# Strata Cloud Manager SDK
[](https://codecov.io/github/cdot65/pan-scm-sdk)
[](https://github.com/cdot65/pan-scm-sdk/actions/workflows/ci.yml)
[](https://badge.fury.io/py/pan-scm-sdk)
[](https://pypi.org/project/pan-scm-sdk/)
[](https://github.com/cdot65/pan-scm-sdk/blob/main/LICENSE)
[](https://deepwiki.com/cdot65/pan-scm-sdk)
Python SDK for Palo Alto Networks Strata Cloud Manager.
> **NOTE**: Please refer to the [GitHub Pages documentation site](https://cdot65.github.io/pan-scm-sdk/) for all
> examples
## Table of Contents
- [Strata Cloud Manager SDK](#strata-cloud-manager-sdk)
- [Table of Contents](#table-of-contents)
- [Features](#features)
- [Development Guidelines](#development-guidelines)
- [Installation](#installation)
- [Usage](#usage)
- [Authentication](#authentication)
- [Method 1: OAuth2 Client Credentials passed into a ScmClient instance](#method-1-oauth2-client-credentials-passed-into-a-scmclient-instance)
- [Method 2: Bearer Token Authentication](#method-2-bearer-token-authentication)
- [TLS Certificate Verification Control](#tls-certificate-verification-control)
- [Available Client Services](#available-client-services)
- [Development](#development)
- [Setup](#setup)
- [Code Quality](#code-quality)
- [Pre-commit Hooks](#pre-commit-hooks)
- [Contributing](#contributing)
- [License](#license)
- [Support](#support)
## Features
- **Flexible Authentication**:
- OAuth2 client credentials flow for standard authentication
- Bearer token support for scenarios with pre-acquired tokens
- **Resource Management**: Create, read, update, and delete configuration objects such as addresses, address groups,
applications, regions, internal DNS servers, and more.
- **Data Validation**: Utilize Pydantic models for data validation and serialization.
- **Exception Handling**: Comprehensive error handling with custom exceptions for API errors.
- **Extensibility**: Designed for easy extension to support additional resources and endpoints.
## Development Guidelines
For developers working on this SDK:
- **Service File Standards**: See `SDK_STYLING_GUIDE.md` for comprehensive service file guidelines
- **Model Standards**: See `CLAUDE_MODELS.md` for Pydantic model patterns and conventions
- **Templates**: Use `SDK_SERVICE_TEMPLATE.py` as a starting point for new services
- **Claude Code Integration**: Reference `CLAUDE.md` for AI-assisted development guidelines
## Installation
**Requirements**:
- Python 3.10 or higher
Install the package via pip:
```bash
pip install pan-scm-sdk
```
## Usage
### TLS Certificate Verification Control
By default, the SDK verifies TLS certificates for all HTTPS requests. You can bypass TLS verification (for development or testing) by setting the `verify_ssl` flag to `False` when initializing `Scm` or `ScmClient`:
```python
from scm.client import ScmClient
client = ScmClient(
client_id="...",
client_secret="...",
tsg_id="...",
verify_ssl=False, # WARNING: disables TLS verification!
)
```
> **Warning:** Disabling TLS verification is insecure and exposes you to man-in-the-middle attacks. Only use `verify_ssl=False` in trusted development environments.
### Authentication
Before interacting with the SDK, you need to authenticate:
#### Method 1: OAuth2 Client Credentials passed into a ScmClient instance
```python
from scm.client import ScmClient
# Initialize the API client with OAuth2 client credentials
api_client = ScmClient(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id",
)
# The SCM client is now ready to use
```
#### Method 2: Bearer Token Authentication
If you already have a valid OAuth token, you can use it directly:
```python
from scm.client import Scm
# Initialize the API client with a pre-acquired bearer token
api_client = Scm(
access_token="your_bearer_token"
)
# The SCM client is now ready to use
```
> **NOTE**: When using bearer token authentication, token refresh is your responsibility. For commit operations with bearer token auth, you must explicitly provide the `admin` parameter.
```python
# Example of commit with bearer token authentication
api_client.commit(
folders=["Texas"],
description="Configuration changes",
admin=["admin@example.com"], # Required when using bearer token
sync=True
)
```
### Available Client Services
The unified client provides access to the following services through attribute-based access:
| Client Property | Description |
| ---------------------------------- | ------------------------------------------------------------- |
| **Objects** | |
| `address` | IP addresses, CIDR ranges, and FQDNs for security policies |
| `address_group` | Static or dynamic collections of address objects |
| `application` | Custom application definitions and signatures |
| `application_filter` | Filters for identifying applications by characteristics |
| `application_group` | Logical groups of applications for policy application |
| `auto_tag_action` | Automated tag assignment based on traffic and security events |
| `dynamic_user_group` | User groups with dynamic membership criteria |
| `external_dynamic_list` | Externally managed lists of IPs, URLs, or domains |
| `hip_object` | Host information profile match criteria |
| `hip_profile` | Endpoint security compliance profiles |
| `http_server_profile` | HTTP server configurations for logging and monitoring |
| `log_forwarding_profile` | Configurations for forwarding logs to external systems |
| `quarantined_device` | Management of devices blocked from network access |
| `region` | Geographic regions for policy control |
| `schedule` | Time-based policies and access control |
| `service` | Protocol and port definitions for network services |
| `service_group` | Collections of services for simplified policy management |
| `syslog_server_profile` | Syslog server configurations for centralized logging |
| `tag` | Resource classification and organization labels |
| **Mobile Agent** | |
| `auth_setting` | GlobalProtect authentication settings |
| `agent_version` | GlobalProtect agent versions (read-only) |
| **Network** | |
| `ike_crypto_profile` | IKE crypto profiles for VPN tunnel encryption |
| `ike_gateway` | IKE gateways for VPN tunnel endpoints |
| `ipsec_crypto_profile` | IPsec crypto profiles for VPN tunnel encryption |
| `nat_rule` | Network address translation policies for traffic routing |
| `security_zone` | Security zones for network segmentation |
| **Deployment** | |
| `bandwidth_allocation` | Bandwidth allocation management for network capacity planning |
| `bgp_routing` | BGP routing configuration for network connectivity |
| `internal_dns_server` | Internal DNS server configurations for domain resolution |
| `network_location` | Geographic network locations for service connectivity |
| `remote_network` | Secure branch and remote site connectivity configurations |
| `service_connection` | Service connections to cloud service providers |
| **Security** | |
| `security_rule` | Core security policies controlling network traffic |
| `anti_spyware_profile` | Protection against spyware, C2 traffic, and data exfiltration |
| `decryption_profile` | SSL/TLS traffic inspection configurations |
| `dns_security_profile` | Protection against DNS-based threats and tunneling |
| `url_category` | Custom URL categorization for web filtering |
| `vulnerability_protection_profile` | Defense against known CVEs and exploit attempts |
| `wildfire_antivirus_profile` | Cloud-based malware analysis and zero-day protection |
| **Setup** | |
| `device` | Device resources and management |
| `folder` | Folder organization and hierarchy |
| `label` | Resource classification and simple key-value object labels |
| `snippet` | Reusable configuration snippets |
| `variable` | Typed variables with flexible container scoping |
---
## Development
Before starting development, please review:
- `SDK_STYLING_GUIDE.md` - Comprehensive guide for writing consistent SDK code
- `CLAUDE_MODELS.md` - Guidelines for creating Pydantic models
- `SDK_SERVICE_TEMPLATE.py` - Template for new service files
- `WINDSURF_RULES.md` - Overall project standards
### Setup
1. Clone the repository:
```bash
git clone https://github.com/cdot65/pan-scm-sdk.git
cd pan-scm-sdk
```
2. Install dependencies and pre-commit hooks:
```bash
make setup
```
Alternatively, you can install manually:
```bash
poetry install
poetry run pre-commit install
```
### Code Quality
This project uses [ruff](https://github.com/astral-sh/ruff) for linting and formatting:
```bash
# Run linting checks
make lint
# Format code
make format
# Auto-fix linting issues when possible
make fix
```
### Pre-commit Hooks
We use pre-commit hooks to ensure code quality before committing:
```bash
# Run pre-commit hooks on all files
make pre-commit-all
```
The following checks run automatically before each commit:
- ruff linting and formatting
- Trailing whitespace removal
- End-of-file fixer
- YAML/JSON syntax checking
- Large file detection
- Python syntax validation
- Merge conflict detection
- Private key detection
## Contributing
We welcome contributions! To contribute:
1. Fork the repository.
2. Create a new feature branch (`git checkout -b feature/your-feature`).
3. Make your changes, ensuring all linting and tests pass.
4. Commit your changes (`git commit -m 'Add new feature'`).
5. Push to your branch (`git push origin feature/your-feature`).
6. Open a Pull Request.
Ensure your code adheres to the project's coding standards and includes tests where appropriate.
## License
This project is licensed under the Apache 2.0 License. See the [LICENSE](./LICENSE) file for details.
## Support
For support and questions, please refer to the [SUPPORT.md](./SUPPORT.md) file in this repository.
---
_Detailed documentation is available on our [GitHub Pages documentation site](https://cdot65.github.io/pan-scm-sdk/)._
Raw data
{
"_id": null,
"home_page": "https://github.com/cdot65/pan-scm-sdk",
"name": "pan-scm-sdk",
"maintainer": null,
"docs_url": null,
"requires_python": "<4.0,>=3.10",
"maintainer_email": null,
"keywords": "paloaltonetworks, stratacloudmanager, scm",
"author": "Calvin Remsburg",
"author_email": "calvin@cdot.io",
"download_url": "https://files.pythonhosted.org/packages/18/3b/ce40526c157ef1f66d006763b2b534a7f200d66ca57a5351390bffcbb1f8/pan_scm_sdk-0.3.44.tar.gz",
"platform": null,
"description": "# Strata Cloud Manager SDK\n\n\n[](https://codecov.io/github/cdot65/pan-scm-sdk)\n[](https://github.com/cdot65/pan-scm-sdk/actions/workflows/ci.yml)\n[](https://badge.fury.io/py/pan-scm-sdk)\n[](https://pypi.org/project/pan-scm-sdk/)\n[](https://github.com/cdot65/pan-scm-sdk/blob/main/LICENSE)\n[](https://deepwiki.com/cdot65/pan-scm-sdk)\n\nPython SDK for Palo Alto Networks Strata Cloud Manager.\n\n> **NOTE**: Please refer to the [GitHub Pages documentation site](https://cdot65.github.io/pan-scm-sdk/) for all\n> examples\n\n## Table of Contents\n\n- [Strata Cloud Manager SDK](#strata-cloud-manager-sdk)\n - [Table of Contents](#table-of-contents)\n - [Features](#features)\n - [Development Guidelines](#development-guidelines)\n - [Installation](#installation)\n - [Usage](#usage)\n - [Authentication](#authentication)\n - [Method 1: OAuth2 Client Credentials passed into a ScmClient instance](#method-1-oauth2-client-credentials-passed-into-a-scmclient-instance)\n - [Method 2: Bearer Token Authentication](#method-2-bearer-token-authentication)\n - [TLS Certificate Verification Control](#tls-certificate-verification-control)\n - [Available Client Services](#available-client-services)\n - [Development](#development)\n - [Setup](#setup)\n - [Code Quality](#code-quality)\n - [Pre-commit Hooks](#pre-commit-hooks)\n - [Contributing](#contributing)\n - [License](#license)\n - [Support](#support)\n\n## Features\n\n- **Flexible Authentication**:\n - OAuth2 client credentials flow for standard authentication\n - Bearer token support for scenarios with pre-acquired tokens\n- **Resource Management**: Create, read, update, and delete configuration objects such as addresses, address groups,\n applications, regions, internal DNS servers, and more.\n- **Data Validation**: Utilize Pydantic models for data validation and serialization.\n- **Exception Handling**: Comprehensive error handling with custom exceptions for API errors.\n- **Extensibility**: Designed for easy extension to support additional resources and endpoints.\n\n## Development Guidelines\n\nFor developers working on this SDK:\n\n- **Service File Standards**: See `SDK_STYLING_GUIDE.md` for comprehensive service file guidelines\n- **Model Standards**: See `CLAUDE_MODELS.md` for Pydantic model patterns and conventions\n- **Templates**: Use `SDK_SERVICE_TEMPLATE.py` as a starting point for new services\n- **Claude Code Integration**: Reference `CLAUDE.md` for AI-assisted development guidelines\n\n## Installation\n\n**Requirements**:\n\n- Python 3.10 or higher\n\nInstall the package via pip:\n\n```bash\npip install pan-scm-sdk\n```\n\n## Usage\n\n### TLS Certificate Verification Control\n\nBy default, the SDK verifies TLS certificates for all HTTPS requests. You can bypass TLS verification (for development or testing) by setting the `verify_ssl` flag to `False` when initializing `Scm` or `ScmClient`:\n\n```python\nfrom scm.client import ScmClient\n\nclient = ScmClient(\n client_id=\"...\",\n client_secret=\"...\",\n tsg_id=\"...\",\n verify_ssl=False, # WARNING: disables TLS verification!\n)\n```\n\n> **Warning:** Disabling TLS verification is insecure and exposes you to man-in-the-middle attacks. Only use `verify_ssl=False` in trusted development environments.\n\n### Authentication\n\nBefore interacting with the SDK, you need to authenticate:\n\n#### Method 1: OAuth2 Client Credentials passed into a ScmClient instance\n\n```python\nfrom scm.client import ScmClient\n\n# Initialize the API client with OAuth2 client credentials\napi_client = ScmClient(\n client_id=\"your_client_id\",\n client_secret=\"your_client_secret\",\n tsg_id=\"your_tsg_id\",\n)\n\n# The SCM client is now ready to use\n```\n\n#### Method 2: Bearer Token Authentication\n\nIf you already have a valid OAuth token, you can use it directly:\n\n```python\nfrom scm.client import Scm\n\n# Initialize the API client with a pre-acquired bearer token\napi_client = Scm(\n access_token=\"your_bearer_token\"\n)\n\n# The SCM client is now ready to use\n```\n\n> **NOTE**: When using bearer token authentication, token refresh is your responsibility. For commit operations with bearer token auth, you must explicitly provide the `admin` parameter.\n\n```python\n# Example of commit with bearer token authentication\napi_client.commit(\n folders=[\"Texas\"],\n description=\"Configuration changes\",\n admin=[\"admin@example.com\"], # Required when using bearer token\n sync=True\n)\n```\n\n### Available Client Services\n\nThe unified client provides access to the following services through attribute-based access:\n\n| Client Property | Description |\n| ---------------------------------- | ------------------------------------------------------------- |\n| **Objects** | |\n| `address` | IP addresses, CIDR ranges, and FQDNs for security policies |\n| `address_group` | Static or dynamic collections of address objects |\n| `application` | Custom application definitions and signatures |\n| `application_filter` | Filters for identifying applications by characteristics |\n| `application_group` | Logical groups of applications for policy application |\n| `auto_tag_action` | Automated tag assignment based on traffic and security events |\n| `dynamic_user_group` | User groups with dynamic membership criteria |\n| `external_dynamic_list` | Externally managed lists of IPs, URLs, or domains |\n| `hip_object` | Host information profile match criteria |\n| `hip_profile` | Endpoint security compliance profiles |\n| `http_server_profile` | HTTP server configurations for logging and monitoring |\n| `log_forwarding_profile` | Configurations for forwarding logs to external systems |\n| `quarantined_device` | Management of devices blocked from network access |\n| `region` | Geographic regions for policy control |\n| `schedule` | Time-based policies and access control |\n| `service` | Protocol and port definitions for network services |\n| `service_group` | Collections of services for simplified policy management |\n| `syslog_server_profile` | Syslog server configurations for centralized logging |\n| `tag` | Resource classification and organization labels |\n| **Mobile Agent** | |\n| `auth_setting` | GlobalProtect authentication settings |\n| `agent_version` | GlobalProtect agent versions (read-only) |\n| **Network** | |\n| `ike_crypto_profile` | IKE crypto profiles for VPN tunnel encryption |\n| `ike_gateway` | IKE gateways for VPN tunnel endpoints |\n| `ipsec_crypto_profile` | IPsec crypto profiles for VPN tunnel encryption |\n| `nat_rule` | Network address translation policies for traffic routing |\n| `security_zone` | Security zones for network segmentation |\n| **Deployment** | |\n| `bandwidth_allocation` | Bandwidth allocation management for network capacity planning |\n| `bgp_routing` | BGP routing configuration for network connectivity |\n| `internal_dns_server` | Internal DNS server configurations for domain resolution |\n| `network_location` | Geographic network locations for service connectivity |\n| `remote_network` | Secure branch and remote site connectivity configurations |\n| `service_connection` | Service connections to cloud service providers |\n| **Security** | |\n| `security_rule` | Core security policies controlling network traffic |\n| `anti_spyware_profile` | Protection against spyware, C2 traffic, and data exfiltration |\n| `decryption_profile` | SSL/TLS traffic inspection configurations |\n| `dns_security_profile` | Protection against DNS-based threats and tunneling |\n| `url_category` | Custom URL categorization for web filtering |\n| `vulnerability_protection_profile` | Defense against known CVEs and exploit attempts |\n| `wildfire_antivirus_profile` | Cloud-based malware analysis and zero-day protection |\n| **Setup** | |\n| `device` | Device resources and management |\n| `folder` | Folder organization and hierarchy |\n| `label` | Resource classification and simple key-value object labels |\n| `snippet` | Reusable configuration snippets |\n| `variable` | Typed variables with flexible container scoping |\n\n---\n\n## Development\n\nBefore starting development, please review:\n\n- `SDK_STYLING_GUIDE.md` - Comprehensive guide for writing consistent SDK code\n- `CLAUDE_MODELS.md` - Guidelines for creating Pydantic models\n- `SDK_SERVICE_TEMPLATE.py` - Template for new service files\n- `WINDSURF_RULES.md` - Overall project standards\n\n### Setup\n\n1. Clone the repository:\n\n ```bash\n git clone https://github.com/cdot65/pan-scm-sdk.git\n cd pan-scm-sdk\n ```\n\n2. Install dependencies and pre-commit hooks:\n\n ```bash\n make setup\n ```\n\n Alternatively, you can install manually:\n\n ```bash\n poetry install\n poetry run pre-commit install\n ```\n\n### Code Quality\n\nThis project uses [ruff](https://github.com/astral-sh/ruff) for linting and formatting:\n\n```bash\n# Run linting checks\nmake lint\n\n# Format code\nmake format\n\n# Auto-fix linting issues when possible\nmake fix\n```\n\n### Pre-commit Hooks\n\nWe use pre-commit hooks to ensure code quality before committing:\n\n```bash\n# Run pre-commit hooks on all files\nmake pre-commit-all\n```\n\nThe following checks run automatically before each commit:\n\n- ruff linting and formatting\n- Trailing whitespace removal\n- End-of-file fixer\n- YAML/JSON syntax checking\n- Large file detection\n- Python syntax validation\n- Merge conflict detection\n- Private key detection\n\n## Contributing\n\nWe welcome contributions! To contribute:\n\n1. Fork the repository.\n2. Create a new feature branch (`git checkout -b feature/your-feature`).\n3. Make your changes, ensuring all linting and tests pass.\n4. Commit your changes (`git commit -m 'Add new feature'`).\n5. Push to your branch (`git push origin feature/your-feature`).\n6. Open a Pull Request.\n\nEnsure your code adheres to the project's coding standards and includes tests where appropriate.\n\n## License\n\nThis project is licensed under the Apache 2.0 License. See the [LICENSE](./LICENSE) file for details.\n\n## Support\n\nFor support and questions, please refer to the [SUPPORT.md](./SUPPORT.md) file in this repository.\n\n---\n\n_Detailed documentation is available on our [GitHub Pages documentation site](https://cdot65.github.io/pan-scm-sdk/)._\n",
"bugtrack_url": null,
"license": "Apache 2.0",
"summary": "Python SDK for Palo Alto Networks Strata Cloud Manager.",
"version": "0.3.44",
"project_urls": {
"Documentation": "https://cdot65.github.io/pan-scm-sdk/",
"Homepage": "https://github.com/cdot65/pan-scm-sdk",
"Repository": "https://github.com/cdot65/pan-scm-sdk"
},
"split_keywords": [
"paloaltonetworks",
" stratacloudmanager",
" scm"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "c0bde3ab507e7ca9f41c7c1d7c5c643c3328f4b07507b032a2f48ca523a4dd94",
"md5": "85153d4a5181066271ccc49b7bec2aec",
"sha256": "247e8047e378a09ef76395ceeade55078a705c2266d9bc8bb82b6ba0c05b9267"
},
"downloads": -1,
"filename": "pan_scm_sdk-0.3.44-py3-none-any.whl",
"has_sig": false,
"md5_digest": "85153d4a5181066271ccc49b7bec2aec",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4.0,>=3.10",
"size": 271306,
"upload_time": "2025-07-18T16:16:22",
"upload_time_iso_8601": "2025-07-18T16:16:22.343548Z",
"url": "https://files.pythonhosted.org/packages/c0/bd/e3ab507e7ca9f41c7c1d7c5c643c3328f4b07507b032a2f48ca523a4dd94/pan_scm_sdk-0.3.44-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "183bce40526c157ef1f66d006763b2b534a7f200d66ca57a5351390bffcbb1f8",
"md5": "fde282fa149fcbb7075864afb2a0dae0",
"sha256": "b0a5c16742ed189079184087cb9aacb94306d376c446a176ff40353f5d2343b3"
},
"downloads": -1,
"filename": "pan_scm_sdk-0.3.44.tar.gz",
"has_sig": false,
"md5_digest": "fde282fa149fcbb7075864afb2a0dae0",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4.0,>=3.10",
"size": 118018,
"upload_time": "2025-07-18T16:16:23",
"upload_time_iso_8601": "2025-07-18T16:16:23.448843Z",
"url": "https://files.pythonhosted.org/packages/18/3b/ce40526c157ef1f66d006763b2b534a7f200d66ca57a5351390bffcbb1f8/pan_scm_sdk-0.3.44.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-18 16:16:23",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "cdot65",
"github_project": "pan-scm-sdk",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "pan-scm-sdk"
}
JSON
