KeyClient Class
A high-level interface for managing a vault's keys.
- Inheritance
- azure.keyvault.keys._shared.client_base.KeyVaultClientBase
- KeyClient
Constructor
KeyClient(vault_url: str, credential: TokenCredential, **kwargs: Any)
Parameters
- vault_url
- str
URL of the vault the client will access. This is also called the vault's "DNS Name".
- credential
- TokenCredential
An object which can provide an access token for the vault, such as a credential from azure.identity.
- api_version
- ApiVersion
version of the Key Vault API to use. Defaults to the most recent.
- transport
- HttpTransport
transport to use. Defaults to RequestsTransport.
Examples
Create a new KeyClient
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
# vault_url is the vault's DNS name, e.g. "https://<vault-name>.vault.azure.net"
# Create a KeyClient using default Azure credentials
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url, credential)
Methods
| Method | Description |
| --- | --- |
| backup_key | Back up a key in a protected form usable only by Azure Key Vault. Requires keys/backup permission. This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region. |
| begin_delete_key | Delete all versions of a key and its cryptographic material. Requires keys/delete permission. When this method returns, Key Vault has begun deleting the key. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete. |
| begin_recover_deleted_key | Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled. Requires keys/recover permission. When this method returns, Key Vault has begun recovering the key. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered key in another operation immediately. |
| create_ec_key | Create a new elliptic curve key or, if name is already in use, create a new version of the key. Requires the keys/create permission. |
| create_key | Create a key or, if name is already in use, create a new version of the key. Requires keys/create permission. |
| create_oct_key | Create a new octet sequence (symmetric) key or, if name is already in use, create a new version of the key. Requires the keys/create permission. |
| create_rsa_key | Create a new RSA key or, if name is already in use, create a new version of the key. Requires the keys/create permission. |
| get_cryptography_client | Gets a CryptographyClient for the given key. |
| get_deleted_key | Get a deleted key. Possible only in a vault with soft-delete enabled. Requires keys/get permission. |
| get_key | Get a key's attributes and, if it's an asymmetric key, its public material. Requires keys/get permission. |
| get_key_rotation_policy | Get the rotation policy of a Key Vault key. |
| get_random_bytes | Get the requested number of random bytes from a managed HSM. |
| import_key | Import a key created externally. Requires keys/import permission. If name is already in use, the key will be imported as a new version. |
| list_deleted_keys | List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled. Requires keys/list permission. |
| list_properties_of_key_versions | List the identifiers and properties of a key's versions. Requires keys/list permission. |
| list_properties_of_keys | List identifiers and properties of all keys in the vault. Requires keys/list permission. |
| purge_deleted_key | Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled. Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a key before its scheduled_purge_date. Requires keys/purge permission. |
| release_key | Releases a key. The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. |
| restore_key_backup | Restore a key backup to the vault. Requires keys/restore permission. This imports all versions of the key, with its name, attributes, and access control policies. If the key's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault. |
| rotate_key | Rotate the key based on the key policy by generating a new version of the key. This operation requires the keys/rotate permission. |
| update_key_properties | Change a key's properties (not its cryptographic material). Requires keys/update permission. |
| update_key_rotation_policy | Updates the rotation policy of a Key Vault key. This operation requires the keys/update permission. |
backup_key
Back up a key in a protected form usable only by Azure Key Vault.
Requires keys/backup permission.
This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.
backup_key(name: str, **kwargs: Any) -> bytes
Parameters
- name
- str
The name of the key to back up.
Return type
bytes
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
Get a key backup
# backup key
key_backup = key_client.backup_key(key_name)
# returns the raw bytes of the backed up key
print(key_backup)
begin_delete_key
Delete all versions of a key and its cryptographic material.
Requires keys/delete permission. When this method returns Key Vault has begun deleting the key. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
begin_delete_key(name: str, **kwargs: Any) -> LROPoller
Parameters
- name
- str
The name of the key to delete.
Returns
A poller for the delete key operation. The poller's result method returns the DeletedKey without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the key with purge_deleted_key, call the poller's wait method first. It will block until the deletion is complete. The wait method requires keys/get permission.
Return type
LROPoller[DeletedKey]
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
Delete a key
# delete a key
deleted_key_poller = key_client.begin_delete_key(key_name)
deleted_key = deleted_key_poller.result()
print(deleted_key.name)
# if the vault has soft-delete enabled, the key's deleted_date,
# scheduled purge date and recovery id are set
print(deleted_key.deleted_date)
print(deleted_key.scheduled_purge_date)
print(deleted_key.recovery_id)
# if you want to block until deletion is complete, call wait() on the poller
deleted_key_poller.wait()
begin_recover_deleted_key
Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled.
Requires keys/recover permission.
When this method returns Key Vault has begun recovering the key. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered key in another operation immediately.
begin_recover_deleted_key(name: str, **kwargs: Any) -> LROPoller
Parameters
- name
- str
The name of the deleted key to recover.
Returns
A poller for the recovery operation. The poller's result method returns the recovered KeyVaultKey without waiting for recovery to complete. If you want to use the recovered key immediately, call the poller's wait method, which blocks until the key is ready to use. The wait method requires keys/get permission.
Return type
LROPoller[KeyVaultKey]
Exceptions
HttpResponseError
Examples
Recover a deleted key
# recover a deleted key to its latest version (requires soft-delete enabled for the vault)
recover_key_poller = key_client.begin_recover_deleted_key(key_name)
recovered_key = recover_key_poller.result()
print(recovered_key.id)
print(recovered_key.name)
# if you want to block until key is recovered server-side, call wait() on the poller
recover_key_poller.wait()
create_ec_key
Create a new elliptic curve key or, if name is already in use, create a new version of the key.
Requires the keys/create permission.
create_ec_key(name: str, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name for the new key.
- curve
- KeyCurveName or str
Elliptic curve name. Defaults to the NIST P-256 elliptic curve.
- key_operations
- list[KeyOperation or str]
Allowed key operations
- hardware_protected
- bool
Whether the key should be created in a hardware security module.
Defaults to False.
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- exportable
- bool
Whether the private key can be exported.
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The created key
Return type
KeyVaultKey
Exceptions
HttpResponseError
Examples
Create an elliptic curve key
key_curve = "P-256"
# create an EC (Elliptic curve) key with curve specification
# EC key can be created with default curve of 'P-256'
ec_key = key_client.create_ec_key(key_name, curve=key_curve)
print(ec_key.id)
print(ec_key.properties.version)
print(ec_key.key_type)
print(ec_key.key.crv)
create_key
Create a key or, if name is already in use, create a new version of the key.
Requires keys/create permission.
create_key(name: str, key_type: Union[str, KeyType], **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name for the new key.
- key_type
- KeyType or str
The type of key to create, for example "RSA", "RSA-HSM", "EC", "EC-HSM", "oct" or "oct-HSM" (the "-HSM" variants are hardware protected).
- size
- int
Key size in bits. Applies only to RSA and symmetric keys. Consider using create_rsa_key or create_oct_key instead.
- curve
- KeyCurveName or str
Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256 elliptic curve. To create an elliptic curve key, consider using create_ec_key instead.
- public_exponent
- int
The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
- key_operations
- list[KeyOperation or str]
Allowed key operations
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- exportable
- bool
Whether the private key can be exported.
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The created key
Return type
KeyVaultKey
Exceptions
HttpResponseError
Examples
Create a key
from dateutil import parser as date_parse
from azure.keyvault.keys import KeyType
expires_on = date_parse.parse("2050-02-02T08:00:00.000Z")
# create an HSM-backed RSA key with optional arguments
key = key_client.create_key(key_name, KeyType.rsa_hsm, expires_on=expires_on)
print(key.name)
print(key.id)
print(key.key_type)
print(key.properties.expires_on)
create_oct_key
Create a new octet sequence (symmetric) key or, if name is in use, create a new version of the key.
Requires the keys/create permission.
create_oct_key(name: str, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name for the new key.
- size
- int
Key size in bits, for example 128, 192, or 256.
- key_operations
- list[KeyOperation or str]
Allowed key operations.
- hardware_protected
- bool
Whether the key should be created in a hardware security module.
Defaults to False.
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- exportable
- bool
Whether the key can be exported.
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The created key
Return type
KeyVaultKey
Exceptions
HttpResponseError
Examples
Create an octet sequence (symmetric) key
key = key_client.create_oct_key(key_name, size=256, hardware_protected=True)
print(key.id)
print(key.name)
print(key.key_type)
create_rsa_key
Create a new RSA key or, if name is already in use, create a new version of the key
Requires the keys/create permission.
create_rsa_key(name: str, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name for the new key.
- size
- int
Key size in bits, for example 2048, 3072, or 4096.
- public_exponent
- int
The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
- hardware_protected
- bool
Whether the key should be created in a hardware security module.
Defaults to False.
- key_operations
- list[KeyOperation or str]
Allowed key operations
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- exportable
- bool
Whether the private key can be exported.
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The created key
Return type
KeyVaultKey
Exceptions
HttpResponseError
Examples
Create RSA key
key_size = 2048
key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
# create an rsa key with size specification
# RSA key can be created with default size of '2048'
key = key_client.create_rsa_key(key_name, hardware_protected=True, size=key_size, key_operations=key_ops)
print(key.id)
print(key.name)
print(key.key_type)
print(key.key_operations)
get_cryptography_client
Gets a CryptographyClient for the given key.
get_cryptography_client(key_name: str, **kwargs: Any) -> CryptographyClient
Parameters
- key_name
- str
The name of the key used to perform cryptographic operations.
- key_version
- str
Optional version of the key used to perform cryptographic operations.
Returns
A CryptographyClient using the same options, credentials, and HTTP client as this KeyClient.
Return type
CryptographyClient
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
get_deleted_key
Get a deleted key. Possible only in a vault with soft-delete enabled.
Requires keys/get permission.
get_deleted_key(name: str, **kwargs: Any) -> DeletedKey
Parameters
- name
- str
The name of the deleted key.
Returns
The deleted key
Return type
DeletedKey
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
Get a deleted key
# get a deleted key (requires soft-delete enabled for the vault)
deleted_key = key_client.get_deleted_key(key_name)
print(deleted_key.name)
# if the vault has soft-delete enabled, the key's deleted_date
# scheduled purge date and recovery id are set
print(deleted_key.deleted_date)
print(deleted_key.scheduled_purge_date)
print(deleted_key.recovery_id)
get_key
Get a key's attributes and, if it's an asymmetric key, its public material.
Requires keys/get permission.
get_key(name: str, version: Optional[str] = None, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name of the key to get.
- version
- str
(optional) A specific version of the key to get. If not specified, gets the latest version of the key.
Return type
KeyVaultKey
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
Get a key
# get the latest version of a key
key = key_client.get_key(key_name)
# alternatively, specify a version
key_version = key.properties.version
key = key_client.get_key(key_name, key_version)
print(key.id)
print(key.name)
print(key.properties.version)
print(key.key_type)
print(key.properties.vault_url)
get_key_rotation_policy
Get the rotation policy of a Key Vault key.
get_key_rotation_policy(key_name: str, **kwargs: Any) -> KeyRotationPolicy
Parameters
- key_name
- str
The name of the key.
Returns
The key rotation policy.
Return type
KeyRotationPolicy
Exceptions
HttpResponseError
get_random_bytes
Get the requested number of random bytes from a managed HSM.
get_random_bytes(count: int, **kwargs: Any) -> bytes
Parameters
- count
- int
The requested number of random bytes.
Returns
The random bytes.
Return type
bytes
Exceptions
ValueError if less than one random byte is requested,
HttpResponseError for other errors
Examples
Get random bytes
# get eight random bytes from a managed HSM (the client must target a Managed HSM, not a standard vault)
random_bytes = key_client.get_random_bytes(count=8)
import_key
Import a key created externally.
Requires keys/import permission. If name is already in use, the key will be imported as a new version.
import_key(name: str, key: JsonWebKey, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
Name for the imported key.
- key
- JsonWebKey
The JSON web key to import.
- hardware_protected
- bool
Whether the key should be backed by a hardware security module
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- exportable
- bool
Whether the private key can be exported.
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The imported key
Return type
KeyVaultKey
Exceptions
HttpResponseError
list_deleted_keys
List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled.
Requires keys/list permission.
list_deleted_keys(**kwargs: Any) -> ItemPaged[DeletedKey]
Returns
An iterator of deleted keys
Return type
ItemPaged[DeletedKey]
Exceptions
HttpResponseError
Examples
List all the deleted keys
# get an iterator of deleted keys (requires soft-delete enabled for the vault)
deleted_keys = key_client.list_deleted_keys()
for key in deleted_keys:
print(key.id)
print(key.name)
print(key.scheduled_purge_date)
print(key.recovery_id)
print(key.deleted_date)
list_properties_of_key_versions
List the identifiers and properties of a key's versions.
Requires keys/list permission.
list_properties_of_key_versions(name: str, **kwargs: Any) -> ItemPaged[KeyProperties]
Parameters
- name
- str
The name of the key.
Returns
An iterator of keys without their cryptographic material
Return type
ItemPaged[KeyProperties]
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
List all versions of a key
# get an iterator of a key's versions
key_versions = key_client.list_properties_of_key_versions("key-name")
for key in key_versions:
print(key.id)
print(key.name)
list_properties_of_keys
List identifiers and properties of all keys in the vault.
Requires keys/list permission.
list_properties_of_keys(**kwargs: Any) -> ItemPaged[KeyProperties]
Returns
An iterator of keys without their cryptographic material or version information
Return type
ItemPaged[KeyProperties]
Exceptions
HttpResponseError
Examples
List all keys
# get an iterator of keys
keys = key_client.list_properties_of_keys()
for key in keys:
print(key.id)
print(key.name)
purge_deleted_key
Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled.
Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a key before its scheduled_purge_date.
Requires keys/purge permission.
purge_deleted_key(name: str, **kwargs: Any) -> None
Parameters
- name
- str
The name of the deleted key to purge.
Returns
None
Exceptions
HttpResponseError
Examples
# if the vault has soft-delete enabled, purge permanently deletes a deleted key
# (with soft-delete disabled, begin_delete_key is permanent)
key_client.purge_deleted_key("key-name")
release_key
Releases a key.
The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.
release_key(name: str, target_attestation_token: str, **kwargs: Any) -> ReleaseKeyResult
Parameters
- name
- str
The name of the key to release.
- target_attestation_token
- str
The attestation assertion for the target of the key release.
- version
- str
A specific version of the key to release. If unspecified, the latest version is released.
- algorithm
- str or KeyExportEncryptionAlgorithm
The encryption algorithm to use to protect the released key material.
- nonce
- str
A client-provided nonce for freshness.
Returns
The result of the key release.
Return type
ReleaseKeyResult
Exceptions
HttpResponseError
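The exportable and release_policy parameters of the create_*_key and import_key methods, and release_key above, all hinge on the release policy document carried in KeyReleasePolicy.encoded_policy. The following added example (not part of the azure-keyvault-keys SDK or its documentation) builds that document in the grammar Key Vault accepts (version, anyOf, authority, allOf, claim, equals) and evaluates it locally against a constructed set of attestation claims, so a policy can be reviewed before any key is created. The local evaluator is a simplification of what the service does when release_key is called with a real attestation token (it compares claims as strings and does not validate a token signature); the attestation authority URL, claim values and the 'exportable requires a release policy' check are assumptions stated in the code.

```python
"""Author a secure-key-release policy and evaluate it locally.

Added example for this reference page; not SDK code.  Key Vault performs the
real evaluation against the attestation token passed to release_key; this
module only lets you reason about the policy offline.
"""
import json

# Assumed attestation authority for the deployment; the policy only trusts
# tokens issued by this provider.
ATTESTATION_AUTHORITY = "https://sharedeus.eus.attest.azure.net"


def _claim_text(value):
    """Policy 'equals' values are strings; booleans render as 'true'/'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def build_release_policy(authority, required_claims):
    """Return the bytes for KeyReleasePolicy(encoded_policy=...).

    One accepted authority (a single anyOf branch) and a conjunction of
    claims (allOf) that must all hold, e.g. the enclave must not be
    debuggable and must be signed by a known MRSIGNER.
    """
    if not required_claims:
        raise ValueError("refusing an empty allOf: any token from the authority would release the key")
    rules = [{"claim": name, "equals": _claim_text(value)}
             for name, value in sorted(required_claims.items())]
    policy = {
        "version": "1.0.0",
        "anyOf": [{"authority": authority.rstrip("/"), "allOf": rules}],
    }
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def release_allowed(encoded_policy, token_issuer, token_claims):
    """Local model of the check: some anyOf branch matches the token issuer
    and every claim in that branch's allOf is present with the required value.
    A branch with no rules is treated as not satisfied (conservative choice)."""
    policy = json.loads(encoded_policy)
    if policy.get("version") != "1.0.0":
        raise ValueError("unsupported release policy version")
    for branch in policy.get("anyOf", []):
        if branch.get("authority", "").rstrip("/") != token_issuer.rstrip("/"):
            continue  # token was not issued by an authority this policy trusts
        rules = branch.get("allOf", [])
        satisfied = all(
            rule["claim"] in token_claims
            and _claim_text(token_claims[rule["claim"]]) == _claim_text(rule["equals"])
            for rule in rules
        )
        if rules and satisfied:
            return True
    return False


def export_settings_problems(exportable, release_policy):
    """Review the exportable/release_policy pair before create_*_key or import_key.
    Assumption: the service rejects exportable keys that carry no release policy,
    and release_key requires exportable=True, so a policy on a non-exportable key is dead."""
    problems = []
    if exportable and release_policy is None:
        problems.append("exportable=True without release_policy")
    if not exportable and release_policy is not None:
        problems.append("release_policy set on a key that is not exportable")
    return problems


# Constructed sample data: claim names follow the MAA SGX claim set; values are made up.
REQUIRED_CLAIMS = {
    "x-ms-sgx-is-debuggable": False,
    "x-ms-sgx-mrsigner": "1f6e2b9d0c4a8e7f3b5d9c1a2e4f6b8d0c2a4e6f8b0d2c4a6e8f0b2d4c6a8e0f",
}
DEMO_POLICY = build_release_policy(ATTESTATION_AUTHORITY, REQUIRED_CLAIMS)
PROD_ENCLAVE_CLAIMS = {**REQUIRED_CLAIMS, "x-ms-sgx-svn": 3}
DEBUG_ENCLAVE_CLAIMS = {**PROD_ENCLAVE_CLAIMS, "x-ms-sgx-is-debuggable": True}

if __name__ == "__main__":
    print(DEMO_POLICY.decode())
    print("prod enclave:", release_allowed(DEMO_POLICY, ATTESTATION_AUTHORITY, PROD_ENCLAVE_CLAIMS))
    print("debug enclave:", release_allowed(DEMO_POLICY, ATTESTATION_AUTHORITY, DEBUG_ENCLAVE_CLAIMS))
    # With the SDK (not executed here), the reviewed bytes become the key's policy:
    #   from azure.keyvault.keys import KeyReleasePolicy
    #   policy = KeyReleasePolicy(encoded_policy=DEMO_POLICY, immutable=True)
    #   key = key_client.create_rsa_key("release-demo", hardware_protected=True,
    #                                   exportable=True, release_policy=policy)
    #   result = key_client.release_key("release-demo", target_attestation_token=token)
```

Setting immutable=True when the policy is created means it can no longer be loosened through update_key_properties, which is the setting to use for keys whose whole purpose is to be released only into attested environments.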
restore_key_backup
Restore a key backup to the vault.
Requires keys/restore permission.
This imports all versions of the key, with its name, attributes, and access control policies. If the key's name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.
restore_key_backup(backup: bytes, **kwargs: Any) -> KeyVaultKey
Parameters
- backup
- bytes
A key backup as returned by backup_key.
Returns
The restored key
Return type
KeyVaultKey
Exceptions
ResourceExistsError if the backed up key's name is already in use,
HttpResponseError for other errors
Examples
Restore a key backup
# restore a key backup
restored_key = key_client.restore_key_backup(key_backup)
print(restored_key.id)
print(restored_key.properties.version)
rotate_key
Rotate the key based on the key policy by generating a new version of the key.
This operation requires the keys/rotate permission.
rotate_key(name: str, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name of the key to rotate.
Returns
The new version of the rotated key.
Return type
KeyVaultKey
Exceptions
HttpResponseError
update_key_properties
Change a key's properties (not its cryptographic material).
Requires keys/update permission.
update_key_properties(name: str, version: Optional[str] = None, **kwargs: Any) -> KeyVaultKey
Parameters
- name
- str
The name of the key to update.
- version
- str
(optional) The version of the key to update. If unspecified, the latest version is updated.
- key_operations
- list[KeyOperation or str]
Allowed key operations
- enabled
- bool
Whether the key is enabled for use.
- not_before
- datetime
Not before date of the key in UTC
- expires_on
- datetime
Expiry date of the key in UTC
- release_policy
- KeyReleasePolicy
The policy rules under which the key can be exported.
Returns
The updated key
Return type
KeyVaultKey
Exceptions
ResourceNotFoundError if the key doesn't exist,
HttpResponseError for other errors
Examples
Update a key's attributes
from dateutil import parser as date_parse
# update attributes of an existing key
expires_on = date_parse.parse("2050-01-02T08:00:00.000Z")
tags = {"foo": "updated tag"}
updated_key = key_client.update_key_properties(key.name, expires_on=expires_on, tags=tags)
print(updated_key.properties.version)
print(updated_key.properties.updated_on)
print(updated_key.properties.expires_on)
print(updated_key.properties.tags)
print(updated_key.key_type)
update_key_rotation_policy
Updates the rotation policy of a Key Vault key.
This operation requires the keys/update permission.
update_key_rotation_policy(key_name: str, policy: KeyRotationPolicy, **kwargs: Any) -> KeyRotationPolicy
Parameters
- key_name
- str
The name of the key whose rotation policy is updated.
- policy
- KeyRotationPolicy
The new rotation policy for the key.
- lifetime_actions
- list[KeyRotationLifetimeAction]
Actions that will be performed by Key Vault over the lifetime of a key. This will
override the lifetime actions of the provided policy.
- expires_in
- str
The expiry time of the policy that will be applied on new key versions, defined as an
ISO 8601 duration. For example: 90 days is "P90D", 3 months is "P3M", and 48 hours is "PT48H". See
Wikipedia for more information on ISO 8601 durations.
This will override the expiry time of the provided policy.
Returns
The updated rotation policy.
Return type
KeyRotationPolicy
Exceptions
HttpResponseError
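A rotation policy is only as safe as the relationship between its expires_in and the rotate action's trigger: if a version expires before it is rotated, callers are left holding an expired key. The following added example (not part of the azure-keyvault-keys SDK or its documentation) parses the ISO 8601 durations the policy uses, computes when a version created at a given time would be rotated and when it would expire, and flags inconsistent policies before update_key_rotation_policy is called. It assumes months and years can be approximated as 30 and 365 days for this check (Key Vault works in calendar time), and that the service's minimum gap between creation, rotation and expiry is 7 days, as documented at the time of writing; the sample creation date is constructed.

```python
"""Sanity-check a Key Vault key rotation policy before applying it.

Added example for this reference page; not SDK code.  Only the standard
library is used so the check runs anywhere, including in CI before a
policy change is deployed.
"""
import re
from datetime import datetime, timedelta, timezone

MIN_GAP = timedelta(days=7)  # assumed service minimum for rotation triggers
DEMO_CREATED = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample

# ISO 8601 duration: P[nY][nM][nW][nD][T[nH][nM][nS]]; "P" and "PT" alone are invalid.
_DURATION = re.compile(
    r"^P(?!$)(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?=\d)(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text):
    """ISO 8601 duration string -> timedelta (months = 30 days, years = 365 days)."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=365 * y + 30 * mo + 7 * w + d, hours=h, minutes=mi, seconds=s)


def check_policy(expires_in, time_after_create=None, time_before_expiry=None, created=DEMO_CREATED):
    """Model one key version under the policy.

    expires_in maps to KeyRotationPolicy.expires_in; exactly one of
    time_after_create / time_before_expiry is the rotate action's trigger,
    as in KeyRotationLifetimeAction.  Returns the concrete dates plus a list
    of problems (empty when the policy is consistent).
    """
    if (time_after_create is None) == (time_before_expiry is None):
        raise ValueError("give exactly one of time_after_create / time_before_expiry")
    expires_at = created + parse_duration(expires_in)
    if time_after_create is not None:
        rotate_at = created + parse_duration(time_after_create)
    else:
        rotate_at = expires_at - parse_duration(time_before_expiry)

    problems = []
    if rotate_at - created < MIN_GAP:
        problems.append("rotation trigger is less than 7 days after creation")
    if rotate_at >= expires_at:
        problems.append("version expires before it is rotated; callers would be left with an expired key")
    elif expires_at - rotate_at < MIN_GAP:
        problems.append("rotation trigger is less than 7 days before expiry")
    return {"created": created, "rotate_at": rotate_at, "expires_at": expires_at, "problems": problems}


if __name__ == "__main__":
    plan = check_policy("P90D", time_after_create="P60D")
    for field in ("created", "rotate_at", "expires_at"):
        print(f"{field}: {plan[field].isoformat()}")
    print("problems:", plan["problems"] or "none")
    # Applying the checked policy with the SDK (not executed here):
    #   from azure.keyvault.keys import (KeyRotationPolicy, KeyRotationLifetimeAction,
    #                                    KeyRotationPolicyAction)
    #   action = KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create="P60D")
    #   policy = KeyRotationPolicy(expires_in="P90D", lifetime_actions=[action])
    #   key_client.update_key_rotation_policy(key_name, policy)
```

Run the check in the same pipeline that applies the policy; a policy that passes here can still be rejected by the service, but one that fails here should never be sent.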