async def test_key_rotation_policy(self, client, **kwargs):
if (not is_public_cloud() and self.is_live):
pytest.skip("This test not supprot in usgov/china region. Follow up with service team.")
key_name = self.get_resource_name("rotation-key")
await self._create_rsa_key(client, key_name)
actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE, time_after_create="P2M")]
updated_policy = await client.update_key_rotation_policy(key_name, lifetime_actions=actions)
fetched_policy = await client.get_key_rotation_policy(key_name)
assert updated_policy.expires_in is None
_assert_rotation_policies_equal(updated_policy, fetched_policy)
updated_policy_actions = updated_policy.lifetime_actions[0]
fetched_policy_actions = fetched_policy.lifetime_actions[0]
assert updated_policy_actions.action == KeyRotationPolicyAction.ROTATE
assert updated_policy_actions.time_after_create == "P2M"
assert updated_policy_actions.time_before_expiry is None
_assert_lifetime_actions_equal(updated_policy_actions, fetched_policy_actions)
new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY, time_before_expiry="P30D")]
new_policy = await client.update_key_rotation_policy(key_name, expires_in="P90D", lifetime_actions=new_actions)
new_fetched_policy = await client.get_key_rotation_policy(key_name)
assert new_policy.expires_in == "P90D"
_assert_rotation_policies_equal(new_policy, new_fetched_policy)
new_policy_actions = new_policy.lifetime_actions[0]
new_fetched_policy_actions = new_fetched_policy.lifetime_actions[0]
assert new_policy_actions.action == KeyRotationPolicyAction.NOTIFY
assert new_policy_actions.time_after_create is None
assert new_policy_actions.time_before_expiry == "P30D"
_assert_lifetime_actions_equal(new_policy_actions, new_fetched_policy_actions)
async def test_key_rotation_policy(self, client, **kwargs):
key_name = self.get_resource_name("rotation-key")
await self._create_rsa_key(client, key_name)
actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE,
time_after_create="P2M")
]
updated_policy = await client.update_key_rotation_policy(
key_name, lifetime_actions=actions)
fetched_policy = await client.get_key_rotation_policy(key_name)
assert updated_policy.expires_in is None
_assert_rotation_policies_equal(updated_policy, fetched_policy)
updated_policy_actions = updated_policy.lifetime_actions[0]
fetched_policy_actions = fetched_policy.lifetime_actions[0]
assert updated_policy_actions.action == KeyRotationPolicyAction.ROTATE
assert updated_policy_actions.time_after_create == "P2M"
assert updated_policy_actions.time_before_expiry is None
_assert_lifetime_actions_equal(updated_policy_actions,
fetched_policy_actions)
new_actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY,
time_before_expiry="P30D")
]
new_policy = await client.update_key_rotation_policy(
key_name, expires_in="P90D", lifetime_actions=new_actions)
new_fetched_policy = await client.get_key_rotation_policy(key_name)
assert new_policy.expires_in == "P90D"
_assert_rotation_policies_equal(new_policy, new_fetched_policy)
new_policy_actions = new_policy.lifetime_actions[0]
new_fetched_policy_actions = new_fetched_policy.lifetime_actions[0]
assert new_policy_actions.action == KeyRotationPolicyAction.NOTIFY
assert new_policy_actions.time_after_create is None
assert new_policy_actions.time_before_expiry == "P30D"
_assert_lifetime_actions_equal(new_policy_actions,
new_fetched_policy_actions)
# ----------------------------------------------------------------------------------------------------------
# Instantiate a key client that will be used to call the service.
# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
# First, create a key
key_name = "rotation-sample-key"
key = client.create_rsa_key(key_name)
print("\nCreated a key; new version is {}".format(key.properties.version))
# Set the key's automated rotation policy to rotate the key two months after the key was created
actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE,
time_after_create="P2M")
]
updated_policy = client.update_key_rotation_policy(key_name,
lifetime_actions=actions)
# The created policy should only have one action
assert len(updated_policy.lifetime_actions
) == 1, "There should be exactly one rotation policy action"
policy_action = updated_policy.lifetime_actions[0]
print("\nCreated a new key rotation policy: {} after {}".format(
policy_action.action, policy_action.time_after_create))
# Get the key's current rotation policy
current_policy = client.get_key_rotation_policy(key_name)
policy_action = current_policy.lifetime_actions[0]
print("\nCurrent rotation policy: {} after {}".format(
async def run_sample():
# Instantiate a key client that will be used to call the service.
# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
# First, create a key
key_name = "rotation-sample-key"
key = await client.create_rsa_key(key_name)
print("\nCreated a key; new version is {}".format(key.properties.version))
# Set the key's automated rotation policy to rotate the key two months after the key was created
actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.ROTATE,
time_after_create="P2M")
]
updated_policy = await client.update_key_rotation_policy(
key_name, lifetime_actions=actions)
# The created policy should only have one action
assert len(updated_policy.lifetime_actions
) == 1, "There should be exactly one rotation policy action"
policy_action = updated_policy.lifetime_actions[0]
print("\nCreated a new key rotation policy: {} after {}".format(
policy_action.action, policy_action.time_after_create))
# Get the key's current rotation policy
current_policy = await client.get_key_rotation_policy(key_name)
policy_action = current_policy.lifetime_actions[0]
print("\nCurrent rotation policy: {} after {}".format(
policy_action.action, policy_action.time_after_create))
# Update the key's automated rotation policy to notify 30 days before the key expires
new_actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY,
time_before_expiry="P30D")
]
# You may also specify the duration after which the newly rotated key will expire
# In this example, any new key versions will expire after 90 days
new_policy = await client.update_key_rotation_policy(
key_name, expires_in="P90D", lifetime_actions=new_actions)
# The updated policy should only have one action
assert len(new_policy.lifetime_actions
) == 1, "There should be exactly one rotation policy action"
policy_action = new_policy.lifetime_actions[0]
print("\nUpdated rotation policy: {} {} before expiry".format(
policy_action.action, policy_action.time_before_expiry))
# Finally, you can rotate a key on-demand by creating a new version of the key
rotated_key = await client.rotate_key(key_name)
print("\nRotated the key on-demand; new version is {}".format(
rotated_key.properties.version))
# To clean up, delete the key
await client.delete_key(key_name)
print("\nDeleted the key")
await credential.close()
await client.close()
def test_key_rotation_policy(self, client, **kwargs):
if (not is_public_cloud() and self.is_live):
pytest.skip(
"This test not supprot in usgov/china region. Follow up with service team."
)
key_name = self.get_resource_name("rotation-key")
self._create_rsa_key(client, key_name)
# ensure passing an empty policy with no kwargs doesn't raise an error
client.update_key_rotation_policy(key_name, KeyRotationPolicy())
# updating a rotation policy with an empty policy and override
actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate,
time_after_create="P2M")
]
updated_policy = client.update_key_rotation_policy(
key_name, KeyRotationPolicy(), lifetime_actions=actions)
fetched_policy = client.get_key_rotation_policy(key_name)
assert updated_policy.expires_in is None
_assert_rotation_policies_equal(updated_policy, fetched_policy)
updated_policy_actions = None
for i in range(len(updated_policy.lifetime_actions)):
if updated_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.rotate:
updated_policy_actions = updated_policy.lifetime_actions[i]
assert updated_policy_actions, "Specified rotation policy action not found in updated policy"
assert updated_policy_actions.action == KeyRotationPolicyAction.rotate
assert updated_policy_actions.time_after_create == "P2M"
assert updated_policy_actions.time_before_expiry is None
fetched_policy_actions = None
for i in range(len(fetched_policy.lifetime_actions)):
if fetched_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.rotate:
fetched_policy_actions = fetched_policy.lifetime_actions[i]
assert fetched_policy_actions, "Specified rotation policy action not found in fetched policy"
_assert_lifetime_actions_equal(updated_policy_actions,
fetched_policy_actions)
# updating with a round-tripped policy and overriding expires_in
new_policy = client.update_key_rotation_policy(key_name,
policy=updated_policy,
expires_in="P90D")
assert new_policy.expires_in == "P90D"
new_policy_actions = None
for i in range(len(new_policy.lifetime_actions)):
if new_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.rotate:
new_policy_actions = new_policy.lifetime_actions[i]
_assert_lifetime_actions_equal(updated_policy_actions,
new_policy_actions)
# updating with a round-tripped policy and overriding lifetime_actions
newest_actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.notify,
time_before_expiry="P60D")
]
newest_policy = client.update_key_rotation_policy(
key_name, policy=new_policy, lifetime_actions=newest_actions)
newest_fetched_policy = client.get_key_rotation_policy(key_name)
assert newest_policy.expires_in == "P90D"
_assert_rotation_policies_equal(newest_policy, newest_fetched_policy)
newest_policy_actions = None
for i in range(len(newest_policy.lifetime_actions)):
if newest_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.notify:
newest_policy_actions = newest_policy.lifetime_actions[i]
assert newest_policy_actions.action == KeyRotationPolicyAction.notify
assert newest_policy_actions.time_after_create is None
assert newest_policy_actions.time_before_expiry == "P60D"
newest_fetched_policy_actions = None
for i in range(len(newest_fetched_policy.lifetime_actions)):
if newest_fetched_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.notify:
newest_fetched_policy_actions = newest_fetched_policy.lifetime_actions[
i]
_assert_lifetime_actions_equal(newest_policy_actions,
newest_fetched_policy_actions)
async def run_sample():
# Instantiate a key client that will be used to call the service.
# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
# First, create a key
key_name = "rotation-sample-key"
key = await client.create_rsa_key(key_name)
print("\nCreated a key; new version is {}".format(key.properties.version))
# Set the key's automated rotation policy to rotate the key two months after the key was created.
# If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the
# default policy. Any keyword arguments will update specified properties of the policy.
actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create="P2M")]
updated_policy = await client.update_key_rotation_policy(
key_name, KeyRotationPolicy(), expires_in="P90D", lifetime_actions=actions
)
assert updated_policy.expires_in == "P90D"
# The updated policy should have the specified lifetime action
policy_action = None
for i in range(len(updated_policy.lifetime_actions)):
if updated_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
policy_action = updated_policy.lifetime_actions[i]
assert policy_action, "The specified action should exist in the key rotation policy"
assert policy_action.time_after_create == "P2M", "The action should have the specified time_after_create"
assert policy_action.time_before_expiry is None, "The action shouldn't have a time_before_expiry"
print(
"\nCreated a new key rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create)
)
# Get the key's current rotation policy
current_policy = await client.get_key_rotation_policy(key_name)
policy_action = None
for i in range(len(current_policy.lifetime_actions)):
if current_policy.lifetime_actions[i].action == KeyRotationPolicyAction.rotate:
policy_action = current_policy.lifetime_actions[i]
print("\nCurrent rotation policy: {} after {}".format(policy_action.action, policy_action.time_after_create))
# Update the key's automated rotation policy to notify 10 days before the key expires
new_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.notify, time_before_expiry="P10D")]
# To preserve an existing rotation policy, pass in the existing policy as the `policy` parameter.
# Any property specified as a keyword argument will be overridden completely by the provided value.
# In this case, the rotate action we created earlier will be removed from the policy.
new_policy = await client.update_key_rotation_policy(key_name, current_policy, lifetime_actions=new_actions)
assert new_policy.expires_in == "P90D", "The key's expiry time should have been preserved"
# The updated policy should include the new notify action
notify_action = None
for i in range(len(new_policy.lifetime_actions)):
if new_policy.lifetime_actions[i].action == KeyRotationPolicyAction.notify:
notify_action = new_policy.lifetime_actions[i]
assert notify_action, "The specified action should exist in the key rotation policy"
assert notify_action.time_after_create is None, "The action shouldn't have a time_after_create"
assert notify_action.time_before_expiry == "P10D", "The action should have the specified time_before_expiry"
print("\nNew policy action: {} {} before expiry".format(notify_action.action, notify_action.time_before_expiry))
# Finally, you can rotate a key on-demand by creating a new version of the key
rotated_key = await client.rotate_key(key_name)
print("\nRotated the key on-demand; new version is {}".format(rotated_key.properties.version))
# To clean up, delete the key
await client.delete_key(key_name)
print("\nDeleted the key")
await credential.close()
await client.close()
# Instantiate a key client that will be used to call the service.
# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
# First, create a key
key_name = "rotation-sample-key"
key = client.create_rsa_key(key_name)
print("\nCreated a key; new version is {}".format(key.properties.version))
# Set the key's automated rotation policy to rotate the key two months after the key was created.
# If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the
# default policy. Any keyword arguments will update specified properties of the policy.
actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate,
time_after_create="P2M")
]
updated_policy = client.update_key_rotation_policy(key_name,
KeyRotationPolicy(),
expires_in="P90D",
lifetime_actions=actions)
assert updated_policy.expires_in == "P90D"
# The updated policy should have the specified lifetime action
policy_action = None
for i in range(len(updated_policy.lifetime_actions)):
if updated_policy.lifetime_actions[
i].action == KeyRotationPolicyAction.rotate:
policy_action = updated_policy.lifetime_actions[i]
assert policy_action, "The specified action should exist in the key rotation policy"
assert policy_action.time_after_create == "P2M", "The action should have the specified time_after_create"