azure.keyvault.secrets package — Azure SDK for Python 2.0.0 documentation

class azure.keyvault.secrets.ApiVersion(value)[source]¶

Key Vault API versions supported by this package

V2016_10_01 = '2016-10-01'¶

V7_0 = '7.0'¶

V7_1 = '7.1'¶

V7_2 = '7.2'¶

this is the default version

class azure.keyvault.secrets.DeletedSecret(properties: SecretProperties, deleted_date: Optional[datetime] = None, recovery_id: Optional[str] = None, scheduled_purge_date: Optional[datetime] = None)[source]¶

A deleted secret’s properties and information about its deletion. If soft-delete is enabled, returns information about its recovery as well.

property deleted_date¶

When the secret was deleted, in UTC

Return type

datetime

property id¶

The secret’s id

Return type

str

property name¶

The secret’s name

Return type

str

property properties¶

The properties of the deleted secret

Return type

SecretProperties

property recovery_id¶

An identifier used to recover the deleted secret. Returns None if soft-delete is disabled.

Return type

str

property scheduled_purge_date¶

When the secret is scheduled to be purged, in UTC. Returns None if soft-delete is disabled.

Return type

datetime

class azure.keyvault.secrets.KeyVaultSecret(properties: azure.keyvault.secrets._models.SecretProperties, value: str)[source]¶

All of a secret’s properties, and its value.

property id¶

The secret’s id

Return type

str

property name¶

The secret’s name

Return type

str

property properties¶

The secret’s properties

Return type

SecretProperties

property value¶

The secret’s value

Return type

str

class azure.keyvault.secrets.KeyVaultSecretIdentifier(source_id: str)[source]¶

Information about a KeyVaultSecret parsed from a secret ID.

Parameters

source_id (str) – the full original identifier of a secret

Raises

ValueError – if the secret ID is improperly formatted

Example

Parse a secret’s ID¶

secret = client.get_secret(secret_name)parsed_secret_id = KeyVaultSecretIdentifier(secret.id)print(parsed_secret_id.name)print(parsed_secret_id.vault_url)print(parsed_secret_id.version)print(parsed_secret_id.source_id)

property name¶

property source_id¶

property vault_url¶

property version¶

class azure.keyvault.secrets.SecretClient(vault_url: str, credential: TokenCredential, **kwargs: Any)[source]¶

A high-level interface for managing a vault’s secrets.

Parameters

• vault_url (str) – URL of the vault the client will access. This is also called the vault’s “DNS Name”.

• credential – An object which can provide an access token for the vault, such as a credential fromazure.identity

Keyword Arguments

Example

Create a new SecretClient¶

from azure.identity import DefaultAzureCredentialfrom azure.keyvault.secrets import SecretClient# Create a SecretClient using default Azure credentialscredential = DefaultAzureCredential()secret_client = SecretClient(vault_url, credential)

backup_secret(name: str, **kwargs: Any) → bytes[source]¶

Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission.

Parameters

name (str) – Name of the secret to back up

Return type

bytes

Raises

ResourceNotFoundError if the secret doesn’t exist,HttpResponseError for other errors

Example

Back up a secret¶

# backup secret# returns the raw bytes of the backed up secretsecret_backup = secret_client.backup_secret(secret_name)print(secret_backup)

begin_delete_secret(name: str, **kwargs: Any) → DeletedSecret[source]¶

Delete all versions of a secret. Requires secrets/delete permission.

When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

Parameters

name (str) – Name of the secret to delete.

Returns

A poller for the delete operation. The poller’s result method returns theDeletedSecret without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the secret with purge_deleted_secret(), call the poller’s wait method first. It will block until the deletion is complete. The wait method requires secrets/get permission.

Return type

LROPoller[DeletedSecret]

Raises

ResourceNotFoundError if the secret doesn’t exist,HttpResponseError for other errors

Example

Delete a secret¶

# delete a secretdeleted_secret_poller = secret_client.begin_delete_secret(secret_name)deleted_secret = deleted_secret_poller.result()print(deleted_secret.name)# if the vault has soft-delete enabled, the secret's, deleted_date# scheduled purge date and recovery id are setprint(deleted_secret.deleted_date)print(deleted_secret.scheduled_purge_date)print(deleted_secret.recovery_id)# if you want to block until secret is deleted server-side, call wait() on the pollerdeleted_secret_poller.wait()

begin_recover_deleted_secret(name: str, **kwargs: Any) → SecretProperties[source]¶

Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled.

If the vault does not have soft-delete enabled, begin_delete_secret() is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error.

When this method returns Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately.

Requires the secrets/recover permission.

Parameters

name (str) – Name of the deleted secret to recover

Returns

A poller for the recovery operation. The poller’s result method returns the recoveredSecret without waiting for recovery to complete. If you want to use the recovered secret immediately, call the poller’s wait method, which blocks until the secret is ready to use. The wait method requires secrets/get permission.

Return type

LROPoller[SecretProperties]

Raises

HttpResponseError

Example

Recover a deleted secret¶

# recover deleted secret to the latest versionrecover_secret_poller = secret_client.begin_recover_deleted_secret(secret_name)recovered_secret = recover_secret_poller.result()print(recovered_secret.id)print(recovered_secret.name)# if you want to block until secret is recovered server-side, call wait() on the pollerrecover_secret_poller.wait()

close() → None¶

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

get_deleted_secret(name: str, **kwargs: Any) → DeletedSecret[source]¶

Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.

Parameters

name (str) – Name of the deleted secret

Return type

DeletedSecret

Raises

ResourceNotFoundError if the deleted secret doesn’t exist,HttpResponseError for other errors

Example

Get a deleted secret¶

# gets a deleted secret (requires soft-delete enabled for the vault)deleted_secret = secret_client.get_deleted_secret(secret_name)print(deleted_secret.name)

get_secret(name: str, version: str = None, **kwargs: Any) → KeyVaultSecret[source]¶

Get a secret. Requires the secrets/get permission.

Parameters

• name (str) – The name of the secret

• version (str) – (optional) Version of the secret to get. If unspecified, gets the latest version.

Return type

KeyVaultSecret

Raises

ResourceNotFoundError if the secret doesn’t exist,HttpResponseError for other errors

Example

Get a secret¶

# get the latest version of a secretsecret = secret_client.get_secret(secret_name)# alternatively, specify a versionsecret = secret_client.get_secret(secret_name, secret.properties.version)print(secret.id)print(secret.name)print(secret.properties.version)print(secret.properties.vault_url)

list_deleted_secrets(**kwargs: Any) → ItemPaged[DeletedSecret][source]¶

Lists all deleted secrets. Possible only in vaults with soft-delete enabled.

Requires secrets/list permission.

Returns

An iterator of deleted secrets, excluding their values

Return type

ItemPaged[DeletedSecret]

Example

List deleted secrets¶

# gets an iterator of deleted secrets (requires soft-delete enabled for the vault)deleted_secrets = secret_client.list_deleted_secrets()for secret in deleted_secrets: # the list doesn't include values or versions of the deleted secrets print(secret.id) print(secret.name) print(secret.scheduled_purge_date) print(secret.recovery_id) print(secret.deleted_date)

list_properties_of_secret_versions(name: str, **kwargs: Any) → ItemPaged[SecretProperties][source]¶

List properties of all versions of a secret, excluding their values. Requires secrets/list permission.

List items don’t include secret values. Use get_secret() to get a secret’s value.

Parameters

name (str) – Name of the secret

Returns

An iterator of secrets, excluding their values

Return type

ItemPaged[SecretProperties]

Example

List all versions of a secret¶

secret_versions = secret_client.list_properties_of_secret_versions("secret-name")for secret in secret_versions: # the list doesn't include the values at each version print(secret.id) print(secret.enabled) print(secret.updated_on)

list_properties_of_secrets(**kwargs: Any) → ItemPaged[SecretProperties][source]¶

List identifiers and attributes of all secrets in the vault. Requires secrets/list permission.

List items don’t include secret values. Use get_secret() to get a secret’s value.

Returns

An iterator of secrets, excluding their values

Return type

ItemPaged[SecretProperties]

Example

List all secrets¶

# list secretssecrets = secret_client.list_properties_of_secrets()for secret in secrets: # the list doesn't include values or versions of the secrets print(secret.id) print(secret.name) print(secret.enabled)

purge_deleted_secret(name: str, **kwargs: Any) → None[source]¶

Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled.

Performs an irreversible deletion of the specified secret, without possibility for recovery. The operation is not available if therecovery_level does not specify ‘Purgeable’. This method is only necessary for purging a secret before itsscheduled_purge_date.

Requires secrets/purge permission.

Parameters

name (str) – Name of the secret to purge

Returns

None

Raises

HttpResponseError

Example

# if the vault has soft-delete enabled, purge permanently deletes the secret# (with soft-delete disabled, begin_delete_secret is permanent)secret_client.purge_deleted_secret("secret-name")

restore_secret_backup(backup: bytes, **kwargs: Any) → SecretProperties[source]¶

Restore a backed up secret. Requires the secrets/restore permission.

Parameters

backup (bytes) – A secret backup as returned by backup_secret()

Returns

The restored secret

Return type

SecretProperties

Raises

ResourceExistsError if the secret’s name is already in use,HttpResponseError for other errors

Example

Restore a backed up secret¶

# restores a backed up secretrestored_secret = secret_client.restore_secret_backup(secret_backup)print(restored_secret.id)print(restored_secret.version)

set_secret(name: str, value: str, **kwargs: Any) → KeyVaultSecret[source]¶

Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret.

Requires secrets/set permission.

Parameters

• name (str) – The name of the secret

• value (str) – The value of the secret

Keyword Arguments

• enabled (bool) – Whether the secret is enabled for use.

• tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.

• content_type (str) – An arbitrary string indicating the type of the secret, e.g. ‘password’

• not_before (datetime) – Not before date of the secret in UTC

• expires_on (datetime) – Expiry date of the secret in UTC

Return type

KeyVaultSecret

Raises

HttpResponseError

Example

Set a secret’s value¶

from dateutil import parser as date_parseexpires_on = date_parse.parse("2050-02-02T08:00:00.000Z")# create a secret, setting optional argumentssecret = secret_client.set_secret(secret_name, "secret-value", expires_on=expires_on)print(secret.name)print(secret.properties.version)print(secret.properties.expires_on)

update_secret_properties(name: str, version: Optional[str] = None, **kwargs: Any) → SecretProperties[source]¶

Update properties of a secret other than its value. Requires secrets/set permission.

This method updates properties of the secret, such as whether it’s enabled, but can’t change the secret’s value. Use set_secret() to change the secret’s value.

Parameters

• name (str) – Name of the secret

• version (str) – (optional) Version of the secret to update. If unspecified, the latest version is updated.

Keyword Arguments

• enabled (bool) – Whether the secret is enabled for use.

• tags (dict[str, str]) – Application specific metadata in the form of key-value pairs.

• content_type (str) – An arbitrary string indicating the type of the secret, e.g. ‘password’

• not_before (datetime) – Not before date of the secret in UTC

• expires_on (datetime) – Expiry date of the secret in UTC

Return type

SecretProperties

Raises

ResourceNotFoundError if the secret doesn’t exist,HttpResponseError for other errors

Example

Update a secret’s attributes¶

# update attributes of an existing secretcontent_type = "text/plain"tags = {"foo": "updated tag"}updated_secret_properties = secret_client.update_secret_properties( secret_name, content_type=content_type, tags=tags)print(updated_secret_properties.version)print(updated_secret_properties.updated_on)print(updated_secret_properties.content_type)print(updated_secret_properties.tags)

property vault_url¶

class azure.keyvault.secrets.SecretProperties(attributes: _models.SecretAttributes, vault_id: str, **kwargs: Any)[source]¶

A secret’s id and attributes.

property content_type¶

An arbitrary string indicating the type of the secret

Return type

str

property created_on¶

When the secret was created, in UTC

Return type

datetime

property enabled¶

Whether the secret is enabled for use

Return type

bool

property expires_on¶

When the secret expires, in UTC

Return type

datetime

property id¶

The secret’s id

Return type

str

property key_id¶

If this secret backs a certificate, this property is the identifier of the corresponding key.

Return type

str

property name¶

The secret’s name

Return type

str

property not_before¶

The time before which the secret can not be used, in UTC

Return type

datetime

property recoverable_days¶

The number of days the key is retained before being deleted from a soft-delete enabled Key Vault.

Return type

int

property recovery_level¶

The vault’s deletion recovery level for secrets

Return type

str

property tags¶

Application specific metadata in the form of key-value pairs

Return type

dict

property updated_on¶

When the secret was last updated, in UTC

Return type

datetime

property vault_url¶

URL of the vault containing the secret

Return type

str

property version¶

The secret’s version

Return type

str

Subpackages¶