-01-02T18:30:00+0000',
)

assert create_api_key_response.get_status_code() == 201
Expand Down Expand Up @@ -467,7 +468,10 @@ def test_update_api_key(self):

new_description = 'This is an updated description'
update_api_key_response = self.iam_identity_service.update_api_key(
id=apikey_id1, if_match=apikey_etag1, description=new_description
id=apikey_id1,
if_match=apikey_etag1,
description=new_description,
expires_at='2049-01-02T18:30:00+0000',
)

assert update_api_key_response.get_status_code() == 200
Expand Down Expand Up @@ -552,10 +556,17 @@ def test_delete_api_key2(self):

@needscredentials
def test_create_service_id(self):
api_key_inside_create_service_id_request_model = {
'name': 'API Key Name',
'store_value': True,
'expires_at': '2049-01-02T18:30:00+0000',
}

create_service_id_response = self.iam_identity_service.create_service_id(
account_id=self.account_id,
name=self.serviceid_name,
description='PythonSDK test serviceid',
apikey=api_key_inside_create_service_id_request_model,
)

assert create_service_id_response.get_status_code() == 201
Expand Down
Loading