Microsoft Azure Key Vault Administration Client Library for Python
Project description
Azure Key Vault Administration client library for Python
Note: The Administration library only works with Managed HSM – functions targeting a Key Vault will fail.
Azure Key Vault helps solve the following problems:
- Vault administration (this library) - role-based access control (RBAC), and vault-level backup and restore options
- Cryptographic key management (azure-keyvault-keys) - create, store, and control access to the keys used to encrypt your data
- Secrets management (azure-keyvault-secrets) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets
- Certificate management (azure-keyvault-certificates) - create, manage, and deploy public and private SSL/TLS certificates
Source code | Package (PyPI) | Package (Conda) | API reference documentation | Product documentation | Samples
Disclaimer
Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691. Python 3.8 or later is required to use this package. For more details, please refer to Azure SDK for Python version support policy.
Getting started
Install packages
Install azure-keyvault-administration and azure-identity with pip:
pip install azure-keyvault-administration azure-identity
azure-identity is used for Azure Active Directory authentication as demonstrated below.
Prerequisites
- An Azure subscription
- Python 3.8 or later
- An existing Key Vault Managed HSM. If you need to create one, you can do so using the Azure CLI by following the steps in this document.
Authenticate the client
In order to interact with the Azure Key Vault service, you will need an instance of either a KeyVaultAccessControlClient or KeyVaultBackupClient, as well as a vault url (which you may see as "DNS Name" in the Azure Portal) and a credential object. This document demonstrates using a DefaultAzureCredential, which is appropriate for most scenarios, including local development and production environments. We recommend using a managed identity for authentication in production environments.
See azure-identity documentation for more information about other methods of authentication and their corresponding credential types.
Create a KeyVaultAccessControlClient
After configuring your environment for the DefaultAzureCredential to use a suitable method of authentication, you can do the following to create an access control client (replacing the value of vault_url
with your Managed HSM's URL):
from azure.identity import DefaultAzureCredential
from azure.keyvault.administration import KeyVaultAccessControlClient
MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
credential = DefaultAzureCredential()
client = KeyVaultAccessControlClient(vault_url=MANAGED_HSM_URL, credential=credential)
NOTE: For an asynchronous client, import
azure.keyvault.administration.aio
'sKeyVaultAccessControlClient
instead.
Create a KeyVaultBackupClient
After creating a user-assigned managed identity and
granting it access to your Managed HSM, you can do the following to create a backup
client (setting the value of CLIENT_ID
to your managed identity's client ID):
from azure.identity import ManagedIdentityCredential
from azure.keyvault.administration import KeyVaultBackupClient
MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
MANAGED_IDENTITY_CLIENT_ID = os.environ["CLIENT_ID"]
credential = ManagedIdentityCredential(client_id=MANAGED_IDENTITY_CLIENT_ID)
client = KeyVaultBackupClient(vault_url=MANAGED_HSM_URL, credential=credential)
Using the ManagedIdentityCredential
is preferred in order to enable authenticating backup and restore operations with
Managed Identity. Any other azure-identity
credential could be provided instead if SAS tokens are used in these
operations.
See azure-identity documentation for more information on Managed Identity authentication.
NOTE: For an asynchronous client, import
azure.keyvault.administration.aio
'sKeyVaultBackupClient
instead.
Create a KeyVaultSettingsClient
After configuring your environment for the DefaultAzureCredential to use a suitable method of authentication, you can do the following to create a settings client (replacing the value of vault_url
with your Managed HSM's URL):
from azure.identity import DefaultAzureCredential
from azure.keyvault.administration import KeyVaultSettingsClient
MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
credential = DefaultAzureCredential()
client = KeyVaultSettingsClient(vault_url=MANAGED_HSM_URL, credential=credential)
NOTE: For an asynchronous client, import
azure.keyvault.administration.aio
'sKeyVaultSettingsClient
instead.
Key concepts
Role definition
A role definition defines the operations that can be performed, such as read, write, and delete. It can also define the operations that are excluded from allowed operations.
A role definition is specified as part of a role assignment.
Role assignment
A role assignment is the association of a role definition to a service principal. They can be created, listed, fetched individually, and deleted.
KeyVaultAccessControlClient
A KeyVaultAccessControlClient
manages role definitions and role assignments.
KeyVaultBackupClient
A KeyVaultBackupClient
performs full key backups, full key restores, and selective key restores.
KeyVaultSettingsClient
A KeyVaultSettingsClient
manages Managed HSM account settings.
Examples
This section contains code snippets covering common tasks:
- Access control
- Backup and restore
List all role definitions
list_role_definitions
can be used by a KeyVaultAccessControlClient
to list the role definitions available for
assignment.
from azure.keyvault.administration import KeyVaultRoleScope
role_definitions = client.list_role_definitions(scope=KeyVaultRoleScope.GLOBAL)
for definition in role_definitions:
print(f"Role name: {definition.role_name}; Role definition name: {definition.name}")
Set, get, and delete a role definition
set_role_definition
can be used by a KeyVaultAccessControlClient
to either create a custom role definition or update
an existing definition with the specified unique name
(a UUID).
from azure.keyvault.administration import KeyVaultDataAction, KeyVaultPermission, KeyVaultRoleScope
role_name = "customRole"
scope = KeyVaultRoleScope.GLOBAL
permissions = [KeyVaultPermission(data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])]
role_definition = client.set_role_definition(scope=scope, role_name=role_name, permissions=permissions)
new_permissions = [
KeyVaultPermission(
data_actions=[KeyVaultDataAction.READ_HSM_KEY],
not_data_actions=[KeyVaultDataAction.CREATE_HSM_KEY]
)
]
unique_definition_name = role_definition.name
updated_definition = client.set_role_definition(
scope=scope, name=unique_definition_name, role_name=role_name, permissions=new_permissions
)
get_role_definition
can be used by a KeyVaultAccessControlClient
to fetch a role definition with the specified scope
and unique name.
fetched_definition = client.get_role_definition(scope=scope, name=unique_definition_name)
delete_role_definition
can be used by a KeyVaultAccessControlClient
to delete a role definition with the specified
scope and unique name.
client.delete_role_definition(scope=scope, name=unique_definition_name)
List all role assignments
list_role_assignments
can be used by a KeyVaultAccessControlClient
to list all of the current role assignments.
from azure.keyvault.administration import KeyVaultRoleScope
role_assignments = client.list_role_assignments(KeyVaultRoleScope.GLOBAL)
for assignment in role_assignments:
assert assignment.properties
print(f"Role assignment name: {assignment.name}")
print(f"Principal ID associated with this assignment: {assignment.properties.principal_id}")
Create, get, and delete a role assignment
Role assignments assign a role to a service principal. This will require a role definition ID and service principal
object ID. You can use an ID from the retrieved list of role definitions for the former,
and an assignment's principal_id
from the list retrieved in the above snippet for the
latter. Provide these values, and a scope, to a KeyVaultAccessControlClient
's create_role_assignment
method.
from azure.keyvault.administration import KeyVaultRoleScope
scope = KeyVaultRoleScope.GLOBAL
role_assignment = client.create_role_assignment(scope=scope, definition_id=definition_id, principal_id=principal_id)
print(f"Role assignment {role_assignment.name} created successfully.")
get_role_assignment
can be used by a KeyVaultAccessControlClient
to fetch an existing role assignment with the
specified scope and unique name.
fetched_assignment = client.get_role_assignment(scope=scope, name=role_assignment.name)
assert fetched_assignment.properties
print(f"Role assignment for principal {fetched_assignment.properties.principal_id} fetched successfully.")
delete_role_assignment
can be used by a KeyVaultAccessControlClient
to delete a role assignment with the specified
scope and unique name.
client.delete_role_assignment(scope=scope, name=role_assignment.name)
Perform a full key backup
The KeyVaultBackupClient
can be used to back up your entire collection of keys. The backing store for full key
backups is a blob storage container using either Managed Identity (which is preferred) or Shared Access Signature (SAS)
authentication.
If using Managed Identity, first make sure your user-assigned managed identity has the correct access to your Storage account and Managed HSM per the service's guidance.
For more details on creating a SAS token using a BlobServiceClient
from azure-storage-blob
, refer
to the library's credential documentation. Alternatively, it is possible to
generate a SAS token in Storage Explorer.
CONTAINER_URL = os.environ["CONTAINER_URL"]
backup_result: KeyVaultBackupResult = client.begin_backup(CONTAINER_URL, use_managed_identity=True).result()
print(f"Azure Storage Blob URL of the backup: {backup_result.folder_url}")
Note that the begin_backup
method returns a poller. Calling result()
on this poller returns a
KeyVaultBackupResult
containing information about the backup. Calling wait()
on the poller will instead block until
the operation is complete without returning an object.
Perform a full key restore
The KeyVaultBackupClient
can be used to restore your entire collection of keys from a backup. The data source for a
full key restore is a storage blob accessed using either Managed Identity (which is preferred) or Shared Access
Signature (SAS) authentication. You will also need the URL of the backup (KeyVaultBackupResult.folder_url
) from the
above snippet.
If using Managed Identity, first make sure your user-assigned managed identity has the correct access to your Storage account and Managed HSM per the service's guidance.
For more details on creating a SAS token using a BlobServiceClient
from azure-storage-blob
, refer
to the library's credential documentation. Alternatively, it is possible to
generate a SAS token in Storage Explorer.
# `backup_result` is the KeyVaultBackupResult returned by `begin_backup`
client.begin_restore(backup_result.folder_url, use_managed_identity=True).wait()
print("Vault restored successfully.")
Note that the begin_restore
method returns a poller. Unlike the poller returned by begin_backup
, this poller's
result
method returns None
; therefore, calling wait()
is functionally the same.
Perform a selective key restore
To restore a single key from a backed up vault instead of all keys, provide the key name as a key_name
argument to the
begin_restore
method shown above.
Troubleshooting
See the azure-keyvault-administration
troubleshooting guide
for details on how to diagnose various failure scenarios.
General
Key Vault clients raise exceptions defined in azure-core. For example, if you try to get a role assignment that doesn't exist, KeyVaultAccessControlClient raises ResourceNotFoundError:
from azure.identity import DefaultAzureCredential
from azure.keyvault.administration import KeyVaultAccessControlClient
from azure.core.exceptions import ResourceNotFoundError
credential = DefaultAzureCredential()
client = KeyVaultAccessControlClient(vault_url="https://my-managed-hsm-name.managedhsm.azure.net/", credential=credential)
try:
client.get_role_assignment("/", "which-does-not-exist")
except ResourceNotFoundError as e:
print(e.message)
Clients from the Administration library can only be used to perform operations on a managed HSM, so attempting to do so on a Key Vault will raise an error.
Next steps
Several samples are available in the Azure SDK for Python GitHub repository. These samples provide example code for additional Key Vault scenarios:
- Create/update/delete role definitions and role assignments (async version)
- Full backup and restore (async version)
- List and update Key Vault settings (async version)
Additional documentation
For more extensive documentation on Azure Key Vault, see the API reference documentation.
For more extensive documentation on Managed HSM, see the service documentation.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Release History
4.5.0 (2024-10-17)
Features Added
- Added support for Continuous Access Evaluation (CAE).
enable_cae=True
is passed to allget_token
requests.
Bugs Fixed
- Typing errors from using Key Vault clients as context managers have been fixed (#34744)
Other Changes
- Updated minimum
azure-core
version to 1.31.0
4.4.0 (2024-02-22)
Features Added
- Added support for service API version
7.5
- (From 4.4.0b2)
KeyVaultBackupClient.begin_backup
andKeyVaultBackupClient.begin_restore
now accept ause_managed_identity
keyword-only argument to enable authentication via Managed Identity
Bugs Fixed
- (From 4.4.0b1) Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID (#29888)
Other Changes
- Python 3.7 is no longer supported. Please use Python version 3.8 or later.
- Key Vault API version
7.5
is now the default - Updated minimum
azure-core
version to 1.29.5 - Dropped
azure-common
requirement
4.4.0b2 (2023-11-03)
Features Added
- Added support for service API version
7.5-preview.1
KeyVaultBackupClient.begin_backup
andKeyVaultBackupClient.begin_restore
now accept ause_managed_identity
keyword-only argument to enable authentication via Managed Identity
Other Changes
- Key Vault API version
7.5-preview.1
is now the default
4.4.0b1 (2023-05-16)
Bugs Fixed
- Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID (#29888)
4.3.0 (2023-03-16)
Features Added
- Added support for service API version
7.4
- Clients each have a
send_request
method that can be used to send custom requests using the client's existing pipeline (#25172) - (From 4.3.0b1) Added sync and async
KeyVaultSettingsClient
s for getting and updating Managed HSM settings - The
KeyVaultSetting
class has agetboolean
method that will return the setting'svalue
as abool
, if possible, and raise aValueError
otherwise
Breaking Changes
These changes do not impact the API of stable versions such as 4.2.0. Only code written against a beta version such as 4.3.0b1 may be affected.
KeyVaultSettingsClient.update_setting
now accepts a singlesetting
argument (aKeyVaultSetting
instance) instead of aname
andvalue
- The
KeyVaultSetting
model'stype
parameter and attribute have been renamed tosetting_type
- The
SettingType
enum has been renamed toKeyVaultSettingType
Other Changes
- Key Vault API version
7.4
is now the default - (From 4.3.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- (From 4.3.0b1) Updated minimum
azure-core
version to 1.24.0 - (From 4.3.0b1) Dropped
msrest
requirement - (From 4.3.0b1) Dropped
six
requirement - (From 4.3.0b1) Added requirement for
isodate>=0.6.1
(isodate
was required bymsrest
) - (From 4.3.0b1) Added requirement for
typing-extensions>=4.0.1
4.3.0b1 (2022-11-15)
Features Added
- Added sync and async
KeyVaultSettingsClient
s for getting and updating Managed HSM settings. - Added support for service API version
7.4-preview.1
Other Changes
- Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- Key Vault API version
7.4-preview.1
is now the default - Updated minimum
azure-core
version to 1.24.0 - Dropped
msrest
requirement - Dropped
six
requirement - Added requirement for
isodate>=0.6.1
(isodate
was required bymsrest
) - Added requirement for
typing-extensions>=4.0.1
4.2.0 (2022-09-19)
Breaking Changes
- Clients verify the challenge resource matches the vault domain. This should affect few customers,
who can provide
verify_challenge_resource=False
to client constructors to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.
4.1.1 (2022-08-11)
Other Changes
- Documentation improvements (#25039)
4.1.0 (2022-03-28)
Features Added
- Key Vault API version 7.3 is now the default
- Added support for multi-tenant authentication when using
azure-identity
1.8.0 or newer (#20698)
Other Changes
- (From 4.1.0b3) Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- (From 4.1.0b3) Updated minimum
azure-core
version to 1.20.0 - (From 4.1.0b2) To support multi-tenant authentication,
get_token
calls during challenge authentication requests now pass in atenant_id
keyword argument (#20698). See https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate this parameter ifget_token
is implemented by a custom credential.
4.1.0b3 (2022-02-08)
Other Changes
- Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- Updated minimum
azure-core
version to 1.20.0 - (From 4.1.0b2) To support multi-tenant authentication,
get_token
calls during challenge authentication requests now pass in atenant_id
keyword argument (#20698)
4.1.0b2 (2021-11-11)
Features Added
- Added support for multi-tenant authentication when using
azure-identity
1.7.1 or newer (#20698)
Other Changes
- Updated minimum
azure-core
version to 1.15.0
4.1.0b1 (2021-09-09)
Features Added
- Key Vault API version 7.3-preview is now the default
4.0.0 (2021-06-22)
Changed
- Key Vault API version 7.2 is now the default
KeyVaultAccessControlClient.delete_role_assignment
and.delete_role_definition
no longer raise an error when the resource to be deleted is not found- Raised minimum azure-core version to 1.11.0
Added
KeyVaultAccessControlClient.set_role_definition
accepts an optionalassignable_scopes
keyword-only argument
Breaking Changes
KeyVaultAccessControlClient.delete_role_assignment
and.delete_role_definition
return None- Changed parameter order in
KeyVaultAccessControlClient.set_role_definition
.permissions
is now an optional keyword-only argument - Renamed
BackupOperation
toKeyVaultBackupResult
, and removed all but itsfolder_url
property - Removed
RestoreOperation
andSelectiveKeyRestoreOperation
classes - Removed
KeyVaultBackupClient.begin_selective_restore
. To restore a single key, pass the key's name toKeyVaultBackupClient.begin_restore
:# before (4.0.0b3): client.begin_selective_restore(folder_url, sas_token, key_name) # after: client.begin_restore(folder_url, sas_token, key_name=key_name)
- Removed
KeyVaultBackupClient.get_backup_status
and.get_restore_status
. Use the pollers returned byKeyVaultBackupClient.begin_backup
and.begin_restore
to check whether an operation has completed KeyVaultRoleAssignment
'sprincipal_id
,role_definition_id
, andscope
are now properties of aproperties
property# before (4.0.0b3): print(KeyVaultRoleAssignment.scope) # after: print(KeyVaultRoleAssignment.properties.scope)
- Renamed
KeyVaultPermission
properties:allowed_actions
->actions
denied_actions
->not_actions
allowed_data_actions
->data_actions
denied_data_actions
->denied_data_actions
- Renamed argument
role_assignment_name
toname
inKeyVaultAccessControlClient.create_role_assignment
,.delete_role_assignment
, and.get_role_assignment
- Renamed argument
role_definition_name
toname
inKeyVaultAccessControlClient.delete_role_definition
and.get_role_definition
- Renamed argument
role_scope
toscope
inKeyVaultAccessControlClient
methods
4.0.0b3 (2021-02-09)
Added
KeyVaultAccessControlClient
supports managing custom role definitions
Breaking Changes
- Renamed
KeyVaultBackupClient.begin_full_backup()
to.begin_backup()
- Renamed
KeyVaultBackupClient.begin_full_restore()
to.begin_restore()
- Renamed
BackupOperation.azure_storage_blob_container_uri
to.folder_url
- Renamed
id
property ofBackupOperation
,RestoreOperation
, andSelectiveKeyRestoreOperation
tojob_id
- Renamed
blob_storage_uri
parameters ofKeyVaultBackupClient.begin_restore()
and.begin_selective_restore()
tofolder_url
- Removed redundant
folder_name
parameter fromKeyVaultBackupClient.begin_restore()
and.begin_selective_restore()
(thefolder_url
parameter contains the folder name) - Renamed
KeyVaultPermission
attributes:actions
->allowed_actions
data_actions
->allowed_data_actions
not_actions
->denied_actions
not_data_actions
->denied_data_actions
- Renamed
KeyVaultRoleAssignment.assignment_id
to.role_assignment_id
- Renamed
KeyVaultRoleScope
enum values:global_value
->GLOBAL
keys_value
->KEYS
4.0.0b2 (2020-10-06)
Added
KeyVaultBackupClient.get_backup_status
and.get_restore_status
enable checking the status of a pending operation by its job ID (#13718)
Breaking Changes
- The
role_assignment_name
parameter ofKeyVaultAccessControlClient.create_role_assignment
is now an optional keyword-only argument. When this argument isn't passed, the client will generate a name for the role assignment. (#13512)
4.0.0b1 (2020-09-08)
Added
KeyVaultAccessControlClient
performs role-based access control operationsKeyVaultBackupClient
performs full vault backup and full and selective restore operations
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file azure_keyvault_administration-4.5.0.tar.gz
.
File metadata
- Download URL: azure_keyvault_administration-4.5.0.tar.gz
- Upload date:
- Size: 103.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: RestSharp/106.13.0.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 6539676eca70560ad76abb8d5bd3af8aecb1715817ed915ee600867f265b7e95 |
|
MD5 | 4b970eb9c75be72171fb16bc397979e2 |
|
BLAKE2b-256 | 937d6e406661ab207d71d1061efbd95064e2e8c315096d4fa471ca9dee9467f4 |
File details
Details for the file azure_keyvault_administration-4.5.0-py3-none-any.whl
.
File metadata
- Download URL: azure_keyvault_administration-4.5.0-py3-none-any.whl
- Upload date:
- Size: 99.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: RestSharp/106.13.0.0
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3c69f613a986477ee3f1e74ed76c8d66a6cb60d31779fb2d72bcdf6843a24527 |
|
MD5 | 84f244ffca62f63902e7455752e4da85 |
|
BLAKE2b-256 | c1c5c11226957105a396eaa21dc1d490d0359396056989ff03f3b0e82067ff4a |