tessl/pypi-azure-mgmt-keyvault
Microsoft Azure Key Vault Management Client Library for Python providing comprehensive programmatic management of Azure Key Vault resources through the Azure Resource Manager API.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
vault-management.mddocs/
Vault Management
Comprehensive Azure Key Vault lifecycle management operations including creation, configuration, access policy management, deletion, and soft delete recovery. Supports both Standard and Premium vault SKUs with advanced security features, network access controls, and compliance capabilities.
Capabilities
Vault Creation and Updates
Creates new key vaults or updates existing vault configurations with support for long-running operations, SKU selection, access policies, network rules, and security settings.
def begin_create_or_update(
resource_group_name: str,
vault_name: str,
parameters: VaultCreateOrUpdateParameters
) -> LROPoller[Vault]:
"""
Create or update a key vault in the specified subscription.
Args:
resource_group_name (str): The name of the Resource Group to which the server belongs
vault_name (str): Name of the key vault
parameters (VaultCreateOrUpdateParameters): Parameters to create or update the vault
Returns:
LROPoller[Vault]: Long-running operation poller for the vault creation/update
"""
def update(
resource_group_name: str,
vault_name: str,
parameters: VaultPatchParameters
) -> Vault:
"""
Update a key vault in the specified subscription.
Args:
resource_group_name (str): The name of the Resource Group to which the server belongs
vault_name (str): Name of the key vault
parameters (VaultPatchParameters): Parameters to patch the vault
Returns:
Vault: The updated vault resource
"""Vault Retrieval and Listing
Retrieve individual vaults or list vaults within resource groups or subscriptions with optional filtering and pagination support.
def get(resource_group_name: str, vault_name: str) -> Vault:
"""
Get the specified Azure key vault.
Args:
resource_group_name (str): The name of the Resource Group to which the vault belongs
vault_name (str): The name of the key vault
Returns:
Vault: The vault resource
"""
def list_by_resource_group(
resource_group_name: str,
top: Optional[int] = None
) -> ItemPaged[Vault]:
"""
List vaults within a specified resource group.
Args:
resource_group_name (str): The name of the Resource Group to which the vault belongs
top (int, optional): Maximum number of results to return
Returns:
ItemPaged[Vault]: Paginated list of vaults
"""
def list_by_subscription(top: Optional[int] = None) -> ItemPaged[Vault]:
"""
List vaults associated with the subscription.
Args:
top (int, optional): Maximum number of results to return
Returns:
ItemPaged[Vault]: Paginated list of vaults
"""
def list(top: Optional[int] = None) -> ItemPaged[Resource]:
"""
List vaults associated with the subscription using resource API.
Args:
top (int, optional): Maximum number of results to return
Returns:
ItemPaged[Resource]: Paginated list of vault resources
"""Vault Deletion and Recovery
Delete vaults with soft delete support, list and retrieve deleted vaults, and permanently purge vaults when needed.
def delete(resource_group_name: str, vault_name: str) -> None:
"""
Delete the specified Azure key vault.
Args:
resource_group_name (str): The name of the Resource Group to which the vault belongs
vault_name (str): The name of the key vault to delete
"""
def list_deleted() -> ItemPaged[DeletedVault]:
"""
Get information about deleted vaults in a subscription.
Returns:
ItemPaged[DeletedVault]: Paginated list of deleted vaults
"""
def get_deleted(vault_name: str, location: str) -> DeletedVault:
"""
Get the deleted Azure key vault.
Args:
vault_name (str): The name of the key vault
location (str): The location of the deleted vault
Returns:
DeletedVault: The deleted vault information
"""
def begin_purge_deleted(vault_name: str, location: str) -> LROPoller[None]:
"""
Permanently delete the specified vault. This action cannot be undone.
Args:
vault_name (str): The name of the key vault to purge
location (str): The location of the deleted vault
Returns:
LROPoller[None]: Long-running operation poller for the purge operation
"""Access Policy Management
Manage access policies for key vault resources, controlling permissions for keys, secrets, certificates, and storage accounts.
def update_access_policy(
resource_group_name: str,
vault_name: str,
operation_kind: AccessPolicyUpdateKind,
parameters: VaultAccessPolicyParameters
) -> VaultAccessPolicyParameters:
"""
Update access policies in a key vault in the specified subscription.
Args:
resource_group_name (str): The name of the Resource Group to which the vault belongs
vault_name (str): Name of the key vault
operation_kind (AccessPolicyUpdateKind): Name of the operation (add, replace, remove)
parameters (VaultAccessPolicyParameters): Access policy to update
Returns:
VaultAccessPolicyParameters: The updated access policy parameters
"""Name Availability
Check availability of vault names before creation to avoid naming conflicts.
def check_name_availability(vault_name: VaultCheckNameAvailabilityParameters) -> CheckNameAvailabilityResult:
"""
Check that the vault name is valid and not already in use.
Args:
vault_name (VaultCheckNameAvailabilityParameters): The name of the key vault to check
Returns:
CheckNameAvailabilityResult: The name availability result
"""Usage Examples
Creating a Key Vault with Access Policies
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, VaultProperties,
AccessPolicyEntry, Permissions, Sku, SkuName,
KeyPermissions, SecretPermissions
)
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
client = KeyVaultManagementClient(credential, "subscription-id")
# Define access policy for a user
access_policy = AccessPolicyEntry(
tenant_id="tenant-id",
object_id="user-object-id",
permissions=Permissions(
keys=[KeyPermissions.GET, KeyPermissions.LIST, KeyPermissions.CREATE],
secrets=[SecretPermissions.GET, SecretPermissions.LIST, SecretPermissions.SET]
)
)
# Create vault parameters
vault_properties = VaultProperties(
tenant_id="tenant-id",
sku=Sku(family="A", name=SkuName.STANDARD),
access_policies=[access_policy],
enabled_for_deployment=True,
enabled_for_template_deployment=True,
enable_soft_delete=True,
soft_delete_retention_in_days=90
)
vault_params = VaultCreateOrUpdateParameters(
location="East US",
properties=vault_properties
)
# Create the vault
poller = client.vaults.begin_create_or_update(
"my-resource-group",
"my-vault",
vault_params
)
vault = poller.result()
print(f"Created vault: {vault.name} at {vault.properties.vault_uri}")Managing Soft-Deleted Vaults
# List all deleted vaults
for deleted_vault in client.vaults.list_deleted():
print(f"Deleted vault: {deleted_vault.name} in {deleted_vault.properties.location}")
print(f"Deletion date: {deleted_vault.properties.deletion_date}")
print(f"Scheduled purge: {deleted_vault.properties.scheduled_purge_date}")
# Get specific deleted vault
deleted_vault = client.vaults.get_deleted("my-vault", "East US")
print(f"Vault {deleted_vault.name} was deleted on {deleted_vault.properties.deletion_date}")
# Permanently purge a vault (cannot be undone)
purge_poller = client.vaults.begin_purge_deleted("my-vault", "East US")
purge_poller.wait()
print("Vault permanently purged")Updating Access Policies
from azure.mgmt.keyvault.models import (
VaultAccessPolicyParameters, VaultAccessPolicyProperties,
AccessPolicyUpdateKind
)
# Add new access policy
new_policy = AccessPolicyEntry(
tenant_id="tenant-id",
object_id="new-user-object-id",
permissions=Permissions(
secrets=[SecretPermissions.GET, SecretPermissions.LIST]
)
)
access_policy_params = VaultAccessPolicyParameters(
properties=VaultAccessPolicyProperties(
access_policies=[new_policy]
)
)
client.vaults.update_access_policy(
"my-resource-group",
"my-vault",
AccessPolicyUpdateKind.ADD,
access_policy_params
)Types
Request Parameters
class VaultCreateOrUpdateParameters:
location: str
tags: Optional[Dict[str, str]]
properties: VaultProperties
class VaultPatchParameters:
tags: Optional[Dict[str, str]]
properties: Optional[VaultPatchProperties]
class VaultCheckNameAvailabilityParameters:
name: str
type: str = "Microsoft.KeyVault/vaults"Vault Properties
class VaultProperties:
tenant_id: str
sku: Sku
access_policies: Optional[List[AccessPolicyEntry]]
vault_uri: Optional[str]
enabled_for_deployment: Optional[bool]
enabled_for_disk_encryption: Optional[bool]
enabled_for_template_deployment: Optional[bool]
enable_soft_delete: Optional[bool]
soft_delete_retention_in_days: Optional[int]
enable_purge_protection: Optional[bool]
network_acls: Optional[NetworkRuleSet]
provisioning_state: Optional[VaultProvisioningState]
create_mode: Optional[CreateMode]
class VaultPatchProperties:
tenant_id: Optional[str]
sku: Optional[Sku]
access_policies: Optional[List[AccessPolicyEntry]]
enabled_for_deployment: Optional[bool]
enabled_for_disk_encryption: Optional[bool]
enabled_for_template_deployment: Optional[bool]
enable_soft_delete: Optional[bool]
soft_delete_retention_in_days: Optional[int]
enable_purge_protection: Optional[bool]
network_acls: Optional[NetworkRuleSet]
create_mode: Optional[CreateMode]Deleted Vault Information
class DeletedVault:
id: Optional[str]
name: Optional[str]
type: Optional[str]
properties: Optional[DeletedVaultProperties]
class DeletedVaultProperties:
vault_id: Optional[str]
location: Optional[str]
deletion_date: Optional[datetime]
scheduled_purge_date: Optional[datetime]
tags: Optional[Dict[str, str]]
purge_protection_enabled: Optional[bool]Network and Security
class NetworkRuleSet:
bypass: Optional[NetworkRuleBypassOptions]
default_action: Optional[NetworkRuleAction]
ip_rules: Optional[List[IPRule]]
virtual_network_rules: Optional[List[VirtualNetworkRule]]
class IPRule:
value: str
class VirtualNetworkRule:
id: str
ignore_missing_vnet_service_endpoint: Optional[bool]Enumerations
class AccessPolicyUpdateKind(str, Enum):
ADD = "add"
REPLACE = "replace"
REMOVE = "remove"
class VaultProvisioningState(str, Enum):
SUCCEEDED = "Succeeded"
REGISTER_RESOURCE_PROVIDER = "RegisteringResourceProvider"
class CreateMode(str, Enum):
RECOVER = "recover"
DEFAULT = "default"
class NetworkRuleAction(str, Enum):
ALLOW = "Allow"
DENY = "Deny"
class NetworkRuleBypassOptions(str, Enum):
AZURE_SERVICES = "AzureServices"
NONE = "None"Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-keyvault