azure.keyvault.administration package¶
-
class
azure.keyvault.administration.
ApiVersion
[source]¶ Key Vault API versions supported by this package
-
V7_2_preview
= '7.2-preview'¶ this is the default version
-
-
class
azure.keyvault.administration.
BackupOperation
(**kwargs)[source]¶ A Key Vault full backup operation.
- Variables
status (str) – status of the backup operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation
folder_url (str) – URL of the Azure blob storage container which contains the backup
-
class
azure.keyvault.administration.
KeyVaultAccessControlClient
(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶ Manages role-based access to Azure Key Vault.
- Parameters
vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from
azure.identity
-
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
create_role_assignment
(role_scope: Union[str, KeyVaultRoleScope], role_definition_id: str, principal_id: str, **kwargs: Any) → KeyVaultRoleAssignment[source]¶ Create a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope the role assignment will apply over.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.role_definition_id (str) – ID of the role’s definition
principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.
- Keyword Arguments
role_assignment_name – a name for the role assignment. Must be a UUID.
- Return type
-
delete_role_assignment
(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment[source]¶ Delete a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.role_assignment_name (str or uuid.UUID) – the assignment’s name.
- Returns
the deleted assignment
- Return type
-
delete_role_definition
(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Deletes a custom role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.role_definition_name (str or uuid.UUID) – the role definition’s name.
- Returns
the deleted role definition
- Return type
-
get_role_assignment
(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment[source]¶ Get a role assignment.
- Parameters
role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.role_assignment_name (str or uuid.UUID) – the assignment’s name.
- Return type
-
get_role_definition
(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Get the specified role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.role_definition_name (str or uuid.UUID) – the role definition’s name.
- Return type
-
list_role_assignments
(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleAssignment][source]¶ List all role assignments for a scope.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role assignments.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.- Return type
-
list_role_definitions
(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleDefinition][source]¶ List all role definitions applicable at and above a scope.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definitions.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.- Return type
-
set_role_definition
(role_scope: Union[str, KeyVaultRoleScope], permissions: Iterable[KeyVaultPermission], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Creates or updates a custom role definition.
- Parameters
role_scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.permissions (Iterable[KeyVaultPermission]) – the role definition’s permissions. An empty list results in a role definition with no action permissions.
- Keyword Arguments
role_name (str) – the role’s name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.
role_definition_name – the role definition’s name. Must be a UUID.
description (str) – a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.
- Returns
The created or updated role definition
- Return type
-
property
vault_url
¶
-
class
azure.keyvault.administration.
KeyVaultBackupClient
(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶ Performs Key Vault backup and restore operations.
- Parameters
vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from
azure.identity
-
begin_backup
(blob_storage_url: str, sas_token: str, **kwargs: Any) → LROPoller[BackupOperation][source]¶ Begin a full backup of the Key Vault.
- Parameters
- Keyword Arguments
continuation_token (str) – a continuation token to restart polling from a saved state
- Returns
An instance of an LROPoller. Call result() on the poller object to get a
BackupOperation
.- Return type
-
begin_restore
(folder_url: str, sas_token: str, **kwargs: Any) → LROPoller[RestoreOperation][source]¶ Restore a full backup of a Key Vault.
- Parameters
folder_url (str) – URL of the blob holding the backup. This would be the folder_url of a
BackupOperation
returned bybegin_backup()
orget_backup_status()
, for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
- Return type
-
begin_selective_restore
(folder_url: str, sas_token: str, key_name: str, **kwargs: Any) → LROPoller[SelectiveKeyRestoreOperation][source]¶ Restore a single key from a full Key Vault backup.
- Parameters
folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a
BackupOperation
returned bybegin_backup()
orget_backup_status()
, for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
key_name (str) – name of the key to restore from the backup
- Return type
-
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
get_backup_status
(job_id: str, **kwargs: Any) → BackupOperation[source]¶ Returns the status of a full backup operation.
- Parameters
job_id (str) – The job ID returned as part of the backup request
- Returns
The full backup operation status as a
BackupOperation
- Return type
-
get_restore_status
(job_id: str, **kwargs: Any) → RestoreOperation[source]¶ Returns the status of a restore operation.
- Parameters
job_id (str) – The job ID returned as part of the restore request
- Returns
The restore operation status as a
RestoreOperation
- Return type
-
property
vault_url
¶
-
class
azure.keyvault.administration.
KeyVaultDataAction
[source]¶ Supported permissions for data actions.
-
BACKUP_HSM_KEYS
= 'Microsoft.KeyVault/managedHsm/keys/backup/action'¶ Backup HSM keys.
-
CREATE_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/create'¶ Create an HSM key.
-
DECRYPT_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/decrypt/action'¶ Decrypt using an HSM key.
-
DELETE_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/delete'¶ Delete an HSM key.
-
DELETE_ROLE_ASSIGNMENT
= 'Microsoft.KeyVault/managedHsm/roleAssignments/delete/action'¶ Delete role assignment.
-
DOWNLOAD_HSM_SECURITY_DOMAIN
= 'Microsoft.KeyVault/managedHsm/securitydomain/download/action'¶ Download an HSM security domain.
-
ENCRYPT_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/encrypt/action'¶ Encrypt using an HSM key.
-
EXPORT_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/export/action'¶ Export an HSM key.
-
GET_ROLE_ASSIGNMENT
= 'Microsoft.KeyVault/managedHsm/roleAssignments/read/action'¶ Get role assignment.
-
IMPORT_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/import/action'¶ Import an HSM key.
-
PURGE_DELETED_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete'¶ Purge a deleted HSM key.
-
READ_DELETED_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action'¶ Read deleted HSM key.
-
READ_HSM_BACKUP_STATUS
= 'Microsoft.KeyVault/managedHsm/backup/status/action'¶ Read an HSM backup status.
-
READ_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/read/action'¶ Read HSM key metadata.
-
READ_HSM_RESTORE_STATUS
= 'Microsoft.KeyVault/managedHsm/restore/status/action'¶ Read an HSM restore status.
-
READ_HSM_SECURITY_DOMAIN_STATUS
= 'Microsoft.KeyVault/managedHsm/securitydomain/upload/read'¶ Check the status of the HSM security domain exchange file.
-
READ_HSM_SECURITY_DOMAIN_TRANSFER_KEY
= 'Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read'¶ Download an HSM security domain transfer key.
-
READ_ROLE_DEFINITION
= 'Microsoft.KeyVault/managedHsm/roleDefinitions/read/action'¶ Get role definition.
-
RECOVER_DELETED_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action'¶ Recover deleted HSM key.
-
RESTORE_HSM_KEYS
= 'Microsoft.KeyVault/managedHsm/keys/restore/action'¶ Restore HSM keys.
-
SIGN_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/sign/action'¶ Sign using an HSM key.
-
START_HSM_BACKUP
= 'Microsoft.KeyVault/managedHsm/backup/start/action'¶ Start an HSM backup.
-
START_HSM_RESTORE
= 'Microsoft.KeyVault/managedHsm/restore/start/action'¶ Start an HSM restore.
-
UNWRAP_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/unwrap/action'¶ Unwrap using an HSM key.
-
UPLOAD_HSM_SECURITY_DOMAIN
= 'Microsoft.KeyVault/managedHsm/securitydomain/upload/action'¶ Upload an HSM security domain.
-
VERIFY_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/verify/action'¶ Verify using an HSM key.
-
WRAP_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/wrap/action'¶ Wrap using an HSM key.
-
WRITE_HSM_KEY
= 'Microsoft.KeyVault/managedHsm/keys/write/action'¶ Update an HSM key.
-
WRITE_ROLE_ASSIGNMENT
= 'Microsoft.KeyVault/managedHsm/roleAssignments/write/action'¶ Create or update role assignment.
-
-
class
azure.keyvault.administration.
KeyVaultPermission
(**kwargs: Any)[source]¶ Role definition permissions.
-
class
azure.keyvault.administration.
KeyVaultRoleAssignment
(**kwargs: Any)[source]¶ Represents the assignment to a principal of a role over a scope
-
property
name
¶ name of the assignment
-
property
principal_id
¶ ID of the principal this assignment applies to.
This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.
-
property
role_assignment_id
¶ unique identifier for this assignment
-
property
role_definition_id
¶ ID of the role’s definition
-
property
scope
¶ scope of the assignment
-
property
type
¶ the type of this assignment
-
property
-
class
azure.keyvault.administration.
KeyVaultRoleDefinition
(**kwargs: Any)[source]¶ Represents the definition of a role over a scope.
-
property
assignable_scopes
¶ scopes that can be assigned to the role
-
property
description
¶ description of the role definition
-
property
id
¶ unique identifier for this role definition
-
property
name
¶ name of the role definition
-
property
permissions
¶ permissions defined for the role
-
property
role_name
¶ name of the role
-
property
role_type
¶ type of the role
-
property
type
¶ type of the role definition
-
property
-
class
azure.keyvault.administration.
KeyVaultRoleScope
[source]¶ Collection of well known role scopes. This list is not exhaustive.
-
GLOBAL
= '/'¶ use this if you want role assignments to apply to everything on the resource
-
KEYS
= '/keys'¶ use this if you want role assignments to apply to all keys
-
-
class
azure.keyvault.administration.
RestoreOperation
(**kwargs)[source]¶ A Key Vault restore operation.
- Variables
status (str) – status of the operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation
-
class
azure.keyvault.administration.
SelectiveKeyRestoreOperation
(**kwargs)[source]¶ A Key Vault operation restoring a single key.
- Variables
status (str) – status of the operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation