0
# Azure Key Vault Management Client
1
2
Microsoft Azure Key Vault Management Client Library provides comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API. This library enables developers to create, configure, and manage Azure Key Vaults, access policies, keys, secrets, and Managed HSM instances with enterprise-grade security and compliance features.
3
4
## Package Information
5
6
- **Package Name**: azure-mgmt-keyvault
7
- **Language**: Python
8
- **Installation**: `pip install azure-mgmt-keyvault`
9
- **Requires Python**: >=3.9
10
11
## Core Imports
12
13
```python
14
from azure.mgmt.keyvault import KeyVaultManagementClient
15
from azure.identity import DefaultAzureCredential
16
```
17
18
Import models and enums:
19
20
```python
21
from azure.mgmt.keyvault.models import (
22
Vault, VaultCreateOrUpdateParameters, VaultProperties,
23
AccessPolicyEntry, Permissions,
24
ManagedHsm, Secret, Key
25
)
26
```
27
28
## Basic Usage
29
30
```python
31
from azure.mgmt.keyvault import KeyVaultManagementClient
32
from azure.identity import DefaultAzureCredential
33
from azure.mgmt.keyvault.models import (
34
VaultCreateOrUpdateParameters, VaultProperties, Sku, SkuName
35
)
36
37
# Initialize the client
38
credential = DefaultAzureCredential()
39
subscription_id = "your-subscription-id"
40
client = KeyVaultManagementClient(credential, subscription_id)
41
42
# Create a new key vault
43
vault_name = "my-key-vault"
44
resource_group_name = "my-resource-group"
45
location = "East US"
46
47
vault_properties = VaultProperties(
48
tenant_id="your-tenant-id",
49
sku=Sku(family="A", name=SkuName.STANDARD),
50
access_policies=[]
51
)
52
53
vault_params = VaultCreateOrUpdateParameters(
54
location=location,
55
properties=vault_properties
56
)
57
58
# Start the vault creation (Long-running operation)
59
poller = client.vaults.begin_create_or_update(
60
resource_group_name, vault_name, vault_params
61
)
62
vault = poller.result()
63
print(f"Created vault: {vault.name}")
64
65
# List all vaults in subscription
66
for vault in client.vaults.list_by_subscription():
67
print(f"Vault: {vault.name} in {vault.location}")
68
69
# Clean up resources
70
client.vaults.delete(resource_group_name, vault_name)
71
```
72
73
## Architecture
74
75
The Azure Key Vault Management Client follows Azure SDK patterns with a hierarchical structure:
76
77
- **KeyVaultManagementClient**: Main client providing access to all operation groups
78
- **Operation Groups**: Specialized classes for different resource types (vaults, keys, secrets, managed HSMs)
79
- **Models**: Data classes representing Azure resources and their properties
80
- **Long-Running Operations (LRO)**: Asynchronous operations with polling support for resource-intensive tasks
81
- **Authentication**: Integration with Azure Identity for credential management across different authentication flows
82
83
The client supports both synchronous and asynchronous patterns, with async versions available in the `aio` module. All operations follow Azure Resource Manager conventions with consistent parameter patterns and error handling.
84
85
## Capabilities
86
87
### Vault Management
88
89
Comprehensive Azure Key Vault lifecycle management including creation, configuration, access policy management, and deletion. Supports both basic and premium vault SKUs with advanced security features.
90
91
```python { .api }
92
def begin_create_or_update(resource_group_name: str, vault_name: str, parameters: VaultCreateOrUpdateParameters) -> LROPoller[Vault]: ...
93
def update(resource_group_name: str, vault_name: str, parameters: VaultPatchParameters) -> Vault: ...
94
def delete(resource_group_name: str, vault_name: str) -> None: ...
95
def get(resource_group_name: str, vault_name: str) -> Vault: ...
96
def update_access_policy(resource_group_name: str, vault_name: str, operation_kind: AccessPolicyUpdateKind, parameters: VaultAccessPolicyParameters) -> VaultAccessPolicyParameters: ...
97
def list_by_resource_group(resource_group_name: str, top: Optional[int] = None) -> ItemPaged[Vault]: ...
98
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[Vault]: ...
99
def list_deleted() -> ItemPaged[DeletedVault]: ...
100
def get_deleted(vault_name: str, location: str) -> DeletedVault: ...
101
def begin_purge_deleted(vault_name: str, location: str) -> LROPoller[None]: ...
102
def list(top: Optional[int] = None) -> ItemPaged[Resource]: ...
103
def check_name_availability(vault_name: VaultCheckNameAvailabilityParameters) -> CheckNameAvailabilityResult: ...
104
```
105
106
[Vault Management](./vault-management.md)
107
108
### Key Management
109
110
Management operations for cryptographic keys within Azure Key Vault, including key creation, versioning, and metadata management through the Azure Resource Manager API.
111
112
```python { .api }
113
def create_if_not_exist(resource_group_name: str, vault_name: str, key_name: str, parameters: KeyCreateParameters) -> Key: ...
114
def get(resource_group_name: str, vault_name: str, key_name: str) -> Key: ...
115
def list(resource_group_name: str, vault_name: str) -> ItemPaged[Key]: ...
116
def get_version(resource_group_name: str, vault_name: str, key_name: str, key_version: str) -> Key: ...
117
def list_versions(resource_group_name: str, vault_name: str, key_name: str) -> ItemPaged[Key]: ...
118
```
119
120
[Key Management](./key-management.md)
121
122
### Secret Management
123
124
ARM-level operations for managing secrets in Azure Key Vault, primarily intended for ARM template deployments and infrastructure automation rather than runtime secret operations.
125
126
```python { .api }
127
def create_or_update(resource_group_name: str, vault_name: str, secret_name: str, parameters: SecretCreateOrUpdateParameters) -> Secret: ...
128
def update(resource_group_name: str, vault_name: str, secret_name: str, parameters: SecretPatchParameters) -> Secret: ...
129
def get(resource_group_name: str, vault_name: str, secret_name: str) -> Secret: ...
130
def list(resource_group_name: str, vault_name: str, top: Optional[int] = None) -> ItemPaged[Secret]: ...
131
```
132
133
[Secret Management](./secret-management.md)
134
135
### Managed HSM Operations
136
137
Complete lifecycle management for Azure Managed Hardware Security Module (HSM) instances, providing dedicated HSM resources with enhanced security and compliance capabilities, including geo-replication region management.
138
139
```python { .api }
140
def begin_create_or_update(resource_group_name: str, name: str, parameters: ManagedHsm) -> LROPoller[ManagedHsm]: ...
141
def begin_update(resource_group_name: str, name: str, parameters: ManagedHsm) -> LROPoller[ManagedHsm]: ...
142
def begin_delete(resource_group_name: str, name: str) -> LROPoller[None]: ...
143
def get(resource_group_name: str, name: str) -> Optional[ManagedHsm]: ...
144
def list_by_resource_group(resource_group_name: str, top: Optional[int] = None) -> ItemPaged[ManagedHsm]: ...
145
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[ManagedHsm]: ...
146
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMGeoReplicatedRegion]: ...
147
```
148
149
[Managed HSM Operations](./managed-hsm.md)
150
151
### Private Endpoint Connections
152
153
Management of private endpoint connections for secure network access to Key Vault resources, enabling private connectivity from virtual networks without internet exposure.
154
155
```python { .api }
156
def get(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str) -> PrivateEndpointConnection: ...
157
def put(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str, properties: PrivateEndpointConnection) -> PrivateEndpointConnection: ...
158
def begin_delete(resource_group_name: str, vault_name: str, private_endpoint_connection_name: str) -> LROPoller[None]: ...
159
def list_by_resource(resource_group_name: str, vault_name: str) -> ItemPaged[PrivateEndpointConnection]: ...
160
```
161
162
[Private Endpoints](./private-endpoints.md)
163
164
### Private Link Resources
165
166
Discovery of private link resources supported for Key Vault resources, providing information about available private connectivity options.
167
168
```python { .api }
169
def list_by_vault(resource_group_name: str, vault_name: str) -> PrivateLinkResourceListResult: ...
170
```
171
172
### Managed HSM Keys
173
174
Management operations for cryptographic keys within Managed HSM instances, providing hardware-backed key operations with FIPS 140-2 Level 3 compliance.
175
176
```python { .api }
177
def create_if_not_exist(resource_group_name: str, name: str, key_name: str, parameters: ManagedHsmKeyCreateParameters) -> ManagedHsmKey: ...
178
def get(resource_group_name: str, name: str, key_name: str) -> ManagedHsmKey: ...
179
def list(resource_group_name: str, name: str) -> ItemPaged[ManagedHsmKey]: ...
180
def get_version(resource_group_name: str, name: str, key_name: str, key_version: str) -> ManagedHsmKey: ...
181
def list_versions(resource_group_name: str, name: str, key_name: str) -> ItemPaged[ManagedHsmKey]: ...
182
```
183
184
### MHSM Private Endpoint Connections
185
186
Management of private endpoint connections for Managed HSM instances, enabling secure network access without internet exposure.
187
188
```python { .api }
189
def get(resource_group_name: str, name: str, private_endpoint_connection_name: str) -> MHSMPrivateEndpointConnection: ...
190
def put(resource_group_name: str, name: str, private_endpoint_connection_name: str, properties: MHSMPrivateEndpointConnection) -> MHSMPrivateEndpointConnection: ...
191
def begin_delete(resource_group_name: str, name: str, private_endpoint_connection_name: str) -> LROPoller[None]: ...
192
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMPrivateEndpointConnection]: ...
193
```
194
195
### MHSM Private Link Resources
196
197
Discovery of private link resources supported for Managed HSM instances, providing information about available private connectivity options for HSMs.
198
199
```python { .api }
200
def list_by_mhsm_resource(resource_group_name: str, name: str) -> MHSMPrivateLinkResourceListResult: ...
201
```
202
203
### MHSM Regions
204
205
Management and discovery of geo-replication regions for Managed HSM instances, providing information about regional availability and replication status.
206
207
```python { .api }
208
def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMGeoReplicatedRegion]: ...
209
```
210
211
### Operations and Resource Discovery
212
213
Service discovery and available operations listing for the Azure Key Vault Management API, providing metadata about supported operations and capabilities.
214
215
```python { .api }
216
def list() -> ItemPaged[Operation]: ...
217
```
218
219
[Operations](./operations.md)
220
221
## Key Types
222
223
### Core Client Type
224
225
```python { .api }
226
class KeyVaultManagementClient:
227
def __init__(
228
self,
229
credential: TokenCredential,
230
subscription_id: str,
231
base_url: Optional[str] = None,
232
**kwargs: Any
233
) -> None: ...
234
235
def close(self) -> None: ...
236
def __enter__(self) -> Self: ...
237
def __exit__(self, *exc_details: Any) -> None: ...
238
```
239
240
### Resource Models
241
242
```python { .api }
243
class Vault:
244
id: Optional[str]
245
name: Optional[str]
246
type: Optional[str]
247
location: Optional[str]
248
tags: Optional[Dict[str, str]]
249
properties: Optional[VaultProperties]
250
system_data: Optional[SystemData]
251
252
class VaultProperties:
253
tenant_id: str
254
sku: Sku
255
access_policies: Optional[List[AccessPolicyEntry]]
256
vault_uri: Optional[str]
257
enabled_for_deployment: Optional[bool]
258
enabled_for_disk_encryption: Optional[bool]
259
enabled_for_template_deployment: Optional[bool]
260
enable_soft_delete: Optional[bool]
261
soft_delete_retention_in_days: Optional[int]
262
enable_purge_protection: Optional[bool]
263
network_acls: Optional[NetworkRuleSet]
264
provisioning_state: Optional[VaultProvisioningState]
265
266
class ManagedHsm:
267
id: Optional[str]
268
name: Optional[str]
269
type: Optional[str]
270
location: Optional[str]
271
sku: Optional[ManagedHsmSku]
272
tags: Optional[Dict[str, str]]
273
identity: Optional[ManagedServiceIdentity]
274
properties: Optional[ManagedHsmProperties]
275
system_data: Optional[SystemData]
276
```
277
278
### Authentication and Configuration
279
280
```python { .api }
281
class AccessPolicyEntry:
282
tenant_id: str
283
object_id: str
284
application_id: Optional[str]
285
permissions: Permissions
286
287
class Permissions:
288
keys: Optional[List[KeyPermissions]]
289
secrets: Optional[List[SecretPermissions]]
290
certificates: Optional[List[CertificatePermissions]]
291
storage: Optional[List[StoragePermissions]]
292
293
class Sku:
294
family: SkuFamily
295
name: SkuName
296
```
297
298
### Additional Resource Types
299
300
```python { .api }
301
class DeletedVault:
302
id: Optional[str]
303
name: Optional[str]
304
type: Optional[str]
305
properties: Optional[DeletedVaultProperties]
306
307
class DeletedVaultProperties:
308
vault_id: Optional[str]
309
location: Optional[str]
310
deletion_date: Optional[datetime]
311
scheduled_purge_date: Optional[datetime]
312
tags: Optional[Dict[str, str]]
313
314
class Resource:
315
id: Optional[str]
316
name: Optional[str]
317
type: Optional[str]
318
location: Optional[str]
319
tags: Optional[Dict[str, str]]
320
321
class VaultCheckNameAvailabilityParameters:
322
name: str
323
type: str
324
325
class CheckNameAvailabilityResult:
326
name_available: Optional[bool]
327
reason: Optional[str]
328
message: Optional[str]
329
```
330
331
### Key and Secret Management Types
332
333
```python { .api }
334
class Key:
335
id: Optional[str]
336
name: Optional[str]
337
type: Optional[str]
338
location: Optional[str]
339
tags: Optional[Dict[str, str]]
340
properties: Optional[KeyProperties]
341
342
class KeyCreateParameters:
343
properties: KeyProperties
344
345
class KeyProperties:
346
attributes: Optional[KeyAttributes]
347
kty: Optional[str]
348
key_ops: Optional[List[str]]
349
key_size: Optional[int]
350
curve: Optional[str]
351
352
class Secret:
353
id: Optional[str]
354
name: Optional[str]
355
type: Optional[str]
356
location: Optional[str]
357
tags: Optional[Dict[str, str]]
358
properties: Optional[SecretProperties]
359
360
class SecretCreateOrUpdateParameters:
361
properties: SecretProperties
362
363
class SecretPatchParameters:
364
properties: Optional[SecretProperties]
365
366
class SecretProperties:
367
value: Optional[str]
368
content_type: Optional[str]
369
attributes: Optional[SecretAttributes]
370
```
371
372
### Managed HSM Types
373
374
```python { .api }
375
class ManagedHsmKey:
376
id: Optional[str]
377
name: Optional[str]
378
type: Optional[str]
379
location: Optional[str]
380
tags: Optional[Dict[str, str]]
381
properties: Optional[ManagedHsmKeyProperties]
382
383
class ManagedHsmKeyCreateParameters:
384
properties: ManagedHsmKeyProperties
385
386
class ManagedHsmKeyProperties:
387
attributes: Optional[ManagedHsmKeyAttributes]
388
kty: Optional[str]
389
key_ops: Optional[List[str]]
390
key_size: Optional[int]
391
curve: Optional[str]
392
key_uri: Optional[str]
393
key_uri_with_version: Optional[str]
394
```
395
396
### Private Connectivity Types
397
398
```python { .api }
399
class PrivateEndpointConnection:
400
id: Optional[str]
401
name: Optional[str]
402
type: Optional[str]
403
etag: Optional[str]
404
properties: Optional[PrivateEndpointConnectionProperties]
405
406
class PrivateLinkResourceListResult:
407
value: Optional[List[PrivateLinkResource]]
408
409
class PrivateLinkResource:
410
id: Optional[str]
411
name: Optional[str]
412
type: Optional[str]
413
group_id: Optional[str]
414
required_members: Optional[List[str]]
415
required_zone_names: Optional[List[str]]
416
417
class MHSMPrivateEndpointConnection:
418
id: Optional[str]
419
name: Optional[str]
420
type: Optional[str]
421
etag: Optional[str]
422
properties: Optional[MHSMPrivateEndpointConnectionProperties]
423
424
class MHSMPrivateLinkResourceListResult:
425
value: Optional[List[MHSMPrivateLinkResource]]
426
427
class MHSMPrivateLinkResource:
428
id: Optional[str]
429
name: Optional[str]
430
type: Optional[str]
431
group_id: Optional[str]
432
required_members: Optional[List[str]]
433
required_zone_names: Optional[List[str]]
434
435
class MHSMGeoReplicatedRegion:
436
name: Optional[str]
437
provisioning_state: Optional[str]
438
is_primary: Optional[bool]
439
```
440
441
### Operation Results
442
443
```python { .api }
444
class LROPoller:
445
def result(self, timeout: Optional[float] = None) -> T: ...
446
def done(self) -> bool: ...
447
def wait(self, timeout: Optional[float] = None) -> None: ...
448
449
class ItemPaged:
450
def __iter__(self) -> Iterator[T]: ...
451
def by_page(self) -> Iterator[List[T]]: ...
452
```
453
454
## Error Handling
455
456
The client raises Azure-specific exceptions for different error conditions:
457
458
```python
459
from azure.core.exceptions import (
460
HttpResponseError,
461
ResourceNotFoundError,
462
ResourceExistsError,
463
ClientAuthenticationError
464
)
465
466
try:
467
vault = client.vaults.get(resource_group_name, vault_name)
468
except ResourceNotFoundError:
469
print("Vault not found")
470
except ClientAuthenticationError:
471
print("Authentication failed")
472
except HttpResponseError as e:
473
print(f"HTTP error: {e.status_code} - {e.message}")
474
```
475
476
## Async Support
477
478
Full async support is available through the `aio` module:
479
480
```python
481
from azure.mgmt.keyvault.aio import KeyVaultManagementClient
482
from azure.identity.aio import DefaultAzureCredential
483
484
async def manage_vault():
485
credential = DefaultAzureCredential()
486
async with KeyVaultManagementClient(credential, subscription_id) as client:
487
vault = await client.vaults.get(resource_group_name, vault_name)
488
print(f"Vault: {vault.name}")
489
```