KeyVaultAccessControlClient Class
Manages role-based access to Azure Key Vault.
- Inheritance
- azure.keyvault.administration._internal.async_client_base.AsyncKeyVaultClientBase
- KeyVaultAccessControlClient
Constructor
KeyVaultAccessControlClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)
Parameters
- vault_url
- str
URL of the vault the client will manage. This is also called the vault's "DNS Name".
- credential
an object which can provide an access token for the vault, such as a credential from identity
Methods
| create_role_assignment | Create a role assignment. |
| delete_role_assignment | Delete a role assignment. |
| delete_role_definition | Deletes a custom role definition. |
| get_role_assignment | Get a role assignment. |
| get_role_definition | Get the specified role definition. |
| list_role_assignments | List all role assignments for a scope. |
| list_role_definitions | List all role definitions applicable at and above a scope. |
| set_role_definition | Creates or updates a custom role definition. To update a role definition, specify the definition's name. |
create_role_assignment
Create a role assignment.
async create_role_assignment(scope: Union[str, KeyVaultRoleScope], definition_id: str, principal_id: str, **kwargs: Any) -> azure.keyvault.administration._models.KeyVaultRoleAssignment
Parameters
- scope
- str or KeyVaultRoleScope
scope the role assignment will apply over. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
- principal_id
- str
Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.
Return type
KeyVaultRoleAssignment
delete_role_assignment
Delete a role assignment.
async delete_role_assignment(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) -> None
Parameters
- scope
- str or KeyVaultRoleScope
the assignment's scope, for example "/", "/keys", or "/keys/". KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Returns
None
delete_role_definition
Deletes a custom role definition.
async delete_role_definition(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) -> None
Parameters
- scope
- str or KeyVaultRoleScope
scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.GLOBAL.
Returns
None
get_role_assignment
Get a role assignment.
async get_role_assignment(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) -> azure.keyvault.administration._models.KeyVaultRoleAssignment
Parameters
- scope
- str or KeyVaultRoleScope
the assignment's scope, for example "/", "/keys", or "/keys/". KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Return type
KeyVaultRoleAssignment
get_role_definition
Get the specified role definition.
async get_role_definition(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) -> KeyVaultRoleDefinition
Parameters
- scope
- str or KeyVaultRoleScope
scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.GLOBAL.
Return type
KeyVaultRoleDefinition
list_role_assignments
List all role assignments for a scope.
list_role_assignments(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) -> AsyncItemPaged[KeyVaultRoleAssignment]
Parameters
- scope
- str or KeyVaultRoleScope
scope of the role assignments. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Return type
AsyncItemPaged[KeyVaultRoleAssignment]
list_role_definitions
List all role definitions applicable at and above a scope.
list_role_definitions(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) -> AsyncItemPaged[KeyVaultRoleDefinition]
Parameters
- scope
- str or KeyVaultRoleScope
scope of the role definitions. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Return type
AsyncItemPaged[KeyVaultRoleDefinition]
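An added example (not part of the SDK documentation) of using list_role_definitions and list_role_assignments for an access review: it reports role assignments made at the vault-wide "/" scope to principals that are not on an approved list. The attribute names read from the returned objects (properties.scope, properties.principal_id, properties.role_definition_id, id, role_name) are assumed from the SDK's model classes and are not listed on this page; FakeAccessControlClient and every ID are constructed so the code runs offline.

```python
import asyncio
from types import SimpleNamespace as NS

async def audit_global_assignments(client, approved_principals):
    """Return vault-wide ("/") role assignments held by unapproved principals."""
    # Resolve role definition IDs to display names for readable findings.
    role_names = {}
    async for definition in client.list_role_definitions("/"):
        role_names[definition.id] = definition.role_name
    findings = []
    async for assignment in client.list_role_assignments("/"):
        props = assignment.properties
        # Keep only assignments whose own scope is the whole vault.
        if props.scope == "/" and props.principal_id not in approved_principals:
            findings.append({
                "assignment": assignment.name,
                "principal_id": props.principal_id,
                "role": role_names.get(props.role_definition_id, "<unknown role>"),
            })
    return findings

class FakeAccessControlClient:
    """Constructed stand-in for KeyVaultAccessControlClient; runs offline."""
    def __init__(self, definitions, assignments):
        self._definitions, self._assignments = definitions, assignments
    async def list_role_definitions(self, scope):
        for item in self._definitions:
            yield item
    async def list_role_assignments(self, scope):
        for item in self._assignments:
            yield item

def demo():
    # Constructed sample data: every ID and role name below is made up.
    client = FakeAccessControlClient(
        definitions=[NS(id="def-admin", role_name="Example Admin"),
                     NS(id="def-user", role_name="Example Crypto User")],
        assignments=[
            NS(name="a1", properties=NS(scope="/", principal_id="p-ops", role_definition_id="def-admin")),
            NS(name="a2", properties=NS(scope="/", principal_id="p-app", role_definition_id="def-admin")),
            NS(name="a3", properties=NS(scope="/keys", principal_id="p-app", role_definition_id="def-user")),
        ])
    return asyncio.run(audit_global_assignments(client, {"p-ops"}))

if __name__ == "__main__":
    print(demo())
```

With a real KeyVaultAccessControlClient, pass the client in place of the fake and await audit_global_assignments from your own coroutine.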
set_role_definition
Creates or updates a custom role definition.
To update a role definition, specify the definition's name.
async set_role_definition(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) -> KeyVaultRoleDefinition
Parameters
- scope
- str or KeyVaultRoleScope
scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.GLOBAL.
- name
- str or UUID
the role definition's name, a UUID. When this argument has a value, the client will create a new role definition with this name or update an existing role definition, if one exists with the given name. When this argument has no value, a new role definition will be created with a generated name.
- role_name
- str
the role's display name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.
- description
- str
a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.
- permissions
- Iterable[KeyVaultPermission]
the role definition's permissions. If unspecified when creating or updating a role definition, the role definition will have no action permissions.
- assignable_scopes
- Iterable[str] or Iterable[KeyVaultRoleScope]
the scopes for which the role definition can be assigned.
Returns
The created or updated role definition
Return type
KeyVaultRoleDefinition