Azure · evelyn-ys · Jul 16, 2025 · Jul 9, 2025 · Jul 10, 2025 · Jul 14, 2025
@@ -188,10 +188,7 @@ def default_api_version(self):
         ResourceType.MGMT_RESOURCE_MANAGEDAPPLICATIONS: '2019-07-01',
         ResourceType.MGMT_NETWORK_DNS: '2018-05-01',
         ResourceType.MGMT_NETWORK_PRIVATEDNS: None,
-        ResourceType.MGMT_KEYVAULT: SDKProfile('2024-11-01', {
-            'vaults': '2023-02-01',
-            'managed_hsms': '2024-11-01'
-        }),
+        ResourceType.MGMT_KEYVAULT: None,
         ResourceType.MGMT_AUTHORIZATION: SDKProfile('2022-04-01', {
             'role_definitions': '2022-05-01-preview',
             'provider_operations_metadata': '2018-01-01-preview'

@@ -39,7 +39,7 @@ class Clients(str, Enum):
 
 KEYVAULT_TEMPLATE_STRINGS = {
     ResourceType.MGMT_KEYVAULT:
-        'azure.mgmt.keyvault{api_version}.{module_name}#{class_name}{obj_name}',
+        'azure.mgmt.keyvault.{module_name}#{class_name}{obj_name}',
     ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP:
         'azure.keyvault.administration._backup_client#KeyVaultBackupClient{obj_name}',
     ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL:
@@ -73,7 +73,6 @@ def get_operations_tmpl(resource_type, client_name):
 
     class_name = OPERATIONS_NAME.get(client_name, '') if is_mgmt_plane(resource_type) else 'KeyVaultClient'
     return KEYVAULT_TEMPLATE_STRINGS[resource_type].format(
-        api_version='',
         module_name='operations',
         class_name=class_name,
         obj_name='.{}')
@@ -89,18 +88,11 @@ def get_docs_tmpl(cli_ctx, resource_type, client_name, module_name='operations')
                          ResourceType.DATA_KEYVAULT_ADMINISTRATION_SETTING]:
         return KEYVAULT_TEMPLATE_STRINGS[resource_type].format(obj_name='.{}')
 
-    api_version = get_api_version(cli_ctx, resource_type, as_sdk_profile=True)
-    from azure.cli.core.profiles import SDKProfile
-    if isinstance(api_version, SDKProfile):
-        api_version = api_version.profile[client_name] if api_version.profile.get(client_name, None) else \
-            api_version.profile[None]
-    api_version = '.v' + api_version.replace('.', '_').replace('-', '_')
     if is_mgmt_plane(resource_type):
         class_name = OPERATIONS_NAME.get(client_name, '') + '.' if module_name == 'operations' else ''
     else:
         class_name = 'KeyVaultClient.'
     return KEYVAULT_TEMPLATE_STRINGS[resource_type].format(
-        api_version=api_version,
         module_name=module_name,
         class_name=class_name,
         obj_name='{}')

@@ -137,7 +137,7 @@ class CLISecurityDomainOperation(str, Enum):
                    help='Control permission for data plane traffic coming from public networks '
                         'while private endpoint is enabled')
 
-    with self.argument_context('keyvault', arg_group='Network Rule', min_api='2018-02-14') as c:
+    with self.argument_context('keyvault', arg_group='Network Rule') as c:
         c.argument('bypass', arg_type=get_enum_type(NetworkRuleBypassOptions),
                    help='Bypass traffic for space-separated uses.')
         c.argument('default_action', arg_type=get_enum_type(NetworkRuleAction),
@@ -167,7 +167,7 @@ class CLISecurityDomainOperation(str, Enum):
                    help='Soft delete data retention days. It accepts >=7 and <=90. '
                         'Defaults to 90 for keyvault creation. Required for MHSM creation')
         c.argument('user_identities', options_list=['--mi-user-assigned'], nargs='*',
-                   min_api='2023-07-01', resource_type=ResourceType.MGMT_KEYVAULT, operation_group="managed_hsms",
+                   resource_type=ResourceType.MGMT_KEYVAULT, operation_group="managed_hsms",
                    help="[HSM Only] Enable user-assigned managed identities for managed HSM. "
                         "Accept space-separated list of identity resource IDs.")
 
@@ -189,8 +189,7 @@ class CLISecurityDomainOperation(str, Enum):
         c.argument('secondary_locations', nargs='+',
                    help='--secondary-locations extends/contracts an HSM pool to listed regions. The primary location '
                         'where the resource was originally created CANNOT be removed.')
-        c.argument('user_identities', options_list=['--mi-user-assigned'],
-                   nargs='*', min_api='2023-07-01',
+        c.argument('user_identities', options_list=['--mi-user-assigned'],nargs='*',
                    help="Enable user-assigned managed identities for managed HSM. "
                         "Accept space-separated list of identity resource IDs.")
 
@@ -244,18 +243,18 @@ class CLISecurityDomainOperation(str, Enum):
         c.argument('storage_permissions', arg_type=get_enum_type(StoragePermissions), metavar='PERM', nargs='*',
                    help='Space-separated list of storage permissions to assign.')
 
-    with self.argument_context('keyvault network-rule', min_api='2018-02-14') as c:
+    with self.argument_context('keyvault network-rule') as c:
         c.argument('ip_address', help='IPv4 address or CIDR range.')
         c.argument('subnet', help='Name or ID of subnet. If name is supplied, `--vnet-name` must be supplied.')
         c.argument('vnet_name', help='Name of a virtual network.', validator=validate_subnet)
 
     for item in ['add', 'remove']:
-        with self.argument_context('keyvault network-rule {}'.format(item), min_api='2018-02-14') as c:
+        with self.argument_context('keyvault network-rule {}'.format(item)) as c:
             c.argument('ip_address', nargs='*', help='IPv4 address or CIDR range. Can supply a list: --ip-address ip1 '
                                                      '[ip2]...', validator=validate_ip_address)
 
     for item in ['approve', 'reject', 'delete', 'show', 'wait']:
-        with self.argument_context('keyvault private-endpoint-connection {}'.format(item), min_api='2018-02-14') as c:
+        with self.argument_context('keyvault private-endpoint-connection {}'.format(item)) as c:
             c.extra('connection_id', options_list=['--id'], required=False,
                     help='The ID of the private endpoint connection associated with the Key Vault/HSM. '
                          'If specified --vault-name/--hsm-name and --name/-n, this should be omitted.')
@@ -265,16 +264,14 @@ class CLISecurityDomainOperation(str, Enum):
                             'Required if --id is not specified')
             c.argument('vault_name', vault_name_type, required=False,
                        help='Name of the Key Vault. Required if --id is not specified')
-            c.argument('hsm_name', mgmt_plane_hsm_name_type, min_api='2021-04-01-preview',
+            c.argument('hsm_name', mgmt_plane_hsm_name_type,
                        help='Name of the HSM. Required if --id is not specified.'
                             '(--hsm-name and --vault-name are mutually exclusive, please specify just one of them)')
 
     with self.argument_context('keyvault private-endpoint-connection list') as c:
         c.argument("hsm_name", hsm_name_type)
 
-    with self.argument_context('keyvault private-link-resource', min_api='2018-02-14', max_api='2020-04-01-preview') as c:
-        c.argument('vault_name', vault_name_type, required=True)
-    with self.argument_context('keyvault private-link-resource', min_api='2021-04-01-preview') as c:
+    with self.argument_context('keyvault private-link-resource') as c:
         c.argument('vault_name', vault_name_type)
         c.argument('hsm_name', mgmt_plane_hsm_name_type)
     # endregion

@@ -6,7 +6,7 @@
 from collections import OrderedDict
 
 from azure.cli.core.commands import CliCommandType
-from azure.cli.core.profiles import get_api_version, ResourceType
+from azure.cli.core.profiles import ResourceType
 
 from azure.cli.command_modules.keyvault._client_factory import (
     get_client, get_client_factory, Clients)
@@ -96,7 +96,6 @@ def load_command_table(self, _):
 
     with self.command_group('keyvault network-rule',
                             mgmt_vaults_entity.command_type,
-                            min_api='2018-02-14',
                             client_factory=mgmt_vaults_entity.client_factory) as g:
         g.custom_command('add', 'add_network_rule', supports_no_wait=True)
         g.custom_command('remove', 'remove_network_rule', supports_no_wait=True)
@@ -105,7 +104,6 @@ def load_command_table(self, _):
 
     with self.command_group('keyvault private-endpoint-connection',
                             mgmt_pec_entity.command_type,
-                            min_api='2018-02-14',
                             client_factory=mgmt_pec_entity.client_factory) as g:
         g.custom_command('approve', 'approve_private_endpoint_connection', supports_no_wait=True,
                          validator=validate_private_endpoint_connection_id)
@@ -121,7 +119,6 @@ def load_command_table(self, _):
 
     with self.command_group('keyvault private-link-resource',
                             mgmt_plr_entity.command_type,
-                            min_api='2018-02-14',
                             client_factory=mgmt_plr_entity.client_factory) as g:
         from azure.cli.core.commands.transform import gen_dict_to_list_transform
         g.custom_command('list', 'list_private_link_resource', transform=gen_dict_to_list_transform(key='value'))
@@ -241,13 +238,9 @@ def load_command_table(self, _):
         g.keyvault_custom('download', 'download_certificate')
         g.keyvault_custom('get-default-policy', 'get_default_policy')
 
-    data_api_version = str(get_api_version(self.cli_ctx, ResourceType.DATA_KEYVAULT_CERTIFICATES)). \
-        replace('.', '_').replace('-', '_')
-
-    if data_api_version != '2016_10_01':
-        with self.command_group('keyvault certificate', data_certificate_entity.command_type) as g:
-            g.keyvault_custom('backup', 'backup_certificate')
-            g.keyvault_custom('restore', 'restore_certificate', transform=transform_certificate_show)
+    with self.command_group('keyvault certificate', data_certificate_entity.command_type) as g:
+        g.keyvault_custom('backup', 'backup_certificate')
+        g.keyvault_custom('restore', 'restore_certificate', transform=transform_certificate_show)
 
     with self.command_group('keyvault certificate pending', data_certificate_entity.command_type) as g:
         g.keyvault_command('merge', 'merge_certificate', transform=transform_certificate_show)
@@ -298,11 +291,11 @@ def load_command_table(self, _):
         g.keyvault_custom('update', 'update_hsm_setting')
 
     with self.command_group('keyvault region', mgmt_hsms_regions_entity.command_type,
-                            client_factory=mgmt_hsms_regions_entity.client_factory, min_api='2023-02-01') as g:
+                            client_factory=mgmt_hsms_regions_entity.client_factory) as g:
         g.command('list', 'list_by_resource', client_factory=mgmt_hsms_regions_entity.client_factory)
 
     with self.command_group('keyvault region', mgmt_hsms_entity.command_type,
-                            client_factory=mgmt_hsms_entity.client_factory, min_api='2023-02-01') as g:
+                            client_factory=mgmt_hsms_entity.client_factory) as g:
         g.custom_command('add', 'add_hsm_region', supports_no_wait=True)
         g.custom_command('remove', 'remove_hsm_region', supports_no_wait=True)
         g.wait_command('wait')
@@ -25,7 +25,7 @@
 from azure.cli.command_modules.keyvault.security_domain.utils import Utils
 from azure.cli.core.azclierror import InvalidArgumentValueError, RequiredArgumentMissingError, \
     MutuallyExclusiveArgumentError
-from azure.cli.core.profiles import ResourceType, AZURE_API_PROFILES, SDKProfile
+from azure.cli.core.profiles import ResourceType
 from azure.cli.core.util import sdk_no_wait
 
 from cryptography.hazmat.backends import default_backend
@@ -41,31 +41,6 @@
 logger = get_logger(__name__)
 
 
-def _not_less_than(current_profile, resource_type, min_api_version, sub_resource_name=None):
-    if current_profile not in AZURE_API_PROFILES:
-        raise CLIError('Unsupported profile: {}'.format(current_profile))
-
-    profile = AZURE_API_PROFILES[current_profile]
-    if resource_type not in profile:
-        raise CLIError('ResourceType {} not in Profile {}'.format(resource_type, current_profile))
-
-    if not sub_resource_name:
-        api_version = profile[resource_type]
-        if isinstance(api_version, SDKProfile):
-            return api_version.default_api_version >= min_api_version
-        return api_version >= min_api_version
-
-    sdk_profile = profile[resource_type]
-    if not isinstance(sdk_profile, SDKProfile):
-        raise CLIError('Invalid SDKProfile {} in Profile {}'.format(resource_type, current_profile))
-    sub_profile = sdk_profile.profile
-    if sub_resource_name not in sub_profile:
-        raise CLIError('SubResource {} not in ResourceType {} under Profile {}'.
-                       format(sub_resource_name, resource_type, current_profile))
-    api_version = sub_profile[sub_resource_name]
-    return api_version >= min_api_version
-
-
 def _default_certificate_profile(cmd):
     def get_model(x):
         return cmd.loader.get_sdk(x, resource_type=ResourceType.DATA_KEYVAULT_CERTIFICATES, mod='_generated_models')
@@ -621,64 +596,19 @@ def create_vault(cmd, client,  # pylint: disable=too-many-locals, too-many-state
 
     # if bypass or default_action was specified create a NetworkRuleSet
     # if neither were specified we will parse it from parameter `--network-acls`
-    if cmd.supported_api_version(resource_type=ResourceType.MGMT_KEYVAULT, min_api='2018-02-14'):
-        if network_acls or network_acls_ips or network_acls_vnets:
-            network_acls = _parse_network_acls(
-                cmd, resource_group_name, network_acls, network_acls_ips, network_acls_vnets, bypass, default_action)
-        else:
-            network_acls = _create_network_rule_set(cmd, bypass, default_action)
+    if network_acls or network_acls_ips or network_acls_vnets:
+        network_acls = _parse_network_acls(
+            cmd, resource_group_name, network_acls, network_acls_ips, network_acls_vnets, bypass, default_action)
+    else:
+        network_acls = _create_network_rule_set(cmd, bypass, default_action)
 
     if no_self_perms or enable_rbac_authorization:
         access_policies = []
     else:
-        if cmd.supported_api_version(resource_type=ResourceType.MGMT_KEYVAULT, min_api='2019-09-01'):
-            permissions = Permissions(keys=[KeyPermissions.all],
-                                      secrets=[SecretPermissions.all],
-                                      certificates=[CertificatePermissions.all],
-                                      storage=[StoragePermissions.all])
-        else:
-            permissions = Permissions(keys=[KeyPermissions.get,
-                                            KeyPermissions.create,
-                                            KeyPermissions.delete,
-                                            KeyPermissions.list,
-                                            KeyPermissions.update,
-                                            KeyPermissions.import_enum,
-                                            KeyPermissions.backup,
-                                            KeyPermissions.restore,
-                                            KeyPermissions.recover],
-                                      secrets=[
-                                          SecretPermissions.get,
-                                          SecretPermissions.list,
-                                          SecretPermissions.set,
-                                          SecretPermissions.delete,
-                                          SecretPermissions.backup,
-                                          SecretPermissions.restore,
-                                          SecretPermissions.recover],
-                                      certificates=[
-                                          CertificatePermissions.get,
-                                          CertificatePermissions.list,
-                                          CertificatePermissions.delete,
-                                          CertificatePermissions.create,
-                                          CertificatePermissions.import_enum,
-                                          CertificatePermissions.update,
-                                          CertificatePermissions.managecontacts,
-                                          CertificatePermissions.getissuers,
-                                          CertificatePermissions.listissuers,
-                                          CertificatePermissions.setissuers,
-                                          CertificatePermissions.deleteissuers,
-                                          CertificatePermissions.manageissuers,
-                                          CertificatePermissions.recover],
-                                      storage=[
-                                          StoragePermissions.get,
-                                          StoragePermissions.list,
-                                          StoragePermissions.delete,
-                                          StoragePermissions.set,
-                                          StoragePermissions.update,
-                                          StoragePermissions.regeneratekey,
-                                          StoragePermissions.setsas,
-                                          StoragePermissions.listsas,
-                                          StoragePermissions.getsas,
-                                          StoragePermissions.deletesas])
+        permissions = Permissions(keys=[KeyPermissions.all],
+                                  secrets=[SecretPermissions.all],
+                                  certificates=[CertificatePermissions.all],
+                                  storage=[StoragePermissions.all])
 
         from azure.cli.command_modules.role.util import get_current_identity_object_id
         object_id = get_current_identity_object_id(cmd.cli_ctx)