azure.keyvault.administration.aio package¶
-
class
azure.keyvault.administration.aio.KeyVaultAccessControlClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶ Manages role-based access to Azure Key Vault.
- Parameters
vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from
azure.identity
-
async
close() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
async
create_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_definition_id: str, principal_id: str, **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment[source]¶ Create a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope the role assignment will apply over.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string.role_definition_id (str) – ID of the role’s definition
principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.
- Keyword Arguments
role_assignment_name – a name for the role assignment. Must be a UUID.
- Return type
-
async
delete_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment[source]¶ Delete a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string.role_assignment_name (str or uuid.UUID) – the assignment’s name.
- Returns
the deleted assignment
- Return type
-
async
delete_role_definition(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Deletes a custom role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.role_definition_name (str or uuid.UUID) – the role definition’s name.
- Returns
the deleted role definition
- Return type
-
async
get_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment[source]¶ Get a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string.role_assignment_name (str or uuid.UUID) – the assignment’s name.
- Return type
-
async
get_role_definition(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Get the specified role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.role_definition_name (str or uuid.UUID) – the role definition’s name.
- Return type
-
list_role_assignments(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleAssignment][source]¶ List all role assignments for a scope.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role assignments.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string.- Return type
-
list_role_definitions(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleDefinition][source]¶ List all role definitions applicable at and above a scope.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definitions.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string.- Return type
-
async
set_role_definition(role_scope: Union[str, KeyVaultRoleScope], permissions: Iterable[KeyVaultPermission], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Creates or updates a custom role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScopedefines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.permissions (Iterable[KeyVaultPermission]) – the role definition’s permissions. An empty list results in a role definition with no action permissions.
- Keyword Arguments
role_name (str) – the role’s name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.
role_definition_name – the role definition’s name. Must be a UUID.
description (str) – a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.
- Returns
The created or updated role definition
- Return type
-
property
vault_url¶
-
class
azure.keyvault.administration.aio.KeyVaultBackupClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶ Performs Key Vault backup and restore operations.
- Parameters
vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from
azure.identity.aio
-
async
begin_backup(blob_storage_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller[BackupOperation][source]¶ Begin a full backup of the Key Vault.
- Parameters
- Keyword Arguments
continuation_token (str) – a continuation token to restart polling from a saved state
- Returns
An AsyncLROPoller. Call result() on this object to get a
BackupOperation.- Return type
-
async
begin_restore(folder_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller[RestoreOperation][source]¶ Restore a full backup of a Key Vault.
- Parameters
folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a
BackupOperationreturned bybegin_backup()orget_backup_status(), for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
- Return type
-
async
begin_selective_restore(folder_url: str, sas_token: str, key_name: str, **kwargs: Any) → AsyncLROPoller[SelectiveKeyRestoreOperation][source]¶ Restore a single key from a full Key Vault backup.
- Parameters
folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a
BackupOperationreturned bybegin_backup()orget_backup_status(), for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
key_name (str) – name of the key to restore from the backup
- Return type
-
async
close() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
async
get_backup_status(job_id: str, **kwargs: Any) → BackupOperation[source]¶ Returns the status of a full backup operation.
- Parameters
job_id (str) – The job ID returned as part of the backup request
- Returns
The full backup operation status as a
BackupOperation- Return type
-
async
get_restore_status(job_id: str, **kwargs: Any) → RestoreOperation[source]¶ Returns the status of a restore operation.
- Parameters
job_id (str) – The ID returned as part of the restore request
- Returns
The restore operation status as a
RestoreOperation- Return type
-
property
vault_url¶