CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-azure-mgmt-keyvault

Microsoft Azure Key Vault Management Client Library for Python providing comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API.

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

managed-hsm.mddocs/

Managed HSM Operations

Complete lifecycle management for Azure Managed Hardware Security Module (HSM) instances, providing dedicated HSM resources with enhanced security, compliance capabilities, and hardware-backed cryptographic operations. Managed HSMs offer FIPS 140-2 Level 3 validated security for high-value cryptographic workloads.

Capabilities

HSM Creation and Updates

Create new Managed HSM instances or update existing configurations with support for long-running operations, geo-replication, and advanced security settings.

def begin_create_or_update(
    resource_group_name: str,
    name: str,
    parameters: ManagedHsm
) -> LROPoller[ManagedHsm]:
    """
    Create or update a managed HSM Pool in the specified subscription.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM Pool
        parameters (ManagedHsm): Parameters to create or update the managed HSM
        
    Returns:
        LROPoller[ManagedHsm]: Long-running operation poller for HSM creation/update
    """

def begin_update(
    resource_group_name: str,
    name: str,
    parameters: ManagedHsm
) -> LROPoller[ManagedHsm]:
    """
    Update a managed HSM Pool in the specified subscription.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM Pool
        parameters (ManagedHsm): Parameters to update the managed HSM
        
    Returns:
        LROPoller[ManagedHsm]: Long-running operation poller for HSM update
    """

HSM Retrieval and Listing

Retrieve individual Managed HSM instances or list HSMs within resource groups or subscriptions.

def get(resource_group_name: str, name: str) -> Optional[ManagedHsm]:
    """
    Get the specified managed HSM Pool.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM Pool
        
    Returns:
        Optional[ManagedHsm]: The managed HSM resource, or None if not found
    """

def list_by_resource_group(
    resource_group_name: str,
    top: Optional[int] = None
) -> ItemPaged[ManagedHsm]:
    """
    List managed HSM Pools within a resource group.
    
    Args:
        resource_group_name (str): Name of the resource group
        top (int, optional): Maximum number of results to return
        
    Returns:
        ItemPaged[ManagedHsm]: Paginated list of managed HSMs
    """

def list_by_subscription(top: Optional[int] = None) -> ItemPaged[ManagedHsm]:
    """
    List managed HSM Pools associated with the subscription.
    
    Args:
        top (int, optional): Maximum number of results to return
        
    Returns:
        ItemPaged[ManagedHsm]: Paginated list of managed HSMs
    """

HSM Deletion and Recovery

Delete Managed HSM instances with soft delete support, and permanently purge when needed.

def begin_delete(resource_group_name: str, name: str) -> LROPoller[None]:
    """
    Delete the specified managed HSM Pool.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM Pool
        
    Returns:
        LROPoller[None]: Long-running operation poller for HSM deletion
    """

def list_deleted() -> ItemPaged[DeletedManagedHsm]:
    """
    Get information about deleted managed HSMs in a subscription.
    
    Returns:
        ItemPaged[DeletedManagedHsm]: Paginated list of deleted HSMs
    """

def get_deleted(name: str, location: str) -> DeletedManagedHsm:
    """
    Get the specified deleted managed HSM.
    
    Args:
        name (str): The name of the deleted managed HSM
        location (str): The location of the deleted managed HSM
        
    Returns:
        DeletedManagedHsm: The deleted managed HSM information
    """

def begin_purge_deleted(name: str, location: str) -> LROPoller[None]:
    """
    Permanently delete the specified managed HSM. This action cannot be undone.
    
    Args:
        name (str): The name of the deleted managed HSM
        location (str): The location of the deleted managed HSM
        
    Returns:
        LROPoller[None]: Long-running operation poller for HSM purge
    """

HSM Key Management

Manage cryptographic keys within Managed HSM instances with hardware-backed security.

def create_if_not_exist(
    resource_group_name: str,
    name: str,
    key_name: str,
    parameters: ManagedHsmKeyCreateParameters
) -> ManagedHsmKey:
    """
    Create the first version of a new key if it does not exist in the HSM.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM
        key_name (str): The name of the key to create
        parameters (ManagedHsmKeyCreateParameters): Parameters to create the key
        
    Returns:
        ManagedHsmKey: The created HSM key
    """

def get(resource_group_name: str, name: str, key_name: str) -> ManagedHsmKey:
    """
    Get the current version of the specified key from the HSM.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM
        key_name (str): The name of the key to retrieve
        
    Returns:
        ManagedHsmKey: The HSM key resource
    """

def list(resource_group_name: str, name: str) -> ItemPaged[ManagedHsmKey]:
    """
    List keys in the specified managed HSM.
    
    Args:
        resource_group_name (str): Name of the resource group
        name (str): Name of the managed HSM
        
    Returns:
        ItemPaged[ManagedHsmKey]: Paginated list of HSM keys
    """

HSM Region Management

List and manage geo-replication regions for Managed HSM instances, providing information about regional availability and replication status.

def list_by_resource(resource_group_name: str, name: str) -> ItemPaged[MHSMGeoReplicatedRegion]:
    """
    List regions associated with the managed HSM Pool.
    
    Args:
        resource_group_name (str): The name of the Resource Group
        name (str): The name of the managed HSM Pool
        
    Returns:
        ItemPaged[MHSMGeoReplicatedRegion]: List of regions for the HSM
    """

Name Availability

Check availability of Managed HSM names before creation.

def check_mhsm_name_availability(
    mhsm_name: CheckMhsmNameAvailabilityParameters
) -> CheckMhsmNameAvailabilityResult:
    """
    Check that the managed HSM name is valid and not already in use.
    
    Args:
        mhsm_name (CheckMhsmNameAvailabilityParameters): The name to check
        
    Returns:
        CheckMhsmNameAvailabilityResult: The name availability result
    """

Usage Examples

Creating a Managed HSM

from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import (
    ManagedHsm, ManagedHsmProperties, ManagedHsmSku, ManagedHsmSkuName,
    ManagedServiceIdentity, ManagedServiceIdentityType,
    MHSMNetworkRuleSet, NetworkRuleAction
)
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
client = KeyVaultManagementClient(credential, "subscription-id")

# Create Managed HSM
hsm_properties = ManagedHsmProperties(
    tenant_id="tenant-id",
    initial_admin_object_ids=["admin-object-id-1", "admin-object-id-2"],
    enable_soft_delete=True,
    soft_delete_retention_in_days=90,
    enable_purge_protection=True,
    network_acls=MHSMNetworkRuleSet(
        default_action=NetworkRuleAction.DENY,
        bypass="AzureServices"
    )
)

managed_hsm = ManagedHsm(
    location="East US",
    sku=ManagedHsmSku(
        family="B",
        name=ManagedHsmSkuName.STANDARD_B1
    ),
    identity=ManagedServiceIdentity(
        type=ManagedServiceIdentityType.SYSTEM_ASSIGNED
    ),
    properties=hsm_properties,
    tags={"environment": "production", "purpose": "key-management"}
)

# Start HSM creation (long-running operation)
poller = client.managed_hsms.begin_create_or_update(
    "my-resource-group",
    "my-managed-hsm",
    managed_hsm
)

hsm = poller.result()
print(f"Created Managed HSM: {hsm.name}")
print(f"HSM URI: {hsm.properties.hsm_uri}")

Managing HSM Keys

from azure.mgmt.keyvault.models import (
    ManagedHsmKeyCreateParameters, ManagedHsmKeyProperties,
    JsonWebKeyType, JsonWebKeyOperation
)

# Create HSM-backed key
key_params = ManagedHsmKeyCreateParameters(
    properties=ManagedHsmKeyProperties(
        kty=JsonWebKeyType.RSA_HSM,
        key_size=3072,
        key_ops=[
            JsonWebKeyOperation.ENCRYPT,
            JsonWebKeyOperation.DECRYPT,
            JsonWebKeyOperation.SIGN,
            JsonWebKeyOperation.VERIFY
        ]
    )
)

hsm_key = client.managed_hsm_keys.create_if_not_exist(
    "my-resource-group",
    "my-managed-hsm",
    "my-hsm-key",
    key_params
)
print(f"Created HSM key: {hsm_key.name}")

# List all keys in HSM
for key in client.managed_hsm_keys.list("my-resource-group", "my-managed-hsm"):
    print(f"HSM Key: {key.name}, Type: {key.properties.kty}")

Managing Deleted HSMs

# List deleted HSMs
for deleted_hsm in client.managed_hsms.list_deleted():
    print(f"Deleted HSM: {deleted_hsm.name}")
    print(f"Deletion date: {deleted_hsm.properties.deletion_date}")

# Permanently purge deleted HSM
purge_poller = client.managed_hsms.begin_purge_deleted("my-hsm", "East US")
purge_poller.wait()
print("HSM permanently purged")

Managing HSM Geo-Replication

# Check geo-replication status for Managed HSM
for region in client.mhsm_regions.list_by_resource("my-resource-group", "my-managed-hsm"):
    print(f"Region: {region.name}")
    print(f"Provisioning State: {region.provisioning_state}")
    print(f"Is Primary: {region.is_primary}")
    if region.is_primary:
        print("  This is the primary region")
    else:
        print("  This is a replica region")
    print()

Types

Managed HSM Resource

class ManagedHsm:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    location: Optional[str]
    sku: Optional[ManagedHsmSku]
    tags: Optional[Dict[str, str]]
    identity: Optional[ManagedServiceIdentity]
    properties: Optional[ManagedHsmProperties]
    system_data: Optional[SystemData]

HSM Properties

class ManagedHsmProperties:
    tenant_id: Optional[str]
    initial_admin_object_ids: Optional[List[str]]
    hsm_uri: Optional[str]
    enable_soft_delete: Optional[bool]
    soft_delete_retention_in_days: Optional[int]
    enable_purge_protection: Optional[bool]
    create_mode: Optional[CreateMode]
    status_message: Optional[str]
    provisioning_state: Optional[ProvisioningState]
    network_acls: Optional[MHSMNetworkRuleSet]
    regions: Optional[List[MHSMGeoReplicatedRegion]]
    private_endpoint_connections: Optional[List[MHSMPrivateEndpointConnectionItem]]
    public_network_access: Optional[PublicNetworkAccess]
    scheduled_purge_date: Optional[datetime]
    security_domain_properties: Optional[ManagedHSMSecurityDomainProperties]

HSM SKU

class ManagedHsmSku:
    family: ManagedHsmSkuFamily
    name: ManagedHsmSkuName

class ManagedHsmSkuName(str, Enum):
    STANDARD_B1 = "Standard_B1"
    CUSTOM_B32 = "Custom_B32"
    CUSTOM_B6 = "Custom_B6"

class ManagedHsmSkuFamily(str, Enum):
    B = "B"

HSM Keys

class ManagedHsmKey:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    location: Optional[str]
    tags: Optional[Dict[str, str]]
    properties: Optional[ManagedHsmKeyProperties]

class ManagedHsmKeyProperties:
    attributes: Optional[ManagedHsmKeyAttributes]
    kty: Optional[JsonWebKeyType]
    key_ops: Optional[List[JsonWebKeyOperation]]
    key_size: Optional[int]
    curve: Optional[JsonWebKeyCurveName]
    key_uri: Optional[str]
    key_uri_with_version: Optional[str]
    version: Optional[str]
    release_policy: Optional[ManagedHsmKeyReleasePolicy]
    rotation_policy: Optional[ManagedHsmRotationPolicy]

Network Security

class MHSMNetworkRuleSet:
    bypass: Optional[str]
    default_action: Optional[NetworkRuleAction]
    ip_rules: Optional[List[MHSMIPRule]]
    virtual_network_rules: Optional[List[MHSMVirtualNetworkRule]]

class MHSMIPRule:
    value: str

class MHSMVirtualNetworkRule:
    id: str

Deleted HSM

class DeletedManagedHsm:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    properties: Optional[DeletedManagedHsmProperties]

class DeletedManagedHsmProperties:
    mhsm_id: Optional[str]
    location: Optional[str]
    deletion_date: Optional[datetime]
    scheduled_purge_date: Optional[datetime]
    purge_protection_enabled: Optional[bool]
    tags: Optional[Dict[str, str]]

Geo-Replication Regions

class MHSMGeoReplicatedRegion:
    name: Optional[str]
    provisioning_state: Optional[GeoReplicationRegionProvisioningState]
    is_primary: Optional[bool]

class GeoReplicationRegionProvisioningState(str, Enum):
    PROVISIONING = "Provisioning"
    SUCCEEDED = "Succeeded"
    DELETING = "Deleting"
    FAILED = "Failed"
    CLEANUP = "Cleanup"

Name Availability

class CheckMhsmNameAvailabilityParameters:
    name: str

class CheckMhsmNameAvailabilityResult:
    name_available: Optional[bool]
    reason: Optional[Reason]
    message: Optional[str]

Security and Compliance Features

FIPS 140-2 Level 3 Compliance

Managed HSMs provide hardware-backed cryptographic operations with FIPS 140-2 Level 3 validated security modules, ensuring the highest level of cryptographic protection for sensitive workloads.

Multi-Admin Control

Initial admin object IDs enable multi-person control for HSM administration, supporting security policies that require multiple administrators for sensitive operations.

Geo-Replication

Managed HSMs support geo-replication for high availability and disaster recovery, with configurable regions for key backup and recovery scenarios.

Install with Tessl CLI

npx tessl i tessl/pypi-azure-mgmt-keyvault

docs

index.md

key-management.md

managed-hsm.md

operations.md

private-endpoints.md

secret-management.md

vault-management.md

tile.json