%global _empty_manifest_terminate_build 0 Name: python-azure-keyvault-keys Version: 4.8.0 Release: 1 Summary: Microsoft Azure Key Vault Keys Client Library for Python License: MIT License URL: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys Source0: https://mirrors.nju.edu.cn/pypi/web/packages/a1/99/55c0362207729f4849cafcb1a6e8dcacf3f9ac877d91177ec934ce291d0e/azure-keyvault-keys-4.8.0.zip BuildArch: noarch Requires: python3-azure-common Requires: python3-azure-core Requires: python3-cryptography Requires: python3-isodate Requires: python3-typing-extensions %description # Azure Key Vault Keys client library for Python Azure Key Vault helps solve the following problems: - Cryptographic key management (this library) - create, store, and control access to the keys used to encrypt your data - Secrets management ([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets - Certificate management ([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) - create, manage, and deploy public and private SSL/TLS certificates - Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options [Source code][library_src] | [Package (PyPI)][pypi_package_keys] | [Package (Conda)](https://anaconda.org/microsoft/azure-keyvault/) | [API reference documentation][reference_docs] | [Product documentation][azure_keyvault] | [Samples][key_samples] ## _Disclaimer_ _Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_. _Python 3.7 or later is required to use this package. For more details, please refer to [Azure SDK for Python version support policy](https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy)._ ## Getting started ### Install the package Install [azure-keyvault-keys][pypi_package_keys] and [azure-identity][azure_identity_pypi] with [pip][pip]: ```Bash pip install azure-keyvault-keys azure-identity ``` [azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below. ### Prerequisites * An [Azure subscription][azure_sub] * Python 3.7 or later * An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli]. * If using Managed HSM, an existing [Key Vault Managed HSM][managed_hsm]. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli]. ### Authenticate the client In order to interact with the Azure Key Vault service, you will need an instance of a [KeyClient][key_client_docs], as well as a **vault url** and a credential object. This document demonstrates using a [DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios, including local development and production environments. We recommend using a [managed identity][managed_identity] for authentication in production environments. See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their corresponding credential types. #### Create a client After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of authentication, you can do the following to create a key client (replacing the value of `VAULT_URL` with your vault's URL): ```python VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) ``` > **NOTE:** For an asynchronous client, import `azure.keyvault.keys.aio`'s `KeyClient` instead. ## Key concepts ### Keys Azure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security modules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys and supported operations and algorithms, see the [Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys). [KeyClient][key_client_docs] can create keys in the vault, get existing keys from the vault, update key metadata, and delete keys, as shown in the [examples](#examples) below. ## Examples This section contains code snippets covering common tasks: * [Create a key](#create-a-key) * [Retrieve a key](#retrieve-a-key) * [Update an existing key](#update-an-existing-key) * [Delete a key](#delete-a-key) * [Configure automatic key rotation](#configure-automatic-key-rotation) * [List keys](#list-keys) * [Perform cryptographic operations](#cryptographic-operations) * [Async API](#async-api) * [Asynchronously create a key](#asynchronously-create-a-key) * [Asynchronously list keys](#asynchronously-list-keys) ### Create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of that key is created. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Retrieve a key [get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key previously stored in the Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") print(key.name) ``` ### Update an existing key [update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties) updates the properties of a key previously stored in the Key Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # we will now disable the key for further use updated_key = key_client.update_key_properties("key-name", enabled=False) print(updated_key.name) print(updated_key.properties.enabled) ``` ### Delete a key [begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key) requests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as soon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) deleted_key = key_client.begin_delete_key("key-name").result() print(deleted_key.name) print(deleted_key.deleted_date) ``` ### Configure automatic key rotation [update_key_rotation_policy](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.update_key_rotation_policy) allows you to configure automatic key rotation for a key by specifying a rotation policy. In addition, [rotate_key](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.rotate_key) allows you to rotate a key on-demand by creating a new version of the given key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Set the key's automated rotation policy to rotate the key 30 days before the key expires actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_before_expiry="P30D")] # You may also specify the duration after which the newly rotated key will expire # In this example, any new key versions will expire after 90 days updated_policy = key_client.update_key_rotation_policy("key-name", expires_in="P90D", lifetime_actions=actions) # You can get the current rotation policy for a key with get_key_rotation_policy current_policy = key_client.get_key_rotation_policy("key-name") # Finally, you can rotate a key on-demand by creating a new version of the key rotated_key = key_client.rotate_key("key-name") ``` ### List keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() for key in keys: # the list doesn't include values or versions of the keys print(key.name) ``` ### Cryptographic operations [CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient) enables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") crypto_client = CryptographyClient(key, credential=credential) plaintext = b"plaintext" result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext) decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext) ``` See the [package documentation][crypto_client_docs] for more details of the cryptography API. ### Async API This library includes a complete set of async APIs. To use them, you must first install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/). See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport) for more information. Async clients and credentials should be closed when they're no longer needed. These objects are async context managers and define async `close` methods. For example: ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() # call close when the client and credential are no longer needed client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) ... await client.close() await credential.close() # alternatively, use them as async context managers (contextlib.AsyncExitStack can help) client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) async with client: async with credential: ... ``` ### Asynchronously create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of the key is created. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = await key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = await key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Asynchronously list keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() async for key in keys: print(key.name) ``` ## Troubleshooting See the `azure-keyvault-keys` [troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md) for details on how to diagnose various failure scenarios. ### General Key Vault clients raise exceptions defined in [azure-core][azure_core_exceptions]. For example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs] raises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error): ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.core.exceptions import ResourceNotFoundError credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) try: key_client.get_key("which-does-not-exist") except ResourceNotFoundError as e: print(e.message) ``` ### Logging This library uses the standard [logging](https://docs.python.org/3/library/logging.html) library for logging. Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO level. Detailed DEBUG level logging, including request/response bodies and unredacted headers, can be enabled on a client with the `logging_enable` argument: ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient import sys import logging # Create a logger for the 'azure' SDK logger = logging.getLogger('azure') logger.setLevel(logging.DEBUG) # Configure a console output handler = logging.StreamHandler(stream=sys.stdout) logger.addHandler(handler) credential = DefaultAzureCredential() # This client will log detailed information about its HTTP sessions, at DEBUG level client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential, logging_enable=True) ``` Similarly, `logging_enable` can enable detailed logging for a single operation, even when it isn't enabled for the client: ```python client.get_key("my-key", logging_enable=True) ``` ## Next steps Several samples are available in the Azure SDK for Python GitHub repository. These provide example code for additional Key Vault scenarios: | File | Description | |-------------|-------------| | [hello_world.py][hello_world_sample] ([async version][hello_world_async_sample]) | create/get/update/delete keys | | [list_operations.py][list_operations_sample] ([async version][list_operations_async_sample]) | basic list operations for keys | | [backup_restore_operations.py][backup_operations_sample] ([async version][backup_operations_async_sample]) | back up and recover keys | | [recover_purge_operations.py][recover_purge_sample] ([async version][recover_purge_async_sample]) | recover and purge keys | | [send_request.py][send_request_sample] | use the `send_request` client method | ### Additional documentation For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs]. ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact opencode@microsoft.com with any additional questions or comments. [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions [azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity [azure_identity_pypi]: https://pypi.org/project/azure-identity/ [azure_keyvault]: https://docs.microsoft.com/azure/key-vault/ [azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli [azure_sub]: https://azure.microsoft.com/free/ [backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py [backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ [crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs [default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential [hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py [hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py [key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient [key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples [library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys [list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py [list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py [managed_hsm]: https://docs.microsoft.com/azure/key-vault/managed-hsm/overview [managed_hsm_cli]: https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli [managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview [pip]: https://pypi.org/project/pip/ [pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/ [recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py [recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py [reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs [send_request_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/send_request.py [soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-python%2Fsdk%2Fkeyvault%2Fazure-keyvault-keys%2FREADME.png) # Release History ## 4.8.0 (2023-03-16) ### Features Added - Added support for service API version `7.4` - Clients each have a `send_request` method that can be used to send custom requests using the client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172)) - (From 4.8.0b1) An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected. - Removed support for octet key pair (OKP) keys and operations ### Other Changes - Key Vault API version `7.4` is now the default - (From 4.8.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later. - (From 4.8.0b1) Updated minimum `azure-core` version to 1.24.0 - (From 4.8.0b1) Updated minimum `msrest` version to 0.7.1 - (From 4.8.0b2) Dropped `msrest` requirement - (From 4.8.0b2) Dropped `six` requirement - (From 4.8.0b2) Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - (From 4.8.0b2) Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b2 (2022-11-15) ### Features Added - Added support for service API version `7.4-preview.1` - `KeyClient` has a `create_okp_key` method to create an octet key pair (OKP) on Managed HSM - Added `eddsa` to `SignatureAlgorithm` enum to support signing and verifying using an Edwards-Curve Digital Signature Algorithm (EdDSA) on Managed HSM - Added `okp` and `okp_hsm` to `KeyType` enum for octet key pairs - Added `ed25519` to `KeyCurveName` enum to support use of the Ed25519 Edwards curve ### Other Changes - Key Vault API version `7.4-preview.1` is now the default - Dropped `msrest` requirement - Dropped `six` requirement - Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b1 (2022-09-22) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 - Updated minimum `msrest` version to 0.7.1 ## 4.7.0 (2022-09-19) ### Breaking Changes - Clients verify the challenge resource matches the vault domain. This should affect few customers, who can provide `verify_challenge_resource=False` to client constructors to disable. See https://aka.ms/azsdk/blog/vault-uri for more information. ### Other Changes - Changes from version 4.7.0b1 have been reverted and will be included in version 4.8.0b1 ## 4.7.0b1 (2022-08-12) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - The most recent release was version 4.6.1 instead of the intended version, 4.5.2. The next stable release is planned to be version 4.7.0. - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 ## 4.6.1 (2022-08-11) ### Other Changes - Documentation improvements ([#25039](https://github.com/Azure/azure-sdk-for-python/issues/25039)) ## 4.6.0b1 (2022-06-07) ### Bugs Fixed - If a key's ID contains a port number, this port will now be preserved in the vault URL of a `CryptographyClient` instance created from this key ([#24446](https://github.com/Azure/azure-sdk-for-python/issues/24446)) - Port numbers are now preserved in the `vault_url` property of a `KeyVaultKeyIdentifier` ## 4.5.1 (2022-04-18) ### Bugs Fixed - Fixed error that could occur when fetching a key rotation policy that has no defined `lifetime_actions`. ## 4.5.0 (2022-03-28) ### Features Added - Key Vault API version 7.3 is now the default - Added support for multi-tenant authentication when using `azure-identity` 1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) - (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM - (From 4.5.0b2) Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release - (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy - (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.update_key_rotation_policy` accepts a required `policy` argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and `KeyClient.update_key_rotation_policy` to `key_name` ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Enum values in `azure-keyvault-keys` are now uniformly lower-cased ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) ### Bugs Fixed - `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault keys created with non-standard casing could not be fetched with the SDK ([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797)) ### Other Changes - (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later. - (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0 - (From 4.5.0b3) Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) - (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate this parameter if `get_token` is implemented by a custom credential. - (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) ## 4.5.0b6 (2022-02-08) ### Features Added - Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to `encoded_policy` ### Other Changes - Python 2.7 is no longer supported. Please use Python version 3.6 or later. - Updated minimum `azure-core` version to 1.20.0 - Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ## 4.5.0b5 (2021-11-11) ### Features Added - Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class has been removed - Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to `key_version` - Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy` - Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token` ### Other Changes - Updated minimum `azure-core` version to 1.15.0 ## 4.5.0b4 (2021-10-07) ### Features Added - Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy ### Other Changes - `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) ## 4.5.0b3 (2021-09-09) ### Other Changes - Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) ## 4.5.0b2 (2021-08-10) ### Features Added - Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value` property, rather than returning the bytes directly ([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895)) ## 4.5.0b1 (2021-07-08) Beginning with this release, this library requires Python 2.7 or 3.6+. ### Features Added - Key Vault API version 7.3-preview is now the default - `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM ## 4.4.0 (2021-06-22) This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+. ### Changed - Key Vault API version 7.2 is now the default - (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21 ### Added - `KeyClient` has a `create_oct_key` method for creating symmetric keys - `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent` keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016)) - (From 4.4.0b1) Added support for Key Vault API version 7.2 ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - (From 4.4.0b3) Added requirement for `six`>=1.12.0 - (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.3.1. > Only code written against a beta version such as 4.4.0b1 may be affected. - `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a `KeyVaultKeyIdentifier` class, which can be initialized with a key ID ## 4.4.0b4 (2021-04-06) ### Added - `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ## 4.4.0b3 (2021-03-11) ### Added - `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - Added requirement for six>=1.12.0 ## 4.4.0b2 (2021-02-10) ### Fixed - API versions older than 7.2-preview no longer raise `ImportError` when performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680)) ## 4.4.0b1 (2021-02-10) ### Changed - Key Vault API version 7.2-preview is now the default - Updated msrest requirement to >=0.6.21 ### Added - Support for Key Vault API version 7.2-preview ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - Added method `parse_key_vault_key_id` that parses out a full ID returned by Key Vault, so users can easily access the key's `name`, `vault_url`, and `version`. ## 4.3.1 (2020-12-03) ### Fixed - `CryptographyClient` operations no longer raise `AttributeError` when the client was constructed with a key ID ([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608)) ## 4.3.0 (2020-10-06) ### Changed - `CryptographyClient` can perform decrypt and sign operations locally ([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754)) ### Fixed - Correct typing for async paging methods ## 4.2.0 (2020-08-11) ### Fixed - Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers are no longer redacted in logging output - `CryptographyClient` will no longer perform encrypt or wrap operations when its key has expired or is not yet valid ### Changed - Key Vault API version 7.1 is now the default - Updated minimum `azure-core` version to 1.7.0 ### Added - At construction, clients accept a `CustomHookPolicy` through the optional keyword argument `custom_hook_policy` - All client requests include a unique ID in the header `x-ms-client-request-id` - Dependency on `azure-common` for multiapi support ## 4.2.0b1 (2020-03-10) - Support for Key Vault API version 7.1-preview ([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124)) - Added `import_key` to `KeyOperation` - Added `recoverable_days` to `CertificateProperties` - Added `ApiVersion` enum identifying Key Vault versions supported by this package ## 4.1.0 (2020-03-10) - `KeyClient` instances have a `close` method which closes opened sockets. Used as a context manager, a `KeyClient` closes opened sockets on exit. ([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906)) - Pollers no longer sleep after operation completion ([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991)) ## 4.0.1 (2020-02-11) - `azure.keyvault.keys` defines `__version__` - Challenge authentication policy preserves request options ([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999)) - Updated `msrest` requirement to >=0.6.0 - Challenge authentication policy requires TLS ([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457)) - Methods no longer raise the internal error `KeyVaultErrorException` ([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690)) - Fix `AttributeError` in async CryptographyClient when verifying signatures remotely ([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734)) ## 4.0.0 (2019-10-31) ### Breaking changes: - Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()` - Moved the optional parameters of several methods into kwargs ( [docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html) detail the new keyword arguments): - `create_key` now has positional parameters `name` and `key_type` - `create_ec_key` and `create_rsa_key` now have one positional parameter, `name` - `update_key_properties` now has two positional parameters, `name` and (optional) `version` - `import_key` now has positional parameters `name` and `key` - `CryptographyClient` operations return class instances instead of tuples and renamed the following properties - Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext` - Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key` - Renamed the `result` property of `VerifyResult` to `is_valid` - Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult` - Renamed `list_keys` to `list_properties_of_keys` - Renamed `list_key_versions` to `list_properties_of_key_versions` - Renamed sync method `delete_key` to `begin_delete_key` - The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey` - Renamed `Key` to `KeyVaultKey` - `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`, `expires_on`, and `updated_on` - The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url` - The property `vault_endpoint` has been renamed to `vault_url` in all models ### New features: - Now all `CryptographyClient` returns include `key_id` and `algorithm` properties ## 4.0.0b4 (2019-10-08) - Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have been renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively. - `Key` now has attribute `properties`, which holds certain properties of the key, such as `version`. This changes the shape of the returned `Key` type, as certain properties of `Key` (such as `version`) have to be accessed through the `properties` property. - `update_key` has been renamed to `update_key_properties` - The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint` - The property `vault_url` has been renamed to `vault_endpoint` in all models ### Fixes and improvements: - The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey` ([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590)) ## 4.0.0b3 (2019-09-11) ### Breaking changes: - `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and `unwrap_key`, respectively. ### New features: - `CryptographyClient` performs encrypt, verify and wrap operations locally when its key's public material is available (i.e., when it has keys/get permission). ## 4.0.0b2 (2019-08-06) ### Breaking changes: - Removed `azure.core.Configuration` from the public API in preparation for a revamped configuration API. Static `create_config` methods have been renamed `_create_config`, and will be removed in a future release. - Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available through `CryptographyClient`. - This version of the library requires `azure-core` 1.0.0b2 - If you later want to revert to a version requiring azure-core 1.0.0b1, of this or another Azure SDK library, you must explicitly install azure-core 1.0.0b1 as well. For example: `pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1` ### New features: - Added `CryptographyClient`, a client for performing cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) with a key. - Distributed tracing framework OpenCensus is now supported - Added support for HTTP challenge based authentication, allowing clients to interact with vaults in sovereign clouds. ### Other changes: - Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport by default. See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport) for more information about using other transports. ## 4.0.0b1 (2019-06-28) Version 4.0.0b1 is the first preview of our efforts to create a user-friendly and Pythonic client library for Azure Key Vault. For more information about preview releases of other Azure SDK libraries, please visit https://aka.ms/azure-sdk-preview1-python. This library is not a direct replacement for `azure-keyvault`. Applications using that library would require code changes to use `azure-keyvault-keys`. This package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) and [samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples) demonstrate the new API. ### Major changes from `azure-keyvault` - Packages scoped by functionality - `azure-keyvault-keys` contains a client for key operations, `azure-keyvault-secrets` contains a client for secret operations - Client instances are scoped to vaults (an instance interacts with one vault only) - Asynchronous API supported on Python 3.5.3+ - the `azure.keyvault.keys.aio` namespace contains an async equivalent of the synchronous client in `azure.keyvault.keys` - Authentication using `azure-identity` credentials - see this package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) , and the [Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md) for more information ### `azure-keyvault` features not implemented in this release - Certificate management APIs - Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and decrypt - National cloud support. This release supports public global cloud vaults, e.g. https://{vault-name}.vault.azure.net %package -n python3-azure-keyvault-keys Summary: Microsoft Azure Key Vault Keys Client Library for Python Provides: python-azure-keyvault-keys BuildRequires: python3-devel BuildRequires: python3-setuptools BuildRequires: python3-pip %description -n python3-azure-keyvault-keys # Azure Key Vault Keys client library for Python Azure Key Vault helps solve the following problems: - Cryptographic key management (this library) - create, store, and control access to the keys used to encrypt your data - Secrets management ([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets - Certificate management ([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) - create, manage, and deploy public and private SSL/TLS certificates - Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options [Source code][library_src] | [Package (PyPI)][pypi_package_keys] | [Package (Conda)](https://anaconda.org/microsoft/azure-keyvault/) | [API reference documentation][reference_docs] | [Product documentation][azure_keyvault] | [Samples][key_samples] ## _Disclaimer_ _Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_. _Python 3.7 or later is required to use this package. For more details, please refer to [Azure SDK for Python version support policy](https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy)._ ## Getting started ### Install the package Install [azure-keyvault-keys][pypi_package_keys] and [azure-identity][azure_identity_pypi] with [pip][pip]: ```Bash pip install azure-keyvault-keys azure-identity ``` [azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below. ### Prerequisites * An [Azure subscription][azure_sub] * Python 3.7 or later * An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli]. * If using Managed HSM, an existing [Key Vault Managed HSM][managed_hsm]. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli]. ### Authenticate the client In order to interact with the Azure Key Vault service, you will need an instance of a [KeyClient][key_client_docs], as well as a **vault url** and a credential object. This document demonstrates using a [DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios, including local development and production environments. We recommend using a [managed identity][managed_identity] for authentication in production environments. See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their corresponding credential types. #### Create a client After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of authentication, you can do the following to create a key client (replacing the value of `VAULT_URL` with your vault's URL): ```python VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) ``` > **NOTE:** For an asynchronous client, import `azure.keyvault.keys.aio`'s `KeyClient` instead. ## Key concepts ### Keys Azure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security modules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys and supported operations and algorithms, see the [Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys). [KeyClient][key_client_docs] can create keys in the vault, get existing keys from the vault, update key metadata, and delete keys, as shown in the [examples](#examples) below. ## Examples This section contains code snippets covering common tasks: * [Create a key](#create-a-key) * [Retrieve a key](#retrieve-a-key) * [Update an existing key](#update-an-existing-key) * [Delete a key](#delete-a-key) * [Configure automatic key rotation](#configure-automatic-key-rotation) * [List keys](#list-keys) * [Perform cryptographic operations](#cryptographic-operations) * [Async API](#async-api) * [Asynchronously create a key](#asynchronously-create-a-key) * [Asynchronously list keys](#asynchronously-list-keys) ### Create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of that key is created. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Retrieve a key [get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key previously stored in the Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") print(key.name) ``` ### Update an existing key [update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties) updates the properties of a key previously stored in the Key Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # we will now disable the key for further use updated_key = key_client.update_key_properties("key-name", enabled=False) print(updated_key.name) print(updated_key.properties.enabled) ``` ### Delete a key [begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key) requests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as soon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) deleted_key = key_client.begin_delete_key("key-name").result() print(deleted_key.name) print(deleted_key.deleted_date) ``` ### Configure automatic key rotation [update_key_rotation_policy](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.update_key_rotation_policy) allows you to configure automatic key rotation for a key by specifying a rotation policy. In addition, [rotate_key](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.rotate_key) allows you to rotate a key on-demand by creating a new version of the given key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Set the key's automated rotation policy to rotate the key 30 days before the key expires actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_before_expiry="P30D")] # You may also specify the duration after which the newly rotated key will expire # In this example, any new key versions will expire after 90 days updated_policy = key_client.update_key_rotation_policy("key-name", expires_in="P90D", lifetime_actions=actions) # You can get the current rotation policy for a key with get_key_rotation_policy current_policy = key_client.get_key_rotation_policy("key-name") # Finally, you can rotate a key on-demand by creating a new version of the key rotated_key = key_client.rotate_key("key-name") ``` ### List keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() for key in keys: # the list doesn't include values or versions of the keys print(key.name) ``` ### Cryptographic operations [CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient) enables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") crypto_client = CryptographyClient(key, credential=credential) plaintext = b"plaintext" result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext) decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext) ``` See the [package documentation][crypto_client_docs] for more details of the cryptography API. ### Async API This library includes a complete set of async APIs. To use them, you must first install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/). See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport) for more information. Async clients and credentials should be closed when they're no longer needed. These objects are async context managers and define async `close` methods. For example: ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() # call close when the client and credential are no longer needed client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) ... await client.close() await credential.close() # alternatively, use them as async context managers (contextlib.AsyncExitStack can help) client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) async with client: async with credential: ... ``` ### Asynchronously create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of the key is created. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = await key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = await key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Asynchronously list keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() async for key in keys: print(key.name) ``` ## Troubleshooting See the `azure-keyvault-keys` [troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md) for details on how to diagnose various failure scenarios. ### General Key Vault clients raise exceptions defined in [azure-core][azure_core_exceptions]. For example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs] raises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error): ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.core.exceptions import ResourceNotFoundError credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) try: key_client.get_key("which-does-not-exist") except ResourceNotFoundError as e: print(e.message) ``` ### Logging This library uses the standard [logging](https://docs.python.org/3/library/logging.html) library for logging. Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO level. Detailed DEBUG level logging, including request/response bodies and unredacted headers, can be enabled on a client with the `logging_enable` argument: ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient import sys import logging # Create a logger for the 'azure' SDK logger = logging.getLogger('azure') logger.setLevel(logging.DEBUG) # Configure a console output handler = logging.StreamHandler(stream=sys.stdout) logger.addHandler(handler) credential = DefaultAzureCredential() # This client will log detailed information about its HTTP sessions, at DEBUG level client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential, logging_enable=True) ``` Similarly, `logging_enable` can enable detailed logging for a single operation, even when it isn't enabled for the client: ```python client.get_key("my-key", logging_enable=True) ``` ## Next steps Several samples are available in the Azure SDK for Python GitHub repository. These provide example code for additional Key Vault scenarios: | File | Description | |-------------|-------------| | [hello_world.py][hello_world_sample] ([async version][hello_world_async_sample]) | create/get/update/delete keys | | [list_operations.py][list_operations_sample] ([async version][list_operations_async_sample]) | basic list operations for keys | | [backup_restore_operations.py][backup_operations_sample] ([async version][backup_operations_async_sample]) | back up and recover keys | | [recover_purge_operations.py][recover_purge_sample] ([async version][recover_purge_async_sample]) | recover and purge keys | | [send_request.py][send_request_sample] | use the `send_request` client method | ### Additional documentation For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs]. ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact opencode@microsoft.com with any additional questions or comments. [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions [azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity [azure_identity_pypi]: https://pypi.org/project/azure-identity/ [azure_keyvault]: https://docs.microsoft.com/azure/key-vault/ [azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli [azure_sub]: https://azure.microsoft.com/free/ [backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py [backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ [crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs [default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential [hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py [hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py [key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient [key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples [library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys [list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py [list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py [managed_hsm]: https://docs.microsoft.com/azure/key-vault/managed-hsm/overview [managed_hsm_cli]: https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli [managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview [pip]: https://pypi.org/project/pip/ [pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/ [recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py [recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py [reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs [send_request_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/send_request.py [soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-python%2Fsdk%2Fkeyvault%2Fazure-keyvault-keys%2FREADME.png) # Release History ## 4.8.0 (2023-03-16) ### Features Added - Added support for service API version `7.4` - Clients each have a `send_request` method that can be used to send custom requests using the client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172)) - (From 4.8.0b1) An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected. - Removed support for octet key pair (OKP) keys and operations ### Other Changes - Key Vault API version `7.4` is now the default - (From 4.8.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later. - (From 4.8.0b1) Updated minimum `azure-core` version to 1.24.0 - (From 4.8.0b1) Updated minimum `msrest` version to 0.7.1 - (From 4.8.0b2) Dropped `msrest` requirement - (From 4.8.0b2) Dropped `six` requirement - (From 4.8.0b2) Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - (From 4.8.0b2) Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b2 (2022-11-15) ### Features Added - Added support for service API version `7.4-preview.1` - `KeyClient` has a `create_okp_key` method to create an octet key pair (OKP) on Managed HSM - Added `eddsa` to `SignatureAlgorithm` enum to support signing and verifying using an Edwards-Curve Digital Signature Algorithm (EdDSA) on Managed HSM - Added `okp` and `okp_hsm` to `KeyType` enum for octet key pairs - Added `ed25519` to `KeyCurveName` enum to support use of the Ed25519 Edwards curve ### Other Changes - Key Vault API version `7.4-preview.1` is now the default - Dropped `msrest` requirement - Dropped `six` requirement - Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b1 (2022-09-22) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 - Updated minimum `msrest` version to 0.7.1 ## 4.7.0 (2022-09-19) ### Breaking Changes - Clients verify the challenge resource matches the vault domain. This should affect few customers, who can provide `verify_challenge_resource=False` to client constructors to disable. See https://aka.ms/azsdk/blog/vault-uri for more information. ### Other Changes - Changes from version 4.7.0b1 have been reverted and will be included in version 4.8.0b1 ## 4.7.0b1 (2022-08-12) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - The most recent release was version 4.6.1 instead of the intended version, 4.5.2. The next stable release is planned to be version 4.7.0. - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 ## 4.6.1 (2022-08-11) ### Other Changes - Documentation improvements ([#25039](https://github.com/Azure/azure-sdk-for-python/issues/25039)) ## 4.6.0b1 (2022-06-07) ### Bugs Fixed - If a key's ID contains a port number, this port will now be preserved in the vault URL of a `CryptographyClient` instance created from this key ([#24446](https://github.com/Azure/azure-sdk-for-python/issues/24446)) - Port numbers are now preserved in the `vault_url` property of a `KeyVaultKeyIdentifier` ## 4.5.1 (2022-04-18) ### Bugs Fixed - Fixed error that could occur when fetching a key rotation policy that has no defined `lifetime_actions`. ## 4.5.0 (2022-03-28) ### Features Added - Key Vault API version 7.3 is now the default - Added support for multi-tenant authentication when using `azure-identity` 1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) - (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM - (From 4.5.0b2) Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release - (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy - (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.update_key_rotation_policy` accepts a required `policy` argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and `KeyClient.update_key_rotation_policy` to `key_name` ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Enum values in `azure-keyvault-keys` are now uniformly lower-cased ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) ### Bugs Fixed - `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault keys created with non-standard casing could not be fetched with the SDK ([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797)) ### Other Changes - (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later. - (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0 - (From 4.5.0b3) Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) - (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate this parameter if `get_token` is implemented by a custom credential. - (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) ## 4.5.0b6 (2022-02-08) ### Features Added - Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to `encoded_policy` ### Other Changes - Python 2.7 is no longer supported. Please use Python version 3.6 or later. - Updated minimum `azure-core` version to 1.20.0 - Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ## 4.5.0b5 (2021-11-11) ### Features Added - Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class has been removed - Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to `key_version` - Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy` - Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token` ### Other Changes - Updated minimum `azure-core` version to 1.15.0 ## 4.5.0b4 (2021-10-07) ### Features Added - Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy ### Other Changes - `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) ## 4.5.0b3 (2021-09-09) ### Other Changes - Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) ## 4.5.0b2 (2021-08-10) ### Features Added - Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value` property, rather than returning the bytes directly ([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895)) ## 4.5.0b1 (2021-07-08) Beginning with this release, this library requires Python 2.7 or 3.6+. ### Features Added - Key Vault API version 7.3-preview is now the default - `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM ## 4.4.0 (2021-06-22) This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+. ### Changed - Key Vault API version 7.2 is now the default - (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21 ### Added - `KeyClient` has a `create_oct_key` method for creating symmetric keys - `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent` keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016)) - (From 4.4.0b1) Added support for Key Vault API version 7.2 ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - (From 4.4.0b3) Added requirement for `six`>=1.12.0 - (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.3.1. > Only code written against a beta version such as 4.4.0b1 may be affected. - `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a `KeyVaultKeyIdentifier` class, which can be initialized with a key ID ## 4.4.0b4 (2021-04-06) ### Added - `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ## 4.4.0b3 (2021-03-11) ### Added - `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - Added requirement for six>=1.12.0 ## 4.4.0b2 (2021-02-10) ### Fixed - API versions older than 7.2-preview no longer raise `ImportError` when performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680)) ## 4.4.0b1 (2021-02-10) ### Changed - Key Vault API version 7.2-preview is now the default - Updated msrest requirement to >=0.6.21 ### Added - Support for Key Vault API version 7.2-preview ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - Added method `parse_key_vault_key_id` that parses out a full ID returned by Key Vault, so users can easily access the key's `name`, `vault_url`, and `version`. ## 4.3.1 (2020-12-03) ### Fixed - `CryptographyClient` operations no longer raise `AttributeError` when the client was constructed with a key ID ([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608)) ## 4.3.0 (2020-10-06) ### Changed - `CryptographyClient` can perform decrypt and sign operations locally ([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754)) ### Fixed - Correct typing for async paging methods ## 4.2.0 (2020-08-11) ### Fixed - Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers are no longer redacted in logging output - `CryptographyClient` will no longer perform encrypt or wrap operations when its key has expired or is not yet valid ### Changed - Key Vault API version 7.1 is now the default - Updated minimum `azure-core` version to 1.7.0 ### Added - At construction, clients accept a `CustomHookPolicy` through the optional keyword argument `custom_hook_policy` - All client requests include a unique ID in the header `x-ms-client-request-id` - Dependency on `azure-common` for multiapi support ## 4.2.0b1 (2020-03-10) - Support for Key Vault API version 7.1-preview ([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124)) - Added `import_key` to `KeyOperation` - Added `recoverable_days` to `CertificateProperties` - Added `ApiVersion` enum identifying Key Vault versions supported by this package ## 4.1.0 (2020-03-10) - `KeyClient` instances have a `close` method which closes opened sockets. Used as a context manager, a `KeyClient` closes opened sockets on exit. ([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906)) - Pollers no longer sleep after operation completion ([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991)) ## 4.0.1 (2020-02-11) - `azure.keyvault.keys` defines `__version__` - Challenge authentication policy preserves request options ([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999)) - Updated `msrest` requirement to >=0.6.0 - Challenge authentication policy requires TLS ([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457)) - Methods no longer raise the internal error `KeyVaultErrorException` ([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690)) - Fix `AttributeError` in async CryptographyClient when verifying signatures remotely ([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734)) ## 4.0.0 (2019-10-31) ### Breaking changes: - Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()` - Moved the optional parameters of several methods into kwargs ( [docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html) detail the new keyword arguments): - `create_key` now has positional parameters `name` and `key_type` - `create_ec_key` and `create_rsa_key` now have one positional parameter, `name` - `update_key_properties` now has two positional parameters, `name` and (optional) `version` - `import_key` now has positional parameters `name` and `key` - `CryptographyClient` operations return class instances instead of tuples and renamed the following properties - Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext` - Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key` - Renamed the `result` property of `VerifyResult` to `is_valid` - Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult` - Renamed `list_keys` to `list_properties_of_keys` - Renamed `list_key_versions` to `list_properties_of_key_versions` - Renamed sync method `delete_key` to `begin_delete_key` - The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey` - Renamed `Key` to `KeyVaultKey` - `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`, `expires_on`, and `updated_on` - The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url` - The property `vault_endpoint` has been renamed to `vault_url` in all models ### New features: - Now all `CryptographyClient` returns include `key_id` and `algorithm` properties ## 4.0.0b4 (2019-10-08) - Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have been renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively. - `Key` now has attribute `properties`, which holds certain properties of the key, such as `version`. This changes the shape of the returned `Key` type, as certain properties of `Key` (such as `version`) have to be accessed through the `properties` property. - `update_key` has been renamed to `update_key_properties` - The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint` - The property `vault_url` has been renamed to `vault_endpoint` in all models ### Fixes and improvements: - The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey` ([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590)) ## 4.0.0b3 (2019-09-11) ### Breaking changes: - `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and `unwrap_key`, respectively. ### New features: - `CryptographyClient` performs encrypt, verify and wrap operations locally when its key's public material is available (i.e., when it has keys/get permission). ## 4.0.0b2 (2019-08-06) ### Breaking changes: - Removed `azure.core.Configuration` from the public API in preparation for a revamped configuration API. Static `create_config` methods have been renamed `_create_config`, and will be removed in a future release. - Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available through `CryptographyClient`. - This version of the library requires `azure-core` 1.0.0b2 - If you later want to revert to a version requiring azure-core 1.0.0b1, of this or another Azure SDK library, you must explicitly install azure-core 1.0.0b1 as well. For example: `pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1` ### New features: - Added `CryptographyClient`, a client for performing cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) with a key. - Distributed tracing framework OpenCensus is now supported - Added support for HTTP challenge based authentication, allowing clients to interact with vaults in sovereign clouds. ### Other changes: - Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport by default. See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport) for more information about using other transports. ## 4.0.0b1 (2019-06-28) Version 4.0.0b1 is the first preview of our efforts to create a user-friendly and Pythonic client library for Azure Key Vault. For more information about preview releases of other Azure SDK libraries, please visit https://aka.ms/azure-sdk-preview1-python. This library is not a direct replacement for `azure-keyvault`. Applications using that library would require code changes to use `azure-keyvault-keys`. This package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) and [samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples) demonstrate the new API. ### Major changes from `azure-keyvault` - Packages scoped by functionality - `azure-keyvault-keys` contains a client for key operations, `azure-keyvault-secrets` contains a client for secret operations - Client instances are scoped to vaults (an instance interacts with one vault only) - Asynchronous API supported on Python 3.5.3+ - the `azure.keyvault.keys.aio` namespace contains an async equivalent of the synchronous client in `azure.keyvault.keys` - Authentication using `azure-identity` credentials - see this package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) , and the [Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md) for more information ### `azure-keyvault` features not implemented in this release - Certificate management APIs - Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and decrypt - National cloud support. This release supports public global cloud vaults, e.g. https://{vault-name}.vault.azure.net %package help Summary: Development documents and examples for azure-keyvault-keys Provides: python3-azure-keyvault-keys-doc %description help # Azure Key Vault Keys client library for Python Azure Key Vault helps solve the following problems: - Cryptographic key management (this library) - create, store, and control access to the keys used to encrypt your data - Secrets management ([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets - Certificate management ([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) - create, manage, and deploy public and private SSL/TLS certificates - Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options [Source code][library_src] | [Package (PyPI)][pypi_package_keys] | [Package (Conda)](https://anaconda.org/microsoft/azure-keyvault/) | [API reference documentation][reference_docs] | [Product documentation][azure_keyvault] | [Samples][key_samples] ## _Disclaimer_ _Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_. _Python 3.7 or later is required to use this package. For more details, please refer to [Azure SDK for Python version support policy](https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy)._ ## Getting started ### Install the package Install [azure-keyvault-keys][pypi_package_keys] and [azure-identity][azure_identity_pypi] with [pip][pip]: ```Bash pip install azure-keyvault-keys azure-identity ``` [azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below. ### Prerequisites * An [Azure subscription][azure_sub] * Python 3.7 or later * An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli]. * If using Managed HSM, an existing [Key Vault Managed HSM][managed_hsm]. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli]. ### Authenticate the client In order to interact with the Azure Key Vault service, you will need an instance of a [KeyClient][key_client_docs], as well as a **vault url** and a credential object. This document demonstrates using a [DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios, including local development and production environments. We recommend using a [managed identity][managed_identity] for authentication in production environments. See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their corresponding credential types. #### Create a client After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of authentication, you can do the following to create a key client (replacing the value of `VAULT_URL` with your vault's URL): ```python VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) ``` > **NOTE:** For an asynchronous client, import `azure.keyvault.keys.aio`'s `KeyClient` instead. ## Key concepts ### Keys Azure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security modules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys and supported operations and algorithms, see the [Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys). [KeyClient][key_client_docs] can create keys in the vault, get existing keys from the vault, update key metadata, and delete keys, as shown in the [examples](#examples) below. ## Examples This section contains code snippets covering common tasks: * [Create a key](#create-a-key) * [Retrieve a key](#retrieve-a-key) * [Update an existing key](#update-an-existing-key) * [Delete a key](#delete-a-key) * [Configure automatic key rotation](#configure-automatic-key-rotation) * [List keys](#list-keys) * [Perform cryptographic operations](#cryptographic-operations) * [Async API](#async-api) * [Asynchronously create a key](#asynchronously-create-a-key) * [Asynchronously list keys](#asynchronously-list-keys) ### Create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of that key is created. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Retrieve a key [get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key previously stored in the Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") print(key.name) ``` ### Update an existing key [update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties) updates the properties of a key previously stored in the Key Vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # we will now disable the key for further use updated_key = key_client.update_key_properties("key-name", enabled=False) print(updated_key.name) print(updated_key.properties.enabled) ``` ### Delete a key [begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key) requests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as soon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) deleted_key = key_client.begin_delete_key("key-name").result() print(deleted_key.name) print(deleted_key.deleted_date) ``` ### Configure automatic key rotation [update_key_rotation_policy](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.update_key_rotation_policy) allows you to configure automatic key rotation for a key by specifying a rotation policy. In addition, [rotate_key](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.5.0b5/azure.keyvault.keys.html#azure.keyvault.keys.KeyClient.rotate_key) allows you to rotate a key on-demand by creating a new version of the given key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient, KeyRotationLifetimeAction, KeyRotationPolicyAction credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Set the key's automated rotation policy to rotate the key 30 days before the key expires actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_before_expiry="P30D")] # You may also specify the duration after which the newly rotated key will expire # In this example, any new key versions will expire after 90 days updated_policy = key_client.update_key_rotation_policy("key-name", expires_in="P90D", lifetime_actions=actions) # You can get the current rotation policy for a key with get_key_rotation_policy current_policy = key_client.get_key_rotation_policy("key-name") # Finally, you can rotate a key on-demand by creating a new version of the key rotated_key = key_client.rotate_key("key-name") ``` ### List keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() for key in keys: # the list doesn't include values or versions of the keys print(key.name) ``` ### Cryptographic operations [CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient) enables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key. ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) key = key_client.get_key("key-name") crypto_client = CryptographyClient(key, credential=credential) plaintext = b"plaintext" result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext) decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext) ``` See the [package documentation][crypto_client_docs] for more details of the cryptography API. ### Async API This library includes a complete set of async APIs. To use them, you must first install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/). See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport) for more information. Async clients and credentials should be closed when they're no longer needed. These objects are async context managers and define async `close` methods. For example: ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() # call close when the client and credential are no longer needed client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) ... await client.close() await credential.close() # alternatively, use them as async context managers (contextlib.AsyncExitStack can help) client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) async with client: async with credential: ... ``` ### Asynchronously create a key [create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and [create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key) create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version of the key is created. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) # Create an RSA key rsa_key = await key_client.create_rsa_key("rsa-key-name", size=2048) print(rsa_key.name) print(rsa_key.key_type) # Create an elliptic curve key ec_key = await key_client.create_ec_key("ec-key-name", curve="P-256") print(ec_key.name) print(ec_key.key_type) ``` ### Asynchronously list keys [list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys) lists the properties of all of the keys in the client's vault. ```python from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) keys = key_client.list_properties_of_keys() async for key in keys: print(key.name) ``` ## Troubleshooting See the `azure-keyvault-keys` [troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md) for details on how to diagnose various failure scenarios. ### General Key Vault clients raise exceptions defined in [azure-core][azure_core_exceptions]. For example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs] raises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error): ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient from azure.core.exceptions import ResourceNotFoundError credential = DefaultAzureCredential() key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential) try: key_client.get_key("which-does-not-exist") except ResourceNotFoundError as e: print(e.message) ``` ### Logging This library uses the standard [logging](https://docs.python.org/3/library/logging.html) library for logging. Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO level. Detailed DEBUG level logging, including request/response bodies and unredacted headers, can be enabled on a client with the `logging_enable` argument: ```python from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient import sys import logging # Create a logger for the 'azure' SDK logger = logging.getLogger('azure') logger.setLevel(logging.DEBUG) # Configure a console output handler = logging.StreamHandler(stream=sys.stdout) logger.addHandler(handler) credential = DefaultAzureCredential() # This client will log detailed information about its HTTP sessions, at DEBUG level client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential, logging_enable=True) ``` Similarly, `logging_enable` can enable detailed logging for a single operation, even when it isn't enabled for the client: ```python client.get_key("my-key", logging_enable=True) ``` ## Next steps Several samples are available in the Azure SDK for Python GitHub repository. These provide example code for additional Key Vault scenarios: | File | Description | |-------------|-------------| | [hello_world.py][hello_world_sample] ([async version][hello_world_async_sample]) | create/get/update/delete keys | | [list_operations.py][list_operations_sample] ([async version][list_operations_async_sample]) | basic list operations for keys | | [backup_restore_operations.py][backup_operations_sample] ([async version][backup_operations_async_sample]) | back up and recover keys | | [recover_purge_operations.py][recover_purge_sample] ([async version][recover_purge_async_sample]) | recover and purge keys | | [send_request.py][send_request_sample] | use the `send_request` client method | ### Additional documentation For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs]. ## Contributing This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact opencode@microsoft.com with any additional questions or comments. [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions [azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity [azure_identity_pypi]: https://pypi.org/project/azure-identity/ [azure_keyvault]: https://docs.microsoft.com/azure/key-vault/ [azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli [azure_sub]: https://azure.microsoft.com/free/ [backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py [backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ [crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs [default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential [hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py [hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py [key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient [key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples [library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys [list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py [list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py [managed_hsm]: https://docs.microsoft.com/azure/key-vault/managed-hsm/overview [managed_hsm_cli]: https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli [managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview [pip]: https://pypi.org/project/pip/ [pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/ [recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py [recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py [reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs [send_request_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/send_request.py [soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview ![Impressions](https://azure-sdk-impressions.azurewebsites.net/api/impressions/azure-sdk-for-python%2Fsdk%2Fkeyvault%2Fazure-keyvault-keys%2FREADME.png) # Release History ## 4.8.0 (2023-03-16) ### Features Added - Added support for service API version `7.4` - Clients each have a `send_request` method that can be used to send custom requests using the client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172)) - (From 4.8.0b1) An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected. - Removed support for octet key pair (OKP) keys and operations ### Other Changes - Key Vault API version `7.4` is now the default - (From 4.8.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later. - (From 4.8.0b1) Updated minimum `azure-core` version to 1.24.0 - (From 4.8.0b1) Updated minimum `msrest` version to 0.7.1 - (From 4.8.0b2) Dropped `msrest` requirement - (From 4.8.0b2) Dropped `six` requirement - (From 4.8.0b2) Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - (From 4.8.0b2) Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b2 (2022-11-15) ### Features Added - Added support for service API version `7.4-preview.1` - `KeyClient` has a `create_okp_key` method to create an octet key pair (OKP) on Managed HSM - Added `eddsa` to `SignatureAlgorithm` enum to support signing and verifying using an Edwards-Curve Digital Signature Algorithm (EdDSA) on Managed HSM - Added `okp` and `okp_hsm` to `KeyType` enum for octet key pairs - Added `ed25519` to `KeyCurveName` enum to support use of the Ed25519 Edwards curve ### Other Changes - Key Vault API version `7.4-preview.1` is now the default - Dropped `msrest` requirement - Dropped `six` requirement - Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`) - Added requirement for `typing-extensions>=4.0.1` ## 4.8.0b1 (2022-09-22) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 - Updated minimum `msrest` version to 0.7.1 ## 4.7.0 (2022-09-19) ### Breaking Changes - Clients verify the challenge resource matches the vault domain. This should affect few customers, who can provide `verify_challenge_resource=False` to client constructors to disable. See https://aka.ms/azsdk/blog/vault-uri for more information. ### Other Changes - Changes from version 4.7.0b1 have been reverted and will be included in version 4.8.0b1 ## 4.7.0b1 (2022-08-12) ### Features Added - An attempt will be made to generate an IV if one isn't provided for local encryption ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380)) ### Other Changes - The most recent release was version 4.6.1 instead of the intended version, 4.5.2. The next stable release is planned to be version 4.7.0. - Python 3.6 is no longer supported. Please use Python version 3.7 or later. - Updated minimum `azure-core` version to 1.24.0 ## 4.6.1 (2022-08-11) ### Other Changes - Documentation improvements ([#25039](https://github.com/Azure/azure-sdk-for-python/issues/25039)) ## 4.6.0b1 (2022-06-07) ### Bugs Fixed - If a key's ID contains a port number, this port will now be preserved in the vault URL of a `CryptographyClient` instance created from this key ([#24446](https://github.com/Azure/azure-sdk-for-python/issues/24446)) - Port numbers are now preserved in the `vault_url` property of a `KeyVaultKeyIdentifier` ## 4.5.1 (2022-04-18) ### Bugs Fixed - Fixed error that could occur when fetching a key rotation policy that has no defined `lifetime_actions`. ## 4.5.0 (2022-03-28) ### Features Added - Key Vault API version 7.3 is now the default - Added support for multi-tenant authentication when using `azure-identity` 1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) - (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM - (From 4.5.0b2) Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release - (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy - (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.update_key_rotation_policy` accepts a required `policy` argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and `KeyClient.update_key_rotation_policy` to `key_name` ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) - Enum values in `azure-keyvault-keys` are now uniformly lower-cased ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981)) ### Bugs Fixed - `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault keys created with non-standard casing could not be fetched with the SDK ([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797)) ### Other Changes - (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later. - (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0 - (From 4.5.0b3) Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) - (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate this parameter if `get_token` is implemented by a custom credential. - (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) ## 4.5.0b6 (2022-02-08) ### Features Added - Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable release policies. Once a release policy is marked as immutable, it can no longer be modified. ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to `encoded_policy` ### Other Changes - Python 2.7 is no longer supported. Please use Python version 3.6 or later. - Updated minimum `azure-core` version to 1.20.0 - Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368)) - (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge authentication requests now pass in a `tenant_id` keyword argument ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ## 4.5.0b5 (2021-11-11) ### Features Added - Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class has been removed - Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to `key_version` - Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy` - Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token` ### Other Changes - Updated minimum `azure-core` version to 1.15.0 ## 4.5.0b4 (2021-10-07) ### Features Added - Added `KeyClient.get_cryptography_client`, which provides a simple way to create a `CryptographyClient` for a key, given its name and optionally a version ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621)) - Added support for automated and on-demand key rotation in Azure Key Vault ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840)) - Added `KeyClient.rotate_key` to rotate a key on-demand - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy ### Other Changes - `CryptographyClient` no longer requires a key version when providing a key ID to its constructor (though providing a version is still recommended) ## 4.5.0b3 (2021-09-09) ### Other Changes - Updated type hints to fix mypy errors ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158)) ## 4.5.0b2 (2021-08-10) ### Features Added - Added support for secure key release from a Managed HSM ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588)) - Added `release_key` method to `KeyClient` for releasing the private component of a key - Added `exportable` and `release_policy` keyword-only arguments to key creation and import methods - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used in key release ### Breaking Changes > These changes do not impact the API of stable versions such as 4.4.0. > Only code written against a beta version such as 4.5.0b1 may be affected. - `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value` property, rather than returning the bytes directly ([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895)) ## 4.5.0b1 (2021-07-08) Beginning with this release, this library requires Python 2.7 or 3.6+. ### Features Added - Key Vault API version 7.3-preview is now the default - `KeyClient` has a `get_random_bytes` method for getting a requested number of random bytes from a managed HSM ## 4.4.0 (2021-06-22) This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+. ### Changed - Key Vault API version 7.2 is now the default - (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21 ### Added - `KeyClient` has a `create_oct_key` method for creating symmetric keys - `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent` keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016)) - (From 4.4.0b1) Added support for Key Vault API version 7.2 ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - (From 4.4.0b3) Added requirement for `six`>=1.12.0 - (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ### Breaking Changes > These changes do not impact the API of stable versions such as 4.3.1. > Only code written against a beta version such as 4.4.0b1 may be affected. - `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a `KeyVaultKeyIdentifier` class, which can be initialized with a key ID ## 4.4.0b4 (2021-04-06) ### Added - `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762)) ## 4.4.0b3 (2021-03-11) ### Added - `CryptographyClient` will perform all operations locally if initialized with the `.from_jwk` factory method ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565)) - Added requirement for six>=1.12.0 ## 4.4.0b2 (2021-02-10) ### Fixed - API versions older than 7.2-preview no longer raise `ImportError` when performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680)) ## 4.4.0b1 (2021-02-10) ### Changed - Key Vault API version 7.2-preview is now the default - Updated msrest requirement to >=0.6.21 ### Added - Support for Key Vault API version 7.2-preview ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566)) - Added `oct_hsm` to `KeyType` - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption algorithms to `EncryptionAlgorithm` - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm` - `CryptographyClient`'s `encrypt` method accepts `iv` and `additional_authenticated_data` keyword arguments - `CryptographyClient`'s `decrypt` method accepts `iv`, `additional_authenticated_data`, and `authentication_tag` keyword arguments - Added `iv`, `aad`, and `tag` properties to `EncryptResult` - Added method `parse_key_vault_key_id` that parses out a full ID returned by Key Vault, so users can easily access the key's `name`, `vault_url`, and `version`. ## 4.3.1 (2020-12-03) ### Fixed - `CryptographyClient` operations no longer raise `AttributeError` when the client was constructed with a key ID ([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608)) ## 4.3.0 (2020-10-06) ### Changed - `CryptographyClient` can perform decrypt and sign operations locally ([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754)) ### Fixed - Correct typing for async paging methods ## 4.2.0 (2020-08-11) ### Fixed - Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers are no longer redacted in logging output - `CryptographyClient` will no longer perform encrypt or wrap operations when its key has expired or is not yet valid ### Changed - Key Vault API version 7.1 is now the default - Updated minimum `azure-core` version to 1.7.0 ### Added - At construction, clients accept a `CustomHookPolicy` through the optional keyword argument `custom_hook_policy` - All client requests include a unique ID in the header `x-ms-client-request-id` - Dependency on `azure-common` for multiapi support ## 4.2.0b1 (2020-03-10) - Support for Key Vault API version 7.1-preview ([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124)) - Added `import_key` to `KeyOperation` - Added `recoverable_days` to `CertificateProperties` - Added `ApiVersion` enum identifying Key Vault versions supported by this package ## 4.1.0 (2020-03-10) - `KeyClient` instances have a `close` method which closes opened sockets. Used as a context manager, a `KeyClient` closes opened sockets on exit. ([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906)) - Pollers no longer sleep after operation completion ([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991)) ## 4.0.1 (2020-02-11) - `azure.keyvault.keys` defines `__version__` - Challenge authentication policy preserves request options ([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999)) - Updated `msrest` requirement to >=0.6.0 - Challenge authentication policy requires TLS ([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457)) - Methods no longer raise the internal error `KeyVaultErrorException` ([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690)) - Fix `AttributeError` in async CryptographyClient when verifying signatures remotely ([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734)) ## 4.0.0 (2019-10-31) ### Breaking changes: - Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()` - Moved the optional parameters of several methods into kwargs ( [docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html) detail the new keyword arguments): - `create_key` now has positional parameters `name` and `key_type` - `create_ec_key` and `create_rsa_key` now have one positional parameter, `name` - `update_key_properties` now has two positional parameters, `name` and (optional) `version` - `import_key` now has positional parameters `name` and `key` - `CryptographyClient` operations return class instances instead of tuples and renamed the following properties - Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext` - Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key` - Renamed the `result` property of `VerifyResult` to `is_valid` - Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult` - Renamed `list_keys` to `list_properties_of_keys` - Renamed `list_key_versions` to `list_properties_of_key_versions` - Renamed sync method `delete_key` to `begin_delete_key` - The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey` - Renamed `Key` to `KeyVaultKey` - `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`, `expires_on`, and `updated_on` - The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url` - The property `vault_endpoint` has been renamed to `vault_url` in all models ### New features: - Now all `CryptographyClient` returns include `key_id` and `algorithm` properties ## 4.0.0b4 (2019-10-08) - Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have been renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively. - `Key` now has attribute `properties`, which holds certain properties of the key, such as `version`. This changes the shape of the returned `Key` type, as certain properties of `Key` (such as `version`) have to be accessed through the `properties` property. - `update_key` has been renamed to `update_key_properties` - The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint` - The property `vault_url` has been renamed to `vault_endpoint` in all models ### Fixes and improvements: - The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey` ([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590)) ## 4.0.0b3 (2019-09-11) ### Breaking changes: - `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and `unwrap_key`, respectively. ### New features: - `CryptographyClient` performs encrypt, verify and wrap operations locally when its key's public material is available (i.e., when it has keys/get permission). ## 4.0.0b2 (2019-08-06) ### Breaking changes: - Removed `azure.core.Configuration` from the public API in preparation for a revamped configuration API. Static `create_config` methods have been renamed `_create_config`, and will be removed in a future release. - Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available through `CryptographyClient`. - This version of the library requires `azure-core` 1.0.0b2 - If you later want to revert to a version requiring azure-core 1.0.0b1, of this or another Azure SDK library, you must explicitly install azure-core 1.0.0b1 as well. For example: `pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1` ### New features: - Added `CryptographyClient`, a client for performing cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) with a key. - Distributed tracing framework OpenCensus is now supported - Added support for HTTP challenge based authentication, allowing clients to interact with vaults in sovereign clouds. ### Other changes: - Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport by default. See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport) for more information about using other transports. ## 4.0.0b1 (2019-06-28) Version 4.0.0b1 is the first preview of our efforts to create a user-friendly and Pythonic client library for Azure Key Vault. For more information about preview releases of other Azure SDK libraries, please visit https://aka.ms/azure-sdk-preview1-python. This library is not a direct replacement for `azure-keyvault`. Applications using that library would require code changes to use `azure-keyvault-keys`. This package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) and [samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples) demonstrate the new API. ### Major changes from `azure-keyvault` - Packages scoped by functionality - `azure-keyvault-keys` contains a client for key operations, `azure-keyvault-secrets` contains a client for secret operations - Client instances are scoped to vaults (an instance interacts with one vault only) - Asynchronous API supported on Python 3.5.3+ - the `azure.keyvault.keys.aio` namespace contains an async equivalent of the synchronous client in `azure.keyvault.keys` - Authentication using `azure-identity` credentials - see this package's [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md) , and the [Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md) for more information ### `azure-keyvault` features not implemented in this release - Certificate management APIs - Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and decrypt - National cloud support. This release supports public global cloud vaults, e.g. https://{vault-name}.vault.azure.net %prep %autosetup -n azure-keyvault-keys-4.8.0 %build %py3_build %install %py3_install install -d -m755 %{buildroot}/%{_pkgdocdir} if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi pushd %{buildroot} if [ -d usr/lib ]; then find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst fi if [ -d usr/lib64 ]; then find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst fi if [ -d usr/bin ]; then find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst fi if [ -d usr/sbin ]; then find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst fi touch doclist.lst if [ -d usr/share/man ]; then find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst fi popd mv %{buildroot}/filelist.lst . mv %{buildroot}/doclist.lst . %files -n python3-azure-keyvault-keys -f filelist.lst %dir %{python3_sitelib}/* %files help -f doclist.lst %{_docdir}/* %changelog * Mon Apr 10 2023 Python_Bot - 4.8.0-1 - Package Spec generated