KeyVaultClient Class

The key vault client performs cryptographic key operations and vault operations against the Key Vault service.

Inheritance
KeyVaultClient

Constructor

KeyVaultClient(credentials)

Parameters

credentials
azure_active_directory
Required

Credentials needed for the client to connect to Azure.

Variables

config
KeyVaultClientConfiguration

Configuration for client.

Methods

backup_key

Requests that a backup of the specified key be downloaded to the client.

The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Azure Key Vault system; the returned key material is protected either to an Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Azure Key Vault instance, BACKUP the key, and then RESTORE it into another Azure Key Vault instance. The BACKUP operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only, meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the keys/backup permission.

backup_secret

Backs up the specified secret.

Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.

create_certificate

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

create_key

Creates a new key, stores it, then returns key parameters and attributes to the client.

The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

decrypt

Decrypts a single block of encrypted data.

The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, and the size of this block depends on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission.

delete_certificate

Deletes a certificate from a specified key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

delete_certificate_contacts

Deletes the certificate contacts for a specified key vault.

Deletes the certificate contacts for a specified key vault certificate. This operation requires the certificates/managecontacts permission.

delete_certificate_issuer

Deletes the specified certificate issuer.

The DeleteCertificateIssuer operation permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

delete_certificate_operation

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

delete_key

Deletes a key of any type from storage in Azure Key Vault.

The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

delete_sas_definition

Deletes a SAS definition from a specified storage account. This operation requires the storage/deletesas permission.

delete_secret

Deletes a secret from a specified key vault.

The DELETE operation applies to any secret stored in Azure Key Vault. DELETE cannot be applied to an individual version of a secret. This operation requires the secrets/delete permission.

delete_storage_account

Deletes a storage account. This operation requires the storage/delete permission.

encrypt

Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault.

The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which depends on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.

get_certificate

Gets information about a certificate.

Gets information about a specific certificate. This operation requires the certificates/get permission.

get_certificate_contacts

Lists the certificate contacts for a specified key vault.

The GetCertificateContacts operation returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

get_certificate_issuer

Lists the specified certificate issuer.

The GetCertificateIssuer operation returns the specified certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.

get_certificate_issuers

List certificate issuers for a specified key vault.

The GetCertificateIssuers operation returns the set of certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.

get_certificate_operation

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

get_certificate_policy

Lists the policy for a certificate.

The GetCertificatePolicy operation returns the specified certificate policy resources in the specified key vault. This operation requires the certificates/get permission.

get_certificate_versions

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the specified key vault. This operation requires the certificates/list permission.

get_certificates

List certificates in a specified key vault.

The GetCertificates operation returns the set of certificates resources in the specified key vault. This operation requires the certificates/list permission.

get_deleted_certificate

Retrieves information about the specified deleted certificate.

The GetDeletedCertificate operation retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion and the current deletion recovery level. This operation requires the certificates/get permission.

get_deleted_certificates

Lists the deleted certificates in the specified vault currently available for recovery.

The GetDeletedCertificates operation retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

get_deleted_key

Gets the public part of a deleted key.

The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission.

get_deleted_keys

Lists the deleted keys in the specified vault.

Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission.

get_deleted_secret

Gets the specified deleted secret.

The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.

get_deleted_secrets

Lists deleted secrets for the specified vault.

The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.

get_key

Gets the public part of a stored key.

The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.

get_key_versions

Retrieves a list of individual key versions with the same key name.

The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission.

get_keys

List keys in the specified vault.

Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.

get_sas_definition

Gets information about a SAS definition for the specified storage account. This operation requires the storage/getsas permission.

get_sas_definitions

List storage SAS definitions for the given storage account. This operation requires the storage/listsas permission.

get_secret

Get a specified secret from a given key vault.

The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.

get_secret_versions

List all versions of the specified secret.

The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.

get_secrets

List secrets in a specified key vault.

The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.

get_storage_account

Gets information about a specified storage account. This operation requires the storage/get permission.

get_storage_accounts

List storage accounts managed by the specified key vault. This operation requires the storage/list permission.

import_certificate

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

import_key

Imports an externally created key, stores it, and returns key parameters and attributes to the client.

The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

merge_certificate

Merges a certificate or a certificate chain with a key pair existing on the server.

The MergeCertificate operation performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission.

purge_deleted_certificate

Permanently deletes the specified deleted certificate.

The PurgeDeletedCertificate operation performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify 'Purgeable'. This operation requires the certificates/purge permission.

purge_deleted_key

Permanently deletes the specified key.

The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission.

purge_deleted_secret

Permanently deletes the specified secret.

The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.

recover_deleted_certificate

Recovers the deleted certificate back to its current version under /certificates.

The RecoverDeletedCertificate operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate's attributes). This operation requires the certificates/recover permission.

recover_deleted_key

Recovers the deleted key to its latest version.

The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. It recovers the deleted key back to its latest version under /keys. An attempt to recover a non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.

recover_deleted_secret

Recovers the deleted secret to the latest version.

Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.

regenerate_storage_account_key

Regenerates the specified key value for the given storage account. This operation requires the storage/regeneratekey permission.

restore_key

Restores a backed up key to a vault.

Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints: the target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault, and the user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission.

restore_secret

Restores a backed up secret to a vault.

Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.

set_certificate_contacts

Sets the certificate contacts for the specified key vault.

Sets the certificate contacts for the specified key vault. This operation requires the certificates/managecontacts permission.

set_certificate_issuer

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

set_sas_definition

Creates or updates a new SAS definition for the specified storage account. This operation requires the storage/setsas permission.

set_secret

Sets a secret in a specified key vault.

The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.

set_storage_account

Creates or updates a new storage account. This operation requires the storage/set permission.

sign

Creates a signature from a digest using the specified key.

The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault since this operation uses the private portion of the key. This operation requires the keys/sign permission.

unwrap_key

Unwraps a symmetric key using the specified key that was initially used for wrapping that key.

The UNWRAP operation supports decryption of a symmetric key using the target key encryption key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission.

update_certificate

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate's attributes. This operation requires the certificates/update permission.

update_certificate_issuer

Updates the specified certificate issuer.

The UpdateCertificateIssuer operation performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

update_certificate_operation

Updates a certificate operation.

Updates a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

update_certificate_policy

Updates the policy for a certificate.

Set specified members in the certificate policy. Leave others as null. This operation requires the certificates/update permission.

update_key

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.

In order to perform this operation, the key must already exist in the Key Vault. Note: The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.

update_sas_definition

Updates the specified attributes associated with the given SAS definition. This operation requires the storage/setsas permission.

update_secret

Updates the attributes associated with a specified secret in a given key vault.

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.

update_storage_account

Updates the specified attributes associated with the given storage account. This operation requires the storage/set/update permission.

verify

Verifies a signature using a specified key.

The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not strictly necessary for asymmetric keys stored in Azure Key Vault since signature verification can be performed using the public portion of the key but this operation is supported as a convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission.

wrap_key

Wraps a symmetric key using a specified key.

The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.
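Because every method above names the one permission it requires, the set of permissions an application actually needs can be derived from the calls it makes. The following is an added example, not part of the SDK or of the original page: it statically scans Python source for calls on objects created with `KeyVaultClient(...)` and compares the permissions those calls need with the ones granted. The function names, the subset of methods in the table, and the sample application are assumptions made for the illustration; it needs Python 3.9+ for `ast.unparse`.

```python
import ast

# Method -> permission, copied from the method descriptions on this page.
# Subset only: extend it with the certificate and storage methods as needed.
REQUIRED_PERMISSION = {
    "create_key": "keys/create", "import_key": "keys/import",
    "get_key": "keys/get", "update_key": "keys/update",
    "get_keys": "keys/list", "get_key_versions": "keys/list",
    "delete_key": "keys/delete", "purge_deleted_key": "keys/purge",
    "recover_deleted_key": "keys/recover", "restore_key": "keys/restore",
    "encrypt": "keys/encrypt", "decrypt": "keys/decrypt",
    "sign": "keys/sign", "verify": "keys/verify",
    "wrap_key": "keys/wrapKey", "unwrap_key": "keys/unwrapKey",
    "get_secret": "secrets/get", "set_secret": "secrets/set",
    "get_secrets": "secrets/list", "get_secret_versions": "secrets/list",
    "update_secret": "secrets/set", "delete_secret": "secrets/delete",
    "backup_secret": "secrets/backup", "restore_secret": "secrets/restore",
    "purge_deleted_secret": "secrets/purge",
    "recover_deleted_secret": "secrets/recover",
}


def _is_client_ctor(node):
    """True for KeyVaultClient(...) or some.module.KeyVaultClient(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    return name == "KeyVaultClient"


def required_permissions(source):
    """Return {permission: sorted line numbers} for client calls in source."""
    tree = ast.parse(source)
    # Pass 1: expressions that hold a client, e.g. "client" or "self.kv".
    clients = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_client_ctor(node.value):
            clients.update(ast.unparse(target) for target in node.targets)
    # Pass 2: known methods called on one of those expressions.
    found = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        method = node.func.attr
        if ast.unparse(node.func.value) in clients and method in REQUIRED_PERMISSION:
            found.setdefault(REQUIRED_PERMISSION[method], []).append(node.lineno)
    return {perm: sorted(lines) for perm, lines in found.items()}


def audit(source, granted):
    """Compare the permissions the code needs with the ones granted."""
    needed = set(required_permissions(source))
    granted = set(granted)
    return {
        "missing": sorted(needed - granted),   # calls the service will refuse
        "excess": sorted(granted - needed),    # candidates for removal
        # Purge operations are documented above as permanent deletion.
        "irreversible": sorted(p for p in granted if p.endswith("/purge")),
    }


# Constructed sample application code; it is only parsed, never executed.
SAMPLE_APP = '''
from azure.keyvault import KeyVaultClient

class Signer:
    def __init__(self, credentials, vault):
        self.kv = KeyVaultClient(credentials)
        self.vault = vault

    def sign_digest(self, digest):
        return self.kv.sign(self.vault, "release-key", "", "RS256", digest)

    def api_token(self):
        return self.kv.get_secret(self.vault, "api-token", "").value

def unrelated(doc):
    return doc.sign("not a vault call")
'''

if __name__ == "__main__":
    granted = ["keys/sign", "keys/get", "keys/purge", "secrets/list"]
    print(required_permissions(SAMPLE_APP))
    print(audit(SAMPLE_APP, granted))
```

The scan only follows clients assigned directly from the constructor, so a client passed in as a function argument needs its name added to the lookup by hand.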

backup_key

Requests that a backup of the specified key be downloaded to the client.

The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this operation does NOT return key material in a form that can be used outside the Azure Key Vault system; the returned key material is protected either to an Azure Key Vault HSM or to Azure Key Vault itself. The intent of this operation is to allow a client to GENERATE a key in one Azure Key Vault instance, BACKUP the key, and then RESTORE it into another Azure Key Vault instance. The BACKUP operation may be used to export, in protected form, any key type from Azure Key Vault. Individual versions of a key cannot be backed up. BACKUP / RESTORE can be performed within geographical boundaries only, meaning that a BACKUP from one geographical area cannot be restored to another geographical area. For example, a backup from the US geographical area cannot be restored in an EU geographical area. This operation requires the keys/backup permission.

backup_key(vault_base_url, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

BackupKeyResult or ClientRawResponse if raw=true

Return type

Exceptions

backup_secret

Backs up the specified secret.

Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded. This operation requires the secrets/backup permission.

backup_secret(vault_base_url, secret_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

BackupSecretResult or ClientRawResponse if raw=true

Return type

Exceptions

create_certificate

Creates a new certificate.

If this is the first version, the certificate resource is created. This operation requires the certificates/create permission.

create_certificate(vault_base_url, certificate_name, certificate_policy=None, certificate_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

certificate_policy
CertificatePolicy
default value: None

The management policy for the certificate.

certificate_attributes
CertificateAttributes
default value: None

The attributes of the certificate (optional).

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateOperation or ClientRawResponse if raw=true

Return type

Exceptions

create_key

Creates a new key, stores it, then returns key parameters and attributes to the client.

The create key operation can be used to create any key type in Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission.

create_key(vault_base_url, key_name, kty, key_size=None, key_ops=None, key_attributes=None, tags=None, curve=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name for the new key. The system will generate the version name for the new key.

kty
str or JsonWebKeyType
Required

The type of key to create. For valid values, see JsonWebKeyType. Possible values include: 'EC', 'EC-HSM', 'RSA', 'RSA-HSM', 'oct'

key_size
int
default value: None

The key size in bits. For example: 2048, 3072, or 4096 for RSA.

key_ops
list[str or JsonWebKeyOperation]
default value: None

key_attributes
KeyAttributes
default value: None

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

curve
str or JsonWebKeyCurveName
default value: None

Elliptic curve name. For valid values, see JsonWebKeyCurveName. Possible values include: 'P-256', 'P-384', 'P-521', 'SECP256K1'

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

decrypt

Decrypts a single block of encrypted data.

The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a single block of data may be decrypted, and the size of this block depends on the target key and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission.

decrypt(vault_base_url, key_name, key_version, algorithm, value, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeyEncryptionAlgorithm
Required

algorithm identifier. Possible values include: 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'

value
bytes
Required

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyOperationResult or ClientRawResponse if raw=true

Return type

Exceptions

delete_certificate

Deletes a certificate from a specified key vault.

Deletes all versions of a certificate object along with its associated policy. Delete certificate cannot be used to remove individual versions of a certificate object. This operation requires the certificates/delete permission.

delete_certificate(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedCertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

delete_certificate_contacts

Deletes the certificate contacts for a specified key vault.

Deletes the certificate contacts for a specified key vault certificate. This operation requires the certificates/managecontacts permission.

delete_certificate_contacts(vault_base_url, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

Contacts or ClientRawResponse if raw=true

Return type

Exceptions

delete_certificate_issuer

Deletes the specified certificate issuer.

The DeleteCertificateIssuer operation permanently removes the specified certificate issuer from the vault. This operation requires the certificates/manageissuers/deleteissuers permission.

delete_certificate_issuer(vault_base_url, issuer_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

issuer_name
str
Required

The name of the issuer.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

IssuerBundle or ClientRawResponse if raw=true

Return type

Exceptions

delete_certificate_operation

Deletes the creation operation for a specific certificate.

Deletes the creation operation for a specified certificate that is in the process of being created. The certificate is no longer created. This operation requires the certificates/update permission.

delete_certificate_operation(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateOperation or ClientRawResponse if raw=true

Return type

Exceptions

delete_key

Deletes a key of any type from storage in Azure Key Vault.

The delete key operation cannot be used to remove individual versions of a key. This operation removes the cryptographic material associated with the key, which means the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission.

delete_key(vault_base_url, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key to delete.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedKeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

delete_sas_definition

Deletes a SAS definition from a specified storage account. This operation requires the storage/deletesas permission.

delete_sas_definition(vault_base_url, storage_account_name, sas_definition_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

sas_definition_name
str
Required

The name of the SAS definition.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SasDefinitionBundle or ClientRawResponse if raw=true

Return type

Exceptions

delete_secret

Deletes a secret from a specified key vault.

The DELETE operation applies to any secret stored in Azure Key Vault. DELETE cannot be applied to an individual version of a secret. This operation requires the secrets/delete permission.

delete_secret(vault_base_url, secret_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedSecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

delete_storage_account

Deletes a storage account. This operation requires the storage/delete permission.

delete_storage_account(vault_base_url, storage_account_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

StorageBundle or ClientRawResponse if raw=true

Return type

Exceptions

encrypt

Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault.

The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used. The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission.

encrypt(vault_base_url, key_name, key_version, algorithm, value, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeyEncryptionAlgorithm
Required

algorithm identifier. Possible values include: 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'

value
bytes
Required

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyOperationResult or ClientRawResponse if raw=true

Return type

Exceptions
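The single-block limit described for encrypt can be checked locally before any request is sent. The following is an added example, not code from the SDK: it derives the largest plaintext each listed algorithm accepts from the RSA modulus size and refuses oversized input. The helper names, the caller-supplied key_bits argument and the RecordingClient stand-in are assumptions made for illustration.

```python
# Added example: local size pre-check before calling KeyVaultClient.encrypt.
# Padding overhead in bytes for the algorithm identifiers listed on this page:
#   RSA-OAEP     -> OAEP with SHA-1   : 2 * 20 + 2 = 42
#   RSA-OAEP-256 -> OAEP with SHA-256 : 2 * 32 + 2 = 66
#   RSA1_5       -> PKCS#1 v1.5 encryption padding : 11
PADDING_OVERHEAD = {"RSA-OAEP": 42, "RSA-OAEP-256": 66, "RSA1_5": 11}


class PlaintextTooLarge(ValueError):
    """Raised locally, before anything is sent to the vault."""


def max_plaintext_len(algorithm, key_bits):
    """Largest single block, in bytes, that an RSA key of key_bits can encrypt."""
    if algorithm not in PADDING_OVERHEAD:
        raise ValueError("unsupported algorithm: %r" % (algorithm,))
    modulus_bytes = (key_bits + 7) // 8
    limit = modulus_bytes - PADDING_OVERHEAD[algorithm]
    if limit <= 0:
        raise ValueError("a %d-bit key is too small for %s" % (key_bits, algorithm))
    return limit


def encrypt_single_block(client, vault_base_url, key_name, key_version,
                         algorithm, value, key_bits):
    """Validate value against the single-block limit, then call client.encrypt().

    key_bits is supplied by the caller (assumption: the RSA modulus size of
    the target key is already known to the application).
    """
    if not isinstance(value, (bytes, bytearray)):
        raise TypeError("value must be bytes")
    limit = max_plaintext_len(algorithm, key_bits)
    if len(value) > limit:
        raise PlaintextTooLarge(
            "%d bytes exceeds the %d-byte limit for %s with a %d-bit key"
            % (len(value), limit, algorithm, key_bits))
    # Positional order follows the encrypt() signature documented above.
    return client.encrypt(vault_base_url, key_name, key_version,
                          algorithm, bytes(value))


class RecordingClient(object):
    """Constructed stand-in for KeyVaultClient: records calls, no network."""

    def __init__(self):
        self.calls = []

    def encrypt(self, vault_base_url, key_name, key_version, algorithm, value,
                custom_headers=None, raw=False, **operation_config):
        self.calls.append((vault_base_url, key_name, key_version,
                           algorithm, value))
        return {"constructed_result_len": len(value)}  # placeholder result


if __name__ == "__main__":
    demo = RecordingClient()
    for alg in sorted(PADDING_OVERHEAD):
        print(alg, max_plaintext_len(alg, 2048))
    encrypt_single_block(demo, "https://myvault.vault.azure.net",
                         "constructed-key", "constructed-version",
                         "RSA-OAEP-256", b"\x00" * 32, 2048)
    print(len(demo.calls), "request(s) recorded")
```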

get_certificate

Gets information about a certificate.

Gets information about a specific certificate. This operation requires the certificates/get permission.

get_certificate(vault_base_url, certificate_name, certificate_version, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate in the given vault.

certificate_version
str
Required

The version of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_certificate_contacts

Lists the certificate contacts for a specified key vault.

The GetCertificateContacts operation returns the set of certificate contact resources in the specified key vault. This operation requires the certificates/managecontacts permission.

get_certificate_contacts(vault_base_url, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

Contacts or ClientRawResponse if raw=true

Return type

Exceptions

get_certificate_issuer

Lists the specified certificate issuer.

The GetCertificateIssuer operation returns the specified certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.

get_certificate_issuer(vault_base_url, issuer_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

issuer_name
str
Required

The name of the issuer.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

IssuerBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_certificate_issuers

List certificate issuers for a specified key vault.

The GetCertificateIssuers operation returns the set of certificate issuer resources in the specified key vault. This operation requires the certificates/manageissuers/getissuers permission.

get_certificate_issuers(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of CertificateIssuerItem

Return type

Exceptions

get_certificate_operation

Gets the creation operation of a certificate.

Gets the creation operation associated with a specified certificate. This operation requires the certificates/get permission.

get_certificate_operation(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateOperation or ClientRawResponse if raw=true

Return type

Exceptions

get_certificate_policy

Lists the policy for a certificate.

The GetCertificatePolicy operation returns the specified certificate policy resources in the specified key vault. This operation requires the certificates/get permission.

get_certificate_policy(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate in a given key vault.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificatePolicy or ClientRawResponse if raw=true

Return type

Exceptions

get_certificate_versions

List the versions of a certificate.

The GetCertificateVersions operation returns the versions of a certificate in the specified key vault. This operation requires the certificates/list permission.

get_certificate_versions(vault_base_url, certificate_name, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of CertificateItem

Return type

Exceptions

get_certificates

List certificates in a specified key vault.

The GetCertificates operation returns the set of certificates resources in the specified key vault. This operation requires the certificates/list permission.

get_certificates(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of CertificateItem

Return type

Exceptions

get_deleted_certificate

Retrieves information about the specified deleted certificate.

The GetDeletedCertificate operation retrieves the deleted certificate information plus its attributes, such as retention interval, scheduled permanent deletion and the current deletion recovery level. This operation requires the certificates/get permission.

get_deleted_certificate(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedCertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_deleted_certificates

Lists the deleted certificates in the specified vault currently available for recovery.

The GetDeletedCertificates operation retrieves the certificates in the current vault which are in a deleted state and ready for recovery or purging. This operation includes deletion-specific information. This operation requires the certificates/get/list permission. This operation can only be enabled on soft-delete enabled vaults.

get_deleted_certificates(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of DeletedCertificateItem

Return type

Exceptions

get_deleted_key

Gets the public part of a deleted key.

The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission.

get_deleted_key(vault_base_url, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedKeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_deleted_keys

Lists the deleted keys in the specified vault.

Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a deleted key. This operation includes deletion-specific information. The Get Deleted Keys operation is applicable for vaults enabled for soft-delete. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission.

get_deleted_keys(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of DeletedKeyItem

Return type

Exceptions

get_deleted_secret

Gets the specified deleted secret.

The Get Deleted Secret operation returns the specified deleted secret along with its attributes. This operation requires the secrets/get permission.

get_deleted_secret(vault_base_url, secret_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

DeletedSecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_deleted_secrets

Lists deleted secrets for the specified vault.

The Get Deleted Secrets operation returns the secrets that have been deleted for a vault enabled for soft-delete. This operation requires the secrets/list permission.

get_deleted_secrets(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of DeletedSecretItem

Return type

Exceptions

get_key

Gets the public part of a stored key.

The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission.

get_key(vault_base_url, key_name, key_version, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key to get.

key_version
str
Required

Adding the version parameter retrieves a specific version of a key.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_key_versions

Retrieves a list of individual key versions with the same key name.

The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission.

get_key_versions(vault_base_url, key_name, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of KeyItem

Return type

Exceptions

get_keys

List keys in the specified vault.

Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored key. The LIST operation is applicable to all key types, however only the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission.

get_keys(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of KeyItem

Return type

Exceptions

get_sas_definition

Gets information about a SAS definition for the specified storage account. This operation requires the storage/getsas permission.

get_sas_definition(vault_base_url, storage_account_name, sas_definition_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

sas_definition_name
str
Required

The name of the SAS definition.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SasDefinitionBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_sas_definitions

List storage SAS definitions for the given storage account. This operation requires the storage/listsas permission.

get_sas_definitions(vault_base_url, storage_account_name, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of SasDefinitionItem

Return type

Exceptions

get_secret

Get a specified secret from a given key vault.

The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.

get_secret(vault_base_url, secret_name, secret_version, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

secret_version
str
Required

The version of the secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_secret_versions

List all versions of the specified secret.

The full secret identifier and attributes are provided in the response. No values are returned for the secrets. This operation requires the secrets/list permission.

get_secret_versions(vault_base_url, secret_name, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of SecretItem

Return type

Exceptions

get_secrets

List secrets in a specified key vault.

The Get Secrets operation is applicable to the entire vault. However, only the base secret identifier and its attributes are provided in the response. Individual secret versions are not listed in the response. This operation requires the secrets/list permission.

get_secrets(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified, the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of SecretItem

Return type

Exceptions

get_storage_account

Gets information about a specified storage account. This operation requires the storage/get permission.

get_storage_account(vault_base_url, storage_account_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

StorageBundle or ClientRawResponse if raw=true

Return type

Exceptions

get_storage_accounts

List storage accounts managed by the specified key vault. This operation requires the storage/list permission.

get_storage_accounts(vault_base_url, maxresults=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

maxresults
int
default value: None

Maximum number of results to return in a page. If not specified the service will return up to 25 results.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

An iterator like instance of StorageAccountItem

Return type

Exceptions

import_certificate

Imports a certificate into a specified key vault.

Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported can be in either PFX or PEM format. If the certificate is in PEM format the PEM file must contain the key as well as x509 certificates. This operation requires the certificates/import permission.

import_certificate(vault_base_url, certificate_name, base64_encoded_certificate, password=None, certificate_policy=None, certificate_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

base64_encoded_certificate
str
Required

Base64 encoded representation of the certificate object to import. This certificate needs to contain the private key.

password
str
default value: None

If the private key in base64EncodedCertificate is encrypted, the password used for encryption.

certificate_policy
CertificatePolicy
default value: None

The management policy for the certificate.

certificate_attributes
CertificateAttributes
default value: None

The attributes of the certificate (optional).

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions
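The PEM requirement stated for import_certificate (the file must contain the key as well as the x509 certificates) can be verified before the bundle leaves the host. The following is an added example, not code from the SDK: it checks block structure only, not that the key matches the certificate. The function names and the sample bundles, which are built from constructed bytes rather than real key material, are assumptions made for illustration.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def _decode_body(body):
    """Separate 'Name: value' header lines from the base64 payload; decode it."""
    headers, payload = [], []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        (headers if ":" in line else payload).append(line)
    return headers, base64.b64decode("".join(payload), validate=True)


def check_pem_for_import(pem_text):
    """Return (problems, needs_password) for a PEM bundle meant for import.

    problems is empty when the bundle holds exactly one private key block and
    at least one CERTIFICATE block. needs_password is True when the key block
    is marked as encrypted, the case the password parameter exists for.
    """
    certs = keys = 0
    needs_password = False
    problems = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        try:
            headers, raw = _decode_body(body)
        except (binascii.Error, ValueError):
            problems.append("block %r is not valid base64" % label)
            continue
        if not raw:
            problems.append("block %r is empty" % label)
            continue
        if label == "CERTIFICATE":
            certs += 1
        elif label in _KEY_LABELS:
            keys += 1
            legacy_encrypted = any(
                h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
            if label == "ENCRYPTED PRIVATE KEY" or legacy_encrypted:
                needs_password = True
    if keys == 0:
        problems.append("no private key block")
    elif keys > 1:
        problems.append("more than one private key block")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    return problems, needs_password


def make_pem(label, raw):
    """Wrap constructed bytes in PEM armour (sample data, not real keys)."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


# Constructed sample input.
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed certificate bytes " * 3)
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed key bytes " * 3)
SAMPLE_ENC_KEY = make_pem("ENCRYPTED PRIVATE KEY", b"constructed wrapped key " * 3)

if __name__ == "__main__":
    print(check_pem_for_import(SAMPLE_KEY + SAMPLE_CERT))
    print(check_pem_for_import(SAMPLE_CERT))
    print(check_pem_for_import(SAMPLE_ENC_KEY + SAMPLE_CERT))
```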

import_key

Imports an externally created key, stores it, and returns key parameters and attributes to the client.

The import key operation may be used to import any key type into an Azure Key Vault. If the named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission.

import_key(vault_base_url, key_name, key, hsm=None, key_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

Name for the imported key.

key
JsonWebKey
Required

The JSON Web Key.

hsm
bool
default value: None

Whether to import as a hardware key (HSM) or software key.

key_attributes
KeyAttributes
default value: None

The key management attributes.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

merge_certificate

Merges a certificate or a certificate chain with a key pair existing on the server.

The MergeCertificate operation performs the merging of a certificate or certificate chain with a key pair currently available in the service. This operation requires the certificates/create permission.

merge_certificate(vault_base_url, certificate_name, x509_certificates, certificate_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

x509_certificates
list[bytearray]
Required

The certificate or the certificate chain to merge.

certificate_attributes
CertificateAttributes
default value: None

The attributes of the certificate (optional).

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

purge_deleted_certificate

Permanently deletes the specified deleted certificate.

The PurgeDeletedCertificate operation performs an irreversible deletion of the specified certificate, without possibility for recovery. The operation is not available if the recovery level does not specify 'Purgeable'. This operation requires the certificates/purge permission.

purge_deleted_certificate(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

None or ClientRawResponse if raw=true

Return type

None

Exceptions

purge_deleted_key

Permanently deletes the specified key.

The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission.

purge_deleted_key(vault_base_url, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

None or ClientRawResponse if raw=true

Return type

None

Exceptions

purge_deleted_secret

Permanently deletes the specified secret.

The purge deleted secret operation removes the secret permanently, without the possibility of recovery. This operation can only be enabled on a soft-delete enabled vault. This operation requires the secrets/purge permission.

purge_deleted_secret(vault_base_url, secret_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

None or ClientRawResponse if raw=true

Return type

None

Exceptions

recover_deleted_certificate

Recovers the deleted certificate back to its current version under /certificates.

The RecoverDeletedCertificate operation performs the reversal of the Delete operation. The operation is applicable in vaults enabled for soft-delete, and must be issued during the retention interval (available in the deleted certificate's attributes). This operation requires the certificates/recover permission.

recover_deleted_certificate(vault_base_url, certificate_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the deleted certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

recover_deleted_key

Recovers the deleted key to its latest version.

The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. It recovers the deleted key back to its latest version under /keys. An attempt to recover a non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission.

recover_deleted_key(vault_base_url, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the deleted key.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions
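Because purge_deleted_key is permanent and recover_deleted_key only works while the deleted key is still inside its retention interval, a wrapper can check the deleted key's state before calling either one. The following is an added example, not part of the SDK or the original page: `recover_key`, `purge_key` and `FakeSoftDeleteClient` are hypothetical names, the use of `get_deleted_key` with `recovery_id` and `scheduled_purge_date` on its result is an assumption about the client, and the fake client and its data are constructed so the code runs offline.

```python
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace


class RetentionExpired(Exception):
    """The scheduled purge date has passed; the key can no longer be recovered."""


class PurgeNotConfirmed(Exception):
    """The caller did not quote the recovery id of the key to be purged."""


def seconds_until_purge(deleted_bundle, now):
    # Assumption: scheduled_purge_date is a timezone-aware datetime.
    return (deleted_bundle.scheduled_purge_date - now).total_seconds()


def recover_key(client, vault_base_url, key_name, now=None):
    """Recover a soft-deleted key, refusing once the retention interval is over."""
    now = now or datetime.now(timezone.utc)
    deleted = client.get_deleted_key(vault_base_url, key_name)
    if seconds_until_purge(deleted, now) <= 0:
        raise RetentionExpired(key_name)
    return client.recover_deleted_key(vault_base_url, key_name)


def purge_key(client, vault_base_url, key_name, confirm_recovery_id):
    """Purge only when the caller quotes the recovery id read from the deleted key."""
    deleted = client.get_deleted_key(vault_base_url, key_name)
    if confirm_recovery_id != deleted.recovery_id:
        raise PurgeNotConfirmed(key_name)
    client.purge_deleted_key(vault_base_url, key_name)
    return deleted.recovery_id


class FakeSoftDeleteClient:
    """Constructed in-memory stand-in exposing only the three calls used above."""

    def __init__(self, deleted):
        self.deleted = dict(deleted)
        self.active = {}
        self.calls = []

    def get_deleted_key(self, vault_base_url, key_name, **operation_config):
        return self.deleted[key_name]

    def recover_deleted_key(self, vault_base_url, key_name, **operation_config):
        self.calls.append(("recover", key_name))
        self.active[key_name] = self.deleted.pop(key_name)
        return self.active[key_name]

    def purge_deleted_key(self, vault_base_url, key_name, **operation_config):
        self.calls.append(("purge", key_name))
        del self.deleted[key_name]


def demo():
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed clock
    vault = "https://myvault.vault.azure.net"

    def bundle(name, days_left):
        # Constructed deleted-key records; the recovery id format is illustrative.
        return SimpleNamespace(
            recovery_id=vault + "/deletedkeys/" + name,
            scheduled_purge_date=now + timedelta(days=days_left),
        )

    client = FakeSoftDeleteClient(
        {"app-key": bundle("app-key", 30), "old-key": bundle("old-key", 5)}
    )
    recover_key(client, vault, "app-key", now=now)
    try:
        purge_key(client, vault, "old-key", confirm_recovery_id="old-key")
        refused = False
    except PurgeNotConfirmed:
        refused = True
    purge_key(client, vault, "old-key", vault + "/deletedkeys/old-key")
    return client.calls, refused, sorted(client.active), sorted(client.deleted)


if __name__ == "__main__":
    print(demo())
```

Granting keys/purge to a separate identity from the one holding keys/recover keeps the irreversible call out of routine automation.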

recover_deleted_secret

Recovers the deleted secret to the latest version.

Recovers the deleted secret in the specified vault. This operation can only be performed on a soft-delete enabled vault. This operation requires the secrets/recover permission.

recover_deleted_secret(vault_base_url, secret_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the deleted secret.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

regenerate_storage_account_key

Regenerates the specified key value for the given storage account. This operation requires the storage/regeneratekey permission.

regenerate_storage_account_key(vault_base_url, storage_account_name, key_name, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

key_name
str
Required

The storage account key name.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

StorageBundle or ClientRawResponse if raw=true

Return type

Exceptions

restore_key

Restores a backed up key to a vault.

Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, attributes and access control policies. The RESTORE operation may be used to import a previously backed up key. Individual versions of a key cannot be restored. The key is restored in its entirety with the same key name as it had when it was backed up. If the key name is not available in the target Key Vault, the RESTORE operation will be rejected. While the key name is retained during restore, the final key identifier will change if the key is restored to a different vault. Restore will restore all versions and preserve version identifiers. The RESTORE operation is subject to security constraints: the target Key Vault must be owned by the same Microsoft Azure Subscription as the source Key Vault, and the user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission.

restore_key(vault_base_url, key_bundle_backup, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_bundle_backup
bytes
Required

The backup blob associated with a key bundle.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

restore_secret

Restores a backed up secret to a vault.

Restores a backed up secret, and all its versions, to a vault. This operation requires the secrets/restore permission.

restore_secret(vault_base_url, secret_bundle_backup, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_bundle_backup
bytes
Required

The backup blob associated with a secret bundle.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

set_certificate_contacts

Sets the certificate contacts for the specified key vault.

Sets the certificate contacts for the specified key vault. This operation requires the certificates/managecontacts permission.

set_certificate_contacts(vault_base_url, contact_list=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

contact_list
list[Contact]
default value: None

The contact list for the vault certificates.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

Contacts or ClientRawResponse if raw=true

Return type

Exceptions

set_certificate_issuer

Sets the specified certificate issuer.

The SetCertificateIssuer operation adds or updates the specified certificate issuer. This operation requires the certificates/setissuers permission.

set_certificate_issuer(vault_base_url, issuer_name, provider, credentials=None, organization_details=None, attributes=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

issuer_name
str
Required

The name of the issuer.

provider
str
Required

The issuer provider.

credentials
IssuerCredentials
default value: None

The credentials to be used for the issuer.

organization_details
OrganizationDetails
default value: None

Details of the organization as provided to the issuer.

attributes
IssuerAttributes
default value: None

Attributes of the issuer object.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

IssuerBundle or ClientRawResponse if raw=true

Return type

Exceptions

set_sas_definition

Creates or updates a new SAS definition for the specified storage account. This operation requires the storage/setsas permission.

set_sas_definition(vault_base_url, storage_account_name, sas_definition_name, parameters, sas_definition_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

sas_definition_name
str
Required

The name of the SAS definition.

parameters
dict[str, str]
Required

SAS definition creation metadata in the form of key-value pairs.

sas_definition_attributes
SasDefinitionAttributes
default value: None

The attributes of the SAS definition.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SasDefinitionBundle or ClientRawResponse if raw=true

Return type

Exceptions

set_secret

Sets a secret in a specified key vault.

The SET operation adds a secret to the Azure Key Vault. If the named secret already exists, Azure Key Vault creates a new version of that secret. This operation requires the secrets/set permission.

set_secret(vault_base_url, secret_name, value, tags=None, content_type=None, secret_attributes=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

value
str
Required

The value of the secret.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

content_type
str
default value: None

Type of the secret value such as a password.

secret_attributes
SecretAttributes
default value: None

The secret management attributes.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

set_storage_account

Creates or updates a new storage account. This operation requires the storage/set permission.

set_storage_account(vault_base_url, storage_account_name, resource_id, active_key_name, auto_regenerate_key, regeneration_period=None, storage_account_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

resource_id
str
Required

Storage account resource id.

active_key_name
str
Required

Current active storage account key name.

auto_regenerate_key
bool
Required

Whether Key Vault should manage the storage account for the user.

regeneration_period
str
default value: None

The key regeneration time duration specified in ISO-8601 format.

storage_account_attributes
StorageAccountAttributes
default value: None

The attributes of the storage account.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

StorageBundle or ClientRawResponse if raw=true

Return type

Exceptions

sign

Creates a signature from a digest using the specified key.

The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault since this operation uses the private portion of the key. This operation requires the keys/sign permission.

sign(vault_base_url, key_name, key_version, algorithm, value, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeySignatureAlgorithm
Required

The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. Possible values include: 'PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512', 'RSNULL', 'ES256', 'ES384', 'ES512', 'ECDSA256'

value
bytes
Required

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyOperationResult or ClientRawResponse if raw=true

Return type

Exceptions

unwrap_key

Unwraps a symmetric key using the specified key that was initially used for wrapping that key.

The UNWRAP operation supports decryption of a symmetric key using the target key encryption key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission.

unwrap_key(vault_base_url, key_name, key_version, algorithm, value, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeyEncryptionAlgorithm
Required

Algorithm identifier. Possible values include: 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'

value
bytes
Required

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyOperationResult or ClientRawResponse if raw=true

Return type

Exceptions

update_certificate

Updates the specified attributes associated with the given certificate.

The UpdateCertificate operation applies the specified update on the given certificate; the only elements updated are the certificate's attributes. This operation requires the certificates/update permission.

update_certificate(vault_base_url, certificate_name, certificate_version, certificate_policy=None, certificate_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate in the given key vault.

certificate_version
str
Required

The version of the certificate.

certificate_policy
CertificatePolicy
default value: None

The management policy for the certificate.

certificate_attributes
CertificateAttributes
default value: None

The attributes of the certificate (optional).

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateBundle or ClientRawResponse if raw=true

Return type

Exceptions

update_certificate_issuer

Updates the specified certificate issuer.

The UpdateCertificateIssuer operation performs an update on the specified certificate issuer entity. This operation requires the certificates/setissuers permission.

update_certificate_issuer(vault_base_url, issuer_name, provider=None, credentials=None, organization_details=None, attributes=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

issuer_name
str
Required

The name of the issuer.

provider
str
default value: None

The issuer provider.

credentials
IssuerCredentials
default value: None

The credentials to be used for the issuer.

organization_details
OrganizationDetails
default value: None

Details of the organization as provided to the issuer.

attributes
IssuerAttributes
default value: None

Attributes of the issuer object.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

IssuerBundle or ClientRawResponse if raw=true

Return type

Exceptions

update_certificate_operation

Updates a certificate operation.

Updates a certificate creation operation that is already in progress. This operation requires the certificates/update permission.

update_certificate_operation(vault_base_url, certificate_name, cancellation_requested, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate.

cancellation_requested
bool
Required

Indicates if cancellation was requested on the certificate operation.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificateOperation or ClientRawResponse if raw=true

Return type

Exceptions

update_certificate_policy

Updates the policy for a certificate.

Set specified members in the certificate policy. Leave others as null. This operation requires the certificates/update permission.

update_certificate_policy(vault_base_url, certificate_name, certificate_policy, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

certificate_name
str
Required

The name of the certificate in the given vault.

certificate_policy
CertificatePolicy
Required

The policy for the certificate.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

CertificatePolicy or ClientRawResponse if raw=true

Return type

Exceptions

update_key

The update key operation changes specified attributes of a stored key and can be applied to any key type and key version stored in Azure Key Vault.

In order to perform this operation, the key must already exist in the Key Vault. Note: The cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission.

update_key(vault_base_url, key_name, key_version, key_ops=None, key_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key to update.

key_version
str
Required

The version of the key to update.

key_ops
list[str or JsonWebKeyOperation]
default value: None

JSON web key operations. For more information on possible key operations, see JsonWebKeyOperation.

key_attributes
KeyAttributes
default value: None

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyBundle or ClientRawResponse if raw=true

Return type

Exceptions

update_sas_definition

Updates the specified attributes associated with the given SAS definition. This operation requires the storage/setsas permission.

update_sas_definition(vault_base_url, storage_account_name, sas_definition_name, parameters=None, sas_definition_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

sas_definition_name
str
Required

The name of the SAS definition.

parameters
dict[str, str]
default value: None

SAS definition update metadata in the form of key-value pairs.

sas_definition_attributes
SasDefinitionAttributes
default value: None

The attributes of the SAS definition.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SasDefinitionBundle or ClientRawResponse if raw=true

Return type

Exceptions

update_secret

Updates the attributes associated with a specified secret in a given key vault.

The UPDATE operation changes specified attributes of an existing stored secret. Attributes that are not specified in the request are left unchanged. The value of a secret itself cannot be changed. This operation requires the secrets/set permission.

update_secret(vault_base_url, secret_name, secret_version, content_type=None, secret_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

secret_name
str
Required

The name of the secret.

secret_version
str
Required

The version of the secret.

content_type
str
default value: None

Type of the secret value such as a password.

secret_attributes
SecretAttributes
default value: None

The secret management attributes.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

SecretBundle or ClientRawResponse if raw=true

Return type

Exceptions

update_storage_account

Updates the specified attributes associated with the given storage account. This operation requires the storage/set/update permission.

update_storage_account(vault_base_url, storage_account_name, active_key_name=None, auto_regenerate_key=None, regeneration_period=None, storage_account_attributes=None, tags=None, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

storage_account_name
str
Required

The name of the storage account.

active_key_name
str
default value: None

The current active storage account key name.

auto_regenerate_key
bool
default value: None

Whether Key Vault should manage the storage account for the user.

regeneration_period
str
default value: None

The key regeneration time duration specified in ISO-8601 format.

storage_account_attributes
StorageAccountAttributes
default value: None

The attributes of the storage account.

tags
dict[str, str]
default value: None

Application specific metadata in the form of key-value pairs.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

StorageBundle or ClientRawResponse if raw=true

Return type

Exceptions

verify

Verifies a signature using a specified key.

The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not strictly necessary for asymmetric keys stored in Azure Key Vault, since signature verification can be performed using the public portion of the key, but this operation is supported as a convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission.

verify(vault_base_url, key_name, key_version, algorithm, digest, signature, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeySignatureAlgorithm
Required

The signing/verification algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. Possible values include: 'PS256', 'PS384', 'PS512', 'RS256', 'RS384', 'RS512', 'RSNULL', 'ES256', 'ES384', 'ES512', 'ECDSA256'

digest
bytes
Required

The digest used for signing.

signature
bytes
Required

The signature to be verified.

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyVerifyResult or ClientRawResponse if raw=true

Return type

Exceptions
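Both sign and verify take a digest rather than the message, so the caller hashes locally with the function the chosen algorithm implies and sends only the hash to the vault. The following is an added example, not part of the SDK or the original page: `digest_for`, `sign_message`, `verify_message` and `FakeSignClient` are hypothetical names, the `.result` and `.value` attributes read from the returned objects are assumptions, and the fake client uses a constructed HMAC secret in place of a vault-held key so the code runs offline.

```python
import hashlib
import hmac
from collections import namedtuple

# JWA signature algorithms (RFC 7518) and the hash each one signs over.
# 'RSNULL' and 'ECDSA256' from the list above are left out on purpose:
# this example does not cover their input format.
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def digest_for(algorithm, message):
    """Hash `message` with the function that `algorithm` expects."""
    try:
        hash_fn = _HASH_FOR_ALG[algorithm]
    except KeyError:
        raise ValueError("algorithm not handled by this helper: %r" % (algorithm,))
    if not isinstance(message, (bytes, bytearray)):
        raise TypeError("message must be bytes")
    return hash_fn(bytes(message)).digest()


def sign_message(client, vault_base_url, key_name, key_version, algorithm, message):
    # Choice made by this example: refuse an empty version so every signature
    # can be tied to one known key version.
    if not key_version:
        raise ValueError("key_version must be given explicitly")
    digest = digest_for(algorithm, message)
    op = client.sign(vault_base_url, key_name, key_version, algorithm, digest)
    return op.result  # assumption: signature bytes are exposed as .result


def verify_message(client, vault_base_url, key_name, key_version, algorithm,
                   message, signature):
    digest = digest_for(algorithm, message)
    res = client.verify(vault_base_url, key_name, key_version, algorithm,
                        digest, signature)
    return res.value is True  # assumption: verdict is exposed as .value


_SignResult = namedtuple("_SignResult", "result")
_VerifyResult = namedtuple("_VerifyResult", "value")


class FakeSignClient:
    """Constructed stand-in with the sign/verify parameters documented above."""

    def __init__(self):
        self._secret = b"constructed-demo-secret"  # replaces the vault-held key
        self.seen = []  # records what would have been sent to the service

    def sign(self, vault_base_url, key_name, key_version, algorithm, value,
             custom_headers=None, raw=False, **operation_config):
        self.seen.append(value)
        return _SignResult(hmac.new(self._secret, value, hashlib.sha256).digest())

    def verify(self, vault_base_url, key_name, key_version, algorithm, digest,
               signature, custom_headers=None, raw=False, **operation_config):
        expected = hmac.new(self._secret, digest, hashlib.sha256).digest()
        return _VerifyResult(hmac.compare_digest(expected, signature))


def demo():
    client = FakeSignClient()
    vault = "https://myvault.vault.azure.net"
    name, version = "signing-key", "constructed-version-id"
    message = b"release artifact bytes (constructed sample)"
    sig = sign_message(client, vault, name, version, "RS256", message)
    ok = verify_message(client, vault, name, version, "RS256", message, sig)
    tampered = verify_message(client, vault, name, version, "RS256",
                              message + b"!", sig)
    # The first element is the size of what left the process: a 32-byte digest.
    return len(client.seen[0]), ok, tampered


if __name__ == "__main__":
    print(demo())
```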

wrap_key

Wraps a symmetric key using a specified key.

The WRAP operation supports encryption of a symmetric key using a key encryption key that has previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be performed using the public portion of the key. This operation is supported for asymmetric keys as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission.

wrap_key(vault_base_url, key_name, key_version, algorithm, value, custom_headers=None, raw=False, **operation_config)

Parameters

vault_base_url
str
Required

The vault name, for example https://myvault.vault.azure.net.

key_name
str
Required

The name of the key.

key_version
str
Required

The version of the key.

algorithm
str or JsonWebKeyEncryptionAlgorithm
Required

Algorithm identifier. Possible values include: 'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5'

value
bytes
Required

custom_headers
dict
default value: None

headers that will be added to the request

raw
bool
default value: False

returns the direct response alongside the deserialized response

operation_config
Required

Operation configuration overrides.

Returns

KeyOperationResult or ClientRawResponse if raw=true

Return type

Exceptions