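def run_sample():
    """Create, list, update, version and soft-delete secrets in a Key Vault.

    Reads the vault URL from the ``VAULT_URL`` environment variable and
    authenticates with ``DefaultAzureCredential``. That credential chain
    accepts a service principal through the ``AZURE_CLIENT_ID``,
    ``AZURE_CLIENT_SECRET`` and ``AZURE_TENANT_ID`` environment variables.
    NOTE(review): when this runs on Azure, prefer a managed identity so no
    client secret has to live in the environment — the same credential class
    picks it up without code changes; confirm for the deployment target.

    Secret values are never written to stdout by this sample: anything printed
    ends up in terminal scrollback and CI logs, which defeats the point of
    keeping the value in the vault.

    Raises:
        KeyError: if ``VAULT_URL`` is not set in the environment.
    """
    # Instantiate a secret client that will be used to call the service.
    vault_url = os.environ["VAULT_URL"]
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)

    try:
        # Create secrets holding storage and bank account credentials. If a secret with
        # the same name already exists in the Key Vault, a new version of it is created.
        print("\n1. Create Secret")
        bank_secret = client.set_secret("listOpsBankSecretName", "listOpsSecretValue1")
        storage_secret = client.set_secret("listOpsStorageSecretName", "listOpsSecretValue2")
        print("Secret with name '{0}' was created.".format(bank_secret.name))
        print("Secret with name '{0}' was created.".format(storage_secret.name))

        # Check whether any of the secrets share the same value. List operations don't
        # return values, so each secret is fetched with get_secret. The values are
        # compared in memory only; only the names of any colliding secrets are reported.
        print("\n2. List secrets from the Key Vault")
        names_by_value = {}
        for secret in client.list_secrets():
            retrieved_secret = client.get_secret(secret.name)
            print("Secret with name '{0}' was found.".format(retrieved_secret.name))
            names_by_value.setdefault(retrieved_secret.value, []).append(retrieved_secret.name)
        for names in names_by_value.values():
            if len(names) > 1:
                print("Secrets {0} share the same value.".format(", ".join(sorted(names))))

        # The bank account password changed, so update the secret in Key Vault so it
        # reflects the new password. Calling set_secret on an existing secret creates a
        # new version with the new value. Only the name is echoed, not the value.
        updated_secret = client.set_secret(bank_secret.name, "newSecretValue")
        print("Secret with name '{0}' was updated with a new value.".format(updated_secret.name))

        # Print every version the bank account password secret has had.
        print("\n3. List versions of the secret using its name")
        for secret_version in client.list_secret_versions(bank_secret.name):
            print("Bank Secret with name '{0}' has version: '{1}'.".format(
                secret_version.name, secret_version.version))

        # The bank and storage accounts were closed; delete their secrets. In this SDK
        # version delete_secret returns before the server has finished, hence the fixed
        # wait before the deleted secrets are listed.
        client.delete_secret(bank_secret.name)
        client.delete_secret(storage_secret.name)
        print("Deleting secrets...")
        time.sleep(30)

        # List the deleted, not-yet-purged secrets; this requires soft-delete on the vault.
        print("\n4. List deleted secrets from the Key Vault")
        for deleted_secret in client.list_deleted_secrets():
            print("Secret with name '{0}' has recovery id '{1}'".format(
                deleted_secret.name, deleted_secret.recovery_id))
    except HttpResponseError as e:
        if "(NotSupported)" in e.message:
            print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message))
        else:
            print("\nrun_sample has caught an error. {0}".format(e.message))
    finally:
        print("\nrun_sample done")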
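def deleted_secret_recovery(self):
    """Enumerate, soft-delete, recover and purge secrets in a soft-delete-enabled vault.

    Creates a vault via ``self.create_vault()``, writes two secrets, deletes
    both, recovers one and purges the other, printing the vault's secret names
    before and after. Secret values are never printed.

    Purging is irreversible: a purged secret cannot be recovered afterwards.
    NOTE(review): on a vault with purge protection enabled the purge call is
    expected to be rejected by the service — confirm against the settings
    ``create_vault`` applies.
    """
    # Create a vault; enabling soft delete is assumed to happen inside create_vault.
    vault = self.create_vault()

    # Create a secret client.
    credential = DefaultAzureCredential()
    secret_client = SecretClient(vault_url=vault.properties.vault_uri, credential=credential)

    def print_secret_names():
        # List the names (never the values) of all secrets in the client's vault.
        print("all of the secrets in the client's vault:")
        for secret_property in secret_client.list_properties_of_secrets():
            print(secret_property.name)

    def delete_and_wait(name):
        # result() returns the DeletedSecret right away; wait() blocks until the
        # deletion has completed server-side, which the recover/purge calls rely on.
        poller = secret_client.begin_delete_secret(name)
        deleted_secret = poller.result()
        poller.wait()
        print('deleted secret {}'.format(deleted_secret.name))

    # Create secrets in the vault.
    secret_to_recover = get_name('secret')
    secret_to_purge = get_name('secret')
    for name, value in ((secret_to_recover, "secret to restore"), (secret_to_purge, "secret to purge")):
        secret = secret_client.set_secret(name, value)
        print('created secret {}'.format(secret.name))

    print_secret_names()

    # Delete the secrets.
    delete_and_wait(secret_to_recover)
    delete_and_wait(secret_to_purge)

    # List the deleted secrets.
    print("all of the deleted secrets in the client's vault:")
    for deleted_secret in secret_client.list_deleted_secrets():
        print(deleted_secret.name)

    # Recover a deleted secret.
    recover_secret_poller = secret_client.begin_recover_deleted_secret(secret_to_recover)
    recovered_secret = recover_secret_poller.result()
    print('recovered secret {}'.format(recovered_secret.name))

    # Purge a deleted secret. This is permanent; the fixed sleep gives the service
    # time to finish before the final listing.
    secret_client.purge_deleted_secret(secret_to_purge)
    time.sleep(50)
    print('purged secret {}'.format(secret_to_purge))

    print_secret_names()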
# You need to check all the different values your bank account password secret had previously. Lets print all # the versions of this secret. print("\n.. List versions of the secret using its name") secret_versions = client.list_properties_of_secret_versions( bank_secret.name) for secret_version in secret_versions: print("Bank Secret with name '{0}' has version: '{1}'.".format( secret_version.name, secret_version.version)) # The bank account and storage accounts got closed. Let's delete bank and storage accounts secrets. # Calling result() on the method will immediately return the `DeletedSecret`, but calling wait() blocks # until the secret is deleted server-side. print("\n.. Deleting secrets...") client.begin_delete_secret(bank_secret.name).wait() client.begin_delete_secret(storage_secret.name).wait() # You can list all the deleted and non-purged secrets, assuming Key Vault is soft-delete enabled. print("\n.. List deleted secrets from the Key Vault") deleted_secrets = client.list_deleted_secrets() for deleted_secret in deleted_secrets: print("Secret with name '{0}' has recovery id '{1}'".format( deleted_secret.name, deleted_secret.recovery_id)) except HttpResponseError as e: if "(NotSupported)" in e.message: print( "\n{0} Please enable soft-delete on Key Vault to perform this operation." .format(e.message)) else: print("\nThis sample has caught an error. {0}".format(e.message))
if c.name.startswith("livekvtest") ] for certificate in deleted_test_certificates: cert_client.purge_deleted_certificate(certificate.name) test_keys = [ k for k in key_client.list_properties_of_keys() if k.name.startswith("livekvtest") ] for key in test_keys: key_client.begin_delete_key(key.name).wait() deleted_test_keys = [ k for k in key_client.list_deleted_keys() if k.name.startswith("livekvtest") ] for key in deleted_test_keys: key_client.purge_deleted_key(key.name) test_secrets = [ s for s in secret_client.list_properties_of_secrets() if s.name.startswith("livekvtest") ] for secret in test_secrets: secret_client.begin_delete_secret(secret.name).wait() deleted_test_secrets = [ s for s in secret_client.list_deleted_secrets() if s.name.startswith("livekvtest") ] for secret in deleted_test_secrets: secret_client.purge_deleted_secret(secret.name)