diff --git a/sdk/keyvault/azure-keyvault-keys/README.md b/sdk/keyvault/azure-keyvault-keys/README.md index 01b7a7961e72..ab6ccebcb68f 100644 --- a/sdk/keyvault/azure-keyvault-keys/README.md +++ b/sdk/keyvault/azure-keyvault-keys/README.md @@ -251,7 +251,7 @@ from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotatio credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) -# Set the key's automated rotation policy to rotate the key 30 days before expiry +# Set the key's automated rotation policy to rotate the key 30 days before the key expires actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_before_expiry="P30D")] # You may also specify the duration after which the newly rotated key will expire # In this example, any new key versions will expire after 90 days diff --git a/sdk/keyvault/azure-keyvault-keys/samples/README.md b/sdk/keyvault/azure-keyvault-keys/samples/README.md index fe94b32c0b40..2128948be5d0 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/README.md +++ b/sdk/keyvault/azure-keyvault-keys/samples/README.md 
@@ -20,7 +20,9 @@ These code snippets highlight this SDK's common use cases. [backup_restore_operations_async.py][backup_operations_async_sample] - backup and recover keys * [recover_purge_operations.py][recover_purge_sample] and -[recover_purge_operations_async.py][recover_purge_async_sample] - recovering and purging keys +[recover_purge_operations_async.py][recover_purge_async_sample] - recover and purge keys +* [key_rotation.py][key_rotation_sample] and +[key_rotation_async.py][key_rotation_async_sample] - rotate keys automatically and on-demand [hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py [hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py @@ -29,4 +31,6 @@ recover keys [list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py [list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py [recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py -[recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py \ No newline at end of file +[recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py +[key_rotation_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py +[key_rotation_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py \ No newline at end of file 
diff --git a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py index cd7424badadd..11df264614db 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py @@ -4,19 +4,23 @@ # ------------------------------------ import os import time -from azure.keyvault.keys import KeyClient from azure.identity import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, backup, delete, purge, and restore permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- # Sample - demonstrates the basic backup and restore operations on a vault(key) resource for Azure Key Vault # 
@@ -32,9 +36,7 @@ # ---------------------------------------------------------------------------------------------------------- # Instantiate a key client that will be used to call the service. -# Notice that the client is using default Azure credentials. -# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', -# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. +# Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py index eadb15fb53c2..3add5d21edc9 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py 
@@ -4,19 +4,23 @@ # ------------------------------------ import asyncio import os -from azure.keyvault.keys.aio import KeyClient from azure.identity.aio import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys.aio import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, backup, delete, purge, and restore permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- # Sample - demonstrates the basic backup and restore operations on a vault(key) resource for Azure Key Vault # 
@@ -30,11 +34,10 @@ # # 5. Restore a key (restore_key_backup) # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. - # Notice that the client is using default Azure credentials. - # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', - # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. + # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py b/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py index dc81fad7e9eb..e5d4290af592 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py 
@@ -4,19 +4,23 @@ # ------------------------------------ import datetime import os -from azure.keyvault.keys import KeyClient from azure.identity import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, get, update, and delete permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- # Sample - demonstrates the basic CRUD operations on a vault(key) resource for Azure Key Vault # 
@@ -32,9 +36,7 @@ # ---------------------------------------------------------------------------------------------------------- # Instantiate a key client that will be used to call the service. -# Notice that the client is using default Azure credentials. -# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', -# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. +# Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py b/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py index e1eae6af8052..390c087604a6 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py 
@@ -2,22 +2,26 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -import datetime import asyncio +import datetime import os -from azure.keyvault.keys.aio import KeyClient from azure.identity.aio import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys.aio import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, get, update, and delete permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- # Sample - demonstrates the basic CRUD operations on a vault(key) resource for Azure Key Vault # 
@@ -31,11 +35,10 @@ # # 5. Delete a key (delete_key) # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. - # Notice that the client is using default Azure credentials. - # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', - # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. + # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py new file mode 100644 index 000000000000..a596c1fb3d96 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py 
@@ -0,0 +1,79 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import os
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli)
+#
+# 2. azure-keyvault-keys and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable VAULT_URL with the URL of your key vault
+#
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+# (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client)
+#
+# 5. Key rotation permissions for your service principal in your vault
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - creates and updates a key's automated rotation policy, and rotates a key on-demand
+#
+# 1. Create a new key rotation policy (update_key_rotation_policy)
+#
+# 2. Get a key's current rotation policy (get_key_rotation_policy)
+#
+# 3. Update a key's rotation policy (update_key_rotation_policy)
+#
+# 4. Rotate a key on-demand (rotate_key)
+#
+# 5. Delete a key (begin_delete_key)
+# ----------------------------------------------------------------------------------------------------------
+
+# Instantiate a key client that will be used to call the service.
+# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+VAULT_URL = os.environ["VAULT_URL"]
+credential = DefaultAzureCredential()
+client = KeyClient(vault_url=VAULT_URL, credential=credential)
+
+# First, create a key
+key_name = "rotation-sample-key"
+key = client.create_rsa_key(key_name)
+print("\nCreated a key; new version is {}".format(key.properties.version))
+
+# Set the key's automated rotation policy to rotate the key two months after the key was created
+actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")]
+updated_policy = client.update_key_rotation_policy(key_name, lifetime_actions=actions)
+
+# The created policy should only have one action
+assert len(updated_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
+policy_action = updated_policy.lifetime_actions[0]
+print("\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
+
+# Get the key's current rotation policy
+current_policy = client.get_key_rotation_policy(key_name)
+policy_action = current_policy.lifetime_actions[0]
+print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
+
+# Update the key's automated rotation policy to notify 30 days before the key expires
+new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")]
+# You may also specify the duration after which the newly rotated key will expire
+# In this example, any new key versions will expire after 90 days
+new_policy = client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions)
+
+# The updated policy should only have one action
+assert len(new_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
+policy_action = new_policy.lifetime_actions[0]
+print("\nUpdated rotation policy: {} {} before expiry".format(policy_action.action, policy_action.time_before_expiry))
+
+# Finally, you can rotate a key on-demand by creating a new version of the key
+rotated_key = client.rotate_key(key_name)
+print("\nRotated the key on-demand; new version is {}".format(rotated_key.properties.version))
+
+# To clean up, delete the key
+client.begin_delete_key(key_name)
+print("\nDeleted the key")
diff --git a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py
new file mode 100644
index 000000000000..cb39430918dc
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py
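Review bot: Prerequisite 5 in key_rotation.py, `# 5. Key rotation permissions for your service principal in your vault`, understates what the sample needs: it also calls `create_rsa_key`, `get_key_rotation_policy`, `update_key_rotation_policy` and `begin_delete_key`, so a principal granted only the rotate permission would presumably be denied on the first call. The other samples in this commit enumerate their permissions, and doing the same here lets a reader grant exactly what is required rather than a broad role, e.g. `# 5. Key create, rotate, get rotation policy, set rotation policy, and delete permissions for your service principal in your vault`. The same line appears in key_rotation_async.py. Separately, `client.begin_delete_key(key_name)` is not waited on, so "Deleted the key" can print before the deletion has completed server-side; `client.begin_delete_key(key_name).wait()` would match list_operations.py.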
@@ -0,0 +1,95 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import asyncio
+import os
+from azure.identity.aio import DefaultAzureCredential
+from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicyAction
+from azure.keyvault.keys.aio import KeyClient
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli)
+#
+# 2. azure-keyvault-keys and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable VAULT_URL with the URL of your key vault
+#
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+# (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client)
+#
+# 5. Key rotation permissions for your service principal in your vault
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - creates and updates a key's automated rotation policy, and rotates a key on-demand
+#
+# 1. Create a new key rotation policy (update_key_rotation_policy)
+#
+# 2. Get a key's current rotation policy (get_key_rotation_policy)
+#
+# 3. Update a key's rotation policy (update_key_rotation_policy)
+#
+# 4. Rotate a key on-demand (rotate_key)
+#
+# 5. Delete a key (delete_key)
+# ----------------------------------------------------------------------------------------------------------
+
+async def run_sample():
+ # Instantiate a key client that will be used to call the service.
+ # Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+ VAULT_URL = os.environ["VAULT_URL"]
+ credential = DefaultAzureCredential()
+ client = KeyClient(vault_url=VAULT_URL, credential=credential)
+
+ # First, create a key
+ key_name = "rotation-sample-key"
+ key = await client.create_rsa_key(key_name)
+ print("\nCreated a key; new version is {}".format(key.properties.version))
+
+ # Set the key's automated rotation policy to rotate the key two months after the key was created
+ actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")]
+ updated_policy = await client.update_key_rotation_policy(key_name, lifetime_actions=actions)
+
+ # The created policy should only have one action
+ assert len(updated_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
+ policy_action = updated_policy.lifetime_actions[0]
+ print(
+ "\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create)
+ )
+
+ # Get the key's current rotation policy
+ current_policy = await client.get_key_rotation_policy(key_name)
+ policy_action = current_policy.lifetime_actions[0]
+ print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
+
+ # Update the key's automated rotation policy to notify 30 days before the key expires
+ new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")]
+ # You may also specify the duration after which the newly rotated key will expire
+ # In this example, any new key versions will expire after 90 days
+ new_policy = await client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions)
+
+ # The updated policy should only have one action
+ assert len(new_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action"
+ policy_action = new_policy.lifetime_actions[0]
+ print(
+ "\nUpdated rotation policy: {} {} before expiry".format(policy_action.action, policy_action.time_before_expiry)
+ )
+
+ # Finally, you can rotate a key on-demand by creating a new version of the key
+ rotated_key = await client.rotate_key(key_name)
+ print("\nRotated the key on-demand; new version is {}".format(rotated_key.properties.version))
+
+ # To clean up, delete the key
+ await client.delete_key(key_name)
+ print("\nDeleted the key")
+
+ await credential.close()
+ await client.close()
+
+
+if __name__ == "__main__":
+ loop = asyncio.get_event_loop()
+ loop.run_until_complete(run_sample())
+ loop.close()
diff --git a/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py
index bfc490be671b..707a8f952203 100644
--- a/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py
+++ b/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py
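Review bot: In key_rotation_async.py, `await credential.close()` and `await client.close()` at the end of `run_sample` only run when every earlier call succeeds; a failed request or one of the two `assert` checks leaves the client and credential sessions open. Entering both as async context managers with `async with credential, client:` around the calls, or moving the two `close()` calls into a `finally:` block, closes them on every path. The hunk has lost its indentation in this listing, so the exact nesting is inferred from the statement order.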
@@ -2,42 +2,41 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -import time import os -from azure.keyvault.keys import KeyClient from azure.identity import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # -# 2. Microsoft Azure Key Vault PyPI package - -# https://pypi.python.org/pypi/azure-keyvault-keys/ +# 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, list, and delete permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- -# Sample - demonstrates the basic list operations on a vault(key) resource for Azure Key Vault. -# The vault has to be soft-delete enabled to perform one of the following operations. See -# https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete for more information about soft-delete. +# Sample - demonstrates the basic list operations for keys # -# 1. Create key (create_key) +# 1. Create a key (create_key) # # 2. 
List keys from the Key Vault (list_keys) # # 3. List key versions from the Key Vault (list_properties_of_key_versions) # -# 4. List deleted keys from the Key Vault (list_deleted_keys). The vault has to be soft-delete enabled to perform this -# operation. +# 4. Delete keys (begin_delete_key) +# +# 5. List deleted keys from the Key Vault (list_deleted_keys) # # ---------------------------------------------------------------------------------------------------------- # Instantiate a key client that will be used to call the service. -# Notice that the client is using default Azure credentials. -# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', -# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. +# Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) @@ -79,7 +78,7 @@ for key_name in (ec_key.name, rsa_key.name): client.begin_delete_key(key_name).wait() -# You can list all the deleted and non-purged keys, assuming Key Vault is soft-delete enabled. +# You can list all the deleted and non-purged keys. print("\n.. List deleted keys from the Key Vault (requires soft-delete)") deleted_keys = client.list_deleted_keys() for deleted_key in deleted_keys: diff --git a/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py index 7b912f79f622..ed05792392e8 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py 
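Review bot: The context line `print("\n.. List deleted keys from the Key Vault (requires soft-delete)")` in the last list_operations.py hunk still carries the soft-delete caveat that this commit removes from the comment directly above it and from the file header. list_operations_async.py prints the same message without the suffix, so dropping it here, `print("\n.. List deleted keys from the Key Vault")`, would keep the two samples consistent. The `for deleted_key in deleted_keys:` loop continues outside the hunk.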
@@ -4,40 +4,41 @@ # ------------------------------------ import asyncio import os -from azure.keyvault.keys.aio import KeyClient from azure.identity.aio import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys.aio import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: # 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) # -# 2. Microsoft Azure Key Vault PyPI package - -# https://pypi.python.org/pypi/azure-keyvault-keys/ +# 2. azure-keyvault-keys and azure-identity libraries (pip install these) +# +# 3. Set environment variable VAULT_URL with the URL of your key vault # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, list, and delete permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- -# Sample - demonstrates the basic list operations on a vault(key) resource for Azure Key Vault. -# The vault has to be soft-delete enabled to perform one of the following operations. See -# https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete for more information about soft-delete. +# Sample - demonstrates the basic list operations for keys # -# 1. Create key (create_key) +# 1. Create a key (create_key) # # 2. List keys from the Key Vault (list_keys) # # 3. List key versions from the Key Vault (list_properties_of_key_versions) # -# 4. 
List deleted keys from the Key Vault (list_deleted_keys). The vault has to be soft-delete enabled to perform this -# operation. +# 4. Delete keys (delete_key) +# +# 5. List deleted keys from the Key Vault (list_deleted_keys) # # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. - # Notice that the client is using default Azure credentials. - # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', - # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. + # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) @@ -81,7 +82,7 @@ async def run_sample(): await client.delete_key(rsa_key.name) await client.delete_key(ec_key.name) - # You can list all the deleted and non-purged keys, assuming Key Vault is soft-delete enabled. + # You can list all the deleted and non-purged keys. print("\n.. List deleted keys from the Key Vault") deleted_keys = client.list_deleted_keys() async for deleted_key in deleted_keys: diff --git a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py index 3a51c81aa84e..470e9dc8193d 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py 
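Review bot: Prerequisite 1 in the first list_operations_async.py hunk is left as a context line with the locale-specific URL, `https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli`, while every other sample touched by this commit switches to the locale-neutral form. Changing it to `# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli)` would keep the header identical across the samples.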
@@ -2,26 +2,26 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -import time import os -from azure.keyvault.keys import KeyClient from azure.identity import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # -# 2. Microsoft Azure Key Vault PyPI package - -# https://pypi.python.org/pypi/azure-keyvault-keys/ +# 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, delete, recover, and purge permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- -# Sample - demonstrates deleting and purging a vault(key) resource for Azure Key Vault. -# The vault has to be soft-delete enabled to perform one of the following operations. See -# https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete for more information about soft-delete. +# Sample - demonstrates deleting and purging keys # # 1. Create a key (create_key) # 
@@ -33,9 +33,7 @@ # ---------------------------------------------------------------------------------------------------------- # Instantiate a key client that will be used to call the service. -# Notice that the client is using default Azure credentials. -# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', -# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. +# Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) @@ -60,8 +58,7 @@ recover_key_poller.wait() print("Recovered key '{0}'".format(recovered_key.name)) -# deleting the recovered key so it doesn't outlast this script -# If the keyvault is soft-delete enabled, then for permanent deletion, the deleted key needs to be purged. +# To permanently delete the key, the deleted key needs to be purged. # Calling result() on the method will immediately return the `DeletedKey`, but calling wait() blocks # until the key is deleted server-side so it can be purged. client.begin_delete_key(recovered_key.name).wait() diff --git a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py index f2b7e9f1219c..d42ebb83a31c 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py 
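Review bot: The replacement comment above `credential = DefaultAzureCredential()` no longer tells the reader which identity will end up calling the vault. DefaultAzureCredential tries several sources in turn (environment variables, managed identity, developer tool sign-ins), so on a workstation the delete and purge calls may run under a personally signed-in account instead of the intended service principal. I would add a second comment line: `# DefaultAzureCredential uses the first credential source that works; confirm which identity that is before running against a shared vault.` The same comment is introduced in the `@@ -33,9 +34,7 @@` hunk of recover_purge_operations_async.py and in the list_operations_async.py hunk earlier on the page.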
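Review bot: The rewritten comment before `client.begin_delete_key(recovered_key.name).wait()` in the `@@ -60,8 +58,7 @@` hunk presents purging as always available, but a vault with purge protection enabled refuses the purge request and keeps the deleted key recoverable until its retention period ends. The purge call itself is outside the hunk, so the sample would presumably fail there on such a vault with no hint why. The removed line also carried the reason for the delete, which is cleanup. I would write `# Delete the recovered key so it doesn't outlast this script. Permanent deletion needs a purge, which the vault rejects if purge protection is enabled.` The `@@ -56,8 +55,7 @@` hunk of recover_purge_operations_async.py makes the same edit.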
@@ -4,24 +4,25 @@ # ------------------------------------ import asyncio import os -from azure.keyvault.keys.aio import KeyClient from azure.identity.aio import DefaultAzureCredential -from azure.core.exceptions import HttpResponseError +from azure.keyvault.keys.aio import KeyClient # ---------------------------------------------------------------------------------------------------------- # Prerequisites: -# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) +# 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) # -# 2. Microsoft Azure Key Vault PyPI package - -# https://pypi.python.org/pypi/azure-keyvault-keys/ +# 2. azure-keyvault-keys and azure-identity libraries (pip install these) # -# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL +# 3. Set environment variable VAULT_URL with the URL of your key vault +# +# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with +# environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys#authenticate-the-client) # +# 5. Key create, delete, recover, and purge permissions for your service principal in your vault +# # ---------------------------------------------------------------------------------------------------------- -# Sample - demonstrates deleting and purging a vault(key) resource for Azure Key Vault. -# The vault has to be soft-delete enabled to perform one of the following operations. See -# https://docs.microsoft.com/en-us/azure/key-vault/key-vault-ovw-soft-delete for more information about soft-delete. +# Sample - demonstrates deleting and purging keys # # 1. Create a key (create_key) # 
@@ -33,9 +34,7 @@ # ---------------------------------------------------------------------------------------------------------- async def run_sample(): # Instantiate a key client that will be used to call the service. - # Notice that the client is using default Azure credentials. - # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', - # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. + # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) @@ -56,8 +55,7 @@ async def run_sample(): recovered_key = await client.recover_deleted_key(rsa_key.name) print("Recovered key '{0}'".format(recovered_key.name)) - # deleting the recovered key so it doesn't outlast this script - # If the keyvault is soft-delete enabled, then for permanent deletion, the deleted key needs to be purged. + # To permanently delete the key, the deleted key needs to be purged. await client.delete_key(recovered_key.name) # Keys will still purge eventually on their scheduled purge date, but calling `purge_deleted_key` immediately