CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-azure-mgmt-keyvault

Microsoft Azure Key Vault Management Client Library for Python providing comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API.

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

secret-management.mddocs/

Secret Management

ARM-level operations for managing secrets in Azure Key Vault, primarily intended for ARM template deployments and infrastructure automation rather than runtime secret operations. For runtime secret operations, use the Azure Key Vault data-plane SDK.

Capabilities

Secret Creation and Updates

Create or update secrets within a key vault using ARM deployment patterns. These operations are designed for infrastructure-as-code scenarios.

def create_or_update(
    resource_group_name: str,
    vault_name: str,
    secret_name: str, 
    parameters: SecretCreateOrUpdateParameters
) -> Secret:
    """
    Create or update a secret in a key vault.
    Note: This operation is intended for ARM deployments. 
    For runtime operations, use the data-plane REST service.
    
    Args:
        resource_group_name (str): The name of the resource group
        vault_name (str): The name of the key vault
        secret_name (str): The name of the secret
        parameters (SecretCreateOrUpdateParameters): Parameters to create or update the secret
        
    Returns:
        Secret: The created or updated secret
    """

def update(
    resource_group_name: str,
    vault_name: str,
    secret_name: str,
    parameters: SecretPatchParameters
) -> Secret:
    """
    Update a secret in the specified subscription.
    
    Args:
        resource_group_name (str): The name of the resource group
        vault_name (str): The name of the key vault
        secret_name (str): The name of the secret
        parameters (SecretPatchParameters): Parameters to patch the secret
        
    Returns:
        Secret: The updated secret
    """

Secret Retrieval

Get individual secrets or list secrets within a vault for management and monitoring purposes.

def get(resource_group_name: str, vault_name: str, secret_name: str) -> Secret:
    """
    Get the specified secret.
    
    Args:
        resource_group_name (str): The name of the resource group
        vault_name (str): The name of the key vault
        secret_name (str): The name of the secret
        
    Returns:
        Secret: The secret resource
    """

def list(
    resource_group_name: str,
    vault_name: str,
    top: Optional[int] = None
) -> ItemPaged[Secret]:
    """
    Get information about secrets in a vault.
    
    Args:
        resource_group_name (str): The name of the resource group
        vault_name (str): The name of the key vault
        top (int, optional): Maximum number of results to return
        
    Returns:
        ItemPaged[Secret]: Paginated list of secrets
    """

Usage Examples

Creating Secrets for ARM Deployments

from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import (
    SecretCreateOrUpdateParameters, SecretProperties, SecretAttributes
)
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
client = KeyVaultManagementClient(credential, "subscription-id")

# Create a secret (for ARM deployments)
secret_params = SecretCreateOrUpdateParameters(
    properties=SecretProperties(
        value="my-secret-value",
        content_type="text/plain",
        attributes=SecretAttributes(
            enabled=True
        )
    ),
    tags={"environment": "production", "application": "webapp"}
)

secret = client.secrets.create_or_update(
    "my-resource-group",
    "my-vault", 
    "my-secret",
    secret_params
)
print(f"Created secret: {secret.name}")

Listing and Managing Secrets

# List all secrets in vault
for secret in client.secrets.list("my-resource-group", "my-vault"):
    print(f"Secret: {secret.name}")
    print(f"Content Type: {secret.properties.content_type}")
    print(f"Enabled: {secret.properties.attributes.enabled}")

# Get specific secret metadata
secret = client.secrets.get("my-resource-group", "my-vault", "my-secret")
print(f"Secret URI: {secret.properties.secret_uri}")
print(f"Version: {secret.properties.version}")

# Update secret properties
from azure.mgmt.keyvault.models import SecretPatchParameters, SecretPatchProperties

patch_params = SecretPatchParameters(
    properties=SecretPatchProperties(
        content_type="application/json",
        attributes=SecretAttributes(
            enabled=False
        )
    )
)

updated_secret = client.secrets.update(
    "my-resource-group",
    "my-vault",
    "my-secret", 
    patch_params
)

Types

Secret Parameters

class SecretCreateOrUpdateParameters:
    properties: SecretProperties
    tags: Optional[Dict[str, str]]

class SecretPatchParameters:
    properties: Optional[SecretPatchProperties]
    tags: Optional[Dict[str, str]]

Secret Properties

class SecretProperties:
    value: Optional[str]
    content_type: Optional[str]
    attributes: Optional[SecretAttributes]

class SecretPatchProperties:
    value: Optional[str]
    content_type: Optional[str]
    attributes: Optional[SecretAttributes]

Secret Resource

class Secret:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    location: Optional[str]
    tags: Optional[Dict[str, str]]
    properties: Optional[SecretProperties]

class SecretProperties:
    value: Optional[str]
    secret_uri: Optional[str]
    secret_uri_with_version: Optional[str]
    version: Optional[str]
    content_type: Optional[str]
    attributes: Optional[SecretAttributes]

Secret Attributes

class SecretAttributes:
    enabled: Optional[bool]
    not_before: Optional[int]
    expires: Optional[int]
    created: Optional[int]
    updated: Optional[int]
    recovery_level: Optional[DeletionRecoveryLevel]

List Results

class SecretListResult:
    value: Optional[List[Secret]]
    next_link: Optional[str]

Important Notes

ARM vs Data-Plane Operations

This secret management API is part of the Azure Resource Manager (ARM) control plane and is primarily designed for:

  • ARM template deployments
  • Infrastructure-as-code scenarios
  • Administrative secret management
  • Monitoring and compliance

For runtime secret operations (retrieving secret values for applications), use the Azure Key Vault data-plane SDK:

# For runtime secret operations, use data-plane SDK instead:
from azure.keyvault.secrets import SecretClient

secret_client = SecretClient(
    vault_url="https://my-vault.vault.azure.net/",
    credential=credential
)

# Runtime secret retrieval
secret_value = secret_client.get_secret("my-secret").value

Security Considerations

  • Secret values are not returned in list operations for security reasons
  • The ARM API is not intended for high-frequency secret retrieval
  • Use appropriate access policies and authentication for secret management
  • Consider using Managed Identity for service-to-service authentication

Install with Tessl CLI

npx tessl i tessl/pypi-azure-mgmt-keyvault

docs

index.md

key-management.md

managed-hsm.md

operations.md

private-endpoints.md

secret-management.md

vault-management.md

tile.json