azure.keyvault.administration package

class azure.keyvault.administration.ApiVersion

Key Vault API versions supported by this package

V7_2_preview = '7.2-preview'

this is the default version

class azure.keyvault.administration.BackupOperation(**kwargs)

A Key Vault full backup operation.

Variables
  • status (str) – status of the backup operation

  • status_details (str) – more details of the operation’s status

  • error – Error encountered, if any, during the operation

  • start_time (datetime.datetime) – UTC start time of the operation

  • end_time (datetime.datetime) – UTC end time of the operation

  • job_id (str) – identifier for the operation

  • azure_storage_blob_container_uri (str) – URI of the Azure blob storage container which contains the backup

class azure.keyvault.administration.KeyVaultAccessControlClient(vault_url: str, credential: TokenCredential, **kwargs: Any)

Manages role-based access to Azure Key Vault.

Parameters
  • vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”.

  • credential – an object which can provide an access token for the vault, such as a credential from azure.identity

close() → None

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

create_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_definition_id: str, principal_id: str, **kwargs: Any) → KeyVaultRoleAssignment

Create a role assignment.

Parameters
  • role_scope (str or KeyVaultRoleScope) – scope the role assignment will apply over. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • role_definition_id (str) – ID of the role’s definition

  • principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.

Keyword Arguments

role_assignment_name – a name for the role assignment. Must be a UUID.

Return type

KeyVaultRoleAssignment

delete_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment

Delete a role assignment.

Parameters
  • role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • role_assignment_name (str or uuid.UUID) – the assignment’s name. Must be a UUID.

Returns

the deleted assignment

Return type

KeyVaultRoleAssignment

get_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment

Get a role assignment.

Parameters
  • role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • role_assignment_name (str or uuid.UUID) – the assignment’s name. Must be a UUID.

Return type

KeyVaultRoleAssignment

list_role_assignments(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleAssignment]

List all role assignments for a scope.

Parameters

role_scope (str or KeyVaultRoleScope) – scope of the role assignments. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

Return type

ItemPaged[KeyVaultRoleAssignment]

list_role_definitions(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleDefinition]

List all role definitions applicable at and above a scope.

Parameters

role_scope (str or KeyVaultRoleScope) – scope of the role definitions. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

Return type

ItemPaged[KeyVaultRoleDefinition]

property vault_url

class azure.keyvault.administration.KeyVaultBackupClient(vault_url: str, credential: TokenCredential, **kwargs: Any)

Performs Key Vault backup and restore operations.

Parameters
  • vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”.

  • credential – an object which can provide an access token for the vault, such as a credential from azure.identity

begin_full_backup(blob_storage_uri: str, sas_token: str, **kwargs: Any) → LROPoller[BackupOperation]

Begin a full backup of the Key Vault.

Parameters
  • blob_storage_uri (str) – URI of the blob storage resource in which the backup will be stored

  • sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

Keyword Arguments

continuation_token (str) – a continuation token to restart polling from a saved state

Returns

An instance of an LROPoller. Call result() on the poller object to get a BackupOperation.

Return type

LROPoller[BackupOperation]

begin_full_restore(blob_storage_uri: str, sas_token: str, folder_name: str, **kwargs: Any) → LROPoller[RestoreOperation]

Restore a full backup of a Key Vault.

Parameters
  • blob_storage_uri (str) – URI of the blob storage resource in which the backup is stored

  • sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

  • folder_name (str) – name of the blob container which contains the backup

Return type

LROPoller[RestoreOperation]

begin_selective_restore(blob_storage_uri: str, sas_token: str, folder_name: str, key_name: str, **kwargs: Any) → LROPoller[SelectiveKeyRestoreOperation]

Restore a single key from a full Key Vault backup.

Parameters
  • blob_storage_uri (str) – URI of the blob storage resource in which the backup is stored

  • sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

  • folder_name (str) – name of the blob container which contains the backup

  • key_name (str) – name of the key to restore from the backup

Return type

LROPoller[SelectiveKeyRestoreOperation]

close() → None

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

get_backup_status(job_id: str, **kwargs: Any) → BackupOperation

Returns the status of a full backup operation.

Parameters

job_id (str) – The job ID returned as part of the backup request

Returns

The full backup operation status as a BackupOperation

Return type

BackupOperation

get_restore_status(job_id: str, **kwargs: Any) → RestoreOperation

Returns the status of a restore operation.

Parameters

job_id (str) – The job ID returned as part of the restore request

Returns

The restore operation status as a RestoreOperation

Return type

RestoreOperation

property vault_url

class azure.keyvault.administration.KeyVaultPermission(**kwargs: Any)

Role definition permissions.

Variables
  • actions (list[str]) – allowed actions

  • not_actions (list[str]) – denied actions

  • data_actions (list[str]) – allowed data actions

  • not_data_actions (list[str]) – denied data actions

class azure.keyvault.administration.KeyVaultRoleAssignment(**kwargs: Any)

Represents the assignment to a principal of a role over a scope

property assignment_id

unique identifier for this assignment

property name

name of the assignment

property principal_id

ID of the principal this assignment applies to.

This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.

property role_definition_id

ID of the role’s definition

property scope

scope of the assignment

property type

the type of this assignment

class azure.keyvault.administration.KeyVaultRoleDefinition(**kwargs: Any)

Role definition.

Variables
  • id (str) – The role definition ID.

  • name (str) – The role definition name.

  • type (str) – The role definition type.

  • role_name (str) – The role name.

  • description (str) – The role definition description.

  • role_type (str) – The role type.

  • permissions (list[KeyVaultPermission]) – Role definition permissions.

  • assignable_scopes (list[str]) – Role definition assignable scopes.

class azure.keyvault.administration.KeyVaultRoleScope

Collection of well-known role scopes. This list is not exhaustive.

global_value = '/'

use this if you want role assignments to apply to everything on the resource

keys_value = '/keys'

use this if you want role assignments to apply to all keys
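
Added example (not part of the package or its documentation): a review of role assignments that reports principals holding a role over the whole resource ('/') and assignments whose role definition cannot be resolved. It reads only the properties documented above; the audit_role_assignments function, the allowed_global allowlist and the sample objects are hypothetical and constructed here so the block runs without a vault.

```python
from types import SimpleNamespace as NS

GLOBAL_SCOPE = "/"  # documented value of KeyVaultRoleScope.global_value


def audit_role_assignments(assignments, definitions, allowed_global=frozenset()):
    """Return (assignment name, principal ID, reason) for each risky assignment.

    Reads only documented properties: name, principal_id, role_definition_id
    and scope on assignments; id and role_name on definitions.
    allowed_global is a hypothetical allowlist of principal IDs approved to
    hold a role over the whole resource.
    """
    role_names = {d.id: d.role_name for d in definitions}
    findings = []
    for a in assignments:
        role = role_names.get(a.role_definition_id)
        if role is None:
            # The assignment references a definition the listing did not return.
            findings.append((a.name, a.principal_id, "unknown role definition"))
        elif a.scope == GLOBAL_SCOPE and a.principal_id not in allowed_global:
            findings.append((a.name, a.principal_id, f"'{role}' granted at '/'"))
    return findings


# Constructed sample data standing in for the objects yielded by
# list_role_definitions() and list_role_assignments(); every ID is made up.
SAMPLE_DEFINITIONS = [
    NS(id="def-admin", role_name="Example Administrator"),
    NS(id="def-crypto", role_name="Example Crypto User"),
]
SAMPLE_ASSIGNMENTS = [
    NS(name="00000000-0000-0000-0000-000000000001", principal_id="ops-group",
       role_definition_id="def-admin", scope="/"),
    NS(name="00000000-0000-0000-0000-000000000002", principal_id="build-agent",
       role_definition_id="def-crypto", scope="/"),
    NS(name="00000000-0000-0000-0000-000000000003", principal_id="app-1",
       role_definition_id="def-crypto", scope="/keys/signing-key"),
    NS(name="00000000-0000-0000-0000-000000000004", principal_id="app-2",
       role_definition_id="def-removed", scope="/keys"),
]

if __name__ == "__main__":
    approved = {"ops-group"}
    for finding in audit_role_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_DEFINITIONS, approved):
        print(finding)
```

Against a real vault, pass the results of list_role_assignments and list_role_definitions from a KeyVaultAccessControlClient in place of the sample lists.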

class azure.keyvault.administration.RestoreOperation(**kwargs)

A Key Vault restore operation.

Variables
  • status (str) – status of the operation

  • status_details (str) – more details of the operation’s status

  • error – Error encountered, if any, during the operation

  • start_time (datetime.datetime) – UTC start time of the operation

  • end_time (datetime.datetime) – UTC end time of the operation

  • job_id (str) – identifier for the operation

class azure.keyvault.administration.SelectiveKeyRestoreOperation(**kwargs)

A Key Vault operation restoring a single key.

Variables
  • status (str) – status of the operation

  • status_details (str) – more details of the operation’s status

  • error – Error encountered, if any, during the operation

  • start_time (datetime.datetime) – UTC start time of the operation

  • end_time (datetime.datetime) – UTC end time of the operation

  • job_id (str) – identifier for the operation