azure.keyvault.administration package¶

class azure.keyvault.administration.ApiVersion[source]¶

Key Vault API versions supported by this package

V7_2_preview = '7.2-preview'¶: this is the default version

class azure.keyvault.administration.BackupOperation(**kwargs)[source]¶

A Key Vault full backup operation.

Variables

status (str) – status of the backup operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation
folder_url (str) – URL of the Azure blob storage container which contains the backup

class azure.keyvault.administration.KeyVaultAccessControlClient(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶

Manages role-based access to Azure Key Vault.

Parameters

vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from azure.identity

close() → None ¶

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

create_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_definition_id: str, principal_id: str, **kwargs: Any) → KeyVaultRoleAssignment[source]¶

Create a role assignment.

Parameters

role_scope (str or KeyVaultRoleScope) – scope the role assignment will apply over. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
role_definition_id (str) – ID of the role’s definition
principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.

Keyword Arguments

role_assignment_name – a name for the role assignment. Must be a UUID.

Return type

KeyVaultRoleAssignment

delete_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment[source]¶

Delete a role assignment.

Parameters

role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>” KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
role_assignment_name (str or uuid.UUID) – the assignment’s name.

Returns

the deleted assignment

Return type

KeyVaultRoleAssignment

delete_role_definition(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶

Deletes a custom role definition.

Parameters

role_scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.
role_definition_name (str or uuid.UUID) – the role definition’s name.

Returns

the deleted role definition

Return type

KeyVaultRoleDefinition

get_role_assignment(role_scope: Union[str, KeyVaultRoleScope], role_assignment_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleAssignment[source]¶

Get a role assignment.

Parameters

role_scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>” KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
role_assignment_name (str or uuid.UUID) – the assignment’s name.

Return type

KeyVaultRoleAssignment

get_role_definition(role_scope: Union[str, KeyVaultRoleScope], role_definition_name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶

Get the specified role definition.

Parameters

role_scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.
role_definition_name (str or uuid.UUID) – the role definition’s name.

Return type

KeyVaultRoleDefinition

list_role_assignments(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleAssignment][source]¶

List all role assignments for a scope.

Parameters: role_scope (str or KeyVaultRoleScope) – scope of the role assignments. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Return type: ItemPaged[KeyVaultRoleAssignment]

list_role_definitions(role_scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → ItemPaged[KeyVaultRoleDefinition][source]¶

List all role definitions applicable at and above a scope.

Parameters: role_scope (str or KeyVaultRoleScope) – scope of the role definitions. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.
Return type: ItemPaged[KeyVaultRoleDefinition]

set_role_definition(role_scope: Union[str, KeyVaultRoleScope], permissions: Iterable[KeyVaultPermission], **kwargs: Any) → KeyVaultRoleDefinition[source]¶

Creates or updates a custom role definition.

Parameters

role_scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.
permissions (Iterable[KeyVaultPermission]) – the role definition’s permissions. An empty list results in a role definition with no action permissions.

Keyword Arguments

role_name (str) – the role’s name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.
role_definition_name – the role definition’s name. Must be a UUID.
description (str) – a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.

Returns

The created or updated role definition

Return type

KeyVaultRoleDefinition

property vault_url¶

class azure.keyvault.administration.KeyVaultBackupClient(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶

Performs Key Vault backup and restore operations.

Parameters

vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”.
credential – an object which can provide an access token for the vault, such as a credential from azure.identity

begin_backup(blob_storage_url: str, sas_token: str, **kwargs: Any) → LROPoller[BackupOperation][source]¶

Begin a full backup of the Key Vault.

Parameters

blob_storage_url (str) – URL of the blob storage container in which the backup will be stored, for example https://<account>.blob.core.windows.net/backup
sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

Keyword Arguments

continuation_token (str) – a continuation token to restart polling from a saved state

Returns

An instance of an LROPoller. Call result() on the poller object to get a BackupOperation.

Return type

LROPoller[BackupOperation]

begin_restore(folder_url: str, sas_token: str, **kwargs: Any) → LROPoller[RestoreOperation][source]¶

Restore a full backup of a Key Vault.

Parameters

folder_url (str) – URL of the blob holding the backup. This would be the folder_url of a BackupOperation returned by begin_backup() or get_backup_status(), for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313
sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

Return type

LROPoller[RestoreOperation]

begin_selective_restore(folder_url: str, sas_token: str, key_name: str, **kwargs: Any) → LROPoller[SelectiveKeyRestoreOperation][source]¶

Restore a single key from a full Key Vault backup.

Parameters

folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a BackupOperation returned by begin_backup() or get_backup_status(), for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313
sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
key_name (str) – name of the key to restore from the backup

Return type

LROPoller[RestoreOperation]

close() → None ¶

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

get_backup_status(job_id: str, **kwargs: Any) → BackupOperation[source]¶

Returns the status of a full backup operation.

Parameters: job_id (str) – The job ID returned as part of the backup request
Returns: The full backup operation status as a BackupOperation
Return type: BackupOperation

get_restore_status(job_id: str, **kwargs: Any) → RestoreOperation[source]¶

Returns the status of a restore operation.

Parameters: job_id (str) – The job ID returned as part of the restore request
Returns: The restore operation status as a RestoreOperation
Return type: RestoreOperation

property vault_url¶

class azure.keyvault.administration.KeyVaultDataAction[source]¶

Supported permissions for data actions.

BACKUP_HSM_KEYS = 'Microsoft.KeyVault/managedHsm/keys/backup/action'¶: Backup HSM keys.

CREATE_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/create'¶: Create an HSM key.

DECRYPT_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/decrypt/action'¶: Decrypt using an HSM key.

DELETE_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/delete'¶: Delete an HSM key.

DELETE_ROLE_ASSIGNMENT = 'Microsoft.KeyVault/managedHsm/roleAssignments/delete/action'¶: Delete role assignment.

DOWNLOAD_HSM_SECURITY_DOMAIN = 'Microsoft.KeyVault/managedHsm/securitydomain/download/action'¶: Download an HSM security domain.

ENCRYPT_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/encrypt/action'¶: Encrypt using an HSM key.

EXPORT_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/export/action'¶: Export an HSM key.

GET_ROLE_ASSIGNMENT = 'Microsoft.KeyVault/managedHsm/roleAssignments/read/action'¶: Get role assignment.

IMPORT_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/import/action'¶: Import an HSM key.

PURGE_DELETED_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete'¶: Purge a deleted HSM key.

READ_DELETED_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action'¶: Read deleted HSM key.

READ_HSM_BACKUP_STATUS = 'Microsoft.KeyVault/managedHsm/backup/status/action'¶: Read an HSM backup status.

READ_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/read/action'¶: Read HSM key metadata.

READ_HSM_RESTORE_STATUS = 'Microsoft.KeyVault/managedHsm/restore/status/action'¶: Read an HSM restore status.

READ_HSM_SECURITY_DOMAIN_STATUS = 'Microsoft.KeyVault/managedHsm/securitydomain/upload/read'¶: Check the status of the HSM security domain exchange file.

READ_HSM_SECURITY_DOMAIN_TRANSFER_KEY = 'Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read'¶: Download an HSM security domain transfer key.

READ_ROLE_DEFINITION = 'Microsoft.KeyVault/managedHsm/roleDefinitions/read/action'¶: Get role definition.

RECOVER_DELETED_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action'¶: Recover deleted HSM key.

RESTORE_HSM_KEYS = 'Microsoft.KeyVault/managedHsm/keys/restore/action'¶: Restore HSM keys.

SIGN_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/sign/action'¶: Sign using an HSM key.

START_HSM_BACKUP = 'Microsoft.KeyVault/managedHsm/backup/start/action'¶: Start an HSM backup.

START_HSM_RESTORE = 'Microsoft.KeyVault/managedHsm/restore/start/action'¶: Start an HSM restore.

UNWRAP_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/unwrap/action'¶: Unwrap using an HSM key.

UPLOAD_HSM_SECURITY_DOMAIN = 'Microsoft.KeyVault/managedHsm/securitydomain/upload/action'¶: Upload an HSM security domain.

VERIFY_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/verify/action'¶: Verify using an HSM key.

WRAP_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/wrap/action'¶: Wrap using an HSM key.

WRITE_HSM_KEY = 'Microsoft.KeyVault/managedHsm/keys/write/action'¶: Update an HSM key.

WRITE_ROLE_ASSIGNMENT = 'Microsoft.KeyVault/managedHsm/roleAssignments/write/action'¶: Create or update role assignment.

class azure.keyvault.administration.KeyVaultPermission(**kwargs: Any)[source]¶

Role definition permissions.

Variables

allowed_actions (list[str]) –
denied_actions (list[str]) –
allowed_data_actions (list[str]) –
denied_data_actions (list[str]) –

class azure.keyvault.administration.KeyVaultRoleAssignment(**kwargs: Any)[source]¶

Represents the assignment to a principal of a role over a scope

property name¶: name of the assignment

property principal_id¶

ID of the principal this assignment applies to.

This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.

property role_assignment_id¶: unique identifier for this assignment

property role_definition_id¶: ID of the role’s definition

property scope¶: scope of the assignment

property type¶: the type of this assignment

class azure.keyvault.administration.KeyVaultRoleDefinition(**kwargs: Any)[source]¶

Represents the definition of a role over a scope.

property assignable_scopes¶: scopes that can be assigned to the role

property description¶: description of the role definition

property id¶: unique identifier for this role definition

property name¶: name of the role definition

property permissions¶: permissions defined for the role

property role_name¶: name of the role

property role_type¶: type of the role

property type¶: type of the role definition

class azure.keyvault.administration.KeyVaultRoleScope[source]¶

Collection of well known role scopes. This list is not exhaustive.

GLOBAL = '/'¶: use this if you want role assignments to apply to everything on the resource

KEYS = '/keys'¶: use this if you want role assignments to apply to all keys

class azure.keyvault.administration.RestoreOperation(**kwargs)[source]¶

A Key Vault restore operation.

Variables

status (str) – status of the operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation

class azure.keyvault.administration.SelectiveKeyRestoreOperation(**kwargs)[source]¶

A Key Vault operation restoring a single key.

Variables

status (str) – status of the operation
status_details (str) – more details of the operation’s status
error – Error encountered, if any, during the operation
start_time (datetime.datetime) – UTC start time of the operation
end_time (datetime.datetime) – UTC end time of the operation
job_id (str) – identifier for the operation

Subpackages¶

azure.keyvault.administration.aio package