azure.keyvault.secrets package¶
-
class
azure.keyvault.secrets.
SecretClient
(vault_url, credential, **kwargs)[source]¶ A high-level interface for managing a vault’s secrets.
- Parameters
vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.
credential – An object which can provide an access token for the vault, such as a credential from
azure.identity
- Keyword Arguments
api_version (str) – version of the Key Vault API to use. Defaults to the most recent.
transport (HttpTransport) – transport to use. Defaults to
RequestsTransport
.
Example
from azure.identity import DefaultAzureCredential from azure.keyvault.secrets import SecretClient # Create a SecretClient using default Azure credentials credentials = DefaultAzureCredential() secret_client = SecretClient(vault_url, credentials)
-
backup_secret
(name, **kwargs)[source]¶ Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission.
- Parameters
name (str) – Name of the secret to back up
- Return type
- Raises
ResourceNotFoundError
if the secret doesn’t exist,HttpResponseError
for other errors
Example
# backup secret # returns the raw bytes of the backed up secret secret_backup = secret_client.backup_secret("secret-name") print(secret_backup)
-
begin_delete_secret
(name, **kwargs)[source]¶ Delete all versions of a secret. Requires secrets/delete permission.
When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
- Parameters
name (str) – Name of the secret to delete.
- Returns
A poller for the delete operation. The poller’s result method returns the
DeletedSecret
without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the secret withpurge_deleted_secret()
, call the poller’s wait method first. It will block until the deletion is complete. The wait method requires secrets/get permission.- Return type
- Raises
ResourceNotFoundError
if the secret doesn’t exist,HttpResponseError
for other errors
Example
# delete a secret deleted_secret_poller = secret_client.begin_delete_secret("secret-name") deleted_secret = deleted_secret_poller.result() print(deleted_secret.name) # if the vault has soft-delete enabled, the secret's, deleted_date # scheduled purge date and recovery id are set print(deleted_secret.deleted_date) print(deleted_secret.scheduled_purge_date) print(deleted_secret.recovery_id) # if you want to block until secret is deleted server-side, call wait() on the poller deleted_secret_poller.wait()
-
begin_recover_deleted_secret
(name, **kwargs)[source]¶ Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled.
If the vault does not have soft-delete enabled,
begin_delete_secret()
is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error.When this method returns Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately.
Requires the secrets/recover permission.
- Parameters
name (str) – Name of the deleted secret to recover
- Returns
A poller for the recovery operation. The poller’s result method returns the recovered
Secret
without waiting for recovery to complete. If you want to use the recovered secret immediately, call the poller’s wait method, which blocks until the secret is ready to use. The wait method requires secrets/get permission.- Return type
- Raises
Example
# recover deleted secret to the latest version recover_secret_poller = secret_client.begin_recover_deleted_secret("secret-name") recovered_secret = recover_secret_poller.result() print(recovered_secret.id) print(recovered_secret.name) # if you want to block until secret is recovered server-side, call wait() on the poller recover_secret_poller.wait()
-
get_deleted_secret
(name, **kwargs)[source]¶ Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.
- Parameters
name (str) – Name of the deleted secret
- Return type
- Raises
ResourceNotFoundError
if the deleted secret doesn’t exist,HttpResponseError
for other errors
Example
# gets a deleted secret (requires soft-delete enabled for the vault) deleted_secret = secret_client.get_deleted_secret("secret-name") print(deleted_secret.name)
-
get_secret
(name, version=None, **kwargs)[source]¶ Get a secret. Requires the secrets/get permission.
- Parameters
- Return type
- Raises
ResourceNotFoundError
if the secret doesn’t exist,HttpResponseError
for other errors
Example
# get the latest version of a secret secret = secret_client.get_secret("secret-name") # alternatively, specify a version secret = secret_client.get_secret("secret-name", secret.properties.version) print(secret.id) print(secret.name) print(secret.properties.version) print(secret.properties.vault_url)
-
list_deleted_secrets
(**kwargs)[source]¶ Lists all deleted secrets. Possible only in vaults with soft-delete enabled.
Requires secrets/list permission.
- Returns
An iterator of deleted secrets, excluding their values
- Return type
Example
# gets an iterator of deleted secrets (requires soft-delete enabled for the vault) deleted_secrets = secret_client.list_deleted_secrets() for secret in deleted_secrets: # the list doesn't include values or versions of the deleted secrets print(secret.id) print(secret.name) print(secret.scheduled_purge_date) print(secret.recovery_id) print(secret.deleted_date)
-
list_properties_of_secret_versions
(name, **kwargs)[source]¶ List properties of all versions of a secret, excluding their values. Requires secrets/list permission.
List items don’t include secret values. Use
get_secret()
to get a secret’s value.- Parameters
name (str) – Name of the secret
- Returns
An iterator of secrets, excluding their values
- Return type
Example
secret_versions = secret_client.list_properties_of_secret_versions("secret-name") for secret in secrets: # the list doesn't include the values at each version print(secret.id) print(secret.enabled) print(secret.updated_on)
-
list_properties_of_secrets
(**kwargs)[source]¶ List identifiers and attributes of all secrets in the vault. Requires secrets/list permission.
List items don’t include secret values. Use
get_secret()
to get a secret’s value.- Returns
An iterator of secrets, excluding their values
- Return type
Example
# list secrets secrets = secret_client.list_properties_of_secrets() for secret in secrets: # the list doesn't include values or versions of the secrets print(secret.id) print(secret.name) print(secret.enabled)
-
purge_deleted_secret
(name, **kwargs)[source]¶ Permanently delete a secret. Possible only in vaults with soft-delete enabled.
If the vault doesn’t have soft-delete enabled,
begin_delete_secret()
permanently deletes the secret, and this method will return an error.Requires secrets/purge permission.
- Parameters
name (str) – Name of the secret to purge
- Returns
None
- Raises
Example
# if the vault has soft-delete enabled, purge permanently deletes the secret # (with soft-delete disabled, begin_delete_secret is permanent) secret_client.purge_deleted_secret("secret-name")
-
restore_secret_backup
(backup, **kwargs)[source]¶ Restore a backed up secret. Requires the secrets/restore permission.
- Parameters
backup (bytes) – A secret backup as returned by
backup_secret()
- Returns
The restored secret
- Return type
- Raises
ResourceExistsError
if the secret’s name is already in use,HttpResponseError
for other errors
Example
# restores a backed up secret restored_secret = secret_client.restore_secret_backup(secret_backup) print(restored_secret.id) print(restored_secret.version)
-
set_secret
(name, value, **kwargs)[source]¶ Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret.
Requires secrets/set permission.
- Parameters
- Keyword Arguments
enabled (bool) – Whether the secret is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
content_type (str) – An arbitrary string indicating the type of the secret, e.g. ‘password’
not_before (datetime) – Not before date of the secret in UTC
expires_on (datetime) – Expiry date of the secret in UTC
- Return type
- Raises
Example
from dateutil import parser as date_parse expires_on = date_parse.parse("2050-02-02T08:00:00.000Z") # create a secret, setting optional arguments secret = secret_client.set_secret("secret-name", "secret-value", expires_on=expires_on) print(secret.name) print(secret.properties.version) print(secret.properties.expires_on)
-
update_secret_properties
(name, version=None, **kwargs)[source]¶ Update properties of a secret other than its value. Requires secrets/set permission.
This method updates properties of the secret, such as whether it’s enabled, but can’t change the secret’s value. Use
set_secret()
to change the secret’s value.- Parameters
- Keyword Arguments
enabled (bool) – Whether the secret is enabled for use.
tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.
content_type (str) – An arbitrary string indicating the type of the secret, e.g. ‘password’
not_before (datetime) – Not before date of the secret in UTC
expires_on (datetime) – Expiry date of the secret in UTC
- Return type
- Raises
ResourceNotFoundError
if the secret doesn’t exist,HttpResponseError
for other errors
Example
# update attributes of an existing secret content_type = "text/plain" tags = {"foo": "updated tag"} updated_secret_properties = secret_client.update_secret_properties( "secret-name", content_type=content_type, tags=tags ) print(updated_secret_properties.version) print(updated_secret_properties.updated_on) print(updated_secret_properties.content_type) print(updated_secret_properties.tags)
-
property
vault_url
¶
-
class
azure.keyvault.secrets.
KeyVaultSecret
(properties, value)[source]¶ All of a secret’s properties, and its value.
-
property
properties
¶ The secret’s properties
- Return type
-
property
-
class
azure.keyvault.secrets.
SecretProperties
(attributes, vault_id, **kwargs)[source]¶ A secret’s id and attributes.
-
property
key_id
¶ If this secret backs a certificate, this property is the identifier of the corresponding key.
- Return type
Application specific metadata in the form of key-value pairs
- Return type
-
property
-
class
azure.keyvault.secrets.
DeletedSecret
(properties, deleted_date=None, recovery_id=None, scheduled_purge_date=None)[source]¶ A deleted secret’s properties and information about its deletion. If soft-delete is enabled, returns information about its recovery as well.
-
property
properties
¶ The properties of the deleted secret
- Return type
-
property
recovery_id
¶ An identifier used to recover the deleted secret. Returns
None
if soft-delete is disabled.- Return type
-
property