A high-level asynchronous interface for managing a vault's keys.
vault_url (str) – URL of the vault the client will access. This is also called the vault's "DNS Name". You should validate that this URL references a valid Key Vault or Managed HSM resource, because the client will send bearer tokens to whatever host it names. See https://aka.ms/azsdk/blog/vault-uri for details.
credential (AsyncTokenCredential) – An object which can provide an access token for the vault, such as a credential from azure.identity.aio
api_version (ApiVersion or str) – Version of the service API to use. Defaults to the most recent.
verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True. Leave it enabled unless you have a specific reason not to; it is the check that stops a token for your vault being handed to a different resource named in a challenge.
Example
Create a new KeyClient

    from azure.identity.aio import DefaultAzureCredential
    from azure.keyvault.keys.aio import KeyClient

    # Create a KeyClient using default Azure credentials
    credential = DefaultAzureCredential()
    key_client = KeyClient(vault_url, credential)

    # the client and credential should be closed when no longer needed
    # (both are also async context managers)
    await key_client.close()
    await credential.close()
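The constructor parameters above say the vault URL should be validated before it is handed to the client. The check below is an added example written for this page, not code from the azure-keyvault-keys SDK. It assumes the vault lives under one of the public, China or US Government cloud DNS suffixes listed in KNOWN_VAULT_SUFFIXES (an illustrative allow-list; extend it for other clouds). The reason for being strict is that the client sends bearer tokens to whatever host the URL names, so a URL taken from configuration must be pinned to a Key Vault or Managed HSM domain rather than accepted as-is.

```python
from urllib.parse import urlsplit

# Illustrative allow-list of Key Vault and Managed HSM DNS suffixes for the public,
# China and US Government clouds. Assumption for this example: extend it for any
# other cloud your tenant uses, and keep it short rather than permissive.
KNOWN_VAULT_SUFFIXES = (
    ".vault.azure.net",
    ".managedhsm.azure.net",
    ".vault.azure.cn",
    ".managedhsm.azure.cn",
    ".vault.usgovcloudapi.net",
    ".managedhsm.usgovcloudapi.net",
)


def validate_vault_url(vault_url: str, allowed_suffixes=KNOWN_VAULT_SUFFIXES) -> str:
    """Return the vault origin in canonical form ("https://<host>"), or raise
    ValueError if the URL does not name a Key Vault / Managed HSM endpoint.

    The checks are deliberately strict: the client will send bearer tokens to
    whatever host ends up here, so anything other than a bare https origin on a
    known suffix is rejected rather than normalised.
    """
    parts = urlsplit(vault_url.strip())
    if parts.scheme != "https":
        raise ValueError(f"vault URL must use https, got scheme {parts.scheme!r}")
    # urlsplit separates userinfo, so "https://good.vault.azure.net@evil.example"
    # shows up with hostname "evil.example" and a username; reject either way.
    if parts.username is not None or parts.password is not None:
        raise ValueError("vault URL must not contain userinfo")
    host = parts.hostname or ""  # already lower-cased by urlsplit
    if not host:
        raise ValueError("vault URL has no host")
    if parts.port not in (None, 443):
        raise ValueError(f"unexpected port {parts.port} in vault URL")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("vault URL must be the bare vault origin, with no path, query or fragment")
    if not any(host.endswith(suffix) for suffix in allowed_suffixes):
        raise ValueError(f"host {host!r} is not under a known Key Vault / Managed HSM domain")
    # What precedes the suffix must be exactly one non-empty label: the vault name.
    suffix = next(s for s in allowed_suffixes if host.endswith(s))
    vault_name = host[: -len(suffix)]
    if not vault_name or "." in vault_name:
        raise ValueError(f"{host!r} does not carry a single vault name label")
    return f"https://{host}"


def is_valid_vault_url(vault_url: str) -> bool:
    """Boolean form of validate_vault_url, convenient for configuration checks."""
    try:
        validate_vault_url(vault_url)
    except ValueError:
        return False
    return True
```

Use it at the point the client is built, e.g. `KeyClient(validate_vault_url(vault_url), credential)`. The SDK's own verify_challenge_resource check is a second, independent layer and should stay enabled; this function only keeps a bad URL from reaching the client in the first place.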
Back up a key in a protected form useable only by Azure Key Vault.
Requires key/backup permission. This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
name (str) – The name of the key to back up
The key backup result, in a protected bytes format that can only be used by Azure Key Vault.
ResourceNotFoundError or HttpResponseError – the former if the key doesn't exist; the latter for other errors
Example

    # backup key
    key_backup = await key_client.backup_key(key_name)

    # returns the raw bytes of the backup
    print(key_backup)
Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
Create a new elliptic curve key or, if name is already in use, create a new version of the key.
Requires the keys/create permission.
name (str) – The name for the new key.
curve (KeyCurveName or str or None) – Elliptic curve name. Defaults to the NIST P-256 elliptic curve.
key_operations (List[KeyOperation or str] or None) – Allowed key operations
hardware_protected (bool or None) – Whether the key should be created in a hardware security module. Defaults to False.
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
exportable (bool or None) – Whether the private key can be exported.
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The created key
Example
Create an elliptic curve key

    # create an elliptic curve (ec) key
    key_curve = "P-256"
    ec_key = await key_client.create_ec_key(key_name, curve=key_curve)

    print(ec_key.id)
    print(ec_key.name)
    print(ec_key.key_type)
    print(ec_key.key.crv)
Create a key or, if name is already in use, create a new version of the key.
Requires keys/create permission.
name (str) – The name for the new key.
key_type (KeyType or str) – The type of key to create, as used in the example below (for example KeyType.rsa).
size (int or None) – Key size in bits. Applies only to RSA and symmetric keys. Consider using create_rsa_key() or create_oct_key() instead.
curve (KeyCurveName or str or None) – Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256 elliptic curve. To create an elliptic curve key, consider using create_ec_key() instead.
public_exponent (int or None) – The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
key_operations (List[KeyOperation or str] or None) – Allowed key operations
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
exportable (bool or None) – Whether the private key can be exported.
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The created key
Example
    from dateutil import parser as date_parse
    from azure.keyvault.keys import KeyType

    key_size = 2048
    key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
    expires_on = date_parse.parse("2050-02-02T08:00:00.000Z")

    # create a key with optional arguments
    key = await key_client.create_key(
        key_name, KeyType.rsa, size=key_size, key_operations=key_ops, expires_on=expires_on
    )

    print(key.id)
    print(key.name)
    print(key.key_type)
    print(key.properties.enabled)
    print(key.properties.expires_on)
Create a new octet sequence (symmetric) key or, if name is in use, create a new version of the key.
Requires the keys/create permission.
name (str) – The name for the new key.
size (int or None) – Key size in bits, for example 128, 192, or 256.
key_operations (List[KeyOperation or str] or None) – Allowed key operations.
hardware_protected (bool or None) – Whether the key should be created in a hardware security module. Defaults to False.
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
exportable (bool or None) – Whether the key can be exported.
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The created key
Example
Create an octet sequence (symmetric) key

    key = await key_client.create_oct_key(key_name, size=256, hardware_protected=True)

    print(key.id)
    print(key.name)
    print(key.key_type)
Create a new RSA key or, if name is already in use, create a new version of the key.
Requires the keys/create permission.
name (str) – The name for the new key.
size (int or None) – Key size in bits, for example 2048, 3072, or 4096.
public_exponent (int or None) – The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
hardware_protected (bool or None) – Whether the key should be created in a hardware security module. Defaults to False.
key_operations (List[KeyOperation or str] or None) – Allowed key operations
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
exportable (bool or None) – Whether the private key can be exported.
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The created key
Example

    # create an rsa key in a hardware security module
    key = await key_client.create_rsa_key(key_name, hardware_protected=True, size=2048)

    print(key.id)
    print(key.name)
    print(key.key_type)
Delete all versions of a key and its cryptographic material.
Requires keys/delete permission. If the vault has soft-delete enabled, deletion may take several seconds to complete.
name (str) – The name of the key to delete
The deleted key
ResourceNotFoundError or HttpResponseError – the former if the key doesn't exist; the latter for other errors
Example

    # delete a key
    deleted_key = await key_client.delete_key(key_name)

    print(deleted_key.name)

    # if the vault has soft-delete enabled, the key's
    # scheduled purge date, deleted_date and recovery id are set
    print(deleted_key.deleted_date)
    print(deleted_key.scheduled_purge_date)
    print(deleted_key.recovery_id)
Gets a CryptographyClient for the given key.
key_name (str) – The name of the key used to perform cryptographic operations.
key_version (str or None) – Optional version of the key used to perform cryptographic operations.
A CryptographyClient using the same options, credentials, and HTTP client as this KeyClient.
Get a deleted key. Possible only in a vault with soft-delete enabled.
Requires keys/get permission.
name (str) – The name of the key
The deleted key
ResourceNotFoundError or HttpResponseError – the former if the key doesn't exist; the latter for other errors
Example

    # get a deleted key (requires soft-delete enabled for the vault)
    deleted_key = await key_client.get_deleted_key(key_name)
    print(deleted_key.name)
Get a key's attributes and, if it's an asymmetric key, its public material.
Requires keys/get permission.
The fetched key.
ResourceNotFoundError or HttpResponseError – the former if the key doesn't exist; the latter for other errors
Example

    # get the latest version of a key
    key = await key_client.get_key(key_name)

    # alternatively, specify a version
    key_version = key.properties.version
    key = await key_client.get_key(key_name, key_version)

    print(key.id)
    print(key.name)
    print(key.properties.version)
    print(key.key_type)
    print(key.properties.vault_url)
Get a key and its attestation blob.
This method is applicable to any key stored in Azure Key Vault Managed HSM. This operation requires the keys/get permission.
The key attestation.
Get the rotation policy of a Key Vault key.
key_name (str) – The name of the key.
The key rotation policy.
Get the requested number of random bytes from a managed HSM.
count (int) – The requested number of random bytes.
The random bytes.
ValueError or HttpResponseError – the former if less than one random byte is requested; the latter for other errors
Example
    # get eight random bytes from a managed HSM
    # (key_client is the KeyClient created above; the HSM, not the caller, is the entropy source)
    random_bytes = await key_client.get_random_bytes(count=8)
Import a key created externally.
Requires keys/import permission. If name is already in use, the key will be imported as a new version.
name (str) – Name for the imported key
key (JsonWebKey) – The JSON web key to import
hardware_protected (bool or None) – Whether the key should be backed by a hardware security module
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
exportable (bool or None) – Whether the private key can be exported.
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The imported key
List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled.
Requires keys/list permission.
An iterator of deleted keys
Example
List all the deleted keys

    # get an iterator of deleted keys (requires soft-delete enabled for the vault)
    deleted_keys = key_client.list_deleted_keys()
    async for key in deleted_keys:
        print(key.id)
        print(key.name)
        print(key.scheduled_purge_date)
        print(key.recovery_id)
        print(key.deleted_date)
List the identifiers and properties of a keyâs versions.
Requires keys/list permission.
name (str) – The name of the key
An iterator of keys without their cryptographic material
Example
List all versions of a key

    # get an iterator of all versions of a key
    key_versions = key_client.list_properties_of_key_versions("key-name")
    async for key in key_versions:
        # each item is a KeyProperties object, so its version is read directly
        print(key.id)
        print(key.updated_on)
        print(key.version)
        print(key.expires_on)
List identifiers and properties of all keys in the vault.
Requires keys/list permission.
An iterator of keys without their cryptographic material or version information
Example

    # list keys
    keys = key_client.list_properties_of_keys()
    async for key in keys:
        print(key.id)
        print(key.created_on)
        print(key.name)
        print(key.updated_on)
        print(key.enabled)
Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled.
Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not available if the recovery_level does not specify "Purgeable". This method is only necessary for purging a key before its scheduled_purge_date.
Requires keys/purge permission.
name (str) – The name of the deleted key to purge
None
Example
    # if the vault has soft-delete enabled, purge permanently deletes a deleted key
    # (with soft-delete disabled, delete_key is permanent)
    await key_client.purge_deleted_key("key-name")
Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled.
Requires keys/recover permission. If the vault does not have soft-delete enabled, delete_key() is permanent, and this method will raise an error. Attempting to recover a non-deleted key will also raise an error.
name (str) – The name of the deleted key
The recovered key
Example

    # recover deleted key to its latest version (requires soft-delete enabled for the vault)
    recovered_key = await key_client.recover_deleted_key(key_name)
    print(recovered_key.id)
    print(recovered_key.name)
Releases a key.
The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.
version (str or None) – A specific version of the key to release. If unspecified, the latest version is released.
algorithm (str or KeyExportEncryptionAlgorithm or None) – The encryption algorithm to use to protect the released key material.
nonce (str or None) – A client-provided nonce for freshness.
The result of the key release.
Restore a key backup to the vault.
Requires keys/restore permission. This imports all versions of the key, with its name, attributes, and access control policies. If the key's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
backup (bytes) – A key backup as returned by backup_key()
The restored key
ResourceExistsError or HttpResponseError – the former if the backed up key's name is already in use; the latter for other errors
Example

    # restores a backup
    restored_key = await key_client.restore_key_backup(key_backup)
    print(restored_key.id)
    print(restored_key.name)
    print(restored_key.properties.version)
Rotate the key based on the key policy by generating a new version of the key.
This operation requires the keys/rotate permission.
name (str) – The name of the key to rotate.
The new version of the rotated key.
Runs a network request using the client's existing pipeline.
The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.
request (HttpRequest) – The network request you want to make.
stream (bool) – Whether the response payload will be streamed. Defaults to False.
The response of your network call. Does not do error handling on your response.
Change a key's properties (not its cryptographic material).
Requires keys/update permission.
key_operations (List[KeyOperation or str] or None) – Allowed key operations
enabled (bool or None) – Whether the key is enabled for use.
tags (dict[str, str] or None) – Application specific metadata in the form of key-value pairs.
not_before (datetime or None) – Not before date of the key in UTC
expires_on (datetime or None) – Expiry date of the key in UTC
release_policy (KeyReleasePolicy or None) – The policy rules under which the key can be exported.
The updated key
ResourceNotFoundError or HttpResponseError – the former if the key doesn't exist; the latter for other errors
Example
Update a key's attributes

    from dateutil import parser as date_parse

    # update attributes of an existing key (key is the KeyVaultKey fetched earlier)
    expires_on = date_parse.parse("2050-01-02T08:00:00.000Z")
    tags = {"foo": "updated tag"}
    updated_key = await key_client.update_key_properties(key.name, expires_on=expires_on, tags=tags)

    print(updated_key.properties.version)
    print(updated_key.properties.updated_on)
    print(updated_key.properties.expires_on)
    print(updated_key.properties.tags)
    print(updated_key.key_type)
Updates the rotation policy of a Key Vault key.
This operation requires the keys/update permission.
key_name (str) – The name of the key in the given vault.
policy (KeyRotationPolicy) – The new rotation policy for the key.
lifetime_actions (List[KeyRotationLifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a key. This will override the lifetime actions of the provided policy.
expires_in (str) – The expiry time of the policy that will be applied on new key versions, defined as an ISO 8601 duration. For example: 90 days is "P90D", 3 months is "P3M", and 48 hours is "PT48H". See Wikipedia for more information on ISO 8601 durations. This will override the expiry time of the provided policy.
The updated rotation policy.
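The rotation policy parameters above take ISO 8601 durations and a list of lifetime actions, and a schedule that rotates at or after expiry leaves a window with no usable version. The following is an added example for this page, not SDK code: it parses the duration subset the page documents (P90D, P3M, PT48H), rejects a rotate action that would fire at or after the version's expiry (and a notify action placed before the version even exists), then applies the policy with the documented update_key_rotation_policy call. The conversion to hours (30-day months, 365-day years) is an approximation chosen only to order durations, not to schedule anything. KeyRotationLifetimeAction, KeyRotationPolicy and KeyRotationPolicyAction are the azure-keyvault-keys model classes the call takes; they are imported inside the applying function so the offline checks run without the SDK installed.

```python
import re
from typing import Dict, Optional

# ISO 8601 duration subset used by Key Vault rotation policies: "P90D", "P3M",
# "PT48H", or combinations such as "P1Y2M3DT4H". Weeks ("P2W") are not accepted.
_DURATION = re.compile(
    r"^P(?!$)"
    r"(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?!$)(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def duration_to_hours(value: str) -> float:
    """Convert an ISO 8601 duration to hours, using 30-day months and 365-day years.
    Assumption for this example: the approximation is only used to compare durations."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"{value!r} is not an ISO 8601 duration of the form PnYnMnDTnHnMnS")
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    days = g["years"] * 365 + g["months"] * 30 + g["days"]
    return days * 24 + g["hours"] + g["minutes"] / 60 + g["seconds"] / 3600


def check_rotation_schedule(expires_in: str, rotate_after_create: str,
                            notify_before_expiry: Optional[str] = None) -> Dict[str, str]:
    """Validate that the rotate action fires strictly before a version expires, so a
    new version exists before the old one stops being usable. Returns the validated
    durations so callers can pass them on unchanged."""
    exp = duration_to_hours(expires_in)
    rot = duration_to_hours(rotate_after_create)
    if exp <= 0:
        raise ValueError("expires_in must be a positive duration")
    if rot >= exp:
        raise ValueError(
            f"rotate after {rotate_after_create} is not before expiry {expires_in}; "
            "each version would expire before its replacement is created"
        )
    schedule = {"expires_in": expires_in, "rotate_after_create": rotate_after_create}
    if notify_before_expiry is not None:
        if duration_to_hours(notify_before_expiry) >= exp:
            raise ValueError(f"notify {notify_before_expiry} before expiry precedes creation")
        schedule["notify_before_expiry"] = notify_before_expiry
    return schedule


async def apply_rotation_policy(key_client, key_name: str, expires_in: str,
                                rotate_after_create: str,
                                notify_before_expiry: Optional[str] = None):
    """Validate the schedule, then set it on the key with update_key_rotation_policy."""
    # azure-keyvault-keys model classes; imported here so the checks above can run
    # without the SDK installed (assumption for this example).
    from azure.keyvault.keys import (KeyRotationLifetimeAction, KeyRotationPolicy,
                                     KeyRotationPolicyAction)

    schedule = check_rotation_schedule(expires_in, rotate_after_create, notify_before_expiry)
    actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate,
                                         time_after_create=schedule["rotate_after_create"])]
    if "notify_before_expiry" in schedule:
        actions.append(KeyRotationLifetimeAction(KeyRotationPolicyAction.notify,
                                                 time_before_expiry=schedule["notify_before_expiry"]))
    # policy is positional; the lifetime_actions and expires_in keywords override its
    # corresponding fields, as documented above.
    return await key_client.update_key_rotation_policy(
        key_name, KeyRotationPolicy(), lifetime_actions=actions, expires_in=schedule["expires_in"]
    )
```

A typical call is `await apply_rotation_policy(key_client, key_name, expires_in="P90D", rotate_after_create="P60D", notify_before_expiry="P7D")`; the same check_rotation_schedule function can be run in CI against policy values kept in configuration, before anything touches the vault.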