-
Notifications
You must be signed in to change notification settings - Fork 3.3k
[Key Vault] Add executable key rotation samples #21161
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| # ------------------------------------ | ||
| # Copyright (c) Microsoft Corporation. | ||
| # Licensed under the MIT License. | ||
| # ------------------------------------ | ||
| import os | ||
| from azure.identity import DefaultAzureCredential | ||
| from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction | ||
|
|
||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Prerequisites: | ||
| # 1. An Azure Key Vault (https://docs.microsoft.com/azure/key-vault/quick-create-cli) | ||
| # | ||
| # 2. azure-keyvault-keys and azure-identity libraries (pip install these) | ||
| # | ||
| # 3. Set environment variable VAULT_URL with the URL of your key vault | ||
| # | ||
| # 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with | ||
| # environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID | ||
| # (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration#authenticate-the-client) | ||
| # | ||
| # 5. Key rotation permissions for your service principal in your vault | ||
| # | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Sample - creates and updates a key's automated rotation policy, and rotates a key on-demand | ||
| # | ||
| # 1. Create a new key rotation policy (update_key_rotation_policy) | ||
| # | ||
| # 2. Get a key's current rotation policy (get_key_rotation_policy) | ||
| # | ||
| # 3. Update a key's rotation policy (update_key_rotation_policy) | ||
| # | ||
| # 4. Rotate a key on-demand (rotate_key) | ||
| # | ||
| # 5. Delete a key (begin_delete_key) | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
|
|
||
| # Instantiate a key client that will be used to call the service. | ||
| # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. | ||
| VAULT_URL = os.environ["VAULT_URL"] | ||
| credential = DefaultAzureCredential() | ||
| client = KeyClient(vault_url=VAULT_URL, credential=credential) | ||
|
|
||
| # First, create a key | ||
| key_name = "rotation-sample-key" | ||
| key = client.create_rsa_key(key_name) | ||
| print("\nCreated a key; new version is {}".format(key.properties.version)) | ||
|
|
||
| # Set the key's automated rotation policy to rotate the key two months after the key was created | ||
| actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")] | ||
| updated_policy = client.update_key_rotation_policy(key_name, lifetime_actions=actions) | ||
|
|
||
| # The created policy should only have one action | ||
| assert len(updated_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action" | ||
| policy_action = updated_policy.lifetime_actions[0] | ||
| print("\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create)) | ||
|
|
||
| # Get the key's current rotation policy | ||
| current_policy = client.get_key_rotation_policy(key_name) | ||
| policy_action = current_policy.lifetime_actions[0] | ||
| print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create)) | ||
|
|
||
| # Update the key's automated rotation policy to notify 30 days before the key expires | ||
| new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")] | ||
| # You may also specify the duration after which the newly rotated key will expire | ||
| # In this example, any new key versions will expire after 90 days | ||
| new_policy = client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions) | ||
|
|
||
| # The updated policy should only have one action | ||
| assert len(new_policy.lifetime_actions) == 1, "There should be exactly one rotation policy action" | ||
| policy_action = new_policy.lifetime_actions[0] | ||
| print("\nUpdated rotation policy: {} {} before expiry".format(policy_action.action, policy_action.time_before_expiry)) | ||
|
|
||
| # Finally, you can rotate a key on-demand by creating a new version of the key | ||
| rotated_key = client.rotate_key(key_name) | ||
| print("\nRotated the key on-demand; new version is {}".format(rotated_key.properties.version)) | ||
|
|
||
| # To clean up, delete the key | ||
| client.begin_delete_key(key_name) | ||
| print("\nDeleted the key") |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I know where you copied this from 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been found out! Thank you for saving me from embarrassment