or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

index.mdkey-management.mdmanaged-hsm.mdoperations.mdprivate-endpoints.mdsecret-management.mdvault-management.md

key-management.mddocs/

0
# Key Management
1


2
Management operations for cryptographic keys within Azure Key Vault through the Azure Resource Manager API. Provides key creation, versioning, metadata management, and rotation policy configuration for both software-protected and hardware-protected keys.
3


4
## Capabilities
5


6
### Key Creation
7


8
Create cryptographic keys with specified algorithms, key sizes, and security properties. Supports both software and hardware-backed keys with various cryptographic operations.
9


10
```python { .api }
11
def create_if_not_exist(
12
    resource_group_name: str,
13
    vault_name: str, 
14
    key_name: str,
15
    parameters: KeyCreateParameters
16
) -> Key:
17
    """
18
    Create the first version of a new key if it does not exist.
19
    
20
    Args:
21
        resource_group_name (str): The name of the resource group
22
        vault_name (str): The name of the key vault
23
        key_name (str): The name of the key to create
24
        parameters (KeyCreateParameters): The parameters to create a key
25
        
26
    Returns:
27
        Key: The created key resource
28
    """
29
```
30


31
### Key Retrieval
32


33
Retrieve specific keys or key versions, with support for getting the current version or accessing historical versions.
34


35
```python { .api }
36
def get(resource_group_name: str, vault_name: str, key_name: str) -> Key:
37
    """
38
    Get the current version of the specified key.
39
    
40
    Args:
41
        resource_group_name (str): The name of the resource group
42
        vault_name (str): The name of the key vault
43
        key_name (str): The name of the key to retrieve
44
        
45
    Returns:
46
        Key: The key resource
47
    """
48


49
def get_version(
50
    resource_group_name: str,
51
    vault_name: str,
52
    key_name: str, 
53
    key_version: str
54
) -> Key:
55
    """
56
    Get the specified version of the specified key.
57
    
58
    Args:
59
        resource_group_name (str): The name of the resource group
60
        vault_name (str): The name of the key vault
61
        key_name (str): The name of the key
62
        key_version (str): The version of the key
63
        
64
    Returns:
65
        Key: The specific key version
66
    """
67
```
68


69
### Key Listing
70


71
List keys within a vault or list all versions of a specific key with pagination support.
72


73
```python { .api }
74
def list(resource_group_name: str, vault_name: str) -> ItemPaged[Key]:
75
    """
76
    List keys in the specified key vault.
77
    
78
    Args:
79
        resource_group_name (str): The name of the resource group
80
        vault_name (str): The name of the key vault
81
        
82
    Returns:
83
        ItemPaged[Key]: Paginated list of keys
84
    """
85


86
def list_versions(
87
    resource_group_name: str,
88
    vault_name: str,
89
    key_name: str
90
) -> ItemPaged[Key]:
91
    """
92
    List versions of the specified key.
93
    
94
    Args:
95
        resource_group_name (str): The name of the resource group
96
        vault_name (str): The name of the key vault
97
        key_name (str): The name of the key
98
        
99
    Returns:
100
        ItemPaged[Key]: Paginated list of key versions
101
    """
102
```
103


104
## Usage Examples
105


106
### Creating Different Types of Keys
107


108
```python
109
from azure.mgmt.keyvault import KeyVaultManagementClient
110
from azure.mgmt.keyvault.models import (
111
    KeyCreateParameters, KeyProperties, KeyAttributes,
112
    JsonWebKeyType, JsonWebKeyOperation, JsonWebKeyCurveName
113
)
114
from azure.identity import DefaultAzureCredential
115


116
credential = DefaultAzureCredential()
117
client = KeyVaultManagementClient(credential, "subscription-id")
118


119
# Create RSA key for encryption/decryption
120
rsa_key_params = KeyCreateParameters(
121
    properties=KeyProperties(
122
        kty=JsonWebKeyType.RSA,
123
        key_size=2048,
124
        key_ops=[
125
            JsonWebKeyOperation.ENCRYPT,
126
            JsonWebKeyOperation.DECRYPT,
127
            JsonWebKeyOperation.SIGN,
128
            JsonWebKeyOperation.VERIFY
129
        ],
130
        attributes=KeyAttributes(
131
            enabled=True
132
        )
133
    )
134
)
135


136
rsa_key = client.keys.create_if_not_exist(
137
    "my-resource-group",
138
    "my-vault",
139
    "my-rsa-key",
140
    rsa_key_params
141
)
142
print(f"Created RSA key: {rsa_key.name}")
143


144
# Create Elliptic Curve key
145
ec_key_params = KeyCreateParameters(
146
    properties=KeyProperties(
147
        kty=JsonWebKeyType.EC,
148
        curve=JsonWebKeyCurveName.P_256,
149
        key_ops=[
150
            JsonWebKeyOperation.SIGN,
151
            JsonWebKeyOperation.VERIFY
152
        ],
153
        attributes=KeyAttributes(
154
            enabled=True,
155
            expires=1735689600  # Unix timestamp
156
        )
157
    )
158
)
159


160
ec_key = client.keys.create_if_not_exist(
161
    "my-resource-group", 
162
    "my-vault",
163
    "my-ec-key",
164
    ec_key_params
165
)
166
```
167


168
### Managing Key Versions
169


170
```python
171
# List all keys in vault
172
for key in client.keys.list("my-resource-group", "my-vault"):
173
    print(f"Key: {key.name}, Version: {key.properties.version}")
174


175
# Get current version of a key
176
current_key = client.keys.get("my-resource-group", "my-vault", "my-key")
177
print(f"Current version: {current_key.properties.version}")
178


179
# List all versions of a specific key
180
for key_version in client.keys.list_versions("my-resource-group", "my-vault", "my-key"):
181
    print(f"Version: {key_version.properties.version}")
182
    print(f"Created: {key_version.properties.attributes.created}")
183
    print(f"Enabled: {key_version.properties.attributes.enabled}")
184


185
# Get specific version
186
specific_version = client.keys.get_version(
187
    "my-resource-group",
188
    "my-vault", 
189
    "my-key",
190
    "version-id"
191
)
192
```
193


194
## Types
195


196
### Key Parameters
197


198
```python { .api }
199
class KeyCreateParameters:
200
    properties: KeyProperties
201
    tags: Optional[Dict[str, str]]
202


203
class KeyProperties:
204
    attributes: Optional[KeyAttributes]
205
    kty: Optional[JsonWebKeyType]
206
    key_ops: Optional[List[JsonWebKeyOperation]]
207
    key_size: Optional[int]
208
    curve: Optional[JsonWebKeyCurveName]
209
    release_policy: Optional[KeyReleasePolicy]
210
    rotation_policy: Optional[RotationPolicy]
211
```
212


213
### Key Resource
214


215
```python { .api }
216
class Key:
217
    id: Optional[str]
218
    name: Optional[str]
219
    type: Optional[str]
220
    location: Optional[str]
221
    tags: Optional[Dict[str, str]]
222
    properties: Optional[KeyProperties]
223


224
class KeyProperties:
225
    attributes: Optional[KeyAttributes]
226
    kty: Optional[JsonWebKeyType]
227
    key_ops: Optional[List[JsonWebKeyOperation]]
228
    key_size: Optional[int]
229
    curve: Optional[JsonWebKeyCurveName]
230
    key_uri: Optional[str]
231
    key_uri_with_version: Optional[str]
232
    version: Optional[str]
233
    release_policy: Optional[KeyReleasePolicy]
234
    rotation_policy: Optional[RotationPolicy]
235
```
236


237
### Key Attributes
238


239
```python { .api }
240
class KeyAttributes:
241
    enabled: Optional[bool]
242
    not_before: Optional[int]
243
    expires: Optional[int]
244
    created: Optional[int]
245
    updated: Optional[int]
246
    recovery_level: Optional[DeletionRecoveryLevel]
247
    exportable: Optional[bool]
248
```
249


250
### Key Rotation
251


252
```python { .api }
253
class RotationPolicy:
254
    attributes: Optional[KeyRotationPolicyAttributes]
255
    lifetime_actions: Optional[List[LifetimeAction]]
256


257
class KeyRotationPolicyAttributes:
258
    expires_in: Optional[str]
259
    created: Optional[int]
260
    updated: Optional[int]
261


262
class LifetimeAction:
263
    trigger: Optional[Trigger]
264
    action: Optional[Action]
265


266
class Trigger:
267
    time_after_create: Optional[str]
268
    time_before_expiry: Optional[str]
269


270
class Action:
271
    type: Optional[KeyRotationPolicyActionType]
272
```
273


274
### Key Release Policy
275


276
```python { .api }
277
class KeyReleasePolicy:
278
    content_type: Optional[str]
279
    data: Optional[bytes]
280
```
281


282
### Enumerations
283


284
```python { .api }
285
class JsonWebKeyType(str, Enum):
286
    EC = "EC"
287
    EC_HSM = "EC-HSM"
288
    RSA = "RSA"
289
    RSA_HSM = "RSA-HSM"
290
    OCT = "oct"
291
    OCT_HSM = "oct-HSM"
292


293
class JsonWebKeyOperation(str, Enum):
294
    ENCRYPT = "encrypt"
295
    DECRYPT = "decrypt"
296
    SIGN = "sign"
297
    VERIFY = "verify"
298
    WRAP_KEY = "wrapKey"
299
    UNWRAP_KEY = "unwrapKey"
300
    IMPORT = "import"
301
    RELEASE = "release"
302


303
class JsonWebKeyCurveName(str, Enum):
304
    P_256 = "P-256"
305
    P_384 = "P-384" 
306
    P_521 = "P-521"
307
    P_256K = "P-256K"
308


309
class KeyRotationPolicyActionType(str, Enum):
310
    ROTATE = "Rotate"
311
    NOTIFY = "Notify"
312


313
class DeletionRecoveryLevel(str, Enum):
314
    PURGEABLE = "Purgeable"
315
    RECOVERABLE = "Recoverable"
316
    RECOVERABLE_PROTECTED_SUBSCRIPTION = "Recoverable+ProtectedSubscription"
317
    RECOVERABLE_PURGEABLE = "Recoverable+Purgeable"
318
    CUSTOMIZED_RECOVERABLE = "CustomizedRecoverable"
319
    CUSTOMIZED_RECOVERABLE_PROTECTED_SUBSCRIPTION = "CustomizedRecoverable+ProtectedSubscription"
320
    CUSTOMIZED_RECOVERABLE_PURGEABLE = "CustomizedRecoverable+Purgeable"
321
```