0
# Vault Management
1
2
Comprehensive Azure Key Vault lifecycle management operations including creation, configuration, access policy management, deletion, and soft delete recovery. Supports both Standard and Premium vault SKUs with advanced security features, network access controls, and compliance capabilities.
3
4
## Capabilities
5
6
### Vault Creation and Updates
7
8
Creates new key vaults or updates existing vault configurations with support for long-running operations, SKU selection, access policies, network rules, and security settings.
9
10
```python { .api }
11
def begin_create_or_update(
12
resource_group_name: str,
13
vault_name: str,
14
parameters: VaultCreateOrUpdateParameters
15
) -> LROPoller[Vault]:
16
"""
17
Create or update a key vault in the specified subscription.
18
19
Args:
20
resource_group_name (str): The name of the Resource Group to which the server belongs
21
vault_name (str): Name of the key vault
22
parameters (VaultCreateOrUpdateParameters): Parameters to create or update the vault
23
24
Returns:
25
LROPoller[Vault]: Long-running operation poller for the vault creation/update
26
"""
27
28
def update(
29
resource_group_name: str,
30
vault_name: str,
31
parameters: VaultPatchParameters
32
) -> Vault:
33
"""
34
Update a key vault in the specified subscription.
35
36
Args:
37
resource_group_name (str): The name of the Resource Group to which the server belongs
38
vault_name (str): Name of the key vault
39
parameters (VaultPatchParameters): Parameters to patch the vault
40
41
Returns:
42
Vault: The updated vault resource
43
"""
44
```
45
46
### Vault Retrieval and Listing
47
48
Retrieve individual vaults or list vaults within resource groups or subscriptions with optional filtering and pagination support.
49
50
```python { .api }
51
def get(resource_group_name: str, vault_name: str) -> Vault:
52
"""
53
Get the specified Azure key vault.
54
55
Args:
56
resource_group_name (str): The name of the Resource Group to which the vault belongs
57
vault_name (str): The name of the key vault
58
59
Returns:
60
Vault: The vault resource
61
"""
62
63
def list_by_resource_group(
64
resource_group_name: str,
65
top: Optional[int] = None
66
) -> ItemPaged[Vault]:
67
"""
68
List vaults within a specified resource group.
69
70
Args:
71
resource_group_name (str): The name of the Resource Group to which the vault belongs
72
top (int, optional): Maximum number of results to return
73
74
Returns:
75
ItemPaged[Vault]: Paginated list of vaults
76
"""
77
78
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[Vault]:
79
"""
80
List vaults associated with the subscription.
81
82
Args:
83
top (int, optional): Maximum number of results to return
84
85
Returns:
86
ItemPaged[Vault]: Paginated list of vaults
87
"""
88
89
def list(top: Optional[int] = None) -> ItemPaged[Resource]:
90
"""
91
List vaults associated with the subscription using resource API.
92
93
Args:
94
top (int, optional): Maximum number of results to return
95
96
Returns:
97
ItemPaged[Resource]: Paginated list of vault resources
98
"""
99
```
100
101
### Vault Deletion and Recovery
102
103
Delete vaults with soft delete support, list and retrieve deleted vaults, and permanently purge vaults when needed.
104
105
```python { .api }
106
def delete(resource_group_name: str, vault_name: str) -> None:
107
"""
108
Delete the specified Azure key vault.
109
110
Args:
111
resource_group_name (str): The name of the Resource Group to which the vault belongs
112
vault_name (str): The name of the key vault to delete
113
"""
114
115
def list_deleted() -> ItemPaged[DeletedVault]:
116
"""
117
Get information about deleted vaults in a subscription.
118
119
Returns:
120
ItemPaged[DeletedVault]: Paginated list of deleted vaults
121
"""
122
123
def get_deleted(vault_name: str, location: str) -> DeletedVault:
124
"""
125
Get the deleted Azure key vault.
126
127
Args:
128
vault_name (str): The name of the key vault
129
location (str): The location of the deleted vault
130
131
Returns:
132
DeletedVault: The deleted vault information
133
"""
134
135
def begin_purge_deleted(vault_name: str, location: str) -> LROPoller[None]:
136
"""
137
Permanently delete the specified vault. This action cannot be undone.
138
139
Args:
140
vault_name (str): The name of the key vault to purge
141
location (str): The location of the deleted vault
142
143
Returns:
144
LROPoller[None]: Long-running operation poller for the purge operation
145
"""
146
```
147
148
### Access Policy Management
149
150
Manage access policies for key vault resources, controlling permissions for keys, secrets, certificates, and storage accounts.
151
152
```python { .api }
153
def update_access_policy(
154
resource_group_name: str,
155
vault_name: str,
156
operation_kind: AccessPolicyUpdateKind,
157
parameters: VaultAccessPolicyParameters
158
) -> VaultAccessPolicyParameters:
159
"""
160
Update access policies in a key vault in the specified subscription.
161
162
Args:
163
resource_group_name (str): The name of the Resource Group to which the vault belongs
164
vault_name (str): Name of the key vault
165
operation_kind (AccessPolicyUpdateKind): Name of the operation (add, replace, remove)
166
parameters (VaultAccessPolicyParameters): Access policy to update
167
168
Returns:
169
VaultAccessPolicyParameters: The updated access policy parameters
170
"""
171
```
172
173
### Name Availability
174
175
Check availability of vault names before creation to avoid naming conflicts.
176
177
```python { .api }
178
def check_name_availability(vault_name: VaultCheckNameAvailabilityParameters) -> CheckNameAvailabilityResult:
179
"""
180
Check that the vault name is valid and not already in use.
181
182
Args:
183
vault_name (VaultCheckNameAvailabilityParameters): The name of the key vault to check
184
185
Returns:
186
CheckNameAvailabilityResult: The name availability result
187
"""
188
```
189
190
## Usage Examples
191
192
### Creating a Key Vault with Access Policies
193
194
```python
195
from azure.mgmt.keyvault import KeyVaultManagementClient
196
from azure.mgmt.keyvault.models import (
197
VaultCreateOrUpdateParameters, VaultProperties,
198
AccessPolicyEntry, Permissions, Sku, SkuName,
199
KeyPermissions, SecretPermissions
200
)
201
from azure.identity import DefaultAzureCredential
202
203
credential = DefaultAzureCredential()
204
client = KeyVaultManagementClient(credential, "subscription-id")
205
206
# Define access policy for a user
207
access_policy = AccessPolicyEntry(
208
tenant_id="tenant-id",
209
object_id="user-object-id",
210
permissions=Permissions(
211
keys=[KeyPermissions.GET, KeyPermissions.LIST, KeyPermissions.CREATE],
212
secrets=[SecretPermissions.GET, SecretPermissions.LIST, SecretPermissions.SET]
213
)
214
)
215
216
# Create vault parameters
217
vault_properties = VaultProperties(
218
tenant_id="tenant-id",
219
sku=Sku(family="A", name=SkuName.STANDARD),
220
access_policies=[access_policy],
221
enabled_for_deployment=True,
222
enabled_for_template_deployment=True,
223
enable_soft_delete=True,
224
soft_delete_retention_in_days=90
225
)
226
227
vault_params = VaultCreateOrUpdateParameters(
228
location="East US",
229
properties=vault_properties
230
)
231
232
# Create the vault
233
poller = client.vaults.begin_create_or_update(
234
"my-resource-group",
235
"my-vault",
236
vault_params
237
)
238
vault = poller.result()
239
print(f"Created vault: {vault.name} at {vault.properties.vault_uri}")
240
```
241
242
### Managing Soft-Deleted Vaults
243
244
```python
245
# List all deleted vaults
246
for deleted_vault in client.vaults.list_deleted():
247
print(f"Deleted vault: {deleted_vault.name} in {deleted_vault.properties.location}")
248
print(f"Deletion date: {deleted_vault.properties.deletion_date}")
249
print(f"Scheduled purge: {deleted_vault.properties.scheduled_purge_date}")
250
251
# Get specific deleted vault
252
deleted_vault = client.vaults.get_deleted("my-vault", "East US")
253
print(f"Vault {deleted_vault.name} was deleted on {deleted_vault.properties.deletion_date}")
254
255
# Permanently purge a vault (cannot be undone)
256
purge_poller = client.vaults.begin_purge_deleted("my-vault", "East US")
257
purge_poller.wait()
258
print("Vault permanently purged")
259
```
260
261
### Updating Access Policies
262
263
```python
264
from azure.mgmt.keyvault.models import (
265
VaultAccessPolicyParameters, VaultAccessPolicyProperties,
266
AccessPolicyUpdateKind
267
)
268
269
# Add new access policy
270
new_policy = AccessPolicyEntry(
271
tenant_id="tenant-id",
272
object_id="new-user-object-id",
273
permissions=Permissions(
274
secrets=[SecretPermissions.GET, SecretPermissions.LIST]
275
)
276
)
277
278
access_policy_params = VaultAccessPolicyParameters(
279
properties=VaultAccessPolicyProperties(
280
access_policies=[new_policy]
281
)
282
)
283
284
client.vaults.update_access_policy(
285
"my-resource-group",
286
"my-vault",
287
AccessPolicyUpdateKind.ADD,
288
access_policy_params
289
)
290
```
291
292
## Types
293
294
### Request Parameters
295
296
```python { .api }
297
class VaultCreateOrUpdateParameters:
298
location: str
299
tags: Optional[Dict[str, str]]
300
properties: VaultProperties
301
302
class VaultPatchParameters:
303
tags: Optional[Dict[str, str]]
304
properties: Optional[VaultPatchProperties]
305
306
class VaultCheckNameAvailabilityParameters:
307
name: str
308
type: str = "Microsoft.KeyVault/vaults"
309
```
310
311
### Vault Properties
312
313
```python { .api }
314
class VaultProperties:
315
tenant_id: str
316
sku: Sku
317
access_policies: Optional[List[AccessPolicyEntry]]
318
vault_uri: Optional[str]
319
enabled_for_deployment: Optional[bool]
320
enabled_for_disk_encryption: Optional[bool]
321
enabled_for_template_deployment: Optional[bool]
322
enable_soft_delete: Optional[bool]
323
soft_delete_retention_in_days: Optional[int]
324
enable_purge_protection: Optional[bool]
325
network_acls: Optional[NetworkRuleSet]
326
provisioning_state: Optional[VaultProvisioningState]
327
create_mode: Optional[CreateMode]
328
329
class VaultPatchProperties:
330
tenant_id: Optional[str]
331
sku: Optional[Sku]
332
access_policies: Optional[List[AccessPolicyEntry]]
333
enabled_for_deployment: Optional[bool]
334
enabled_for_disk_encryption: Optional[bool]
335
enabled_for_template_deployment: Optional[bool]
336
enable_soft_delete: Optional[bool]
337
soft_delete_retention_in_days: Optional[int]
338
enable_purge_protection: Optional[bool]
339
network_acls: Optional[NetworkRuleSet]
340
create_mode: Optional[CreateMode]
341
```
342
343
### Deleted Vault Information
344
345
```python { .api }
346
class DeletedVault:
347
id: Optional[str]
348
name: Optional[str]
349
type: Optional[str]
350
properties: Optional[DeletedVaultProperties]
351
352
class DeletedVaultProperties:
353
vault_id: Optional[str]
354
location: Optional[str]
355
deletion_date: Optional[datetime]
356
scheduled_purge_date: Optional[datetime]
357
tags: Optional[Dict[str, str]]
358
purge_protection_enabled: Optional[bool]
359
```
360
361
### Network and Security
362
363
```python { .api }
364
class NetworkRuleSet:
365
bypass: Optional[NetworkRuleBypassOptions]
366
default_action: Optional[NetworkRuleAction]
367
ip_rules: Optional[List[IPRule]]
368
virtual_network_rules: Optional[List[VirtualNetworkRule]]
369
370
class IPRule:
371
value: str
372
373
class VirtualNetworkRule:
374
id: str
375
ignore_missing_vnet_service_endpoint: Optional[bool]
376
```
377
378
### Enumerations
379
380
```python { .api }
381
class AccessPolicyUpdateKind(str, Enum):
382
ADD = "add"
383
REPLACE = "replace"
384
REMOVE = "remove"
385
386
class VaultProvisioningState(str, Enum):
387
SUCCEEDED = "Succeeded"
388
REGISTER_RESOURCE_PROVIDER = "RegisteringResourceProvider"
389
390
class CreateMode(str, Enum):
391
RECOVER = "recover"
392
DEFAULT = "default"
393
394
class NetworkRuleAction(str, Enum):
395
ALLOW = "Allow"
396
DENY = "Deny"
397
398
class NetworkRuleBypassOptions(str, Enum):
399
AZURE_SERVICES = "AzureServices"
400
NONE = "None"
401
```