azure.keyvault.administration.aio package¶
-
class
azure.keyvault.administration.aio.
KeyVaultAccessControlClient
(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶ Manages role-based access to Azure Key Vault.
- Parameters
vault_url (str) – URL of the vault the client will manage. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.
credential (
AsyncTokenCredential
) – An object which can provide an access token for the vault, such as a credential fromazure.identity.aio
- Keyword Arguments
api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.
verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.
-
async
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
async
create_role_assignment
(scope: Union[str, KeyVaultRoleScope], definition_id: str, principal_id: str, **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment[source]¶ Create a role assignment.
- Parameters
scope (str or KeyVaultRoleScope) – scope the role assignment will apply over.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.definition_id (str) – ID of the role’s definition
principal_id (str) – Azure Active Directory object ID of the principal which will be assigned the role. The principal can be a user, service principal, or security group.
- Keyword Arguments
name (str or uuid.UUID) – a name for the role assignment. Must be a UUID.
- Return type
-
async
delete_role_assignment
(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → None[source]¶ Delete a role assignment.
- Parameters
scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.
- Returns
None
-
async
delete_role_definition
(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → None[source]¶ Deletes a custom role definition.
- Parameters
scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.
- Returns
None
-
async
get_role_assignment
(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → azure.keyvault.administration._models.KeyVaultRoleAssignment[source]¶ Get a role assignment.
- Parameters
scope (str or KeyVaultRoleScope) – the assignment’s scope, for example “/”, “/keys”, or “/keys/<specific key identifier>”.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.
- Return type
-
async
get_role_definition
(scope: Union[str, KeyVaultRoleScope], name: Union[str, UUID], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Get the specified role definition.
- Parameters
scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.
- Return type
-
list_role_assignments
(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleAssignment][source]¶ List all role assignments for a scope.
- Parameters
scope (str or KeyVaultRoleScope) – scope of the role assignments.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.- Return type
-
list_role_definitions
(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → AsyncItemPaged[KeyVaultRoleDefinition][source]¶ List all role definitions applicable at and above a scope.
- Parameters
scope (str or KeyVaultRoleScope) – scope of the role definitions.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string.- Return type
-
async
set_role_definition
(scope: Union[str, KeyVaultRoleScope], **kwargs: Any) → KeyVaultRoleDefinition[source]¶ Creates or updates a custom role definition.
To update a role definition, specify the definition’s
name
.- Parameters
scope (str or KeyVaultRoleScope) – scope of the role definition.
KeyVaultRoleScope
defines common broad scopes. Specify a narrower scope as a string. Managed HSM only supports ‘/’, or KeyVaultRoleScope.GLOBAL.- Keyword Arguments
name (str or uuid.UUID) – the role definition’s name, a UUID. When this argument has a value, the client will create a new role definition with this name or update an existing role definition, if one exists with the given name. When this argument has no value, a new role definition will be created with a generated name.
role_name (str) – the role’s display name. If unspecified when creating or updating a role definition, the role name will be set to an empty string.
description (str) – a description of the role definition. If unspecified when creating or updating a role definition, the description will be set to an empty string.
permissions (Iterable[KeyVaultPermission]) – the role definition’s permissions. If unspecified when creating or updating a role definition, the role definition will have no action permissions.
assignable_scopes (Iterable[str] or Iterable[KeyVaultRoleScope]) – the scopes for which the role definition can be assigned.
- Returns
The created or updated role definition
- Return type
-
property
vault_url
¶
-
class
azure.keyvault.administration.aio.
KeyVaultBackupClient
(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶ Performs Key Vault backup and restore operations.
- Parameters
vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.
credential (
AsyncTokenCredential
) – An object which can provide an access token for the vault, such as a credential fromazure.identity.aio
- Keyword Arguments
api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.
verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.
-
async
begin_backup
(blob_storage_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller[KeyVaultBackupResult][source]¶ Begin a full backup of the Key Vault.
- Parameters
- Keyword Arguments
continuation_token (str) – a continuation token to restart polling from a saved state
- Returns
An AsyncLROPoller. Call result() on this object to get a
KeyVaultBackupResult
.- Return type
Example
# begin a vault backup backup_poller = await backup_client.begin_backup(container_uri, sas_token) # check if the backup completed done = backup_poller.done() # yield until the backup completes # result() returns an object with a URL of the backup backup_operation = await backup_poller.result()
-
async
begin_restore
(folder_url: str, sas_token: str, **kwargs: Any) → AsyncLROPoller[source]¶ Restore a Key Vault backup.
This method restores either a complete Key Vault backup or when
key_name
has a value, a single key.- Parameters
folder_url (str) – URL for the blob storage resource, including the path to the blob holding the backup. This would be the folder_url of a
KeyVaultBackupResult
returned bybegin_backup()
, for example https://<account>.blob.core.windows.net/backup/mhsm-account-2020090117323313sas_token (str) – a Shared Access Signature (SAS) token authorizing access to the blob storage resource
- Keyword Arguments
- Return type
Examples
# begin a full vault restore restore_poller = await backup_client.begin_restore(folder_url, sas_token) # check if the restore completed done = restore_poller.done() # wait for the restore to complete await restore_poller.wait()
# begin a restore of a single key from a backed up vault restore_poller = await backup_client.begin_restore(folder_url, sas_token, key_name=key_name) # check if the restore completed done = restore_poller.done() # wait for the restore to complete await restore_poller.wait()
-
async
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
property
vault_url
¶
-
class
azure.keyvault.administration.aio.
KeyVaultSettingsClient
(vault_url: str, credential: AsyncTokenCredential, **kwargs: Any)[source]¶ Provides methods to update, get, and list settings for an Azure Key Vault.
- Parameters
vault_url (str) – URL of the vault on which the client will operate. This is also called the vault’s “DNS Name”. You should validate that this URL references a valid Key Vault or Managed HSM resource. See https://aka.ms/azsdk/blog/vault-uri for details.
credential (
AsyncTokenCredential
) – An object which can provide an access token for the vault, such as a credential fromazure.identity.aio
- Keyword Arguments
api_version (ApiVersion) – Version of the service API to use. Defaults to the most recent.
verify_challenge_resource (bool) – Whether to verify the authentication challenge resource matches the Key Vault or Managed HSM domain. Defaults to True.
-
async
close
() → None¶ Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
-
async
get_setting
(name: str, **kwargs) → azure.keyvault.administration._models.KeyVaultSetting[source]¶ Gets the setting with the specified name.
- Parameters
name (str) – The name of the account setting.
- Returns
The account setting, as a
KeyVaultSetting
.- Return type
- Raises
-
async
list_settings
(**kwargs) → azure.core.async_paging.AsyncItemPaged[azure.keyvault.administration._models.KeyVaultSetting][source]¶ Lists all account settings.
- Returns
A
GetSettingsResult
object containing the account’s settings.- Return type
- Raises
-
async
update_setting
(name: str, value: str, **kwargs) → azure.keyvault.administration._models.KeyVaultSetting[source]¶ Updates a given account setting with the provided value.
- Parameters
- Returns
The updated account setting, as a
KeyVaultSetting
.- Return type
- Raises
-
property
vault_url
¶