def deleted_key_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted keys from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a key client
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=vault.properties.vault_uri,
credential=credential)
# create keys in the vault
key_to_recover = get_name('key')
key_to_purge = get_name('key')
key = key_client.create_key(key_to_recover, 'RSA')
print('created key {}'.format(key.name))
key = key_client.create_key(key_to_purge, 'RSA')
print('created key {}'.format(key.name))
# list the vault keys
keys = key_client.list_properties_of_keys()
print("keys:")
for key in keys:
print(key.name)
# delete the keys
key_client.begin_delete_key(key_to_recover).wait()
print('deleted key {}'.format(key_to_recover))
key_client.begin_delete_key(key_to_purge).wait()
print('deleted key {}'.format(key_to_purge))
# list the deleted keys
deleted_keys = key_client.list_deleted_keys()
print("deleted keys:")
for deleted_key in deleted_keys:
print(deleted_key.name)
# recover a deleted key
recover_key_poller = key_client.begin_recover_deleted_key(
key_to_recover)
recovered_key = recover_key_poller.result()
print('recovered key {}'.format(recovered_key.name))
# purge a deleted key
key_client.purge_deleted_key(key_to_purge)
time.sleep(50)
print('purged key {}'.format(key_to_purge))
# list the vaults key
keys = key_client.list_properties_of_keys()
print("all of the keys in the client's vault:")
for key in keys:
print(key.name)
def run_sample():
# Instantiate a key client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create keys with RSA and EC type. If the key
# already exists in the Key Vault, then a new version of the key is created.
print("\n1. Create Key")
rsa_key = client.create_rsa_key("rsaKeyName", hsm=False)
ec_key = client.create_ec_key("ecKeyName", hsm=False)
print("Key with name '{0}' was created of type '{1}'.".format(rsa_key.name, rsa_key.key_material.kty))
print("Key with name '{0}' was created of type '{1}'.".format(ec_key.name, ec_key.key_material.kty))
# The ec key is no longer needed. Need to delete it from the Key Vault.
print("\n2. Delete a Key")
key = client.delete_key(rsa_key.name)
time.sleep(20)
print("Key with name '{0}' was deleted on date {1}.".format(key.name, key.deleted_date))
# We accidentally deleted the rsa key. Let's recover it.
# A deleted key can only be recovered if the Key Vault is soft-delete enabled.
print("\n3. Recover Deleted Key")
recovered_key = client.recover_deleted_key(rsa_key.name)
print("Recovered Key with name '{0}'.".format(recovered_key.name))
# Let's delete ec key now.
# If the keyvault is soft-delete enabled, then for permanent deletion deleted key needs to be purged.
client.delete_key(ec_key.name)
# To ensure key is deleted on the server side.
print("\nDeleting EC Key...")
time.sleep(20)
# To ensure permanent deletion, we might need to purge the key.
print("\n4. Purge Deleted Key")
client.purge_deleted_key(ec_key.name)
print("EC Key has been permanently deleted.")
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message))
else:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
def test_selective_key_restore(self, container_uri, sas_token):
# create a key to selectively restore
key_client = KeyClient(self.managed_hsm["url"], self.credential)
key_name = self.get_resource_name("selective-restore-test-key")
key_client.create_rsa_key(key_name)
# backup the vault
backup_client = KeyVaultBackupClient(self.managed_hsm["url"],
self.credential)
backup_poller = backup_client.begin_full_backup(
container_uri, sas_token)
# check backup status and result
job_id = backup_poller.polling_method().resource().id
backup_status = backup_client.get_backup_status(job_id)
assert_in_progress_operation(backup_status)
backup_operation = backup_poller.result()
assert_successful_operation(backup_operation)
backup_status = backup_client.get_backup_status(job_id)
assert_successful_operation(backup_status)
# restore the key
folder_name = backup_operation.azure_storage_blob_container_uri.split(
"/")[-1]
restore_poller = backup_client.begin_selective_restore(
container_uri, sas_token, folder_name, key_name)
# check restore status and result
job_id = restore_poller.polling_method().resource().id
restore_status = backup_client.get_restore_status(job_id)
assert_in_progress_operation(restore_status)
restore_operation = restore_poller.result()
assert_successful_operation(restore_operation)
restore_status = backup_client.get_restore_status(job_id)
assert_successful_operation(restore_status)
# delete the key
delete_function = partial(key_client.begin_delete_key, key_name)
delete_poller = self._poll_until_no_exception(delete_function,
ResourceExistsError)
delete_poller.wait()
key_client.purge_deleted_key(key_name)
def test_selective_key_restore(self, container_uri, sas_token):
# create a key to selectively restore
key_client = KeyClient(self.managed_hsm["url"], self.credential)
key_name = self.get_resource_name("selective-restore-test-key")
key_client.create_rsa_key(key_name)
# backup the vault
backup_client = KeyVaultBackupClient(self.managed_hsm["url"], self.credential)
backup_poller = backup_client.begin_full_backup(container_uri, sas_token)
backup_operation = backup_poller.result()
assert_successful_operation(backup_operation)
# restore the key
folder_name = backup_operation.azure_storage_blob_container_uri.split("/")[-1]
restore_poller = backup_client.begin_selective_restore(container_uri, sas_token, folder_name, key_name)
restore_operation = restore_poller.result()
assert_successful_operation(restore_operation)
key_client.begin_delete_key(key_name).wait()
key_client.purge_deleted_key(key_name)
def test_selective_key_restore(self, container_uri, sas_token):
# create a key to selectively restore
key_client = KeyClient(self.managed_hsm["url"], self.credential)
key_name = self.get_resource_name("selective-restore-test-key")
key_client.create_rsa_key(key_name)
# backup the vault
backup_client = KeyVaultBackupClient(self.managed_hsm["url"],
self.credential)
backup_poller = backup_client.begin_backup(container_uri, sas_token)
backup_operation = backup_poller.result()
# restore the key
restore_poller = backup_client.begin_restore(
backup_operation.folder_url, sas_token, key_name=key_name)
restore_poller.wait()
# delete the key
delete_function = partial(key_client.begin_delete_key, key_name)
delete_poller = self._poll_until_no_exception(delete_function,
ResourceExistsError)
delete_poller.wait()
key_client.purge_deleted_key(key_name)
rsa_key = client.create_rsa_key("rsaKeyName")
ec_key = client.create_ec_key("ecKeyName")
print("Created key '{0}' of type '{1}'.".format(rsa_key.name, rsa_key.key_type))
print("Created key '{0}' of type '{1}'.".format(ec_key.name, ec_key.key_type))
print("\n.. Delete the keys")
for key_name in (ec_key.name, rsa_key.name):
deleted_key = client.begin_delete_key(key_name).result()
print("Deleted key '{0}'".format(deleted_key.name))
print("\n.. Recover a deleted key")
recovered_key = client.begin_recover_deleted_key(rsa_key.name).result()
print("Recovered key '{0}'".format(recovered_key.name))
# deleting the recovered key so it doesn't outlast this script
client.begin_delete_key(recovered_key.name).wait()
print("\n.. Purge keys")
for key_name in (ec_key.name, rsa_key.name):
client.purge_deleted_key(key_name)
print("Purged '{}'".format(key_name))
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print("\n{0} Please enable soft delete on Key Vault to perform this operation.".format(e.message))
else:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
if c.name.startswith("livekvtest")
]
for certificate in deleted_test_certificates:
cert_client.purge_deleted_certificate(certificate.name)
test_keys = [
k for k in key_client.list_properties_of_keys()
if k.name.startswith("livekvtest")
]
for key in test_keys:
key_client.begin_delete_key(key.name).wait()
deleted_test_keys = [
k for k in key_client.list_deleted_keys()
if k.name.startswith("livekvtest")
]
for key in deleted_test_keys:
key_client.purge_deleted_key(key.name)
test_secrets = [
s for s in secret_client.list_properties_of_secrets()
if s.name.startswith("livekvtest")
]
for secret in test_secrets:
secret_client.begin_delete_secret(secret.name).wait()
deleted_test_secrets = [
s for s in secret_client.list_deleted_secrets()
if s.name.startswith("livekvtest")
]
for secret in deleted_test_secrets:
secret_client.purge_deleted_secret(secret.name)
