azure.keyvault.administration.aio package

class azure.keyvault.administration.aio.KeyVaultAccessControlClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)

Manages role-based access to Azure Key Vault.

Parameters
  • vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.

  • credential (AsyncTokenCredential) – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword Arguments
  • api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.

  • verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.

async close() → None

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

async create_role_assignment(scope: Union[str, KeyVaultRoleScope], definition_id: str, principal_id: str, **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment

Create a role assignment.

Parameters
  • scope (str or KeyVaultRoleScope) – scope the role assignment will apply over. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • definition_id (str) – ID of the role’s definition

  • principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.

Keyword Arguments

name (str or uuid.UUID) – a name for the role assignment. Must be a UUID.

Return type

KeyVaultRoleAssignment

async delete_role_assignment(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → None

Delete a role assignment.

Parameters
  • scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • name (str or uuid.UUID) – the role assignment’s name.

Returns

None

async delete_role_definition(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → None

Deletes a custom role definition.

Parameters
  • scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.

  • name (str or uuid.UUID) – the role definition’s name.

Returns

None

async get_role_assignment(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment

Get a role assignment.

Parameters
  • scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

  • name (str or uuid.UUID) – the role assignment’s name.

Return type

KeyVaultRoleAssignment

async get_role_definition(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition

Get the specified role definition.

Parameters
  • scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.

  • name (str or uuid.UUID) – the role definition’s name.

Return type

KeyVaultRoleDefinition

list_role_assignments(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleAssignment]

List all role assignments for a scope.

Parameters

scope (str or KeyVaultRoleScope) – scope of the role assignments. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

Return type

AsyncItemPaged[KeyVaultRoleAssignment]

list_role_definitions(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleDefinition]

List all role definitions applicable at and above a scope.

Parameters

scope (str or KeyVaultRoleScope) – scope of the role definitions. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string.

Return type

AsyncItemPaged[KeyVaultRoleDefinition]

async set_role_definition(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → KeyVaultRoleDefinition

Creates or updates a custom role definition.

To update a role definition, specify the definition’s name.

Parameters

scope (str or KeyVaultRoleScope) – scope of the role definition. KeyVaultRoleScope defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.

Keyword Arguments
  • name (str or uuid.UUID) – the role definition’s name, a UUID. When this argument has a value, the client will create a new role definition with this name or update an existing role definition, if one exists with the given name. When this argument has no value, a new role definition will be created with a generated name.

  • role_name (str) – the role’s display name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.

  • description (str) – a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.

  • permissions (Iterable[KeyVaultPermission]) – the role definition’s permissions. If unspecified when creating or updating a role definition, the role definition will have no action permissions.

  • assignable_scopes (Iterable[str] or Iterable[KeyVaultRoleScope]) – the scopes for which the role definition can be assigned.

Returns

The created or updated role definition

Return type

KeyVaultRoleDefinition

property vault_url

class azure.keyvault.administration.aio.KeyVaultBackupClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)

Performs Key Vault backup and restore operations.

Parameters
  • vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.

  • credential (AsyncTokenCredential) – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword Arguments
  • api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.

  • verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.

async begin_backup(blob_storage_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller[KeyVaultBackupResult]

Begin a full backup of the Key Vault.

Parameters
  • blob_storage_url (str) – URL of the blob storage container in which the backup will be stored, for example https://<account>.blob.core.windows.net/backup

  • sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

Keyword Arguments

continuation_token (str) – a continuation token to restart polling from a saved state

Returns

An AsyncLROPoller. Call result() on this object to get a KeyVaultBackupResult.

Return type

AsyncLROPoller[KeyVaultBackupResult]

Example

Create a vault backup

    # begin a vault backup
    backup_poller = await backup_client.begin_backup(container_uri, sas_token)

    # check if the backup completed
    done = backup_poller.done()

    # yield until the backup completes
    # result() returns an object with a URL of the backup
    backup_operation = await backup_poller.result()

async begin_restore(folder_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller

Restore a Key Vault backup.

This method restores either a complete Key Vault backup or, when key_name has a value, a single key.

Parameters
  • folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a KeyVaultBackupResult returned by begin_backup(), for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313

  • sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource

Keyword Arguments
  • continuation_token (str) – a continuation token to restart polling from a saved state

  • key_name (str) – name of a single key in the backup. When set, only this key will be restored.

Return type

AsyncLROPoller

Examples

Restore a vault backup

    # begin a full vault restore
    restore_poller = await backup_client.begin_restore(folder_url, sas_token)

    # check if the restore completed
    done = restore_poller.done()

    # wait for the restore to complete
    await restore_poller.wait()

Restore a single key

    # begin a restore of a single key from a backed up vault
    restore_poller = await backup_client.begin_restore(folder_url, sas_token, key_name=key_name)

    # check if the restore completed
    done = restore_poller.done()

    # wait for the restore to complete
    await restore_poller.wait()

async close() → None

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

property vault_url

class azure.keyvault.administration.aio.KeyVaultSettingsClient(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)

Provides methods to update, get, and list settings for an Azure Key Vault.

Parameters
  • vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.

  • credential (AsyncTokenCredential) – An object which can provide an access token for the vault, such as a credential from azure.identity.aio

Keyword Arguments
  • api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.

  • verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.
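The vault_url parameter of KeyVaultAccessControlClient, KeyVaultBackupClient and KeyVaultSettingsClient carries the same advice: validate the URL before use. One way to do that before constructing any of these clients, shown as an added example that is not part of the azure-keyvault-administration package; the suffix allow-list (Azure public cloud only), the single-label rule and the names validate_vault_url and is_trusted are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: Azure public-cloud suffixes only; add the sovereign-cloud suffixes you actually use.
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
# Assumption: a conservative single-DNS-label check, not the service's exact naming rule.
_LABEL = re.compile(r"[a-z0-9][a-z0-9-]*")


def validate_vault_url(vault_url: str, allowed_suffixes=ALLOWED_SUFFIXES) -> str:
    """Return the normalized base URL (https://<host>) or raise ValueError."""
    parts = urlsplit(vault_url.strip())
    if parts.scheme != "https":
        raise ValueError("vault URL must use https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed in a vault URL")
    if parts.port not in (None, 443):
        raise ValueError("unexpected port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("expected the vault base URL only")
    host = (parts.hostname or "").rstrip(".")
    for suffix in allowed_suffixes:
        # Exactly one label may precede the suffix, so "a.b.vault.azure.net" is rejected.
        if host.endswith(suffix) and _LABEL.fullmatch(host[: -len(suffix)]):
            return f"https://{host}"
    raise ValueError(f"host {host!r} is not under an allowed vault domain")


def is_trusted(vault_url: str) -> bool:
    """Boolean wrapper for config linting or logging."""
    try:
        validate_vault_url(vault_url)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not real vaults).
SAMPLES = [
    "https://MyVault.vault.azure.net/",
    "https://hsm1.managedhsm.azure.net",
    "http://myvault.vault.azure.net",
    "https://myvault.vault.azure.net.evil.example",
    "https://myvault.vault.azure.net@evil.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{is_trusted(url)!s:5}  {url}")
```

Pass the returned string as vault_url, for example KeyVaultAccessControlClient(validate_vault_url(url), credential), and leave verify_challenge_resource at its default of True.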

async close() → None

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

async get_setting(name: str, **kwargs) → azure.keyvault.administration._models.KeyVaultSetting

Gets the setting with the specified name.

Parameters

name (str) – The name of the account setting.

Returns

The account setting, as a KeyVaultSetting.

Return type

KeyVaultSetting

Raises

HttpResponseError

async list_settings(**kwargs) → azure.core.async_paging.AsyncItemPaged[azure.keyvault.administration._models.KeyVaultSetting]

Lists all account settings.

Returns

A GetSettingsResult object containing the account’s settings.

Return type

AsyncItemPaged[KeyVaultSetting]

Raises

HttpResponseError

async update_setting(name: str, value: str, **kwargs) → azure.keyvault.administration._models.KeyVaultSetting

Updates a given account setting with the provided value.

Parameters
  • name (str) – The name of the account setting to update.

  • value (str) – The value to set.

Returns

The updated account setting, as a KeyVaultSetting.

Return type

KeyVaultSetting

Raises

HttpResponseError

property vault_url