Welcome to the redstone documentation.


The redstone package is available for install from PyPA with pip:

$ pip install -U redstone


redstone — Redstone Package

The redstone module is used to interact with various IBM Cloud services.

Basic usage involves getting a Session object, which can be used to build a client for interacting with a specific service.

For example, to interact with Resource Controller, we can use the default session to get a client to talk to Resource Controller:

>>> import redstone
>>> session = redstone.get_default_session()
>>> rc = session.service("ResourceController")

The service() function at the top level can be used as a shortcut for accessing the default session to build clients. This is equivalent to the above:

>>> import redstone
>>> rc = redstone.service("ResourceController")

The default session is constructed lazily on first access and looks for the environment variable IBMCLOUD_API_KEY to use as a credential for interacting with services.

The default session can be overriden or created manually if desired. Any clients created using the default session will then use that session instead.

>>> import redstone
>>> redstone.DEFAULT_SESSION = redstone.Session(iam_api_key="...")
>>> rc = redstone.service("ResourceController")


redstone.DEFAULT_SESSION = None

Holds the current default Session or None if no session has been built yet.

class redstone.Session(region=None, iam_api_key=None)[source]

Session objects are used to create clients used to interact with various services. They hold region endpoint information and a credential object that is used by the clients for authentication. It’s main purpose for sharing and caching credentials for use between multiple clients/services.

A Session can be created manually, but there is also a default session that can be accessed by using the get_default_session() function.

service(service_name, **kwargs)[source]

Returns the current default session for building clients objects.

redstone.service(service_name, **kwargs)[source]

Create and return a new client using the DEFAULT_SESSION.

redstone.auth — IBM Cloud IAM Authentication

This module holds functionality for authenticating with IBM Cloud services, which mainly involves getting a token from IAM and using that token while making requests to the various other services.

Most users will want to use the high level TokenManager which provides caching and automatic refresh for tokens.

There is also a low level auth() function that can be used to request a new token from IAM as needed.


class redstone.auth.TokenManager(api_key, iam_endpoint=None)[source]

TokenManager objects are a wrapper around an API key credential, which is used to request tokens when they are needed.

A TokenManager object caches tokens to minimize requests to IAM, and also will take care of requesting new tokens when the current cached one is expired.

Example usage:

tokman = TokenManager(api_key="my-cloud-api-key")

# get_token() will return a cached version or request one if needed
iam_token = tokman.get_token()
get_token() → str[source]

Retrieve a valid, unexpired token from IAM if needed, or return a cached, unexpired token.


Use to check if the cached IAM Refresh token needs to be refreshed.

The Refresh token is a different token than the IAM token used to interact with services. A Refresh token is a longer lasting token that can be used instead of an API key or password credential to request a new IAM token. It is useful for some specific cases, where the API key or password needs to be dropped and the Refresh token can be used instead to generate IAM tokens.


bool, True if the Refresh token needs to be refreshed, False otherwise


Use to check if the cached IAM token needs to be refreshed.


bool, True if the token needs to be refreshed, False otherwise

redstone.auth.auth(username=None, password=None, apikey=None, refresh_token=None, iam_endpoint=None)[source]

Makes a authentication request to the IAM API to retrieve an IAM token and IAM Refresh token.

  • username – Username

  • password – Password

  • apikey – IBMCloud/Bluemix API Key

  • refresh_token – IBM IAM Refresh Token, if specified the refresh token is used to authenticate, instead of the API key

  • iam_endpoint – base URL that can be specified to override the default IAM endpoint, if one, for example, wanted to test against their own IAM or an internal server



redstone.auth.find_space_and_org(bearer_token, org_name, space_name)[source]
redstone.auth.get_spaces(bearer_token, spaces_path)[source]

redstone.client — Redstone Service Clients

This module holds the service specific client classes, as well as the BaseClient class that they extend from for shared business function.

If you wish to add or extend functionality to a client or service, this is where the concrete classes and logic are for those purposes.


class redstone.client.BaseClient(region=None, service_instance_id=None, iam_api_key=None, verify=True, endpoint_url=None, credentials=None)[source]
class redstone.client.CIS(*args, **kwargs)[source]
names = ['cis']
class redstone.client.CISAuth(credentials)[source]
class redstone.client.IKS(*args, **kwargs)[source]

Retrieve a KubeConfig that can be used with kubectl to interact with the given IKS cluster.


base64 encoded file data; can be decode and written to file, or used with the python kubernetes client to interact in the same process

get_clusters() → List[Dict][source]

List the current IKS clusters in a specific region.


A list of dict objects representing the cluster metadata.


List the workers in an IKS cluster.

names = ['iks']
update_master(cluster, version)[source]

Initate an update on the master nodes of a cluster.

update_worker(cluster, worker)[source]

Initiate an update on a worker node.

The worker node will update to the latest revision that matches the master/API server version. i.e. If the master is at 1.16.x, the worker will update to the latest 1.16.x series.

class redstone.client.KeyProtect(*args, **kwargs)[source]

API Docs:

exception KeyProtectError[source]
static wrap(http_error)[source]
create(name, payload=None, raw_payload=None, root=False)[source]
names = ['kms']
rotate(key_id, payload=None)[source]
unwrap(key_id, ciphertext, aad=None)[source]
wrap(key_id, plaintext, aad=None)[source]
class redstone.client.ResourceController(*args, **kwargs)[source]

Client class for interacting with the Resource Controller service, which is used for managing service instances within the cloud account.

API Docs:
KEYPROTECT_PLAN_ID = 'eedd3585-90c6-4c8f-be3d-062069e99fc3'
create_instance(name, plan_id, region=None, resource_group=None)[source]

Create/provision a service instance.


tuple of (service_GUID, service_CRN) if successful


Exception if there is an error


Delete/deprovision a service instance identified by the given CRN or UUID.


Retrieve a list of all the service and resource instances in the current account.

Note this will return an iterator that will handle the underlying pagination of large sets of instances returned.


a generator type that iterates over the collection of instances returned from the API request

names = ['rc']
class redstone.client.TokenAuth(credentials)[source]

redstone.crypto — Encrypting/Decrypting with KeyProtect


redstone.crypto.decrypt(source: bytes, session: Optional[redstone.Session] = None) → Tuple[bytes, redstone.crypto.MessageHeader][source]

Decrypt data previously encrypted with the encrypt function.

redstone.crypto.encrypt(source: bytes, key_crns: List[str], aad: Optional[str] = None, session: Optional[redstone.Session] = None) → Tuple[bytes, redstone.crypto.MessageHeader][source]

Encrypt byte data using a given set of keys from KeyProtect.

Indices and tables