azure.keyvault.keys package¶
Submodules¶
azure.keyvault.keys.client module¶
azure.keyvault.keys.enums module¶
azure.keyvault.keys.models module¶
Module contents¶
-
class
azure.keyvault.keys.
KeyClient
(vault_url, credential, **kwargs)[source]¶ Bases:
azure.keyvault.keys._shared.client_base.KeyVaultClientBase
A high-level interface for managing a vault’s keys.
Parameters: - vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.
- credential – An object which can provide an access token for the vault, such as a credential from
azure.identity
Keyword Arguments: - api_version (str) – version of the Key Vault API to use. Defaults to the most recent.
- transport (HttpTransport) – transport to use. Defaults to
RequestsTransport
.
Example
Create a newKeyClient
¶from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient # Create a KeyClient using default Azure credentials credential = DefaultAzureCredential() key_client = KeyClient(vault_url, credential)
-
backup_key
(name, **kwargs)[source]¶ Back up a key in a protected form useable only by Azure Key Vault. Requires keys/backup permission.
This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
Parameters: name (str) – The name of the key to back up Return type: bytes Raises: ResourceNotFoundError
if the key doesn’t exist,HttpResponseError
for other errorsExample
Get a key backup¶# backup key key_backup = key_client.backup_key(key_name) # returns the raw bytes of the backed up key print(key_backup)
-
begin_delete_key
(name, **kwargs)[source]¶ Delete all versions of a key and its cryptographic material. Requires keys/delete permission.
When this method returns Key Vault has begun deleting the key. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
Parameters: name (str) – The name of the key to delete. Returns: A poller for the delete key operation. The poller’s result method returns the DeletedKey
without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the key withpurge_deleted_key()
, call the poller’s wait method first. It will block until the deletion is complete. The wait method requires keys/get permission.Return type: LROPoller[DeletedKey] Raises: ResourceNotFoundError
if the key doesn’t exist,HttpResponseError
for other errorsExample
Delete a key¶# delete a key deleted_key_poller = key_client.begin_delete_key("key-name") deleted_key = deleted_key_poller.result() print(deleted_key.name) # if the vault has soft-delete enabled, the key's deleted_date, # scheduled purge date and recovery id are set print(deleted_key.deleted_date) print(deleted_key.scheduled_purge_date) print(deleted_key.recovery_id) # if you want to block until deletion is complete, call wait() on the poller deleted_key_poller.wait()
-
begin_recover_deleted_key
(name, **kwargs)[source]¶ Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled.
Requires keys/recover permission.
When this method returns Key Vault has begun recovering the key. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered key in another operation immediately.
Parameters: name (str) – The name of the deleted key to recover Returns: A poller for the recovery operation. The poller’s result method returns the recovered KeyVaultKey
without waiting for recovery to complete. If you want to use the recovered key immediately, call the poller’s wait method, which blocks until the key is ready to use. The wait method requires keys/get permission.Return type: LROPoller[KeyVaultKey] Raises: HttpResponseError
Example
Recover a deleted key¶# recover a deleted key to its latest version (requires soft-delete enabled for the vault) recover_key_poller = key_client.begin_recover_deleted_key("key-name") recovered_key = recover_key_poller.result() print(recovered_key.id) print(recovered_key.name) # if you want to block until key is recovered server-side, call wait() on the poller recover_key_poller.wait()
-
create_ec_key
(name, **kwargs)[source]¶ Create a new elliptic curve key or, if name is already in use, create a new version of the key.
Requires the keys/create permission.
Parameters: name (str) – The name for the new key.
Keyword Arguments: - curve (KeyCurveName or str) – Elliptic curve name. Defaults to the NIST P-256 elliptic curve.
- key_operations (list[KeyOperation or str]) – Allowed key operations
- hardware_protected (bool) – Whether the key should be created in a hardware security module.
Defaults to
False
. - enabled (bool) – Whether the key is enabled for use.
- tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
- not_before (datetime) – Not before date of the key in UTC
- expires_on (datetime) – Expiry date of the key in UTC
Returns: The created key
Return type: Raises: Example
Create an elliptic curve key¶key_curve = "P-256" # create an EC (Elliptic curve) key with curve specification # EC key can be created with default curve of 'P-256' ec_key = key_client.create_ec_key("key-name", curve=key_curve) print(ec_key.id) print(ec_key.properties.version) print(ec_key.key_type) print(ec_key.key.crv)
-
create_key
(name, key_type, **kwargs)[source]¶ Create a key or, if name is already in use, create a new version of the key.
Requires keys/create permission.
Parameters: - name (str) – The name of the new key.
- key_type (KeyType or str) – The type of key to create
Keyword Arguments: - size (int) – RSA key size in bits, for example 2048, 3072, or 4096. Applies only to RSA keys. To
create an RSA key, consider using
create_rsa_key()
instead. - curve (KeyCurveName or str) – Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256
elliptic curve. To create an elliptic curve key, consider using
create_ec_key()
instead. - key_operations (list[KeyOperation or str]) – Allowed key operations
- enabled (bool) – Whether the key is enabled for use.
- tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
- not_before (datetime) – Not before date of the key in UTC
- expires_on (datetime) – Expiry date of the key in UTC
Returns: The created key
Return type: Raises: Example
Create a key¶from dateutil import parser as date_parse expires_on = date_parse.parse("2050-02-02T08:00:00.000Z") # create a key with optional arguments key = key_client.create_key("key-name", "RSA-HSM", expires_on=expires_on) print(key.name) print(key.id) print(key.key_type) print(key.properties.expires_on)
-
create_rsa_key
(name, **kwargs)[source]¶ Create a new RSA key or, if name is already in use, create a new version of the key
Requires the keys/create permission.
Parameters: name (str) – The name for the new key.
Keyword Arguments: - size (int) – Key size in bits, for example 2048, 3072, or 4096.
- hardware_protected (bool) – Whether the key should be created in a hardware security module.
Defaults to
False
. - key_operations (list[KeyOperation or str]) – Allowed key operations
- enabled (bool) – Whether the key is enabled for use.
- tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
- not_before (datetime) – Not before date of the key in UTC
- expires_on (datetime) – Expiry date of the key in UTC
Returns: The created key
Return type: Raises: Example
Create RSA key¶key_size = 2048 key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"] # create an rsa key with size specification # RSA key can be created with default size of '2048' key = key_client.create_rsa_key("key-name", hardware_protected=True, size=key_size, key_operations=key_ops) print(key.id) print(key.name) print(key.key_type) print(key.key_operations)
-
get_deleted_key
(name, **kwargs)[source]¶ Get a deleted key. Possible only in a vault with soft-delete enabled. Requires keys/get permission.
Parameters: name (str) – The name of the key Returns: The deleted key Return type: DeletedKey Raises: ResourceNotFoundError
if the key doesn’t exist,HttpResponseError
for other errorsExample
Get a deleted key¶# get a deleted key (requires soft-delete enabled for the vault) deleted_key = key_client.get_deleted_key("key-name") print(deleted_key.name) # if the vault has soft-delete enabled, the key's deleted_date # scheduled purge date and recovery id are set print(deleted_key.deleted_date) print(deleted_key.scheduled_purge_date) print(deleted_key.recovery_id)
-
get_key
(name, version=None, **kwargs)[source]¶ Get a key’s attributes and, if it’s an asymmetric key, its public material. Requires keys/get permission.
Parameters: - name (str) – The name of the key to get.
- version (str) – (optional) A specific version of the key to get. If not specified, gets the latest version of the key.
Return type: Raises: ResourceNotFoundError
if the key doesn’t exist,HttpResponseError
for other errorsExample
Get a key¶# get the latest version of a key key = key_client.get_key("key-name") # alternatively, specify a version key_version = key.properties.version key = key_client.get_key("key-name", key_version) print(key.id) print(key.name) print(key.properties.version) print(key.key_type) print(key.properties.vault_url)
-
import_key
(name, key, **kwargs)[source]¶ Import a key created externally. Requires keys/import permission.
If name is already in use, the key will be imported as a new version.
Parameters: - name (str) – Name for the imported key
- key (JsonWebKey) – The JSON web key to import
Keyword Arguments: - hardware_protected (bool) – Whether the key should be backed by a hardware security module
- enabled (bool) – Whether the key is enabled for use.
- tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
- not_before (datetime) – Not before date of the key in UTC
- expires_on (datetime) – Expiry date of the key in UTC
Returns: The imported key
Return type: Raises:
-
list_deleted_keys
(**kwargs)[source]¶ List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled.
Requires keys/list permission.
Returns: An iterator of deleted keys Return type: ItemPaged[DeletedKey] Example
List all the deleted keys¶# get an iterator of deleted keys (requires soft-delete enabled for the vault) deleted_keys = key_client.list_deleted_keys() for key in deleted_keys: print(key.id) print(key.name) print(key.scheduled_purge_date) print(key.recovery_id) print(key.deleted_date)
-
list_properties_of_key_versions
(name, **kwargs)[source]¶ List the identifiers and properties of a key’s versions. Requires keys/list permission.
Parameters: name (str) – The name of the key Returns: An iterator of keys without their cryptographic material Return type: ItemPaged[KeyProperties] Example
List all versions of a key¶# get an iterator of a key's versions key_versions = key_client.list_properties_of_key_versions("key-name") for key in key_versions: print(key.id) print(key.name)
-
list_properties_of_keys
(**kwargs)[source]¶ List identifiers and properties of all keys in the vault. Requires keys/list permission.
Returns: An iterator of keys without their cryptographic material or version information Return type: ItemPaged[KeyProperties] Example
List all keys¶# get an iterator of keys keys = key_client.list_properties_of_keys() for key in keys: print(key.id) print(key.name)
-
purge_deleted_key
(name, **kwargs)[source]¶ Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled.
Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not available if the
recovery_level
does not specify ‘Purgeable’. This method is only necessary for purging a key before itsscheduled_purge_date
.Requires keys/purge permission.
Parameters: name (str) – The name of the deleted key to purge Returns: None Raises: HttpResponseError
Example
# if the vault has soft-delete enabled, purge permanently deletes a deleted key # (with soft-delete disabled, begin_delete_key is permanent) key_client.purge_deleted_key("key-name")
-
restore_key_backup
(backup, **kwargs)[source]¶ Restore a key backup to the vault. Requires keys/restore permission.
This imports all versions of the key, with its name, attributes, and access control policies. If the key’s name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
Parameters: backup (bytes) – A key backup as returned by backup_key()
Returns: The restored key Return type: KeyVaultKey Raises: ResourceExistsError
if the backed up key’s name is already in use,HttpResponseError
for other errorsExample
Restore a key backup¶# restore a key backup restored_key = key_client.restore_key_backup(key_backup) print(restored_key.id) print(restored_key.properties.version)
-
update_key_properties
(name, version=None, **kwargs)[source]¶ Change a key’s properties (not its cryptographic material). Requires keys/update permission.
Parameters: - name (str) – The name of key to update
- version (str) – (optional) The version of the key to update. If unspecified, the latest version is updated.
Keyword Arguments: - key_operations (list[KeyOperation or str]) – Allowed key operations
- enabled (bool) – Whether the key is enabled for use.
- tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
- not_before (datetime) – Not before date of the key in UTC
- expires_on (datetime) – Expiry date of the key in UTC
Returns: The updated key
Return type: Raises: ResourceNotFoundError
if the key doesn’t exist,HttpResponseError
for other errorsExample
Update a key’s attributes¶# update attributes of an existing key expires_on = date_parse.parse("2050-01-02T08:00:00.000Z") tags = {"foo": "updated tag"} updated_key = key_client.update_key_properties(key.name, expires_on=expires_on, tags=tags) print(updated_key.properties.version) print(updated_key.properties.updated_on) print(updated_key.properties.expires_on) print(updated_key.properties.tags) print(key.key_type)
-
class
azure.keyvault.keys.
JsonWebKey
(**kwargs)[source]¶ Bases:
object
As defined in http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18. All parameters are optional.
Parameters: - kid (str) – Key identifier.
- kty (KeyType or str) – Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
- key_ops (list[str or KeyOperation]) – Allowed operations for the key
- n (bytes) – RSA modulus.
- e (bytes) – RSA public exponent.
- d (bytes) – RSA private exponent, or the D component of an EC private key.
- dp (bytes) – RSA private key parameter.
- dq (bytes) – RSA private key parameter.
- qi (bytes) – RSA private key parameter.
- p (bytes) – RSA secret prime.
- q (bytes) – RSA secret prime, with p < q.
- k (bytes) – Symmetric key.
- t (bytes) – HSM Token, used with ‘Bring Your Own Key’.
- crv (KeyCurveName or str) – Elliptic curve name.
- x (bytes) – X component of an EC public key.
- y (bytes) – Y component of an EC public key.
-
class
azure.keyvault.keys.
KeyVaultKey
(key_id, jwk=None, **kwargs)[source]¶ Bases:
object
A key’s attributes and cryptographic material.
Parameters: - key_id (str) – Key Vault’s identifier for the key. Typically a URI, e.g. https://myvault.vault.azure.net/keys/my-key/version
- jwk – The key’s cryptographic material as a JSON Web Key (https://tools.ietf.org/html/rfc7517). This may be provided
as a dictionary or keyword arguments. See
JsonWebKey
for field names.
Providing cryptographic material as keyword arguments:
from azure.keyvault.keys.models import KeyVaultKey key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version' key_bytes = os.urandom(32) key = KeyVaultKey(key_id, k=key_bytes, kty='oct', key_ops=['unwrapKey', 'wrapKey'])
Providing cryptographic material as a dictionary:
from azure.keyvault.keys.models import KeyVaultKey key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version' key_bytes = os.urandom(32) jwk = {'k': key_bytes, 'kty': 'oct', 'key_ops': ['unwrapKey', 'wrapKey']} key = KeyVaultKey(key_id, jwk=jwk)
-
id
¶ The key’s id
Return type: str
-
key
¶ The JSON web key
Return type: JsonWebKey
-
key_operations
¶ Permitted operations. See
KeyOperation
for possible values.Return type: list[KeyOperation or str]
-
name
¶ The key’s name
Return type: str
-
properties
¶ The key’s properties
Return type: KeyProperties
-
class
azure.keyvault.keys.
KeyCurveName
[source]¶ Bases:
str
,enum.Enum
Supported elliptic curves
-
p_256
= 'P-256'¶ The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
-
p_256_k
= 'P-256K'¶ The SECG SECP256K1 elliptic curve.
-
p_384
= 'P-384'¶ The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
-
p_521
= 'P-521'¶ The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
-
-
class
azure.keyvault.keys.
KeyOperation
[source]¶ Bases:
str
,enum.Enum
Supported key operations
-
decrypt
= 'decrypt'¶
-
encrypt
= 'encrypt'¶
-
sign
= 'sign'¶
-
unwrap_key
= 'unwrapKey'¶
-
verify
= 'verify'¶
-
wrap_key
= 'wrapKey'¶
-
-
class
azure.keyvault.keys.
KeyType
[source]¶ Bases:
str
,enum.Enum
Supported key types
-
ec
= 'EC'¶ Elliptic Curve
-
ec_hsm
= 'EC-HSM'¶ Elliptic Curve with a private key which is not exportable from the HSM
-
oct
= 'oct'¶ Octet sequence (used to represent symmetric keys)
-
rsa
= 'RSA'¶
-
rsa_hsm
= 'RSA-HSM'¶ RSA with a private key which is not exportable from the HSM
-
-
class
azure.keyvault.keys.
DeletedKey
(properties, deleted_date=None, recovery_id=None, scheduled_purge_date=None, **kwargs)[source]¶ Bases:
azure.keyvault.keys._models.KeyVaultKey
A deleted key’s properties, cryptographic material and its deletion information. If soft-delete is enabled, returns information about its recovery as well.
-
deleted_date
¶ When the key was deleted, in UTC
Return type: datetime
-
recovery_id
¶ An identifier used to recover the deleted key. Returns
None
if soft-delete is disabled.Return type: str
-
scheduled_purge_date
¶ When the key is scheduled to be purged, in UTC. Returns
None
if soft-delete is disabled.Return type: datetime
-
-
class
azure.keyvault.keys.
KeyProperties
(key_id, attributes=None, **kwargs)[source]¶ Bases:
object
A key’s id and attributes.
-
created_on
¶ When the key was created, in UTC
Return type: datetime
-
enabled
¶ Whether the key is enabled for use
Return type: bool
-
expires_on
¶ When the key will expire, in UTC
Return type: datetime
-
id
¶ The key’s id
Return type: str
-
managed
¶ Returns whether the key’s lifetime is managed by key vault
Return type: bool
-
name
¶ The key’s name
Return type: str
-
not_before
¶ The time before which the key can not be used, in UTC
Return type: datetime
-
recovery_level
¶ The vault’s deletion recovery level for keys
Return type: str
Application specific metadata in the form of key-value pairs
Return type: dict[str, str]
-
updated_on
¶ When the key was last updated, in UTC
Return type: datetime
-
vault_url
¶ URL of the vault containing the key
Return type: str
-
version
¶ The key’s version
Return type: str
-