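def run_sample():
    """Exercise the basic secret lifecycle of an Azure Key Vault.

    Creates two secrets, lists them, updates one, enumerates its versions,
    deletes both and finally lists the soft-deleted secrets. The vault URL is
    read from the ``VAULT_URL`` environment variable and the client
    authenticates with ``DefaultAzureCredential``, which reads
    ``AZURE_CLIENT_ID``, ``AZURE_CLIENT_SECRET`` and ``AZURE_TENANT_ID`` when a
    service principal is used.

    Returns:
        None. Progress is written to stdout; service errors are reported there
        as well rather than propagated to the caller.

    Raises:
        KeyError: if ``VAULT_URL`` is not set in the environment.
    """
    # Instantiate a secret client that will be used to call the service. Notice that the client is using default Azure
    # credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
    # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
    vault_url = os.environ["VAULT_URL"]
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)
    try:
        # Let's create secrets holding storage and bank accounts credentials. If the secret
        # already exists in the Key Vault, then a new version of the secret is created.
        print("\n1. Create Secret")
        bank_secret = client.set_secret("listOpsBankSecretName", "listOpsSecretValue1")
        storage_secret = client.set_secret("listOpsStorageSecretName", "listOpsSecretValue2")
        print("Secret with name '{0}' was created.".format(bank_secret.name))
        print("Secret with name '{0}' was created.".format(storage_secret.name))

        # List operations don't return the secrets with value information, so for each returned
        # secret we call get_secret to retrieve the full secret. The value itself is deliberately
        # not echoed: anything written to stdout ends up in terminal scrollback, CI logs and
        # log aggregators. (The original message claimed to print the value but passed the name.)
        print("\n2. List secrets from the Key Vault")
        for secret in client.list_secrets():
            retrieved_secret = client.get_secret(secret.name)
            print("Secret with name '{0}' was found.".format(retrieved_secret.name))

        # The bank account password got updated, so you want to update the secret in Key Vault to ensure it reflects the
        # new password. Calling set_secret on an existing secret creates a new version of the secret in the Key Vault
        # with the new value.
        updated_secret = client.set_secret(bank_secret.name, "newSecretValue")
        # "newSecretValue" is a throw-away demo value; do not print real secret values like this.
        print(
            "Secret with name '{0}' was updated with new value '{1}'".format(updated_secret.name, updated_secret.value)
        )

        # You need to check all the different values your bank account password secret had previously. Lets print all
        # the versions of this secret.
        print("\n3. List versions of the secret using its name")
        for secret_version in client.list_secret_versions(bank_secret.name):
            print("Bank Secret with name '{0}' has version: '{1}'.".format(secret_version.name, secret_version.version))

        # The bank account and storage accounts got closed. Let's delete bank and storage accounts secrets.
        client.delete_secret(bank_secret.name)
        client.delete_secret(storage_secret.name)

        # delete_secret returns before the server-side deletion has finished; this fixed wait is a
        # best-effort way to let it complete before listing. NOTE(review): a fixed sleep is still a
        # race on a slow service — confirm whether the client version in use offers a poller.
        print("Deleting secrets...")
        time.sleep(30)

        # You can list all the deleted and non-purged secrets, assuming Key Vault is soft-delete enabled.
        print("\n4. List deleted secrets from the Key Vault")
        for deleted_secret in client.list_deleted_secrets():
            print(
                "Secret with name '{0}' has recovery id '{1}'".format(deleted_secret.name, deleted_secret.recovery_id)
            )

    except HttpResponseError as e:
        # The service reports a soft-delete-disabled vault as "(NotSupported)" in the error text.
        if "(NotSupported)" in e.message:
            print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message))
        else:
            print("\nrun_sample has caught an error. {0}".format(e.message))

    finally:
        print("\nrun_sample done")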
    def deleted_secret_recovery(self):
        """
        a sample of enumerating, retrieving, recovering and purging deleted secrets from a key vault

        Creates a soft-delete-enabled vault via ``self.create_vault()``, writes two secrets,
        deletes both, recovers one and purges the other, printing the vault's secret names
        before and after. Purging is irreversible; the purged name is chosen by ``get_name``.
        """
        # create a vault enabling the soft delete feature
        vault = self.create_vault()

        # create a secret client authenticating with the default credential chain
        secret_client = SecretClient(vault_url=vault.properties.vault_uri,
                                     credential=DefaultAzureCredential())

        def show_secret_names():
            # list the name of all of the secrets in the client's vault
            pages = secret_client.list_properties_of_secrets()
            print("all of the secrets in the client's vault:")
            for props in pages:
                print(props.name)

        def delete_and_wait(name):
            # result() hands back the DeletedSecret; wait() blocks until the
            # deletion has completed server-side
            poller = secret_client.begin_delete_secret(name)
            removed = poller.result()
            poller.wait()
            print('deleted secret {}'.format(removed.name))

        # create secrets in the vault
        name_to_recover = get_name('secret')
        name_to_purge = get_name('secret')

        to_create = (
            (name_to_recover, "secret to restore"),
            (name_to_purge, "secret to purge"),
        )
        for name, value in to_create:
            created = secret_client.set_secret(name, value)
            print('created secret {}'.format(created.name))

        show_secret_names()

        # delete the secrets
        delete_and_wait(name_to_recover)
        delete_and_wait(name_to_purge)

        # list the deleted secrets
        deleted = secret_client.list_deleted_secrets()
        print("all of the deleted secrets in the client's vault:")
        for entry in deleted:
            print(entry.name)

        # recover a deleted secret
        recovered = secret_client.begin_recover_deleted_secret(name_to_recover).result()
        print('recovered secret {}'.format(recovered.name))

        # purge a deleted secret (irreversible), then give the service time to apply it
        secret_client.purge_deleted_secret(name_to_purge)
        time.sleep(50)
        print('purged secret {}'.format(name_to_purge))

        show_secret_names()
    # You need to check all the different values your bank account password secret had previously. Lets print all
    # the versions of this secret.
    print("\n.. List versions of the secret using its name")
    secret_versions = client.list_properties_of_secret_versions(
        bank_secret.name)
    for secret_version in secret_versions:
        print("Bank Secret with name '{0}' has version: '{1}'.".format(
            secret_version.name, secret_version.version))

    # The bank account and storage accounts got closed. Let's delete bank and storage accounts secrets.
    # Calling result() on the method will immediately return the `DeletedSecret`, but calling wait() blocks
    # until the secret is deleted server-side.
    print("\n.. Deleting secrets...")
    client.begin_delete_secret(bank_secret.name).wait()
    client.begin_delete_secret(storage_secret.name).wait()

    # You can list all the deleted and non-purged secrets, assuming Key Vault is soft-delete enabled.
    print("\n.. List deleted secrets from the Key Vault")
    deleted_secrets = client.list_deleted_secrets()
    for deleted_secret in deleted_secrets:
        print("Secret with name '{0}' has recovery id '{1}'".format(
            deleted_secret.name, deleted_secret.recovery_id))

except HttpResponseError as e:
    if "(NotSupported)" in e.message:
        print(
            "\n{0} Please enable soft-delete on Key Vault to perform this operation."
            .format(e.message))
    else:
        print("\nThis sample has caught an error. {0}".format(e.message))
    if c.name.startswith("livekvtest")
]
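# Purging is irreversible: soft-deleted items are gone for good once purged. The only guard
# is the name prefix below, so keep it specific to live-test artifacts and never broaden it.
TEST_RESOURCE_PREFIX = "livekvtest"


def _is_test_resource(item):
    """Return True when *item* (anything with a ``name``) is a live-test artifact."""
    return item.name.startswith(TEST_RESOURCE_PREFIX)


for certificate in deleted_test_certificates:
    cert_client.purge_deleted_certificate(certificate.name)

# Materialize each listing before mutating the vault so the paged server listing is not
# consumed while deletions change the result set.
test_keys = [k for k in key_client.list_properties_of_keys() if _is_test_resource(k)]
for key in test_keys:
    # wait() blocks until the deletion has completed server-side, so the deleted
    # listing below sees every key.
    key_client.begin_delete_key(key.name).wait()
deleted_test_keys = [k for k in key_client.list_deleted_keys() if _is_test_resource(k)]
for key in deleted_test_keys:
    key_client.purge_deleted_key(key.name)

test_secrets = [s for s in secret_client.list_properties_of_secrets() if _is_test_resource(s)]
for secret in test_secrets:
    secret_client.begin_delete_secret(secret.name).wait()
deleted_test_secrets = [s for s in secret_client.list_deleted_secrets() if _is_test_resource(s)]
for secret in deleted_test_secrets:
    secret_client.purge_deleted_secret(secret.name)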