0
# Azure Key Vault
1
2
Microsoft Azure Key Vault Client Libraries for Python providing comprehensive key management, secret storage, and certificate management capabilities. The package serves as a meta-package that installs three core Key Vault libraries for managing different types of cryptographic assets in Azure cloud applications.
3
4
## Package Information
5
6
- **Package Name**: azure-keyvault
7
- **Package Type**: pypi
8
- **Language**: Python
9
- **Installation**: `pip install azure-keyvault`
10
11
## Core Imports
12
13
```python
14
# Key management operations
15
from azure.keyvault.keys import KeyClient
16
17
# Secret management operations
18
from azure.keyvault.secrets import SecretClient
19
20
# Certificate management operations
21
from azure.keyvault.certificates import CertificateClient
22
23
# Cryptographic operations
24
from azure.keyvault.keys.crypto import CryptographyClient
25
26
# Administration operations (Managed HSM only)
27
from azure.keyvault.administration import KeyVaultAccessControlClient, KeyVaultBackupClient
28
```
29
30
Async clients:
31
32
```python
33
# Async versions for all clients
34
from azure.keyvault.keys.aio import KeyClient as AsyncKeyClient
35
from azure.keyvault.secrets.aio import SecretClient as AsyncSecretClient
36
from azure.keyvault.certificates.aio import CertificateClient as AsyncCertificateClient
37
from azure.keyvault.keys.crypto.aio import CryptographyClient as AsyncCryptographyClient
38
39
# Async administration clients (Managed HSM only)
40
from azure.keyvault.administration.aio import KeyVaultAccessControlClient as AsyncAccessControlClient
41
from azure.keyvault.administration.aio import KeyVaultBackupClient as AsyncBackupClient
42
```
43
44
## Basic Usage
45
46
```python
47
from azure.keyvault.keys import KeyClient
48
from azure.keyvault.secrets import SecretClient
49
from azure.keyvault.certificates import CertificateClient
50
from azure.identity import DefaultAzureCredential
51
52
# Initialize credential
53
credential = DefaultAzureCredential()
54
vault_url = "https://your-keyvault-name.vault.azure.net/"
55
56
# Create clients
57
key_client = KeyClient(vault_url=vault_url, credential=credential)
58
secret_client = SecretClient(vault_url=vault_url, credential=credential)
59
certificate_client = CertificateClient(vault_url=vault_url, credential=credential)
60
61
# Basic key operations
62
key = key_client.create_rsa_key("my-key", size=2048)
63
retrieved_key = key_client.get_key("my-key")
64
65
# Basic secret operations
66
secret = secret_client.set_secret("my-secret", "secret-value")
67
retrieved_secret = secret_client.get_secret("my-secret")
68
69
# Basic certificate operations
70
cert_policy = CertificatePolicy.get_default()
71
cert_operation = certificate_client.begin_create_certificate("my-cert", cert_policy)
72
certificate = cert_operation.result()
73
```
74
75
## Architecture
76
77
Azure Key Vault organizes cryptographic assets into three main categories:
78
79
- **Keys**: Cryptographic keys for encryption, decryption, signing, and verification operations
80
- **Secrets**: Sensitive data like passwords, connection strings, and API keys
81
- **Certificates**: X.509 certificates with automatic lifecycle management and renewal
82
83
Each category has its own client with both synchronous and asynchronous implementations. The package follows Azure SDK design patterns with consistent authentication, error handling, and operation patterns across all clients.
84
85
## Capabilities
86
87
### Key Management
88
89
Comprehensive key lifecycle management including RSA, EC, and symmetric keys with support for Hardware Security Modules (HSM). Provides key creation, rotation, backup/restore, and cryptographic operations.
90
91
```python { .api }
92
class KeyClient:
93
def __init__(self, vault_url: str, credential, **kwargs): ...
94
def create_key(self, name: str, key_type: KeyType, **kwargs) -> KeyVaultKey: ...
95
def create_rsa_key(self, name: str, **kwargs) -> KeyVaultKey: ...
96
def create_ec_key(self, name: str, **kwargs) -> KeyVaultKey: ...
97
def get_key(self, name: str, version: str = None, **kwargs) -> KeyVaultKey: ...
98
def begin_delete_key(self, name: str, **kwargs) -> LROPoller[DeletedKey]: ...
99
def get_cryptography_client(self, key_name: str, **kwargs) -> CryptographyClient: ...
100
```
101
102
[Key Management](./key-management.md)
103
104
### Secret Management
105
106
Secure storage and retrieval of sensitive data with version management, expiration policies, and access control. Supports text-based secrets with optional content types and metadata.
107
108
```python { .api }
109
class SecretClient:
110
def __init__(self, vault_url: str, credential, **kwargs): ...
111
def set_secret(self, name: str, value: str, **kwargs) -> KeyVaultSecret: ...
112
def get_secret(self, name: str, version: str = None, **kwargs) -> KeyVaultSecret: ...
113
def begin_delete_secret(self, name: str, **kwargs) -> LROPoller[DeletedSecret]: ...
114
def list_properties_of_secrets(**kwargs) -> ItemPaged[SecretProperties]: ...
115
```
116
117
[Secret Management](./secret-management.md)
118
119
### Certificate Management
120
121
Complete X.509 certificate lifecycle management including creation, renewal, import/export, and policy management. Supports integration with certificate authorities and automated renewal.
122
123
```python { .api }
124
class CertificateClient:
125
def __init__(self, vault_url: str, credential, **kwargs): ...
126
def create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> KeyVaultCertificate: ...
127
def begin_create_certificate(self, certificate_name: str, policy: CertificatePolicy, **kwargs) -> LROPoller[KeyVaultCertificate]: ...
128
def get_certificate(self, certificate_name: str, **kwargs) -> KeyVaultCertificate: ...
129
def import_certificate(self, certificate_name: str, certificate_bytes: bytes, **kwargs) -> KeyVaultCertificate: ...
130
def begin_delete_certificate(self, certificate_name: str, **kwargs) -> LROPoller[DeletedCertificate]: ...
131
```
132
133
[Certificate Management](./certificate-management.md)
134
135
### Cryptographic Operations
136
137
High-performance cryptographic operations using keys stored in Azure Key Vault including encryption, decryption, digital signing, verification, and key wrapping. Supports both local and remote operations.
138
139
```python { .api }
140
class CryptographyClient:
141
def encrypt(self, algorithm: EncryptionAlgorithm, plaintext: bytes, **kwargs) -> EncryptResult: ...
142
def decrypt(self, algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs) -> DecryptResult: ...
143
def sign(self, algorithm: SignatureAlgorithm, digest: bytes, **kwargs) -> SignResult: ...
144
def verify(self, algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs) -> VerifyResult: ...
145
```
146
147
[Cryptographic Operations](./cryptographic-operations.md)
148
149
### HSM Administration
150
151
Comprehensive administration capabilities for Azure Key Vault Managed HSM instances including role-based access control (RBAC) management and full HSM backup/restore operations. Essential for enterprise HSM deployments requiring granular permission management and disaster recovery.
152
153
```python { .api }
154
class KeyVaultAccessControlClient:
155
def __init__(self, vault_url: str, credential, **kwargs): ...
156
def create_role_assignment(self, role_scope: KeyVaultRoleScope, role_definition_id: str, principal_id: str, **kwargs) -> KeyVaultRoleAssignment: ...
157
def get_role_assignment(self, role_scope: KeyVaultRoleScope, role_assignment_name: str, **kwargs) -> KeyVaultRoleAssignment: ...
158
def set_role_definition(self, role_scope: KeyVaultRoleScope, **kwargs) -> KeyVaultRoleDefinition: ...
159
def list_role_definitions(self, role_scope: KeyVaultRoleScope, **kwargs) -> ItemPaged[KeyVaultRoleDefinition]: ...
160
161
class KeyVaultBackupClient:
162
def __init__(self, vault_url: str, credential, **kwargs): ...
163
def begin_backup(self, blob_storage_url: str, sas_token: str, **kwargs) -> LROPoller[KeyVaultBackupResult]: ...
164
def begin_restore(self, blob_storage_url: str, sas_token: str, folder_name: str, **kwargs) -> LROPoller[None]: ...
165
```
166
167
[HSM Administration](./administration.md)
168
169
## Core Types
170
171
```python { .api }
172
# Long-running operation support
173
from azure.core.polling import LROPoller
174
175
# Authentication and configuration
176
class ApiVersion(str, Enum):
177
V7_0 = "7.0"
178
V7_1 = "7.1"
179
V7_2 = "7.2"
180
V7_3 = "7.3"
181
V7_4 = "7.4"
182
V7_5 = "7.5"
183
184
# Key types and properties
185
class KeyVaultKey:
186
id: str
187
name: str
188
properties: KeyProperties
189
key: JsonWebKey
190
key_type: KeyType
191
192
class KeyProperties:
193
id: str
194
name: str
195
version: str
196
enabled: bool
197
expires_on: datetime
198
created_on: datetime
199
updated_on: datetime
200
tags: Dict[str, str]
201
202
# Secret types
203
class KeyVaultSecret:
204
id: str
205
name: str
206
properties: SecretProperties
207
value: str
208
209
class SecretProperties:
210
id: str
211
name: str
212
version: str
213
enabled: bool
214
expires_on: datetime
215
content_type: str
216
tags: Dict[str, str]
217
218
# Certificate types
219
class KeyVaultCertificate:
220
id: str
221
name: str
222
properties: CertificateProperties
223
cer: bytes
224
policy: CertificatePolicy
225
226
class CertificateProperties:
227
id: str
228
name: str
229
version: str
230
enabled: bool
231
expires_on: datetime
232
x509_thumbprint: bytes
233
tags: Dict[str, str]
234
235
# Key enums and additional types
236
class KeyType(str, Enum):
237
EC = "EC"
238
EC_HSM = "EC-HSM"
239
RSA = "RSA"
240
RSA_HSM = "RSA-HSM"
241
oct = "oct"
242
oct_HSM = "oct-HSM"
243
244
class KeyCurveName(str, Enum):
245
P_256 = "P-256"
246
P_384 = "P-384"
247
P_521 = "P-521"
248
P_256K = "P-256K"
249
250
class KeyOperation(str, Enum):
251
encrypt = "encrypt"
252
decrypt = "decrypt"
253
sign = "sign"
254
verify = "verify"
255
wrap_key = "wrapKey"
256
unwrap_key = "unwrapKey"
257
import_key = "import"
258
export = "export"
259
260
class DeletedKey:
261
id: str
262
name: str
263
properties: KeyProperties
264
key: JsonWebKey
265
deleted_on: datetime
266
recovery_id: str
267
scheduled_purge_date: datetime
268
269
class JsonWebKey:
270
kid: str
271
kty: KeyType
272
key_ops: List[KeyOperation]
273
n: bytes # RSA modulus
274
e: bytes # RSA public exponent
275
d: bytes # RSA private exponent
276
x: bytes # EC x coordinate
277
y: bytes # EC y coordinate
278
crv: KeyCurveName # EC curve name
279
k: bytes # Symmetric key value
280
281
# Deleted secret type
282
class DeletedSecret:
283
id: str
284
name: str
285
properties: SecretProperties
286
value: str
287
deleted_on: datetime
288
recovery_id: str
289
scheduled_purge_date: datetime
290
291
# Deleted certificate type
292
class DeletedCertificate:
293
id: str
294
name: str
295
properties: CertificateProperties
296
cer: bytes
297
policy: CertificatePolicy
298
deleted_on: datetime
299
recovery_id: str
300
scheduled_purge_date: datetime
301
302
# Certificate policy and related types
303
class CertificatePolicy:
304
id: str
305
issuer_name: str
306
subject: str
307
san_dns_names: List[str]
308
san_emails: List[str]
309
san_user_principal_names: List[str]
310
exportable: bool
311
key_type: KeyType
312
key_size: int
313
reuse_key: bool
314
curve: KeyCurveName
315
enhanced_key_usage: List[str]
316
key_usage: List[KeyUsageType]
317
x509_props: X509CertificateProperties
318
lifetime_actions: List[LifetimeAction]
319
attributes: CertificateAttributes
320
321
@classmethod
322
def get_default(cls) -> "CertificatePolicy": ...
323
324
class KeyUsageType(str, Enum):
325
digital_signature = "digitalSignature"
326
non_repudiation = "nonRepudiation"
327
key_encipherment = "keyEncipherment"
328
data_encipherment = "dataEncipherment"
329
key_agreement = "keyAgreement"
330
key_cert_sign = "keyCertSign"
331
crl_sign = "crlSign"
332
encipher_only = "encipherOnly"
333
decipher_only = "decipherOnly"
334
335
# Cryptographic operation result types
336
class EncryptResult:
337
key_id: str
338
algorithm: EncryptionAlgorithm
339
ciphertext: bytes
340
iv: bytes
341
authentication_tag: bytes
342
additional_authenticated_data: bytes
343
344
class DecryptResult:
345
key_id: str
346
algorithm: EncryptionAlgorithm
347
plaintext: bytes
348
349
class SignResult:
350
key_id: str
351
algorithm: SignatureAlgorithm
352
signature: bytes
353
354
class VerifyResult:
355
key_id: str
356
algorithm: SignatureAlgorithm
357
is_valid: bool
358
359
class WrapResult:
360
key_id: str
361
algorithm: KeyWrapAlgorithm
362
encrypted_key: bytes
363
364
class UnwrapResult:
365
key_id: str
366
algorithm: KeyWrapAlgorithm
367
key: bytes
368
369
# Cryptographic algorithm enums
370
class EncryptionAlgorithm(str, Enum):
371
RSA_OAEP = "RSA-OAEP"
372
RSA_OAEP_256 = "RSA-OAEP-256"
373
RSA1_5 = "RSA1_5"
374
A128GCM = "A128GCM"
375
A192GCM = "A192GCM"
376
A256GCM = "A256GCM"
377
A128CBC = "A128CBC"
378
A192CBC = "A192CBC"
379
A256CBC = "A256CBC"
380
A128CBCPAD = "A128CBCPAD"
381
A192CBCPAD = "A192CBCPAD"
382
A256CBCPAD = "A256CBCPAD"
383
384
class SignatureAlgorithm(str, Enum):
385
PS256 = "PS256"
386
PS384 = "PS384"
387
PS512 = "PS512"
388
RS256 = "RS256"
389
RS384 = "RS384"
390
RS512 = "RS512"
391
ES256 = "ES256"
392
ES384 = "ES384"
393
ES512 = "ES512"
394
ES256K = "ES256K"
395
396
class KeyWrapAlgorithm(str, Enum):
397
A128KW = "A128KW"
398
A192KW = "A192KW"
399
A256KW = "A256KW"
400
RSA_OAEP = "RSA-OAEP"
401
RSA_OAEP_256 = "RSA-OAEP-256"
402
RSA1_5 = "RSA1_5"
403
404
# Paging support
405
from azure.core.paging import ItemPaged
406
```