or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

index.mdkey-management.mdmanaged-hsm.mdoperations.mdprivate-endpoints.mdsecret-management.mdvault-management.md

secret-management.mddocs/

0
# Secret Management
1


2
ARM-level operations for managing secrets in Azure Key Vault, primarily intended for ARM template deployments and infrastructure automation rather than runtime secret operations. For runtime secret operations, use the Azure Key Vault data-plane SDK.
3


4
## Capabilities
5


6
### Secret Creation and Updates
7


8
Create or update secrets within a key vault using ARM deployment patterns. These operations are designed for infrastructure-as-code scenarios.
9


10
```python { .api }
11
def create_or_update(
12
    resource_group_name: str,
13
    vault_name: str,
14
    secret_name: str, 
15
    parameters: SecretCreateOrUpdateParameters
16
) -> Secret:
17
    """
18
    Create or update a secret in a key vault.
19
    Note: This operation is intended for ARM deployments. 
20
    For runtime operations, use the data-plane REST service.
21
    
22
    Args:
23
        resource_group_name (str): The name of the resource group
24
        vault_name (str): The name of the key vault
25
        secret_name (str): The name of the secret
26
        parameters (SecretCreateOrUpdateParameters): Parameters to create or update the secret
27
        
28
    Returns:
29
        Secret: The created or updated secret
30
    """
31


32
def update(
33
    resource_group_name: str,
34
    vault_name: str,
35
    secret_name: str,
36
    parameters: SecretPatchParameters
37
) -> Secret:
38
    """
39
    Update a secret in the specified subscription.
40
    
41
    Args:
42
        resource_group_name (str): The name of the resource group
43
        vault_name (str): The name of the key vault
44
        secret_name (str): The name of the secret
45
        parameters (SecretPatchParameters): Parameters to patch the secret
46
        
47
    Returns:
48
        Secret: The updated secret
49
    """
50
```
51


52
### Secret Retrieval
53


54
Get individual secrets or list secrets within a vault for management and monitoring purposes.
55


56
```python { .api }
57
def get(resource_group_name: str, vault_name: str, secret_name: str) -> Secret:
58
    """
59
    Get the specified secret.
60
    
61
    Args:
62
        resource_group_name (str): The name of the resource group
63
        vault_name (str): The name of the key vault
64
        secret_name (str): The name of the secret
65
        
66
    Returns:
67
        Secret: The secret resource
68
    """
69


70
def list(
71
    resource_group_name: str,
72
    vault_name: str,
73
    top: Optional[int] = None
74
) -> ItemPaged[Secret]:
75
    """
76
    Get information about secrets in a vault.
77
    
78
    Args:
79
        resource_group_name (str): The name of the resource group
80
        vault_name (str): The name of the key vault
81
        top (int, optional): Maximum number of results to return
82
        
83
    Returns:
84
        ItemPaged[Secret]: Paginated list of secrets
85
    """
86
```
87


88
## Usage Examples
89


90
### Creating Secrets for ARM Deployments
91


92
```python
93
from azure.mgmt.keyvault import KeyVaultManagementClient
94
from azure.mgmt.keyvault.models import (
95
    SecretCreateOrUpdateParameters, SecretProperties, SecretAttributes
96
)
97
from azure.identity import DefaultAzureCredential
98


99
credential = DefaultAzureCredential()
100
client = KeyVaultManagementClient(credential, "subscription-id")
101


102
# Create a secret (for ARM deployments)
103
secret_params = SecretCreateOrUpdateParameters(
104
    properties=SecretProperties(
105
        value="my-secret-value",
106
        content_type="text/plain",
107
        attributes=SecretAttributes(
108
            enabled=True
109
        )
110
    ),
111
    tags={"environment": "production", "application": "webapp"}
112
)
113


114
secret = client.secrets.create_or_update(
115
    "my-resource-group",
116
    "my-vault", 
117
    "my-secret",
118
    secret_params
119
)
120
print(f"Created secret: {secret.name}")
121
```
122


123
### Listing and Managing Secrets
124


125
```python
126
# List all secrets in vault
127
for secret in client.secrets.list("my-resource-group", "my-vault"):
128
    print(f"Secret: {secret.name}")
129
    print(f"Content Type: {secret.properties.content_type}")
130
    print(f"Enabled: {secret.properties.attributes.enabled}")
131


132
# Get specific secret metadata
133
secret = client.secrets.get("my-resource-group", "my-vault", "my-secret")
134
print(f"Secret URI: {secret.properties.secret_uri}")
135
print(f"Version: {secret.properties.version}")
136


137
# Update secret properties
138
from azure.mgmt.keyvault.models import SecretPatchParameters, SecretPatchProperties
139


140
patch_params = SecretPatchParameters(
141
    properties=SecretPatchProperties(
142
        content_type="application/json",
143
        attributes=SecretAttributes(
144
            enabled=False
145
        )
146
    )
147
)
148


149
updated_secret = client.secrets.update(
150
    "my-resource-group",
151
    "my-vault",
152
    "my-secret", 
153
    patch_params
154
)
155
```
156


157
## Types
158


159
### Secret Parameters
160


161
```python { .api }
162
class SecretCreateOrUpdateParameters:
163
    properties: SecretProperties
164
    tags: Optional[Dict[str, str]]
165


166
class SecretPatchParameters:
167
    properties: Optional[SecretPatchProperties]
168
    tags: Optional[Dict[str, str]]
169
```
170


171
### Secret Properties
172


173
```python { .api }
174
class SecretProperties:
175
    value: Optional[str]
176
    content_type: Optional[str]
177
    attributes: Optional[SecretAttributes]
178


179
class SecretPatchProperties:
180
    value: Optional[str]
181
    content_type: Optional[str]
182
    attributes: Optional[SecretAttributes]
183
```
184


185
### Secret Resource
186


187
```python { .api }
188
class Secret:
189
    id: Optional[str]
190
    name: Optional[str]
191
    type: Optional[str]
192
    location: Optional[str]
193
    tags: Optional[Dict[str, str]]
194
    properties: Optional[SecretProperties]
195


196
class SecretProperties:
197
    value: Optional[str]
198
    secret_uri: Optional[str]
199
    secret_uri_with_version: Optional[str]
200
    version: Optional[str]
201
    content_type: Optional[str]
202
    attributes: Optional[SecretAttributes]
203
```
204


205
### Secret Attributes
206


207
```python { .api }
208
class SecretAttributes:
209
    enabled: Optional[bool]
210
    not_before: Optional[int]
211
    expires: Optional[int]
212
    created: Optional[int]
213
    updated: Optional[int]
214
    recovery_level: Optional[DeletionRecoveryLevel]
215
```
216


217
### List Results
218


219
```python { .api }
220
class SecretListResult:
221
    value: Optional[List[Secret]]
222
    next_link: Optional[str]
223
```
224


225
## Important Notes
226


227
### ARM vs Data-Plane Operations
228


229
This secret management API is part of the Azure Resource Manager (ARM) control plane and is primarily designed for:
230


231
- ARM template deployments
232
- Infrastructure-as-code scenarios  
233
- Administrative secret management
234
- Monitoring and compliance
235


236
For runtime secret operations (retrieving secret values for applications), use the Azure Key Vault data-plane SDK:
237


238
```python
239
# For runtime secret operations, use data-plane SDK instead:
240
from azure.keyvault.secrets import SecretClient
241


242
secret_client = SecretClient(
243
    vault_url="https://my-vault.vault.azure.net/",
244
    credential=credential
245
)
246


247
# Runtime secret retrieval
248
secret_value = secret_client.get_secret("my-secret").value
249
```
250


251
### Security Considerations
252


253
- Secret values are not returned in list operations for security reasons
254
- The ARM API is not intended for high-frequency secret retrieval
255
- Use appropriate access policies and authentication for secret management
256
- Consider using Managed Identity for service-to-service authentication