tessl/pypi-azure-keyvault
Microsoft Azure Key Vault Client Libraries for Python providing unified access to keys, secrets, and certificates
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-azure-keyvault@4.2.0index.mddocs/
Azure Key Vault
Microsoft Azure Key Vault Client Libraries for Python providing comprehensive key management, secret storage, and certificate management capabilities. The package serves as a meta-package that installs three core Key Vault libraries for managing different types of cryptographic assets in Azure cloud applications.
Package Information
- Package Name: azure-keyvault
- Package Type: pypi
- Language: Python
- Installation:
pip install azure-keyvault
Core Imports
# Key management operations
from azure.keyvault.keys import KeyClient
# Secret management operations
from azure.keyvault.secrets import SecretClient
# Certificate management operations
from azure.keyvault.certificates import CertificateClient
# Cryptographic operations
from azure.keyvault.keys.crypto import CryptographyClient
# Administration operations (Managed HSM only)
from azure.keyvault.administration import KeyVaultAccessControlClient, KeyVaultBackupClientAsync clients:
# Async versions for all clients
from azure.keyvault.keys.aio import KeyClient as AsyncKeyClient
from azure.keyvault.secrets.aio import SecretClient as AsyncSecretClient
from azure.keyvault.certificates.aio import CertificateClient as AsyncCertificateClient
from azure.keyvault.keys.crypto.aio import CryptographyClient as AsyncCryptographyClient
# Async administration clients (Managed HSM only)
from azure.keyvault.administration.aio import KeyVaultAccessControlClient as AsyncAccessControlClient
from azure.keyvault.administration.aio import KeyVaultBackupClient as AsyncBackupClientBasic Usage
from azure.keyvault.keys import KeyClient
from azure.keyvault.secrets import SecretClient
from azure.keyvault.certificates import CertificateClient
from azure.identity import DefaultAzureCredential
# Initialize credential
credential = DefaultAzureCredential()
vault_url = "https://your-keyvault-name.vault.azure.net/"
# Create clients
key_client = KeyClient(vault_url=vault_url, credential=credential)
secret_client = SecretClient(vault_url=vault_url, credential=credential)
certificate_client = CertificateClient(vault_url=vault_url, credential=credential)
# Basic key operations
key = key_client.create_rsa_key("my-key", size=2048)
retrieved_key = key_client.get_key("my-key")
# Basic secret operations
secret = secret_client.set_secret("my-secret", "secret-value")
retrieved_secret = secret_client.get_secret("my-secret")
# Basic certificate operations
cert_policy = CertificatePolicy.get_default()
cert_operation = certificate_client.begin_create_certificate("my-cert", cert_policy)
certificate = cert_operation.result()Architecture
Azure Key Vault organizes cryptographic assets into three main categories:
- Keys: Cryptographic keys for encryption, decryption, signing, and verification operations
- Secrets: Sensitive data like passwords, connection strings, and API keys
- Certificates: X.509 certificates with automatic lifecycle management and renewal
Each category has its own client with both synchronous and asynchronous implementations. The package follows Azure SDK design patterns with consistent authentication, error handling, and operation patterns across all clients.
Capabilities
Key Management
Comprehensive key lifecycle management including RSA, EC, and symmetric keys with support for Hardware Security Modules (HSM). Provides key creation, rotation, backup/restore, and cryptographic operations.
class KeyClient:
def __init__(self, vault_url: str, credential, **kwargs): ...
def create_key(self, name: str, key_type: KeyType, **kwargs) -> KeyVaultKey: ...
def create_rsa_key(self, name: str, **kwargs) -> KeyVaultKey: ...
def create_ec_key(self, name: str, **kwargs) -> KeyVaultKey: ...
def get_key(self, name: str, version: str = None, **kwargs) -> KeyVaultKey: ...
def begin_delete_key(self, name: str, **kwargs) -> LROPoller[DeletedKey]: ...
def get_cryptography_client(self, key_name: str, **kwargs) -> CryptographyClient: ...Secret Management
Secure storage and retrieval of sensitive data with version management, expiration policies, and access control. Supports text-based secrets with optional content types and metadata.
class SecretClient:
def __init__(self, vault_url: str, credential, **kwargs): ...
def set_secret(self, name: str, value: str, **kwargs) -> KeyVaultSecret: ...
def get_secret(self, name: str, version: str = None, **kwargs) -> KeyVaultSecret: ...
def begin_delete_secret(self, name: str, **kwargs) -> LROPoller[DeletedSecret]: ...
def list_properties_of_secrets(**kwargs) -> ItemPaged[SecretProperties]: ...Certificate Management
Complete X.509 certificate lifecycle management including creation, renewal, import/export, and policy management. Supports integration with certificate authorities and automated renewal.
class CertificateClient:
def __init__(self, vault_url: str, credential, **kwargs): ...
def create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> KeyVaultCertificate: ...
def begin_create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> LROPoller[KeyVaultCertificate]: ...
def get_certificate(self, certificate_name: str, **kwargs) -> KeyVaultCertificate: ...
def import_certificate(self, certificate_name: str, certificate_bytes: bytes, **kwargs) -> KeyVaultCertificate: ...
def begin_delete_certificate(self, certificate_name: str, **kwargs) -> LROPoller[DeletedCertificate]: ...Cryptographic Operations
High-performance cryptographic operations using keys stored in Azure Key Vault including encryption, decryption, digital signing, verification, and key wrapping. Supports both local and remote operations.
class CryptographyClient:
def encrypt(self, algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs) -> EncryptResult: ...
def decrypt(self, algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs) -> DecryptResult: ...
def sign(self, algorithm: SignatureAlgorithm, digest: bytes, **kwargs) -> SignResult: ...
def verify(self, algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs) -> VerifyResult: ...HSM Administration
Comprehensive administration capabilities for Azure Key Vault Managed HSM instances including role-based access control (RBAC) management and full HSM backup/restore operations. Essential for enterprise HSM deployments requiring granular permission management and disaster recovery.
class KeyVaultAccessControlClient:
def __init__(self, vault_url: str, credential, **kwargs): ...
def create_role_assignment(self, role_scope: KeyVaultRoleScope, role_definition_id: str, principal_id: str, **kwargs) -> KeyVaultRoleAssignment: ...
def get_role_assignment(self, role_scope: KeyVaultRoleScope, role_assignment_name: str, **kwargs) -> KeyVaultRoleAssignment: ...
def set_role_definition(self, role_scope: KeyVaultRoleScope, **kwargs) -> KeyVaultRoleDefinition: ...
def list_role_definitions(self, role_scope: KeyVaultRoleScope, **kwargs) -> ItemPaged[KeyVaultRoleDefinition]: ...
class KeyVaultBackupClient:
def __init__(self, vault_url: str, credential, **kwargs): ...
def begin_backup(self, blob_storage_url: str, sas_token: str, **kwargs) -> LROPoller[KeyVaultBackupResult]: ...
def begin_restore(self, blob_storage_url: str, sas_token: str, folder_name: str, **kwargs) -> LROPoller[None]: ...Core Types
# Long-running operation support
from azure.core.polling import LROPoller
# Authentication and configuration
class ApiVersion(str, Enum):
V7_0 = "7.0"
V7_1 = "7.1"
V7_2 = "7.2"
V7_3 = "7.3"
V7_4 = "7.4"
V7_5 = "7.5"
# Key types and properties
class KeyVaultKey:
id: str
name: str
properties: KeyProperties
key: JsonWebKey
key_type: KeyType
class KeyProperties:
id: str
name: str
version: str
enabled: bool
expires_on: datetime
created_on: datetime
updated_on: datetime
tags: Dict[str, str]
# Secret types
class KeyVaultSecret:
id: str
name: str
properties: SecretProperties
value: str
class SecretProperties:
id: str
name: str
version: str
enabled: bool
expires_on: datetime
content_type: str
tags: Dict[str, str]
# Certificate types
class KeyVaultCertificate:
id: str
name: str
properties: CertificateProperties
cer: bytes
policy: CertificatePolicy
class CertificateProperties:
id: str
name: str
version: str
enabled: bool
expires_on: datetime
x509_thumbprint: bytes
tags: Dict[str, str]
# Key enums and additional types
class KeyType(str, Enum):
EC = "EC"
EC_HSM = "EC-HSM"
RSA = "RSA"
RSA_HSM = "RSA-HSM"
oct = "oct"
oct_HSM = "oct-HSM"
class KeyCurveName(str, Enum):
P_256 = "P-256"
P_384 = "P-384"
P_521 = "P-521"
P_256K = "P-256K"
class KeyOperation(str, Enum):
encrypt = "encrypt"
decrypt = "decrypt"
sign = "sign"
verify = "verify"
wrap_key = "wrapKey"
unwrap_key = "unwrapKey"
import_key = "import"
export = "export"
class DeletedKey:
id: str
name: str
properties: KeyProperties
key: JsonWebKey
deleted_on: datetime
recovery_id: str
scheduled_purge_date: datetime
class JsonWebKey:
kid: str
kty: KeyType
key_ops: List[KeyOperation]
n: bytes # RSA modulus
e: bytes # RSA public exponent
d: bytes # RSA private exponent
x: bytes # EC x coordinate
y: bytes # EC y coordinate
crv: KeyCurveName # EC curve name
k: bytes # Symmetric key value
# Deleted secret type
class DeletedSecret:
id: str
name: str
properties: SecretProperties
value: str
deleted_on: datetime
recovery_id: str
scheduled_purge_date: datetime
# Deleted certificate type
class DeletedCertificate:
id: str
name: str
properties: CertificateProperties
cer: bytes
policy: CertificatePolicy
deleted_on: datetime
recovery_id: str
scheduled_purge_date: datetime
# Certificate policy and related types
class CertificatePolicy:
id: str
issuer_name: str
subject: str
san_dns_names: List[str]
san_emails: List[str]
san_user_principal_names: List[str]
exportable: bool
key_type: KeyType
key_size: int
reuse_key: bool
curve: KeyCurveName
enhanced_key_usage: List[str]
key_usage: List[KeyUsageType]
x509_props: X509CertificateProperties
lifetime_actions: List[LifetimeAction]
attributes: CertificateAttributes
@classmethod
def get_default(cls) -> "CertificatePolicy": ...
class KeyUsageType(str, Enum):
digital_signature = "digitalSignature"
non_repudiation = "nonRepudiation"
key_encipherment = "keyEncipherment"
data_encipherment = "dataEncipherment"
key_agreement = "keyAgreement"
key_cert_sign = "keyCertSign"
crl_sign = "crlSign"
encipher_only = "encipherOnly"
decipher_only = "decipherOnly"
# Cryptographic operation result types
class EncryptResult:
key_id: str
algorithm: EncryptionAlgorithm
ciphertext: bytes
iv: bytes
authentication_tag: bytes
additional_authenticated_data: bytes
class DecryptResult:
key_id: str
algorithm: EncryptionAlgorithm
plaintext: bytes
class SignResult:
key_id: str
algorithm: SignatureAlgorithm
signature: bytes
class VerifyResult:
key_id: str
algorithm: SignatureAlgorithm
is_valid: bool
class WrapResult:
key_id: str
algorithm: KeyWrapAlgorithm
encrypted_key: bytes
class UnwrapResult:
key_id: str
algorithm: KeyWrapAlgorithm
key: bytes
# Cryptographic algorithm enums
class EncryptionAlgorithm(str, Enum):
RSA_OAEP = "RSA-OAEP"
RSA_OAEP_256 = "RSA-OAEP-256"
RSA1_5 = "RSA1_5"
A128GCM = "A128GCM"
A192GCM = "A192GCM"
A256GCM = "A256GCM"
A128CBC = "A128CBC"
A192CBC = "A192CBC"
A256CBC = "A256CBC"
A128CBCPAD = "A128CBCPAD"
A192CBCPAD = "A192CBCPAD"
A256CBCPAD = "A256CBCPAD"
class SignatureAlgorithm(str, Enum):
PS256 = "PS256"
PS384 = "PS384"
PS512 = "PS512"
RS256 = "RS256"
RS384 = "RS384"
RS512 = "RS512"
ES256 = "ES256"
ES384 = "ES384"
ES512 = "ES512"
ES256K = "ES256K"
class KeyWrapAlgorithm(str, Enum):
A128KW = "A128KW"
A192KW = "A192KW"
A256KW = "A256KW"
RSA_OAEP = "RSA-OAEP"
RSA_OAEP_256 = "RSA-OAEP-256"
RSA1_5 = "RSA1_5"
# Paging support
from azure.core.paging import ItemPaged