def deleted_key_recovery(self): """ a sample of enumerating, retrieving, recovering and purging deleted keys from a key vault """ # create a vault enabling the soft delete feature vault = self.create_vault() # create a key client credential = DefaultAzureCredential() key_client = KeyClient(vault_url=vault.properties.vault_uri, credential=credential) # create keys in the vault key_to_recover = get_name('key') key_to_purge = get_name('key') key = key_client.create_key(key_to_recover, 'RSA') print('created key {}'.format(key.name)) key = key_client.create_key(key_to_purge, 'RSA') print('created key {}'.format(key.name)) # list the vault keys keys = key_client.list_properties_of_keys() print("keys:") for key in keys: print(key.name) # delete the keys key_client.begin_delete_key(key_to_recover).wait() print('deleted key {}'.format(key_to_recover)) key_client.begin_delete_key(key_to_purge).wait() print('deleted key {}'.format(key_to_purge)) # list the deleted keys deleted_keys = key_client.list_deleted_keys() print("deleted keys:") for deleted_key in deleted_keys: print(deleted_key.name) # recover a deleted key recover_key_poller = key_client.begin_recover_deleted_key( key_to_recover) recovered_key = recover_key_poller.result() print('recovered key {}'.format(recovered_key.name)) # purge a deleted key key_client.purge_deleted_key(key_to_purge) time.sleep(50) print('purged key {}'.format(key_to_purge)) # list the vaults key keys = key_client.list_properties_of_keys() print("all of the keys in the client's vault:") for key in keys: print(key.name)
def run_sample(): # Instantiate a key client that will be used to call the service. # Notice that the client is using default Azure credentials. # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) try: # Let's create keys with RSA and EC type. If the key # already exists in the Key Vault, then a new version of the key is created. print("\n1. Create Key") rsa_key = client.create_rsa_key("rsaKeyName", hsm=False) ec_key = client.create_ec_key("ecKeyName", hsm=False) print("Key with name '{0}' was created of type '{1}'.".format(rsa_key.name, rsa_key.key_material.kty)) print("Key with name '{0}' was created of type '{1}'.".format(ec_key.name, ec_key.key_material.kty)) # The ec key is no longer needed. Need to delete it from the Key Vault. print("\n2. Delete a Key") key = client.delete_key(rsa_key.name) time.sleep(20) print("Key with name '{0}' was deleted on date {1}.".format(key.name, key.deleted_date)) # We accidentally deleted the rsa key. Let's recover it. # A deleted key can only be recovered if the Key Vault is soft-delete enabled. print("\n3. Recover Deleted Key") recovered_key = client.recover_deleted_key(rsa_key.name) print("Recovered Key with name '{0}'.".format(recovered_key.name)) # Let's delete ec key now. # If the keyvault is soft-delete enabled, then for permanent deletion deleted key needs to be purged. client.delete_key(ec_key.name) # To ensure key is deleted on the server side. print("\nDeleting EC Key...") time.sleep(20) # To ensure permanent deletion, we might need to purge the key. print("\n4. Purge Deleted Key") client.purge_deleted_key(ec_key.name) print("EC Key has been permanently deleted.") except HttpResponseError as e: if "(NotSupported)" in e.message: print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message)) else: print("\nrun_sample has caught an error. {0}".format(e.message)) finally: print("\nrun_sample done")
def test_selective_key_restore(self, container_uri, sas_token): # create a key to selectively restore key_client = KeyClient(self.managed_hsm["url"], self.credential) key_name = self.get_resource_name("selective-restore-test-key") key_client.create_rsa_key(key_name) # backup the vault backup_client = KeyVaultBackupClient(self.managed_hsm["url"], self.credential) backup_poller = backup_client.begin_full_backup( container_uri, sas_token) # check backup status and result job_id = backup_poller.polling_method().resource().id backup_status = backup_client.get_backup_status(job_id) assert_in_progress_operation(backup_status) backup_operation = backup_poller.result() assert_successful_operation(backup_operation) backup_status = backup_client.get_backup_status(job_id) assert_successful_operation(backup_status) # restore the key folder_name = backup_operation.azure_storage_blob_container_uri.split( "/")[-1] restore_poller = backup_client.begin_selective_restore( container_uri, sas_token, folder_name, key_name) # check restore status and result job_id = restore_poller.polling_method().resource().id restore_status = backup_client.get_restore_status(job_id) assert_in_progress_operation(restore_status) restore_operation = restore_poller.result() assert_successful_operation(restore_operation) restore_status = backup_client.get_restore_status(job_id) assert_successful_operation(restore_status) # delete the key delete_function = partial(key_client.begin_delete_key, key_name) delete_poller = self._poll_until_no_exception(delete_function, ResourceExistsError) delete_poller.wait() key_client.purge_deleted_key(key_name)
def test_selective_key_restore(self, container_uri, sas_token): # create a key to selectively restore key_client = KeyClient(self.managed_hsm["url"], self.credential) key_name = self.get_resource_name("selective-restore-test-key") key_client.create_rsa_key(key_name) # backup the vault backup_client = KeyVaultBackupClient(self.managed_hsm["url"], self.credential) backup_poller = backup_client.begin_full_backup(container_uri, sas_token) backup_operation = backup_poller.result() assert_successful_operation(backup_operation) # restore the key folder_name = backup_operation.azure_storage_blob_container_uri.split("/")[-1] restore_poller = backup_client.begin_selective_restore(container_uri, sas_token, folder_name, key_name) restore_operation = restore_poller.result() assert_successful_operation(restore_operation) key_client.begin_delete_key(key_name).wait() key_client.purge_deleted_key(key_name)
def test_selective_key_restore(self, container_uri, sas_token): # create a key to selectively restore key_client = KeyClient(self.managed_hsm["url"], self.credential) key_name = self.get_resource_name("selective-restore-test-key") key_client.create_rsa_key(key_name) # backup the vault backup_client = KeyVaultBackupClient(self.managed_hsm["url"], self.credential) backup_poller = backup_client.begin_backup(container_uri, sas_token) backup_operation = backup_poller.result() # restore the key restore_poller = backup_client.begin_restore( backup_operation.folder_url, sas_token, key_name=key_name) restore_poller.wait() # delete the key delete_function = partial(key_client.begin_delete_key, key_name) delete_poller = self._poll_until_no_exception(delete_function, ResourceExistsError) delete_poller.wait() key_client.purge_deleted_key(key_name)
rsa_key = client.create_rsa_key("rsaKeyName") ec_key = client.create_ec_key("ecKeyName") print("Created key '{0}' of type '{1}'.".format(rsa_key.name, rsa_key.key_type)) print("Created key '{0}' of type '{1}'.".format(ec_key.name, ec_key.key_type)) print("\n.. Delete the keys") for key_name in (ec_key.name, rsa_key.name): deleted_key = client.begin_delete_key(key_name).result() print("Deleted key '{0}'".format(deleted_key.name)) print("\n.. Recover a deleted key") recovered_key = client.begin_recover_deleted_key(rsa_key.name).result() print("Recovered key '{0}'".format(recovered_key.name)) # deleting the recovered key so it doesn't outlast this script client.begin_delete_key(recovered_key.name).wait() print("\n.. Purge keys") for key_name in (ec_key.name, rsa_key.name): client.purge_deleted_key(key_name) print("Purged '{}'".format(key_name)) except HttpResponseError as e: if "(NotSupported)" in e.message: print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message)) else: print("\nrun_sample has caught an error. {0}".format(e.message)) finally: print("\nrun_sample done")
if c.name.startswith("livekvtest") ] for certificate in deleted_test_certificates: cert_client.purge_deleted_certificate(certificate.name) test_keys = [ k for k in key_client.list_properties_of_keys() if k.name.startswith("livekvtest") ] for key in test_keys: key_client.begin_delete_key(key.name).wait() deleted_test_keys = [ k for k in key_client.list_deleted_keys() if k.name.startswith("livekvtest") ] for key in deleted_test_keys: key_client.purge_deleted_key(key.name) test_secrets = [ s for s in secret_client.list_properties_of_secrets() if s.name.startswith("livekvtest") ] for secret in test_secrets: secret_client.begin_delete_secret(secret.name).wait() deleted_test_secrets = [ s for s in secret_client.list_deleted_secrets() if s.name.startswith("livekvtest") ] for secret in deleted_test_secrets: secret_client.purge_deleted_secret(secret.name)