def deleted_key_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted keys from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a key client
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=vault.properties.vault_uri,
credential=credential)
# create keys in the vault
key_to_recover = get_name('key')
key_to_purge = get_name('key')
key = key_client.create_key(key_to_recover, 'RSA')
print('created key {}'.format(key.name))
key = key_client.create_key(key_to_purge, 'RSA')
print('created key {}'.format(key.name))
# list the vault keys
keys = key_client.list_properties_of_keys()
print("keys:")
for key in keys:
print(key.name)
# delete the keys
key_client.begin_delete_key(key_to_recover).wait()
print('deleted key {}'.format(key_to_recover))
key_client.begin_delete_key(key_to_purge).wait()
print('deleted key {}'.format(key_to_purge))
# list the deleted keys
deleted_keys = key_client.list_deleted_keys()
print("deleted keys:")
for deleted_key in deleted_keys:
print(deleted_key.name)
# recover a deleted key
recover_key_poller = key_client.begin_recover_deleted_key(
key_to_recover)
recovered_key = recover_key_poller.result()
print('recovered key {}'.format(recovered_key.name))
# purge a deleted key
key_client.purge_deleted_key(key_to_purge)
time.sleep(50)
print('purged key {}'.format(key_to_purge))
# list the vaults key
keys = key_client.list_properties_of_keys()
print("all of the keys in the client's vault:")
for key in keys:
print(key.name)
def test_selective_key_restore(self, container_uri, sas_token):
# create a key to selectively restore
key_client = KeyClient(self.managed_hsm["url"], self.credential)
key_name = self.get_resource_name("selective-restore-test-key")
key_client.create_rsa_key(key_name)
# backup the vault
backup_client = KeyVaultBackupClient(self.managed_hsm["url"], self.credential)
backup_poller = backup_client.begin_full_backup(container_uri, sas_token)
backup_operation = backup_poller.result()
assert_successful_operation(backup_operation)
# restore the key
folder_name = backup_operation.azure_storage_blob_container_uri.split("/")[-1]
restore_poller = backup_client.begin_selective_restore(container_uri, sas_token, folder_name, key_name)
restore_operation = restore_poller.result()
assert_successful_operation(restore_operation)
key_client.begin_delete_key(key_name).wait()
key_client.purge_deleted_key(key_name)
class KeyVaultKeys:
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
authority_host = os.environ.get(
'AZURE_AUTHORITY_HOST') or KnownAuthorities.AZURE_PUBLIC_CLOUD
credential = DefaultAzureCredential(authority=authority_host)
self.key_client = KeyClient(vault_url=os.environ["AZURE_PROJECT_URL"],
credential=credential)
self.key_name = "key-name-" + uuid.uuid1().hex
def create_rsa_key(self):
print("Creating an RSA key...")
self.key_client.create_rsa_key(name=self.key_name, size=2048)
print("\tdone")
def get_key(self):
print("Getting a key...")
key = self.key_client.get_key(name=self.key_name)
print("\tdone, key: {}.".format(key.name))
def delete_key(self):
print("Deleting a key...")
deleted_key = self.key_client.begin_delete_key(
name=self.key_name).result()
print("\tdone: " + deleted_key.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Keys\nIdentity - Credential")
print("------------------------")
print("1) Create a key")
print("2) Get that key")
print("3) Delete that key (Clean up the resource)")
print("")
try:
self.create_rsa_key()
self.get_key()
finally:
self.delete_key()
class KeyVaultKeys(KeyVaultBase):
def __init__(self):
credential = self.get_default_credential()
self.key_client = KeyClient(vault_url=os.environ["AZURE_PROJECT_URL"],
credential=credential)
self.key_name = "key-name-" + uuid.uuid1().hex
def create_rsa_key(self):
print("Creating an RSA key...")
self.key_client.create_rsa_key(name=self.key_name, size=2048)
print("\tdone")
def get_key(self):
print("Getting a key...")
key = self.key_client.get_key(name=self.key_name)
print("\tdone, key: {}.".format(key.name))
def delete_key(self):
print("Deleting a key...")
deleted_key = self.key_client.begin_delete_key(
name=self.key_name).result()
print("\tdone: " + deleted_key.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Keys\nIdentity - Credential")
print("------------------------")
print("1) Create a key")
print("2) Get that key")
print("3) Delete that key (Clean up the resource)")
print("")
try:
self.create_rsa_key()
self.get_key()
finally:
self.delete_key()
policy_action = current_policy.lifetime_actions[0]
print("\nCurrent rotation policy: {} after {}".format(
policy_action.action, policy_action.time_after_create))
# Update the key's automated rotation policy to notify 30 days before the key expires
new_actions = [
KeyRotationLifetimeAction(KeyRotationPolicyAction.NOTIFY,
time_before_expiry="P30D")
]
# You may also specify the duration after which the newly rotated key will expire
# In this example, any new key versions will expire after 90 days
new_policy = client.update_key_rotation_policy(key_name,
expires_in="P90D",
lifetime_actions=new_actions)
# The updated policy should only have one action
assert len(new_policy.lifetime_actions
) == 1, "There should be exactly one rotation policy action"
policy_action = new_policy.lifetime_actions[0]
print("\nUpdated rotation policy: {} {} before expiry".format(
policy_action.action, policy_action.time_before_expiry))
# Finally, you can rotate a key on-demand by creating a new version of the key
rotated_key = client.rotate_key(key_name)
print("\nRotated the key on-demand; new version is {}".format(
rotated_key.properties.version))
# To clean up, delete the key
client.begin_delete_key(key_name)
print("\nDeleted the key")
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = KeyClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
print("\n.. Create keys")
rsa_key = client.create_rsa_key("rsaKeyName")
ec_key = client.create_ec_key("ecKeyName")
print("Created key '{0}' of type '{1}'.".format(rsa_key.name, rsa_key.key_type))
print("Created key '{0}' of type '{1}'.".format(ec_key.name, ec_key.key_type))
print("\n.. Delete the keys")
for key_name in (ec_key.name, rsa_key.name):
deleted_key = client.begin_delete_key(key_name).result()
print("Deleted key '{0}'".format(deleted_key.name))
print("\n.. Recover a deleted key")
recovered_key = client.begin_recover_deleted_key(rsa_key.name).result()
print("Recovered key '{0}'".format(recovered_key.name))
# deleting the recovered key so it doesn't outlast this script
client.begin_delete_key(recovered_key.name).wait()
print("\n.. Purge keys")
for key_name in (ec_key.name, rsa_key.name):
client.purge_deleted_key(key_name)
print("Purged '{}'".format(key_name))
except HttpResponseError as e:
ec_key.name, ec_key.key_type))
# Let's get the rsa key details using its name
print("\n.. Get a Key by its name")
rsa_key = client.get_key(rsa_key.name)
print("Key with name '{0}' was found.".format(rsa_key.name))
# Let's say we want to update the expiration time for the EC key and disable the key to be usable
# for cryptographic operations. The update method allows the user to modify the metadata (key attributes)
# associated with a key previously stored within Key Vault.
print("\n.. Update a Key by name")
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
updated_ec_key = client.update_key_properties(ec_key.name,
ec_key.properties.version,
expires_on=expires,
enabled=False)
print("Key with name '{0}' was updated on date '{1}'".format(
updated_ec_key.name, updated_ec_key.properties.updated_on))
print("Key with name '{0}' was updated to expire on '{1}'".format(
updated_ec_key.name, updated_ec_key.properties.expires_on))
# The RSA key is no longer used, need to delete it from the Key Vault.
print("\n.. Delete Keys")
client.begin_delete_key(ec_key.name)
client.begin_delete_key(rsa_key.name)
print("Deleted key '{0}'".format(ec_key.name))
print("Deleted key '{0}'".format(rsa_key.name))
except HttpResponseError as e:
print("\nThis sample has caught an error. {0}".format(e.message))
print("\n.. List keys from the Key Vault")
keys = client.list_properties_of_keys()
for key in keys:
retrieved_key = client.get_key(key.name)
print(
"Key with name '{0}' with type '{1}' was found.".format(retrieved_key.name, retrieved_key.key_type)
)
# The rsa key size now should now be 3072, default - 2048. So you want to update the key in Key Vault to ensure
# it reflects the new key size. Calling create_rsa_key on an existing key creates a new version of the key in
# the Key Vault with the new key size.
new_key = client.create_rsa_key(rsa_key.name, size=3072)
print("New version was created for Key with name '{0}' with the updated size.".format(new_key.name))
# You should have more than one version of the rsa key at this time. Lets print all the versions of this key.
print("\n.. List versions of a key using its name")
key_versions = client.list_properties_of_key_versions(rsa_key.name)
for key in key_versions:
print("Key '{0}' has version: '{1}'".format(key.name, key.version))
# Both the rsa key and ec key are not needed anymore. Let's delete those keys.
print("\n.. Delete the created keys...")
for key_name in (ec_key.name, rsa_key.name):
client.begin_delete_key(key_name).wait()
# You can list all the deleted and non-purged keys, assuming Key Vault is soft-delete enabled.
print("\n.. List deleted keys from the Key Vault (requires soft-delete)")
deleted_keys = client.list_deleted_keys()
for deleted_key in deleted_keys:
print("Key with name '{0}' has recovery id '{1}'".format(deleted_key.name, deleted_key.recovery_id))
# Let's create a Key of type RSA.
# if the key already exists in the Key Vault, then a new version of the key is created.
print("\n.. Create Key")
key = client.create_key("keyName", "RSA")
print("Key with name '{0}' created with key type '{1}'".format(
key.name, key.key_type))
# Backups are good to have, if in case keys gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing Key")
key_backup = client.backup_key(key.name)
print("Backup created for key with name '{0}'.".format(key.name))
# The rsa key is no longer in use, so you delete it.
print("\n.. Delete the key")
delete_operation = client.begin_delete_key(key.name)
deleted_key = delete_operation.result()
print("Deleted key with name '{0}'".format(deleted_key.name))
# Wait for the deletion to complete before purging the key.
# The purge will take some time, so wait before restoring the backup to avoid a conflict.
delete_operation.wait()
print("\n.. Purge the key")
client.purge_deleted_key(key.name)
time.sleep(60)
print("Purged key with name '{0}'".format(deleted_key.name))
# In the future, if the key is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the key using the backed up key bytes")
key = client.restore_key_backup(key_backup)
print("Restored key with name '{0}'".format(key.name))
# Let's say we want to update the expiration time for the EC key and disable the key to be usable
# for cryptographic operations. The update method allows the user to modify the metadata (key attributes)
# associated with a key previously stored within Key Vault.
print("\n.. Update a Key by name")
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
updated_ec_key = client.update_key_properties(
ec_key.name, ec_key.properties.version, expires_on=expires, enabled=False
)
print(
"Key with name '{0}' was updated on date '{1}'".format(updated_ec_key.name, updated_ec_key.properties.updated_on)
)
print(
"Key with name '{0}' was updated to expire on '{1}'".format(
updated_ec_key.name, updated_ec_key.properties.expires_on
)
)
# The RSA key is no longer used, need to delete it from the Key Vault.
print("\n.. Delete Keys")
deleted_ec_key = client.begin_delete_key(ec_key.name).result()
deleted_rsa_key = client.begin_delete_key(rsa_key.name).result()
print("Deleted key '{0}'".format(deleted_ec_key.name))
print("Deleted key '{0}'".format(deleted_rsa_key.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
client = KeyClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create a Key of type RSA.
# if the key already exists in the Key Vault, then a new version of the key is created.
print("\n.. Create Key")
key = client.create_key("keyName", "RSA")
print("Key with name '{0}' created with key type '{1}'".format(
key.name, key.key_type))
# Backups are good to have, if in case keys gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing Key")
key_backup = client.backup_key(key.name)
print("Backup created for key with name '{0}'.".format(key.name))
# The rsa key is no longer in use, so you delete it.
print("\n.. Delete the key")
deleted_key = client.begin_delete_key(key.name).result()
print("Deleted Key with name '{0}'".format(deleted_key.name))
# In future, if the key is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the key using the backed up key bytes")
key = client.restore_key_backup(key_backup)
print("Restored Key with name '{0}'".format(key.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
]
for certificate in test_certificates:
cert_client.begin_delete_certificate(certificate.name).wait()
deleted_test_certificates = [
c for c in cert_client.list_deleted_certificates()
if c.name.startswith("livekvtest")
]
for certificate in deleted_test_certificates:
cert_client.purge_deleted_certificate(certificate.name)
test_keys = [
k for k in key_client.list_properties_of_keys()
if k.name.startswith("livekvtest")
]
for key in test_keys:
key_client.begin_delete_key(key.name).wait()
deleted_test_keys = [
k for k in key_client.list_deleted_keys()
if k.name.startswith("livekvtest")
]
for key in deleted_test_keys:
key_client.purge_deleted_key(key.name)
test_secrets = [
s for s in secret_client.list_properties_of_secrets()
if s.name.startswith("livekvtest")
]
for secret in test_secrets:
secret_client.begin_delete_secret(secret.name).wait()
deleted_test_secrets = [
s for s in secret_client.list_deleted_secrets()
