class KeyVaultCertificates:
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
credential = DefaultAzureCredential()
self.certificate_client = CertificateClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.certificate_name = "cert-name-" + uuid.uuid1().hex
def create_certificate(self):
self.certificate_client.begin_create_certificate(
name=self.certificate_name,
policy=CertificatePolicy.get_default()).wait()
print("\tdone")
def get_certificate(self):
print("Getting a certificate...")
certificate = self.certificate_client.get_certificate(
name=self.certificate_name)
print(f"\tdone, certificate: {certificate.name}.")
def delete_certificate(self):
print("Deleting a certificate...")
deleted_certificate = self.certificate_client.delete_certificate(
name=self.certificate_name)
print("\tdone: " + deleted_certificate.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Certificates\nIdentity - Credential")
print("------------------------")
print("1) Create a certificate")
print("2) Get that certificate")
print("3) Delete that certificate (Clean up the resource)")
print("")
try:
self.create_certificate()
self.get_certificate()
finally:
self.delete_certificate()
# A long running poller is returned for the create certificate operation.
create_certificate_poller = client.begin_create_certificate(
name=cert_name, policy=CertificatePolicy.get_default())
# The result call awaits the completion of the create certificate operation and returns the final result.
# It will return a certificate if creation is successful, and will return the CertificateOperation if not.
certificate = create_certificate_poller.result()
print("Certificate with name '{0}' created.".format(cert_name))
# Backups are good to have, if in case certificates gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing certificate")
certificate_backup = client.backup_certificate(name=cert_name)
print("Backup created for certificate with name '{0}'.".format(cert_name))
# The storage account certificate is no longer in use, so you can delete it.
print("\n.. Delete the certificate")
client.delete_certificate(name=cert_name)
print("Deleted certificate '{0}'".format(cert_name))
# In future, if the certificate is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the certificate from the backup")
certificate = client.restore_certificate_backup(certificate_backup)
print("Restored Certificate with name '{0}'".format(certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
print("\n.. Get a Certificate by name")
bank_certificate = client.get_certificate(name=cert_name)
print("Certificate with name '{0}' was found'.".format(bank_certificate.name))
# After one year, the bank account is still active, and we have decided to update the tags.
print("\n.. Update a Certificate by name")
tags = {"a": "b"}
updated_certificate = client.update_certificate_properties(name=bank_certificate.name, tags=tags)
print(
"Certificate with name '{0}' was updated on date '{1}'".format(
bank_certificate.name, updated_certificate.properties.updated_on
)
)
print(
"Certificate with name '{0}' was updated with tags '{1}'".format(
bank_certificate.name, updated_certificate.properties.tags
)
)
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete Certificate")
deleted_certificate = client.delete_certificate(name=bank_certificate.name)
print("Deleting Certificate..")
print("Certificate with name '{0}' was deleted.".format(deleted_certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
print(
"Certificate with name '{0}' was created again with tags '{1}'".format(
bank_cert_name, tags))
# You need to check all the different tags your bank account certificate had previously. Let's print
# all the versions of this certificate.
print("\n.. List versions of the certificate using its name")
certificate_versions = client.list_certificate_versions(bank_cert_name)
for certificate_version in certificate_versions:
print(
"Bank Certificate with name '{0}' with version '{1}' has tags: '{2}'."
.format(certificate_version.name, certificate_version.version,
certificate_version.tags))
# The bank account and storage accounts got closed. Let's delete bank and storage accounts certificates.
client.delete_certificate(name=bank_cert_name)
client.delete_certificate(name=storage_cert_name)
# You can list all the deleted and non-purged certificates, assuming Key Vault is soft-delete enabled.
print("\n.. List deleted certificates from the Key Vault")
deleted_certificates = client.list_deleted_certificates()
for deleted_certificate in deleted_certificates:
print("Certificate with name '{0}' has recovery id '{1}'".format(
deleted_certificate.name, deleted_certificate.recovery_id))
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print(
"\n{0} Please enable soft delete on Key Vault to perform this operation."
.format(e.message))
else:
