def deleted_key_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted keys from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a key client
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=vault.properties.vault_uri,
credential=credential)
# create keys in the vault
key_to_recover = get_name('key')
key_to_purge = get_name('key')
key = key_client.create_key(key_to_recover, 'RSA')
print('created key {}'.format(key.name))
key = key_client.create_key(key_to_purge, 'RSA')
print('created key {}'.format(key.name))
# list the vault keys
keys = key_client.list_properties_of_keys()
print("keys:")
for key in keys:
print(key.name)
# delete the keys
key_client.begin_delete_key(key_to_recover).wait()
print('deleted key {}'.format(key_to_recover))
key_client.begin_delete_key(key_to_purge).wait()
print('deleted key {}'.format(key_to_purge))
# list the deleted keys
deleted_keys = key_client.list_deleted_keys()
print("deleted keys:")
for deleted_key in deleted_keys:
print(deleted_key.name)
# recover a deleted key
recover_key_poller = key_client.begin_recover_deleted_key(
key_to_recover)
recovered_key = recover_key_poller.result()
print('recovered key {}'.format(recovered_key.name))
# purge a deleted key
key_client.purge_deleted_key(key_to_purge)
time.sleep(50)
print('purged key {}'.format(key_to_purge))
# list the vaults key
keys = key_client.list_properties_of_keys()
print("all of the keys in the client's vault:")
for key in keys:
print(key.name)
def backup_restore_key(self):
"""
backs up a key vault key and restores it to another key vault
"""
# create a key vault
first_vault = self.create_vault()
# create a key in the vault
key_name = get_name('key')
key = self.keyvault_data_client.create_key(first_vault.properties.vault_uri, key_name, 'RSA')
print('created key {}\n{}'.format(key_name, self._serialize(key)))
# list the keys in the vault
keys = self.keyvault_data_client.get_keys(first_vault.properties.vault_uri)
print('vault {} secrets:\n{}'.format(first_vault.name, self._serialize(keys)))
# backup the key
backup = self.keyvault_data_client.backup_key(first_vault.properties.vault_uri, key_name)
print('backed up key {} value: {}'.format(key_name, backup))
# create a second vault
second_vault = self.create_vault()
# restore the key to the new vault
restored = self.keyvault_data_client.restore_key(second_vault.properties.vault_uri, backup.value)
print('restored secret {}\n{}'.format(key_name, self._serialize(restored)))
# list the keys in the new vault
keys = self.keyvault_data_client.get_keys(second_vault.properties.vault_uri)
print('vault {} secrets:\n{}'.format(second_vault.name, self._serialize(keys)))
def backup_restore_secret(self):
"""
backs up a key vault secret and restores it to another key vault
"""
# create a key vault
first_vault = self.create_vault()
# add a secret to the vault
secret_name = get_name('secret')
secret_value = 'this is a secret value to be migrated from one vault to another'
secret = self.keyvault_data_client.set_secret(first_vault.properties.vault_uri, secret_name, secret_value)
print('created secret {}\n{}'.format(secret_name, self._serialize(secret)))
# list the secrets in the vault
secrets = self.keyvault_data_client.get_secrets(first_vault.properties.vault_uri)
print('vault {} secrets:\n{}'.format(first_vault.name, self._serialize(secrets)))
# backup the secret
backup = self.keyvault_data_client.backup_secret(first_vault.properties.vault_uri, secret_name)
print('backed up secret {} value: {}'.format(secret_name, backup))
# create a second vault
second_vault = self.create_vault()
# restore the secret to the new vault
restored = self.keyvault_data_client.restore_secret(second_vault.properties.vault_uri, backup.value)
print('restored secret {}\n{}'.format(secret_name, self._serialize(restored)))
# list the secrets in the new vault
secrets = self.keyvault_data_client.get_secrets(second_vault.properties.vault_uri)
print('vault {} secrets:\n{}'.format(second_vault.name, self._serialize(secrets)))
def create_soft_delete_enabled_vault(self):
"""
creates a key vault which has soft delete enabled so that the vault as well as all of its keys,
certificates and secrets are recoverable
"""
vault_name = get_name('vault')
print('creating soft delete enabled vault: {}'.format(vault_name))
vault = self.create_vault()
print('vault {} created enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def backup_restore_certificate(self):
"""
backs up a key vault certificate and restores it to another key vault
"""
# create a key vault
first_vault = self.create_vault()
# create a certificate client
credential = DefaultAzureCredential()
first_certificate_client = CertificateClient(
vault_url=first_vault.properties.vault_uri, credential=credential)
# add a certificate to the vault
certificate_name = get_name('certificate')
certificate = first_certificate_client.begin_create_certificate(
certificate_name, CertificatePolicy.get_default()).result()
print('created certificate {}'.format(certificate.name))
# list the certificates in the vault
certificate_properties = first_certificate_client.list_properties_of_certificates(
)
print("all of the certificates in the client's vault:")
for certificate_property in certificate_properties:
print(certificate_property.name)
# backup the certificate
backup = first_certificate_client.backup_certificate(certificate_name)
print('backed up certificate {}'.format(certificate_name))
# create a second vault
second_vault = self.create_vault()
# create a certificate client
second_certificate_client = CertificateClient(
vault_url=second_vault.properties.vault_uri, credential=credential)
# restore the certificate to the new vault
restored = second_certificate_client.restore_certificate_backup(backup)
print('restored certificate {}'.format(restored.name))
# list the certificates in the new vault
certificate_properties = second_certificate_client.list_properties_of_certificates(
)
print("all of the certificates in the new vault:")
for certificate_property in certificate_properties:
print(certificate_property.name)
def backup_restore_secret(self):
"""
backs up a key vault secret and restores it to another key vault
"""
# create a key vault
first_vault = self.create_vault()
# create a secret client
credential = DefaultAzureCredential()
first_secret_client = SecretClient(
vault_url=first_vault.properties.vault_uri, credential=credential)
# add a secret to the vault
secret_name = get_name('secret')
secret_value = 'this is a secret value to be migrated from one vault to another'
secret = first_secret_client.set_secret(secret_name, secret_value)
print('created secret {}'.format(secret.name))
# list the secrets in the vault
secret_properties = first_secret_client.list_properties_of_secrets()
print("all of the secrets in the client's vault:")
for secret_property in secret_properties:
print(secret_property.name)
# backup the secret
backup = first_secret_client.backup_secret(secret_name)
print('backed up secret {}'.format(secret_name))
# create a second vault
second_vault = self.create_vault()
# create a secret client
second_secret_client = SecretClient(
vault_url=second_vault.properties.vault_uri, credential=credential)
# restore the secret to the new vault
restored = second_secret_client.restore_secret_backup(backup)
print('restored secret {}'.format(restored.name))
# list the secrets in the new vault
secret_properties = second_secret_client.list_properties_of_secrets()
print("all of the secrets in the new vault:")
for secret_property in secret_properties:
print(secret_property.name)
def create_soft_delete_enabled_vault(self):
"""
creates a key vault which has soft delete enabled so that the vault as well as all of its keys,
certificates and secrets are recoverable
"""
vault_name = get_name('vault')
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
# NOTE: This value should only None or True, setting the value to false will cause a service validation error
# once soft delete has been enabled on the vault it cannot be disabled
parameters.properties.enable_soft_delete = True
print('creating soft delete enabled vault: {}'.format(vault_name))
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('vault {} created enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def backup_restore_key(self):
"""
backs up a key vault key and restores it to another key vault
"""
# create a key vault
first_vault = self.create_vault()
# create a key client
credential = DefaultAzureCredential()
first_key_client = KeyClient(
vault_url=first_vault.properties.vault_uri, credential=credential)
# create a key in the vault
key_name = get_name('key')
key = first_key_client.create_key(key_name, 'RSA')
print('created key {}'.format(key.name))
# list the keys in the vault
keys = first_key_client.list_properties_of_keys()
print("keys in the first vault:")
for key in keys:
print(key.name)
# backup the key
backup = first_key_client.backup_key(key_name)
print('backed up key {}'.format(key_name))
# create a second vault
second_vault = self.create_vault()
# create a key client
second_key_client = KeyClient(
vault_url=second_vault.properties.vault_uri, credential=credential)
# restore the key to the new vault
restored = second_key_client.restore_key_backup(backup)
print('restored secret {}'.format(restored.name))
# list the keys in the new vault
keys = second_key_client.list_properties_of_keys()
print("keys in the second vault:")
for key in keys:
print(key.name)
def deleted_certificate_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted certificates from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a certificate client
credential = DefaultAzureCredential()
certificate_client = CertificateClient(
vault_url=vault.properties.vault_uri, credential=credential)
# create certificates in the vault
cert_to_recover = get_name('cert')
cert_to_purge = get_name('cert')
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_recover, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
create_certificate_poller = certificate_client.begin_create_certificate(
cert_to_purge, policy=CertificatePolicy.get_default())
created_certificate = create_certificate_poller.result()
print('created certificate {}'.format(created_certificate.name))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print('list the vault certificates')
for certificate in certificates:
print(certificate.name)
# delete the certificates
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_recover)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
deleted_certificate_poller = certificate_client.begin_delete_certificate(
cert_to_purge)
deleted_certificate = deleted_certificate_poller.result()
deleted_certificate_poller.wait()
print('deleted certificate {}'.format(deleted_certificate.name))
# list the deleted certificates
deleted_certs = certificate_client.list_deleted_certificates()
print('deleted certificates:')
for deleted_cert in deleted_certs:
print(deleted_cert.name)
# recover a deleted certificate
recovered_certificate_poller = certificate_client.begin_recover_deleted_certificate(
cert_to_recover)
recovered_certificate_certificate = recovered_certificate_poller.result(
)
print('recovered certificate {}'.format(
recovered_certificate_certificate.name))
# purge a deleted certificate
certificate_client.purge_deleted_certificate(cert_to_purge)
time.sleep(50)
print('purged certificate {}'.format(cert_to_purge))
# list the vault certificates
certificates = certificate_client.list_properties_of_certificates()
print("all of the certificates in the client's vault:")
for certificate in certificates:
print(certificate.name)
def deleted_secret_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted secrets from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a secret client
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url=vault.properties.vault_uri,
credential=credential)
# create secrets in the vault
secret_to_recover = get_name('secret')
secret_to_purge = get_name('secret')
secret = secret_client.set_secret(secret_to_recover,
"secret to restore")
print('created secret {}'.format(secret.name))
secret = secret_client.set_secret(secret_to_purge, "secret to purge")
print('created secret {}'.format(secret.name))
# list the name of all of the secrets in the client's vault
secret_properties = secret_client.list_properties_of_secrets()
print("all of the secrets in the client's vault:")
for secret_property in secret_properties:
print(secret_property.name)
# delete the secrets
delete_secret_poller = secret_client.begin_delete_secret(
secret_to_recover)
deleted_secret = delete_secret_poller.result()
delete_secret_poller.wait()
print('deleted secret {}'.format(deleted_secret.name))
delete_secret_poller = secret_client.begin_delete_secret(
secret_to_purge)
deleted_secret = delete_secret_poller.result()
delete_secret_poller.wait()
print('deleted secret {}'.format(deleted_secret.name))
# list the deleted secrets
deleted_secrets = secret_client.list_deleted_secrets()
print("all of the deleted secrets in the client's vault:")
for deleted_secret in deleted_secrets:
print(deleted_secret.name)
# recover a deleted secret
recover_secret_poller = secret_client.begin_recover_deleted_secret(
secret_to_recover)
recovered_secret = recover_secret_poller.result()
print('recovered secret {}'.format(recovered_secret.name))
# purge a deleted secret
secret_client.purge_deleted_secret(secret_to_purge)
time.sleep(50)
print('purged secret {}'.format(secret_to_purge))
# list the name of all of the secrets in the client's vault
secret_properties = secret_client.list_properties_of_secrets()
print("all of the secrets in the client's vault:")
for secret_property in secret_properties:
print(secret_property.name)
def deleted_certificate_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted certificates from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
self._enable_soft_delete_for_vault(vault)
# create certificates in the vault
cert_to_recover = get_name('cert')
cert_to_purge = get_name('cert')
cert = self.keyvault_data_client.create_certificate(
vault.properties.vault_uri, cert_to_recover)
print('created certificate {}\n{}'.format(cert_to_recover,
self._serialize(cert)))
cert = self.keyvault_data_client.create_certificate(
vault.properties.vault_uri, cert_to_purge)
print('created certificate {}\n{}'.format(cert_to_purge,
self._serialize(cert)))
# list the vaults certificates
certs = self.keyvault_data_client.get_certificates(
vault.properties.vault_uri)
print('certificates: \n{}'.format(self._serialize(certs)))
# delete the certificates
deleted_cert = self.keyvault_data_client.delete_certificate(
vault.properties.vault_uri, cert_to_recover)
self._wait_on_delete_completed(vault.properties.vault_uri,
'certificate', cert_to_recover)
print('deleted certificate {}\n{}'.format(
cert_to_recover, self._serialize(deleted_cert)))
deleted_cert = self.keyvault_data_client.delete_certificate(
vault.properties.vault_uri, cert_to_purge)
self._wait_on_delete_completed(vault.properties.vault_uri,
'certificate', cert_to_purge)
print('deleted certificate {}\n{}'.format(
cert_to_purge, self._serialize(deleted_cert)))
# list the deleted certificates
deleted_certs = self.keyvault_data_client.get_deleted_certificates(
vault.properties.vault_uri)
print('deleted certificates: \n{}'.format(
self._serialize(deleted_certs)))
# recover a deleted certificate
cert = self.keyvault_data_client.recover_deleted_certificate(
vault.properties.vault_uri, cert_to_recover)
self._wait_on_recover_completed(vault.properties.vault_uri, 'key',
cert_to_recover)
print('recovered certificate {}\n{}'.format(cert_to_recover,
self._serialize(cert)))
# purge a deleted certificate
self.keyvault_data_client.purge_deleted_certificate(
vault.properties.vault_uri, cert_to_purge)
print('purged certificate {}'.format(cert_to_purge))
# list the vaults certificate
keys = self.keyvault_data_client.get_certificates(
vault.properties.vault_uri)
print('certificates: \n{}'.format(self._serialize(certs)))
def deleted_key_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted keys from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
self._enable_soft_delete_for_vault(vault)
# create keys in the vault
key_to_recover = get_name('key')
key_to_purge = get_name('key')
key = self.keyvault_data_client.create_key(vault.properties.vault_uri,
key_to_recover, 'RSA')
print('created key {}\n{}'.format(key_to_recover,
self._serialize(key)))
key = self.keyvault_data_client.create_key(vault.properties.vault_uri,
key_to_purge, 'RSA')
print('created key {}\n{}'.format(key_to_purge, self._serialize(key)))
# list the vault keys
keys = self.keyvault_data_client.get_keys(vault.properties.vault_uri)
print('keys: \n{}'.format(self._serialize(keys)))
# delete the keys
deleted_key = self.keyvault_data_client.delete_key(
vault.properties.vault_uri, key_to_recover)
self._wait_on_delete_completed(vault.properties.vault_uri, 'key',
key_to_recover)
print('deleted key {}\n{}'.format(key_to_recover,
self._serialize(deleted_key)))
deleted_key = self.keyvault_data_client.delete_key(
vault.properties.vault_uri, key_to_purge)
self._wait_on_delete_completed(vault.properties.vault_uri, 'key',
key_to_purge)
print('deleted key {}\n{}'.format(key_to_purge,
self._serialize(deleted_key)))
# list the deleted keys
deleted_keys = self.keyvault_data_client.get_deleted_keys(
vault.properties.vault_uri)
print('deleted keys: \n{}'.format(self._serialize(deleted_keys)))
# recover a deleted key
key = self.keyvault_data_client.recover_deleted_key(
vault.properties.vault_uri, key_to_recover)
self._wait_on_recover_completed(vault.properties.vault_uri, 'key',
key_to_recover)
print('recovered key {}\n{}'.format(key_to_recover,
self._serialize(key)))
# purge a deleted key
self.keyvault_data_client.purge_deleted_key(vault.properties.vault_uri,
key_to_purge)
print('purged key {}'.format(key_to_purge))
# list the vaults key
keys = self.keyvault_data_client.get_keys(vault.properties.vault_uri)
print('keys: \n{}'.format(self._serialize(keys)))
def deleted_secret_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted secrets from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
self._enable_soft_delete_for_vault(vault)
# create secrets in the vault
secret_to_recover = get_name('secret')
secret_to_purge = get_name('secret')
secret = self.keyvault_data_client.set_secret(
vault.properties.vault_uri, secret_to_recover, "secret to restore")
print('created secret {}\n{}'.format(secret_to_recover,
self._serialize(secret)))
secret = self.keyvault_data_client.set_secret(
vault.properties.vault_uri, secret_to_purge, "secret to purge")
print('created secret {}\n{}'.format(secret_to_purge,
self._serialize(secret)))
# list the vault secrets
secrets = self.keyvault_data_client.get_secrets(
vault.properties.vault_uri)
print('secrets: \n{}'.format(self._serialize(secrets)))
# delete the secrets
deleted_secret = self.keyvault_data_client.delete_secret(
vault.properties.vault_uri, secret_to_recover)
self._wait_on_delete_completed(vault.properties.vault_uri, 'secret',
secret_to_recover)
print('deleted secret {}\n{}'.format(secret_to_recover,
self._serialize(deleted_secret)))
deleted_secret = self.keyvault_data_client.delete_secret(
vault.properties.vault_uri, secret_to_purge)
self._wait_on_delete_completed(vault.properties.vault_uri, 'secret',
secret_to_purge)
print('deleted secret {}\n{}'.format(secret_to_purge,
self._serialize(deleted_secret)))
# list the deleted secrets
deleted_secrets = self.keyvault_data_client.get_deleted_secrets(
vault.properties.vault_uri)
print('deleted secrets: \n{}'.format(self._serialize(deleted_secrets)))
# recover a deleted secret
secret = self.keyvault_data_client.recover_deleted_secret(
vault.properties.vault_uri, secret_to_recover)
self._wait_on_recover_completed(vault.properties.vault_uri, 'secret',
secret_to_recover)
print('recovered secret {}\n{}'.format(secret_to_recover,
self._serialize(secret)))
# purge a deleted secret
self.keyvault_data_client.purge_deleted_secret(
vault.properties.vault_uri, secret_to_purge)
print('purged secret {}'.format(secret_to_purge))
# list the vault secrets
secrets = self.keyvault_data_client.get_secrets(
vault.properties.vault_uri)
print('secrets: \n{}'.format(self._serialize(secrets)))