azure.keyvault.keys package¶

class azure.keyvault.keys.ApiVersion(value)[source]¶

Key Vault API versions supported by this package

V2016_10_01 = '2016-10-01'¶

V7_0 = '7.0'¶

V7_1 = '7.1'¶

V7_2 = '7.2'¶

V7_3_PREVIEW = '7.3-preview'¶: this is the default version

class azure.keyvault.keys.DeletedKey(properties: KeyProperties, deleted_date: Optional[datetime] = None, recovery_id: Optional[str] = None, scheduled_purge_date: Optional[datetime] = None, **kwargs: Any)[source]¶

A deleted key’s properties, cryptographic material and its deletion information. If soft-delete is enabled, returns information about its recovery as well.

property deleted_date¶

When the key was deleted, in UTC

Return type: datetime or None

property id¶

The key’s id

Return type: str

property key¶

The JSON web key

Return type: JsonWebKey

property key_operations¶

Permitted operations. See KeyOperation for possible values.

Return type: list[KeyOperation or str]

property key_type¶

The key’s type. See KeyType for possible values.

Return type: KeyType or str

property name¶

The key’s name

Return type: str

property properties¶

The key’s properties

Return type: KeyProperties

property recovery_id¶

An identifier used to recover the deleted key. Returns None if soft-delete is disabled.

Return type: str or None

property scheduled_purge_date¶

When the key is scheduled to be purged, in UTC. Returns None if soft-delete is disabled.

Return type: datetime or None

class azure.keyvault.keys.JsonWebKey(**kwargs: Any)[source]¶

As defined in http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18. All parameters are optional.

Parameters

kid (str) – Key identifier.
kty (KeyType or str) – Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
key_ops (list[str or KeyOperation]) – Allowed operations for the key
n (bytes) – RSA modulus.
e (bytes) – RSA public exponent.
d (bytes) – RSA private exponent, or the D component of an EC private key.
dp (bytes) – RSA private key parameter.
dq (bytes) – RSA private key parameter.
qi (bytes) – RSA private key parameter.
p (bytes) – RSA secret prime.
q (bytes) – RSA secret prime, with p < q.
k (bytes) – Symmetric key.
t (bytes) – HSM Token, used with ‘Bring Your Own Key’.
crv (KeyCurveName or str) – Elliptic curve name.
x (bytes) – X component of an EC public key.
y (bytes) – Y component of an EC public key.

class azure.keyvault.keys.KeyClient(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶

A high-level interface for managing a vault’s keys.

Parameters

vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.
credential – An object which can provide an access token for the vault, such as a credential from azure.identity

Keyword Arguments

api_version (ApiVersion) – version of the Key Vault API to use. Defaults to the most recent.
transport (HttpTransport) – transport to use. Defaults to RequestsTransport.

Example

Create a new KeyClient¶

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

# Create a KeyClient using default Azure credentials
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url, credential)

backup_key(name: str, **kwargs: Any) → bytes [source]¶

Back up a key in a protected form useable only by Azure Key Vault.

Requires keys/backup permission.

This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region.

Parameters: name (str) – The name of the key to back up
Return type: bytes
Raises: ResourceNotFoundError if the key doesn’t exist, HttpResponseError for other errors

Example

Get a key backup¶

# backup key
key_backup = key_client.backup_key(key_name)

# returns the raw bytes of the backed up key
print(key_backup)

begin_delete_key(name: str, **kwargs: Any) → LROPoller[source]¶

Delete all versions of a key and its cryptographic material.

Requires keys/delete permission. When this method returns Key Vault has begun deleting the key. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

Parameters: name (str) – The name of the key to delete.
Returns: A poller for the delete key operation. The poller’s result method returns the DeletedKey without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the key with purge_deleted_key(), call the poller’s wait method first. It will block until the deletion is complete. The wait method requires keys/get permission.
Return type: LROPoller[DeletedKey]
Raises: ResourceNotFoundError if the key doesn’t exist, HttpResponseError for other errors

Example

Delete a key¶

# delete a key
deleted_key_poller = key_client.begin_delete_key(key_name)
deleted_key = deleted_key_poller.result()

print(deleted_key.name)

# if the vault has soft-delete enabled, the key's deleted_date,
# scheduled purge date and recovery id are set
print(deleted_key.deleted_date)
print(deleted_key.scheduled_purge_date)
print(deleted_key.recovery_id)

# if you want to block until deletion is complete, call wait() on the poller
deleted_key_poller.wait()

begin_recover_deleted_key(name: str, **kwargs: Any) → LROPoller[source]¶

Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled.

Requires keys/recover permission.

When this method returns Key Vault has begun recovering the key. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered key in another operation immediately.

Parameters: name (str) – The name of the deleted key to recover
Returns: A poller for the recovery operation. The poller’s result method returns the recovered KeyVaultKey without waiting for recovery to complete. If you want to use the recovered key immediately, call the poller’s wait method, which blocks until the key is ready to use. The wait method requires keys/get permission.
Return type: LROPoller[KeyVaultKey]
Raises: HttpResponseError

Example

Recover a deleted key¶

# recover a deleted key to its latest version (requires soft-delete enabled for the vault)
recover_key_poller = key_client.begin_recover_deleted_key(key_name)
recovered_key = recover_key_poller.result()
print(recovered_key.id)
print(recovered_key.name)

# if you want to block until key is recovered server-side, call wait() on the poller
recover_key_poller.wait()

close() → None ¶

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

create_ec_key(name: str, **kwargs: Any) → KeyVaultKey [source]¶

Create a new elliptic curve key or, if name is already in use, create a new version of the key.

Requires the keys/create permission.

Parameters

name (str) – The name for the new key.

Keyword Arguments

curve (KeyCurveName or str) – Elliptic curve name. Defaults to the NIST P-256 elliptic curve.
key_operations (list[KeyOperation or str]) – Allowed key operations
hardware_protected (bool) – Whether the key should be created in a hardware security module. Defaults to False.
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
exportable (bool) – Whether the private key can be exported.
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The created key

Return type

KeyVaultKey

Raises

HttpResponseError

Example

Create an elliptic curve key¶

key_curve = "P-256"

# create an EC (Elliptic curve) key with curve specification
# EC key can be created with default curve of 'P-256'
ec_key = key_client.create_ec_key(key_name, curve=key_curve)

print(ec_key.id)
print(ec_key.properties.version)
print(ec_key.key_type)
print(ec_key.key.crv)

create_key(name: str, key_type: Union[str, KeyType], **kwargs: Any) → KeyVaultKey [source]¶

Create a key or, if name is already in use, create a new version of the key.

Requires keys/create permission.

Parameters

name (str) – The name of the new key.
key_type (KeyType or str) – The type of key to create

Keyword Arguments

size (int) – Key size in bits. Applies only to RSA and symmetric keys. Consider using create_rsa_key() or create_oct_key() instead.
curve (KeyCurveName or str) – Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256 elliptic curve. To create an elliptic curve key, consider using create_ec_key() instead.
public_exponent (int) – The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
key_operations (list[KeyOperation or str]) – Allowed key operations
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
exportable (bool) – Whether the private key can be exported.
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The created key

Return type

KeyVaultKey

Raises

HttpResponseError

Example

Create a key¶

from dateutil import parser as date_parse

expires_on = date_parse.parse("2050-02-02T08:00:00.000Z")

# create a key with optional arguments
key = key_client.create_key(key_name, KeyType.rsa_hsm, expires_on=expires_on)

print(key.name)
print(key.id)
print(key.key_type)
print(key.properties.expires_on)

create_oct_key(name: str, **kwargs: Any) → KeyVaultKey [source]¶

Create a new octet sequence (symmetric) key or, if name is in use, create a new version of the key.

Requires the keys/create permission.

Parameters

name (str) – The name for the new key.

Keyword Arguments

size (int) – Key size in bits, for example 128, 192, or 256.
key_operations (list[KeyOperation or str]) – Allowed key operations.
hardware_protected (bool) – Whether the key should be created in a hardware security module. Defaults to False.
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
exportable (bool) – Whether the key can be exported.
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The created key

Return type

KeyVaultKey

Raises

HttpResponseError

Example

Create an octet sequence (symmetric) key¶

key = key_client.create_oct_key(key_name, size=256, hardware_protected=True)

print(key.id)
print(key.name)
print(key.key_type)

create_rsa_key(name: str, **kwargs: Any) → KeyVaultKey [source]¶

Create a new RSA key or, if name is already in use, create a new version of the key

Requires the keys/create permission.

Parameters

name (str) – The name for the new key.

Keyword Arguments

size (int) – Key size in bits, for example 2048, 3072, or 4096.
public_exponent (int) – The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM.
hardware_protected (bool) – Whether the key should be created in a hardware security module. Defaults to False.
key_operations (list[KeyOperation or str]) – Allowed key operations
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
exportable (bool) – Whether the private key can be exported.
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The created key

Return type

KeyVaultKey

Raises

HttpResponseError

Example

Create RSA key¶

key_size = 2048
key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]

# create an rsa key with size specification
# RSA key can be created with default size of '2048'
key = key_client.create_rsa_key(key_name, hardware_protected=True, size=key_size, key_operations=key_ops)

print(key.id)
print(key.name)
print(key.key_type)
print(key.key_operations)

get_cryptography_client(key_name: str, **kwargs: Any) → CryptographyClient[source]¶

Gets a CryptographyClient for the given key.

Parameters: key_name (str) – The name of the key used to perform cryptographic operations.
Keyword Arguments: key_version (str) – Optional version of the key used to perform cryptographic operations.
Returns: A CryptographyClient using the same options, credentials, and HTTP client as this KeyClient.
Return type: CryptographyClient

get_deleted_key(name: str, **kwargs: Any) → DeletedKey [source]¶

Get a deleted key. Possible only in a vault with soft-delete enabled.

Requires keys/get permission.

Parameters: name (str) – The name of the key
Returns: The deleted key
Return type: DeletedKey
Raises: ResourceNotFoundError if the key doesn’t exist, HttpResponseError for other errors

Example

Get a deleted key¶

# get a deleted key (requires soft-delete enabled for the vault)
deleted_key = key_client.get_deleted_key(key_name)
print(deleted_key.name)

# if the vault has soft-delete enabled, the key's deleted_date
# scheduled purge date and recovery id are set
print(deleted_key.deleted_date)
print(deleted_key.scheduled_purge_date)
print(deleted_key.recovery_id)

get_key(name: str, version: Optional[str] = None, **kwargs: Any) → KeyVaultKey [source]¶

Get a key’s attributes and, if it’s an asymmetric key, its public material.

Requires keys/get permission.

Parameters

name (str) – The name of the key to get.
version (str) – (optional) A specific version of the key to get. If not specified, gets the latest version of the key.

Return type

KeyVaultKey

Raises

ResourceNotFoundError if the key doesn’t exist, HttpResponseError for other errors

Example

Get a key¶

# get the latest version of a key
key = key_client.get_key(key_name)

# alternatively, specify a version
key_version = key.properties.version
key = key_client.get_key(key_name, key_version)

print(key.id)
print(key.name)
print(key.properties.version)
print(key.key_type)
print(key.properties.vault_url)

get_key_rotation_policy(name: str, **kwargs: Any) → KeyRotationPolicy [source]¶

Get the rotation policy of a Key Vault key.

Parameters

name (str) – The name of the key.

Returns

The key rotation policy.

Return type

KeyRotationPolicy

Raises

class: ~azure.core.exceptions.HttpResponseError

get_random_bytes(count: int, **kwargs: Any) → bytes [source]¶

Get the requested number of random bytes from a managed HSM.

Parameters: count (int) – The requested number of random bytes.
Returns: The random bytes.
Return type: bytes
Raises: ValueError if less than one random byte is requested, HttpResponseError for other errors

Example

Get random bytes¶

# get eight random bytes from a managed HSM
random_bytes = client.get_random_bytes(count=8)

import_key(name: str, key: JsonWebKey, **kwargs: Any) → KeyVaultKey [source]¶

Import a key created externally.

Requires keys/import permission. If name is already in use, the key will be imported as a new version.

Parameters

name (str) – Name for the imported key
key (JsonWebKey) – The JSON web key to import

Keyword Arguments

hardware_protected (bool) – Whether the key should be backed by a hardware security module
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
exportable (bool) – Whether the private key can be exported.
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The imported key

Return type

KeyVaultKey

Raises

HttpResponseError

list_deleted_keys(**kwargs: Any) → ItemPaged[DeletedKey][source]¶

List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled.

Requires keys/list permission.

Returns: An iterator of deleted keys
Return type: ItemPaged[DeletedKey]

Example

List all the deleted keys¶

# get an iterator of deleted keys (requires soft-delete enabled for the vault)
deleted_keys = key_client.list_deleted_keys()

for key in deleted_keys:
    print(key.id)
    print(key.name)
    print(key.scheduled_purge_date)
    print(key.recovery_id)
    print(key.deleted_date)

list_properties_of_key_versions(name: str, **kwargs: Any) → ItemPaged[KeyProperties][source]¶

List the identifiers and properties of a key’s versions.

Requires keys/list permission.

Parameters: name (str) – The name of the key
Returns: An iterator of keys without their cryptographic material
Return type: ItemPaged[KeyProperties]

Example

List all versions of a key¶

# get an iterator of a key's versions
key_versions = key_client.list_properties_of_key_versions("key-name")

for key in key_versions:
    print(key.id)
    print(key.name)

list_properties_of_keys(**kwargs: Any) → ItemPaged[KeyProperties][source]¶

List identifiers and properties of all keys in the vault.

Requires keys/list permission.

Returns: An iterator of keys without their cryptographic material or version information
Return type: ItemPaged[KeyProperties]

Example

List all keys¶

# get an iterator of keys
keys = key_client.list_properties_of_keys()

for key in keys:
    print(key.id)
    print(key.name)

purge_deleted_key(name: str, **kwargs: Any) → None [source]¶

Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled.

Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not available if the recovery_level does not specify ‘Purgeable’. This method is only necessary for purging a key before its scheduled_purge_date.

Requires keys/purge permission.

Parameters: name (str) – The name of the deleted key to purge
Returns: None
Raises: HttpResponseError

Example

# if the vault has soft-delete enabled, purge permanently deletes a deleted key
# (with soft-delete disabled, begin_delete_key is permanent)
key_client.purge_deleted_key("key-name")

release_key(name: str, target_attestation_token: str, version: Optional[str] = None, **kwargs: Any) → ReleaseKeyResult [source]¶

Releases a key.

The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission.

Parameters

name (str) – The name of the key to get.
target_attestation_token (str) – The attestation assertion for the target of the key release.
version (str) – (optional) A specific version of the key to release. If unspecified, the latest version is released.

Keyword Arguments

algorithm (KeyExportEncryptionAlgorithm) – The encryption algorithm to use to protect the released key material.
nonce (str) – A client-provided nonce for freshness.

Returns

The result of the key release.

Return type

ReleaseKeyResult

Raises

HttpResponseError

restore_key_backup(backup: bytes, **kwargs: Any) → KeyVaultKey [source]¶

Restore a key backup to the vault.

Requires keys/restore permission.

This imports all versions of the key, with its name, attributes, and access control policies. If the key’s name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.

Parameters: backup (bytes) – A key backup as returned by backup_key()
Returns: The restored key
Return type: KeyVaultKey
Raises: ResourceExistsError if the backed up key’s name is already in use, HttpResponseError for other errors

Example

Restore a key backup¶

# restore a key backup
restored_key = key_client.restore_key_backup(key_backup)
print(restored_key.id)
print(restored_key.properties.version)

rotate_key(name: str, **kwargs: Any) → KeyVaultKey [source]¶

Rotate the key based on the key policy by generating a new version of the key.

This operation requires the keys/rotate permission.

Parameters: name (str) – The name of the key to rotate.
Returns: The new version of the rotated key.
Return type: KeyVaultKey
Raises: HttpResponseError

update_key_properties(name: str, version: Optional[str] = None, **kwargs: Any) → KeyVaultKey [source]¶

Change a key’s properties (not its cryptographic material).

Requires keys/update permission.

Parameters

name (str) – The name of key to update
version (str) – (optional) The version of the key to update. If unspecified, the latest version is updated.

Keyword Arguments

key_operations (list[KeyOperation or str]) – Allowed key operations
enabled (bool) – Whether the key is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
not_before (datetime) – Not before date of the key in UTC
expires_on (datetime) – Expiry date of the key in UTC
release_policy (KeyReleasePolicy) – The policy rules under which the key can be exported.

Returns

The updated key

Return type

KeyVaultKey

Raises

ResourceNotFoundError if the key doesn’t exist, HttpResponseError for other errors

Example

Update a key’s attributes¶

# update attributes of an existing key
expires_on = date_parse.parse("2050-01-02T08:00:00.000Z")
tags = {"foo": "updated tag"}
updated_key = key_client.update_key_properties(key.name, expires_on=expires_on, tags=tags)

print(updated_key.properties.version)
print(updated_key.properties.updated_on)
print(updated_key.properties.expires_on)
print(updated_key.properties.tags)
print(key.key_type)

update_key_rotation_policy(name: str, **kwargs: Any) → KeyRotationPolicy [source]¶

Updates the rotation policy of a Key Vault key.

This operation requires the keys/update permission.

Parameters

name (str) – The name of the key in the given vault.

Keyword Arguments

lifetime_actions (Iterable[KeyRotationLifetimeAction]) – Actions that will be performed by Key Vault over the lifetime of a key.
expires_in (str) – The expiry time of the policy that will be applied on new key versions, defined as an ISO 8601 duration. For example: 90 days is “P90D”, 3 months is “P3M”, and 48 hours is “PT48H”.

Returns

The updated rotation policy.

Return type

KeyRotationPolicy

Raises

HttpResponseError

property vault_url¶

class azure.keyvault.keys.KeyCurveName(value)[source]¶

Supported elliptic curves

p_256 = 'P-256'¶: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.

p_256_k = 'P-256K'¶: The SECG SECP256K1 elliptic curve.

p_384 = 'P-384'¶: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.

p_521 = 'P-521'¶: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.

class azure.keyvault.keys.KeyExportEncryptionAlgorithm(value)[source]¶

Supported algorithms for protecting exported key material

CKM_RSA_AES_KEY_WRAP = 'CKM_RSA_AES_KEY_WRAP'¶

RSA_AES_KEY_WRAP_256 = 'RSA_AES_KEY_WRAP_256'¶

RSA_AES_KEY_WRAP_384 = 'RSA_AES_KEY_WRAP_384'¶

class azure.keyvault.keys.KeyOperation(value)[source]¶

Supported key operations

decrypt = 'decrypt'¶

encrypt = 'encrypt'¶

export = 'export'¶

import_key = 'import'¶

sign = 'sign'¶

unwrap_key = 'unwrapKey'¶

verify = 'verify'¶

wrap_key = 'wrapKey'¶

class azure.keyvault.keys.KeyProperties(key_id: str, attributes: Optional[_models.KeyAttributes] = None, **kwargs: Any)[source]¶

A key’s id and attributes.

property created_on¶

When the key was created, in UTC

Return type: datetime or None

property enabled¶

Whether the key is enabled for use

Return type: bool or None

property expires_on¶

When the key will expire, in UTC

Return type: datetime or None

property exportable¶

Whether the private key can be exported

Return type: bool

property id¶

The key’s id

Return type: str

property managed¶

Returns whether the key’s lifetime is managed by key vault

Return type: bool

property name¶

The key’s name

Return type: str

property not_before¶

The time before which the key can not be used, in UTC

Return type: datetime or None

property recoverable_days¶

The number of days the key is retained before being deleted from a soft-delete enabled Key Vault.

Return type: int or None

property recovery_level¶

The vault’s deletion recovery level for keys

Return type: str or None

property release_policy¶

The KeyReleasePolicy specifying the rules under which the key can be exported.

Return type: KeyReleasePolicy

property tags¶

Application specific metadata in the form of key-value pairs

Return type: dict[str, str]

property updated_on¶

When the key was last updated, in UTC

Return type: datetime or None

property vault_url¶

URL of the vault containing the key

Return type: str

property version¶

The key’s version

Return type: str or None

class azure.keyvault.keys.KeyReleasePolicy(data: bytes, **kwargs: Any)[source]¶

The policy rules under which a key can be exported.

Parameters: data (bytes) – Blob encoding the policy rules under which the key can be released.
Keyword Arguments: content_type (str) – Content type and version of the release policy. Defaults to “application/json; charset=utf-8” if omitted.

class azure.keyvault.keys.KeyRotationLifetimeAction(action: KeyRotationPolicyAction, **kwargs: Any)[source]¶

An action and its corresponding trigger that will be performed by Key Vault over the lifetime of a key.

Parameters

action (KeyRotationPolicyAction or str) – The action that will be executed.

Keyword Arguments

time_after_create (str) – Time after creation to attempt the specified action, as an ISO 8601 duration. For example, 90 days is “P90D”.
time_before_expiry (str) – Time before expiry to attempt the specified action, as an ISO 8601 duration. For example, 90 days is “P90D”.

class azure.keyvault.keys.KeyRotationPolicy(policy_id: str, **kwargs: Any)[source]¶

The key rotation policy that belongs to a key.

Variables

id (str) – The identifier of the key rotation policy.
lifetime_actions – Actions that will be performed by Key Vault over the lifetime of a key.
expires_in (str) – The expiry time of the policy that will be applied on new key versions, defined as an ISO 8601 duration. For example, 90 days is “P90D”.
created_on – When the policy was created, in UTC
updated_on – When the policy was last updated, in UTC

class azure.keyvault.keys.KeyRotationPolicyAction(value)[source]¶

The action that will be executed in a key rotation policy

NOTIFY = 'Notify'¶: Trigger Event Grid events.

ROTATE = 'Rotate'¶: Rotate the key based on the key policy.

class azure.keyvault.keys.KeyType(value)[source]¶

Supported key types

ec = 'EC'¶: Elliptic Curve

ec_hsm = 'EC-HSM'¶: Elliptic Curve with a private key which is not exportable from the HSM

oct = 'oct'¶: Octet sequence (used to represent symmetric keys)

oct_hsm = 'oct-HSM'¶: Octet sequence with a private key which is not exportable from the HSM

rsa = 'RSA'¶

rsa_hsm = 'RSA-HSM'¶: RSA with a private key which is not exportable from the HSM

class azure.keyvault.keys.KeyVaultKey(key_id: str, jwk: Optional[dict] = None, **kwargs: Any)[source]¶

A key’s attributes and cryptographic material.

Parameters

key_id (str) – Key Vault’s identifier for the key. Typically a URI, e.g. https://myvault.vault.azure.net/keys/my-key/version
jwk – The key’s cryptographic material as a JSON Web Key (https://tools.ietf.org/html/rfc7517). This may be provided as a dictionary or keyword arguments. See JsonWebKey for field names.

Providing cryptographic material as keyword arguments:

from azure.keyvault.keys.models import KeyVaultKey

key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version'
key_bytes = os.urandom(32)
key = KeyVaultKey(key_id, k=key_bytes, kty='oct', key_ops=['unwrapKey', 'wrapKey'])

Providing cryptographic material as a dictionary:

from azure.keyvault.keys.models import KeyVaultKey

key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version'
key_bytes = os.urandom(32)
jwk = {'k': key_bytes, 'kty': 'oct', 'key_ops': ['unwrapKey', 'wrapKey']}
key = KeyVaultKey(key_id, jwk=jwk)

property id¶

The key’s id

Return type: str

property key¶

The JSON web key

Return type: JsonWebKey

property key_operations¶

Permitted operations. See KeyOperation for possible values.

Return type: list[KeyOperation or str]

property key_type¶

The key’s type. See KeyType for possible values.

Return type: KeyType or str

property name¶

The key’s name

Return type: str

property properties¶

The key’s properties

Return type: KeyProperties

class azure.keyvault.keys.KeyVaultKeyIdentifier(source_id: str)[source]¶

Information about a KeyVaultKey parsed from a key ID.

Parameters: source_id (str) – the full original identifier of a key
Raises: ValueError – if the key ID is improperly formatted

Example

Parse a key’s ID¶

key = client.get_key(key_name)
parsed_key_id = KeyVaultKeyIdentifier(key.id)

print(parsed_key_id.name)
print(parsed_key_id.vault_url)
print(parsed_key_id.version)
print(parsed_key_id.source_id)

property name¶

property source_id¶

property vault_url¶

property version¶

class azure.keyvault.keys.ReleaseKeyResult(value: str)[source]¶

The result of a key release operation.

Variables: value (str) – A signed token containing the released key.

azure.keyvault.keys package¶

Subpackages¶