tessl/pypi-azure-mgmt-keyvault
Microsoft Azure Key Vault Management Client Library for Python providing comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API.
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-azure-mgmt-keyvault@12.0.0index.mddocs/
Azure Key Vault Management Client
Microsoft Azure Key Vault Management Client Library provides comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API. This library enables developers to create, configure, and manage Azure Key Vaults, access policies, keys, secrets, and Managed HSM instances with enterprise-grade security and compliance features.
Package Information
- Package Name: azure-mgmt-keyvault
- Language: Python
- Installation:
pip install azure-mgmt-keyvault - Requires Python: >=3.9
Core Imports
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.identity import DefaultAzureCredentialImport models and enums:
from azure.mgmt.keyvault.models import (
Vault, VaultCreateOrUpdateParameters, VaultProperties,
AccessPolicyEntry, Permissions,
ManagedHsm, Secret, Key
)Basic Usage
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.identity import DefaultAzureCredential
from azure.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, VaultProperties, Sku, SkuName
)
# Initialize the client
credential = DefaultAzureCredential()
subscription_id = "your-subscription-id"
client = KeyVaultManagementClient(credential, subscription_id)
# Create a new key vault
vault_name = "my-key-vault"
resource_group_name = "my-resource-group"
location = "East US"
vault_properties = VaultProperties(
tenant_id="your-tenant-id",
sku=Sku(family="A", name=SkuName.STANDARD),
access_policies=[]
)
vault_params = VaultCreateOrUpdateParameters(
location=location,
properties=vault_properties
)
# Start the vault creation (Long-running operation)
poller = client.vaults.begin_create_or_update(
resource_group_name, vault_name, vault_params
)
vault = poller.result()
print(f"Created vault: {vault.name}")
# List all vaults in subscription
for vault in client.vaults.list_by_subscription():
print(f"Vault: {vault.name} in {vault.location}")
# Clean up resources
client.vaults.delete(resource_group_name, vault_name)Architecture
The Azure Key Vault Management Client follows Azure SDK patterns with a hierarchical structure:
- KeyVaultManagementClient: Main client providing access to all operation groups
- Operation Groups: Specialized classes for different resource types (vaults, keys, secrets, managed HSMs)
- Models: Data classes representing Azure resources and their properties
- Long-Running Operations (LRO): Asynchronous operations with polling support for resource-intensive tasks
- Authentication: Integration with Azure Identity for credential management across different authentication flows
The client supports both synchronous and asynchronous patterns, with async versions available in the aio module. All operations follow Azure Resource Manager conventions with consistent parameter patterns and error handling.
Capabilities
Vault Management
Comprehensive Azure Key Vault lifecycle management including creation, configuration, access policy management, and deletion. Supports both basic and premium vault SKUs with advanced security features.
def begin_create_or_update(resource_group_name: str, vault_name: str, parameters: VaultCreateOrUpdateParameters) -> LROPoller[Vault]: ...
def update(resource_group_name: str, vault_name: str, parameters: VaultPatchParameters) -> Vault: ...
def delete(resource_group_name: str, vault_name: str) -> None: ...
def get(resource_group_name: str, vault_name: str) -> Vault: ...
def update_access_policy(resource_group_name: str, vault_name: str, operation_kind: AccessPolicyUpdateKind, parameters: VaultAccessPolicyParameters) -> VaultAccessPolicyParameters: ...
def list_by_resource_group(resource_group_name: str, top: Optional[int] = None) -> ItemPaged[Vault]: ...
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[Vault]: ...
def list_deleted() -> ItemPaged[DeletedVault]: ...
def get_deleted(vault_name: str, location: str) -> DeletedVault: ...
def begin_purge_deleted(vault_name: str, location: str) -> LROPoller[None]: ...
def list(top: Optional[int] = None) -> ItemPaged[Resource]: ...
def check_name_availability(vault_name: VaultCheckNameAvailabilityParameters) -> CheckNameAvailabilityResult: ...Key Management
Management operations for cryptographic keys within Azure Key Vault, including key creation, versioning, and metadata management through the Azure Resource Manager API.
def create_if_not_exist(resource_group_name: str, vault_name: str, key_name: str, parameters: KeyCreateParameters) -> Key: ...
def get(resource_group_name: str, vault_name: str, key_name: str) -> Key: ...
def list(resource_group_name: str, vault_name: str) -> ItemPaged[Key]: ...
def get_version(resource_group_name: str, vault_name: str, key_name: str, key_version: str) -> Key: ...
def list_versions(resource_group_name: str, vault_name: str, key_name: str) -> ItemPaged[Key]: ...Secret Management
ARM-level operations for managing secrets in Azure Key Vault, primarily intended for ARM template deployments and infrastructure automation rather than runtime secret operations.
def create_or_update(resource_group_name: str, vault_name: str, secret_name: str, parameters: SecretCreateOrUpdateParameters) -> Secret: ...
def update(resource_group_name: str, vault_name: str, secret_name: str, parameters: SecretPatchParameters) -> Secret: ...
def get(resource_group_name: str, vault_name: str, secret_name: str) -> Secret: ...
def list(resource_group_name: str, vault_name: str, top: Optional[int] = None) -> ItemPaged[Secret]: ...Managed HSM Operations
Complete lifecycle management for Azure Managed Hardware Security Module (HSM) instances, providing dedicated HSM resources with enhanced security and compliance capabilities, including geo-replication region management.
def begin_create_or_update(resource_group_name: str, name: str, parameters: ManagedHsm) -> LROPoller[ManagedHsm]: ...
def begin_update(resource_group_name: str, name: str, parameters: ManagedHsm) -> LROPoller[ManagedHsm]: ...
def begin_delete(resource_group_name: str, name: str) -> LROPoller[None]: ...
def get(resource_group_name: str, name: str) -> Optional[ManagedHsm]: ...
def list_by_resource_group(resource_group_name: str, top: Optional[int] = None) -> ItemPaged[ManagedHsm]: ...
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[ManagedHsm]: ...
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMGeoReplicatedRegion]: ...Private Endpoint Connections
Management of private endpoint connections for secure network access to Key Vault resources, enabling private connectivity from virtual networks without internet exposure.
def get(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str) -> PrivateEndpointConnection: ...
def put(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str, properties: PrivateEndpointConnection) -> PrivateEndpointConnection: ...
def begin_delete(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str) -> LROPoller[None]: ...
def list_by_resource(resource_group_name: str, vault_name: str) -> ItemPaged[PrivateEndpointConnection]: ...Private Link Resources
Discovery of private link resources supported for Key Vault resources, providing information about available private connectivity options.
def list_by_vault(resource_group_name: str, vault_name: str) -> PrivateLinkResourceListResult: ...Managed HSM Keys
Management operations for cryptographic keys within Managed HSM instances, providing hardware-backed key operations with FIPS 140-2 Level 3 compliance.
def create_if_not_exist(resource_group_name: str, name: str, key_name: str, parameters: ManagedHsmKeyCreateParameters) -> ManagedHsmKey: ...
def get(resource_group_name: str, name: str, key_name: str) -> ManagedHsmKey: ...
def list(resource_group_name: str, name: str) -> ItemPaged[ManagedHsmKey]: ...
def get_version(resource_group_name: str, name: str, key_name: str, key_version: str) -> ManagedHsmKey: ...
def list_versions(resource_group_name: str, name: str, key_name: str) -> ItemPaged[ManagedHsmKey]: ...MHSM Private Endpoint Connections
Management of private endpoint connections for Managed HSM instances, enabling secure network access without internet exposure.
def get(resource_group_name: str, name: str, private_endpoint_connection_name: str) -> MHSMPrivateEndpointConnection: ...
def put(resource_group_name: str, name: str, private_endpoint_connection_name: str, properties: MHSMPrivateEndpointConnection) -> MHSMPrivateEndpointConnection: ...
def begin_delete(resource_group_name: str, name: str, private_endpoint_connection_name: str) -> LROPoller[None]: ...
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMPrivateEndpointConnection]: ...MHSM Private Link Resources
Discovery of private link resources supported for Managed HSM instances, providing information about available private connectivity options for HSMs.
def list_by_mhsm_resource(resource_group_name: str, name: str) -> MHSMPrivateLinkResourceListResult: ...MHSM Regions
Management and discovery of geo-replication regions for Managed HSM instances, providing information about regional availability and replication status.
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMGeoReplicatedRegion]: ...Operations and Resource Discovery
Service discovery and available operations listing for the Azure Key Vault Management API, providing metadata about supported operations and capabilities.
def list() -> ItemPaged[Operation]: ...Key Types
Core Client Type
class KeyVaultManagementClient:
def __init__(
self,
credential: TokenCredential,
subscription_id: str,
base_url: Optional[str] = None,
**kwargs: Any
) -> None: ...
def close(self) -> None: ...
def __enter__(self) -> Self: ...
def __exit__(self, *exc_details: Any) -> None: ...Resource Models
class Vault:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
tags: Optional[Dict[str, str]]
properties: Optional[VaultProperties]
system_data: Optional[SystemData]
class VaultProperties:
tenant_id: str
sku: Sku
access_policies: Optional[List[AccessPolicyEntry]]
vault_uri: Optional[str]
enabled_for_deployment: Optional[bool]
enabled_for_disk_encryption: Optional[bool]
enabled_for_template_deployment: Optional[bool]
enable_soft_delete: Optional[bool]
soft_delete_retention_in_days: Optional[int]
enable_purge_protection: Optional[bool]
network_acls: Optional[NetworkRuleSet]
provisioning_state: Optional[VaultProvisioningState]
class ManagedHsm:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
sku: Optional[ManagedHsmSku]
tags: Optional[Dict[str, str]]
identity: Optional[ManagedServiceIdentity]
properties: Optional[ManagedHsmProperties]
system_data: Optional[SystemData]Authentication and Configuration
class AccessPolicyEntry:
tenant_id: str
object_id: str
application_id: Optional[str]
permissions: Permissions
class Permissions:
keys: Optional[List[KeyPermissions]]
secrets: Optional[List[SecretPermissions]]
certificates: Optional[List[CertificatePermissions]]
storage: Optional[List[StoragePermissions]]
class Sku:
family: SkuFamily
name: SkuNameAdditional Resource Types
class DeletedVault:
id: Optional[str]
name: Optional[str]
type: Optional[str]
properties: Optional[DeletedVaultProperties]
class DeletedVaultProperties:
vault_id: Optional[str]
location: Optional[str]
deletion_date: Optional[datetime]
scheduled_purge_date: Optional[datetime]
tags: Optional[Dict[str, str]]
class Resource:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
tags: Optional[Dict[str, str]]
class VaultCheckNameAvailabilityParameters:
name: str
type: str
class CheckNameAvailabilityResult:
name_available: Optional[bool]
reason: Optional[str]
message: Optional[str]Key and Secret Management Types
class Key:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
tags: Optional[Dict[str, str]]
properties: Optional[KeyProperties]
class KeyCreateParameters:
properties: KeyProperties
class KeyProperties:
attributes: Optional[KeyAttributes]
kty: Optional[str]
key_ops: Optional[List[str]]
key_size: Optional[int]
curve: Optional[str]
class Secret:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
tags: Optional[Dict[str, str]]
properties: Optional[SecretProperties]
class SecretCreateOrUpdateParameters:
properties: SecretProperties
class SecretPatchParameters:
properties: Optional[SecretProperties]
class SecretProperties:
value: Optional[str]
content_type: Optional[str]
attributes: Optional[SecretAttributes]Managed HSM Types
class ManagedHsmKey:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
tags: Optional[Dict[str, str]]
properties: Optional[ManagedHsmKeyProperties]
class ManagedHsmKeyCreateParameters:
properties: ManagedHsmKeyProperties
class ManagedHsmKeyProperties:
attributes: Optional[ManagedHsmKeyAttributes]
kty: Optional[str]
key_ops: Optional[List[str]]
key_size: Optional[int]
curve: Optional[str]
key_uri: Optional[str]
key_uri_with_version: Optional[str]Private Connectivity Types
class PrivateEndpointConnection:
id: Optional[str]
name: Optional[str]
type: Optional[str]
etag: Optional[str]
properties: Optional[PrivateEndpointConnectionProperties]
class PrivateLinkResourceListResult:
value: Optional[List[PrivateLinkResource]]
class PrivateLinkResource:
id: Optional[str]
name: Optional[str]
type: Optional[str]
group_id: Optional[str]
required_members: Optional[List[str]]
required_zone_names: Optional[List[str]]
class MHSMPrivateEndpointConnection:
id: Optional[str]
name: Optional[str]
type: Optional[str]
etag: Optional[str]
properties: Optional[MHSMPrivateEndpointConnectionProperties]
class MHSMPrivateLinkResourceListResult:
value: Optional[List[MHSMPrivateLinkResource]]
class MHSMPrivateLinkResource:
id: Optional[str]
name: Optional[str]
type: Optional[str]
group_id: Optional[str]
required_members: Optional[List[str]]
required_zone_names: Optional[List[str]]
class MHSMGeoReplicatedRegion:
name: Optional[str]
provisioning_state: Optional[str]
is_primary: Optional[bool]Operation Results
class LROPoller:
def result(self, timeout: Optional[float] = None) -> T: ...
def done(self) -> bool: ...
def wait(self, timeout: Optional[float] = None) -> None: ...
class ItemPaged:
def __iter__(self) -> Iterator[T]: ...
def by_page(self) -> Iterator[List[T]]: ...Error Handling
The client raises Azure-specific exceptions for different error conditions:
from azure.core.exceptions import (
HttpResponseError,
ResourceNotFoundError,
ResourceExistsError,
ClientAuthenticationError
)
try:
vault = client.vaults.get(resource_group_name, vault_name)
except ResourceNotFoundError:
print("Vault not found")
except ClientAuthenticationError:
print("Authentication failed")
except HttpResponseError as e:
print(f"HTTP error: {e.status_code} - {e.message}")Async Support
Full async support is available through the aio module:
from azure.mgmt.keyvault.aio import KeyVaultManagementClient
from azure.identity.aio import DefaultAzureCredential
async def manage_vault():
credential = DefaultAzureCredential()
async with KeyVaultManagementClient(credential, subscription_id) as client:
vault = await client.vaults.get(resource_group_name, vault_name)
print(f"Vault: {vault.name}")