def enable_soft_delete_on_existing_vault(self):
"""
enables soft delete on an existing vault.
Soft-delete will be enabled on all key vaults, the ability to opt out of soft-delete will be deprecated soon.
(See https://docs.microsoft.com/azure/key-vault/general/soft-delete-change)
"""
# create a vault with soft delete enabled
# This sample works with a vault that has soft delete disabled, but that we create one with soft delete enabled because soft delete will be enforced soon.
vault = self.create_vault()
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
# NOTE: This value should only None or True, setting the value to false will cause a service validation error
# once soft delete has been enabled on the vault it cannot be disabled
vault.properties.enable_soft_delete = True
# update the vault to enable soft delete
vault = self.keyvault_mgmt_client.vaults.begin_create_or_update(
self.config.group_name, vault.name,
VaultCreateOrUpdateParameters(
location=vault.location,
properties=vault.properties)).result()
print('updated vault {} enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def create_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
vault_name = KeyVaultSampleBase.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_namne, vault_name, parameters)
return vault
def create_vault(self):
self.keyvault_mgmt_client.vaults.create_or_update()
vault_name = KeyVaultSample.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_namne, vault_name, parameters)
return vault
def set_policy(client, resource_group_name, vault_name,
object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
certificate_permissions=None):
""" Update security policy settings for a Key Vault. """
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies
if object_id.lower() == p.object_id.lower() and
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(AccessPolicyEntry(
tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(keys=key_permissions,
secrets=secret_permissions,
certificates=certificate_permissions)))
else:
# Modify existing policy.
# If key_permissions is not set, use prev. value (similarly with secret_permissions).
keys = policy.permissions.keys if key_permissions is None else key_permissions
secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions
certs = policy.permissions.certificates \
if certificate_permissions is None else certificate_permissions
policy.permissions = Permissions(keys=keys, secrets=secrets, certificates=certs)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def delete_policy(client,
resource_group_name,
vault_name,
object_id=None,
spn=None,
upn=None):
""" Delete security policy settings for a Key Vault. """
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
prev_policies_len = len(vault.properties.access_policies)
vault.properties.access_policies = [
p for p in vault.properties.access_policies
if vault.properties.tenant_id.lower() != p.tenant_id.lower()
or object_id.lower() != p.object_id.lower()
]
if len(vault.properties.access_policies) == prev_policies_len:
raise CLIError('No matching policies found')
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
'CLIENT_OID', CLIENT_OID)
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.client_oid,
permissions=self.permissions)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None)
if self.is_live:
self.client = self.create_mgmt_client(KeyVaultManagementClient)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.resource = self.client.vaults.create_or_update(
group, name, parameters).result()
else:
properties.vault_uri = 'https://{}.vault.azure.net/'.format(name)
self.resource = FakeVault(name=name,
location=self.location,
properties=properties)
return {self.parameter_name: self.resource}
def create_resource(self, name, **kwargs):
if self.is_live:
# create a vault with the management client
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.test_class_instance.settings.CLIENT_OID,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties)
self.management_client = self.create_mgmt_client(KeyVaultManagementClient)
vault = self.management_client.vaults.create_or_update(group, name, parameters).result()
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
vault_credentials = self.test_class_instance.settings.get_credentials(resource="https://vault.azure.net")
client = VaultClient(vault_uri, vault_credentials)
return {self.parameter_name: client}
def create_keyvault(client,
resource_group_name,
vault_name,
location=None,
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
from azure.cli.core._profile import Profile, CLOUD
from azure.graphrbac.models import GraphErrorException
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=CLOUD.endpoints.active_directory_graph_resource_id)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=CLOUD.endpoints.active_directory_graph_resource_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[
KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete,
KeyPermissions.list, KeyPermissions.update,
KeyPermissions.import_enum, KeyPermissions.backup,
KeyPermissions.restore
],
secrets=[SecretPermissions.all],
certificates=[CertificatePermissions.all])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError(
'Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def _get_params(self):
"""Build the vault parameters block."""
oid = _user_oid(self.auth_client.legacy.token)
sec_perms_all = [perm.value for perm in SecretPermissions]
key_perms_all = [perm.value for perm in KeyPermissions]
cert_perms_all = [perm.value for perm in CertificatePermissions]
permissions = Permissions()
permissions.keys = key_perms_all
permissions.secrets = sec_perms_all
permissions.certificates = cert_perms_all
policy = AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=oid,
permissions=permissions)
properties = VaultProperties(
tenant_id=self.tenant_id,
sku=Sku(name="standard", family="A"),
access_policies=[policy],
)
parameters = VaultCreateOrUpdateParameters(location=self.azure_region,
properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
return parameters
def keyvault_update_setter(client, resource_group_name, vault_name, parameters):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=parameters.location,
properties=parameters.properties))
def create_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location, properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = self.keyvault_mgmt_client.vaults.create_or_update(self.config.group_name, vault_name, parameters)
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('created vault {} {}'.format(vault_name, vault.properties.vault_uri))
return vault
def create(self):
secret_permissions = ['all']
permissions = Permissions(secrets=secret_permissions)
access_policy = AccessPolicyEntry(
tenant_id=self.config.tenant_id,
object_id=self.config.client_object_id,
permissions=permissions)
sku = Sku(name="standard")
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=sku,
access_policies=[access_policy])
vault_paramerters = VaultCreateOrUpdateParameters(
location="eastus", properties=properties)
client = self._get_kv_client()
result = client.vaults.create_or_update(
resource_group_name=self.config.resource_group_name,
vault_name=self.config.key_vault_name,
parameters=vault_paramerters)
_poll_for_complete(result)
def _add_vault(self):
name = input('\nenter vault name:')
all_perms = Permissions()
all_perms.keys = [KeyPermissions.all]
all_perms.secrets = [SecretPermissions.all]
all_perms.certificates = [CertificatePermissions.all]
user_policy = AccessPolicyEntry(self._config.tenant_id,
self._config.user_oid, all_perms)
app_policy = AccessPolicyEntry(CLIENT_TENANT_ID, CLIENT_OID, all_perms)
access_policies = [user_policy, app_policy]
properties = VaultProperties(self._config.tenant_id,
Sku(name='standard'), access_policies)
properties.enabled_for_deployment = True
properties.enabled_for_disk_encryption = True
properties.enabled_for_template_deployment = True
vault = VaultCreateOrUpdateParameters(self._config.location,
properties)
self._mgmt_client.vaults.create_or_update(self._config.resource_group,
name, vault)
print('vault %s created\n' % name)
def deleted_vault_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted key vaults
"""
# create vaults enabling the soft delete feature on each
vault_to_recover = self.create_vault()
self._enable_soft_delete_for_vault(vault_to_recover)
vault_to_purge = self.create_vault()
self._enable_soft_delete_for_vault(vault_to_purge)
print('created vaults {} and {}'.format(vault_to_recover.name,
vault_to_purge.name))
# delete the vaults
self.keyvault_mgmt_client.vaults.delete(self.config.group_name,
vault_to_recover.name)
self._wait_on_delete_completed(None, 'vault', vault_to_recover.name)
print('Deleted vault: {}'.format(vault_to_recover.name))
self.keyvault_mgmt_client.vaults.delete(self.config.group_name,
vault_to_purge.name)
self._wait_on_delete_completed(None, 'vault', vault_to_purge.name)
print('Deleted vault: {}'.format(vault_to_purge.name))
# list the deleted vaults
deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted()
print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults)))
# get the details of a specific deleted vault
deleted_info = self.keyvault_mgmt_client.vaults.get_deleted(
vault_to_recover.name, vault_to_recover.location)
print('Deleted vault info for vault: {}\n{}'.format(
vault_to_recover.name, deleted_info))
# to restore the vault simply supply the group, location, and name and set the 'create_mode' vault property to 'recover'
# setting this property will cause other properties passed to create_or_update to be ignored and will simply
# restore the vault in the state it was when it was deleted
recovery_properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(SkuName.standard.name),
access_policies=[],
create_mode='recover')
recovery_parameters = VaultCreateOrUpdateParameters(
deleted_info.properties.location, recovery_properties)
recovered = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, deleted_info.name, recovery_parameters)
print('Recovered vault: {}'.format(recovered.name))
# list the deleted vaults again only the vault we intend to purge is still deleted
deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted()
print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults)))
# purge the last deleted vault
self.keyvault_mgmt_client.vaults.purge_deleted(vault_to_purge.name,
vault_to_purge.location)
print('Purged vault: {}'.format(vault_to_recover.name))
# verify no deleted vaults remain
deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted()
print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults)))
def create_keyvault(
client,
resource_group_name,
vault_name,
location, #pylint:disable=too-many-arguments
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=False,
tags=None):
from azure.cli.core._profile import Profile
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID])
graph_client = GraphRbacManagementClient(cred, tenant_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[
KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete,
KeyPermissions.list, KeyPermissions.update,
KeyPermissions.import_enum, KeyPermissions.backup,
KeyPermissions.restore
],
secrets=[SecretPermissions.all],
certificates=[CertificatePermissions.all])
object_id = _get_current_user_object_id(graph_client)
if not object_id:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\n'
'Unable to query active directory for information '\
'about the current user.\n'
'You may try the --no-self-perms flag to create a vault'\
' without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def _enable_soft_delete_for_vault(self, vault):
vault.properties.enable_soft_delete = True
# update the vault to enable soft delete
self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault.name,
VaultCreateOrUpdateParameters(vault.location, vault.properties))
print('updated vault {} enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def create_keyvault(
client,
resource_group_name,
vault_name,
location, #pylint:disable=too-many-arguments
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=False,
tags=None):
from azure.cli.core._profile import Profile
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True)
graph_client = GraphRbacManagementClient(cred, tenant_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
# TODO Use the enums instead of strings when new keyvault SDK is released
# https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/
# azure/mgmt/keyvault/models/key_vault_management_client_enums.py
permissions = Permissions(keys=[
'get', 'create', 'delete', 'list', 'update', 'import', 'backup',
'restore'
],
secrets=['all'])
object_id = _get_current_user_object_id(graph_client)
if not object_id:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\n'
'Unable to query active directory for information '\
'about the current user.\n'
'You may try the --no-self-perms flag to create a vault'\
' without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
"CLIENT_OID", CLIENT_OID)
if self.is_live:
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.get_settings_value(
"TENANT_ID"),
object_id=self.client_oid,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.get_settings_value(
"TENANT_ID"),
sku=Sku(name=self.sku, family=SkuFamily.A)
if SkuFamily else Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.client = self.create_mgmt_client(KeyVaultManagementClient)
# ARM may return not found at first even though the resource group has been created
retries = 4
for i in range(retries):
try:
vault = self.client.vaults.begin_create_or_update(
group, name, parameters).result()
break
except Exception as ex:
if "VaultAlreadyExists" in str(ex):
raise NameInUseError(name)
if "ReservedResourceName" in str(ex):
raise ReservedResourceNameError(name)
if "ResourceGroupNotFound" not in str(
ex) or i == retries - 1:
raise
time.sleep(3)
self.test_class_instance.scrubber.register_name_pair(
name, self.resource_moniker)
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
return {self.parameter_name: vault_uri}
def create_vault_with_network(self):
"""
Creates a key vault with network access limited by a NetworkRuleSet
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
# Network ACL definitions
# The only action supported for virtual network and IP rules is "allow".
# To deny an address, set the default action to 'deny' and do not explicitly allow the address.
network_acls = NetworkRuleSet(
# allow bypass of network ACL rules by other azure services. Valid values are azure_services or none
bypass=NetworkRuleBypassOptions.azure_services,
# the action to take if access attempt doesn't match any rule. Valid values are allow or deny
default_action=NetworkRuleAction.deny,
# IP rules (allowed IPv4 addresses / ranges)
ip_rules=[IPRule(value='0.0.0.0/0')
], # Allow access from a IP address range
# Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID)
virtual_network_rules=[
# To specifically allow access to a vnet, uncomment the line below and replace the id with the correct
# resource id for your vnet
# VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1')
])
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy],
network_acls=network_acls)
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
self.vault = self.mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
'CLIENT_OID', CLIENT_OID)
if self.is_live:
# create a vault with the management client
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.client_oid,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.management_client = self.create_mgmt_client(
KeyVaultManagementClient)
# ARM may return not found at first even though the resource group has been created
retries = 4
for i in range(retries):
try:
vault = self.management_client.vaults.create_or_update(
group, name, parameters).result()
except Exception as ex:
if "ResourceGroupNotFound" not in str(
ex) or i == retries - 1:
raise
time.sleep(3)
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
client = self.create_vault_client(vault_uri)
return {self.parameter_name: client}
def deleted_vault_sample(self):
"""
Provides a sample code for enumerating, retrieving, recovering and purging deleted key vaults
:return: None
"""
self.setup_sample()
# create vaults enabling the soft delete feature on each
vault_to_recover = self.create_recoverable_vault_sample()
vault_to_purge = self.create_recoverable_vault_sample()
# delete the vaults
self.keyvault_mgmt_client.vaults.delete(self.config.group_name,
vault_to_recover.name)
self.keyvault_mgmt_client.vaults.delete(self.config.group_name,
vault_to_purge.name)
# list the deleted vaults
deleted_vaults = self.keyvault_mgmt_client.list_deleted()
print(deleted_vaults)
# get the details of a specific deleted vault
deleted_info = self.keyvault_mgmt_client.get_deleted(
vault_to_recover.name, vault_to_recover.location)
print(deleted_info)
# to restore the vault simply supply the group, location, and name and set the 'create_mode' vault property to 'recover'
# setting this property will cause other properties passed to create_or_update to be ignored and will simply
# restore the vault in the state it was when it was deleted
recovery_properties = VaultProperties('',
'',
access_policies=[],
create_mode='recover')
recovery_parameters = VaultCreateOrUpdateParameters(
deleted_info.location, recovery_properties)
self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, deleted_info.name, recovery_parameters)
# list the deleted vaults again only the vault we intend to purge is still deleted
deleted_vaults = self.keyvault_mgmt_client.list_deleted()
print(deleted_vaults)
# purge the last deleted vault
self.keyvault_mgmt_client.vaults.purge_deleted(vault_to_purge.name,
vault_to_purge.location)
# verify no deleted vaults remain
deleted_vaults = self.keyvault_mgmt_client.list_deleted()
print(deleted_vaults)
def recover_keyvault(client, vault_name, resource_group_name, location):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, CreateMode
from azure.cli.core._profile import Profile, CLOUD
profile = Profile()
_, _, tenant_id = profile.get_login_credentials(
resource=CLOUD.endpoints.active_directory_graph_resource_id)
params = VaultCreateOrUpdateParameters(location,
properties={'tenant_id': tenant_id,
'sku': Sku(name=SkuName.standard.value),
'create_mode': CreateMode.recover.value})
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=params)
def get_sample_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
if not self.config.vault:
keyvault_mgmt_client = KeyVaultManagementClient(
self.mgmt_client_creds, self.config.subscription_id)
if self.config.vault_name:
vault = keyvault_mgmt_client.vaults.get(
resource_group_name=self.config.group_name,
vault_name=self.config.vault_name)
else:
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(
keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = keyvault_mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
self.config.vault = vault
return self.config.vault
def create_soft_delete_enabled_vault(self):
"""
creates a key vault which has soft delete enabled so that the vault as well as all of its keys,
certificates and secrets are recoverable
"""
vault_name = get_name('vault')
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
# NOTE: This value should only None or True, setting the value to false will cause a service validation error
# once soft delete has been enabled on the vault it cannot be disabled
parameters.properties.enable_soft_delete = True
print('creating soft delete enabled vault: {}'.format(vault_name))
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('vault {} created enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def enable_soft_delete_on_existing_vault(self):
"""
enables soft delete on an existing vault
"""
# create a vault without soft delete enabled
vault = self.create_vault()
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
# NOTE: This value should only None or True, setting the value to false will cause a service validation error
# once soft delete has been enabled on the vault it cannot be disabled
vault.properties.enable_soft_delete = True
# update the vault to enable soft delete
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault.name,
VaultCreateOrUpdateParameters(vault.location, vault.properties))
print('updated vault {} enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def delete_policy(client,
resource_group_name,
vault_name,
object_id=None,
spn=None,
upn=None): #pylint:disable=too-many-arguments
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
prev_policies_len = len(vault.properties.access_policies)
vault.properties.access_policies = [p for p in vault.properties.access_policies if \
vault.properties.tenant_id.lower() != p.tenant_id.lower() \
or object_id.lower() != p.object_id.lower()]
if len(vault.properties.access_policies) == prev_policies_len:
raise CLIError('No matching policies found')
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_recoverable_vault_sample(self):
"""
Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys,
certificates and secrets are recoverable
:return: a key vault which has been created with recovery enabled
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
self.setup_sample()
vault_name = KeyVaultSampleBase.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
parameters.properties.enable_soft_delete = True
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
print(vault)
return vault
def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True,
enabled_for_template_deployment=True, enable_soft_delete=None, sku=None):
creds = self.settings.get_credentials()
access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID,
object_id=self.settings.CLIENT_OID,
permissions=permissions or self.default_permissions)]
properties = VaultProperties(tenant_id=self.settings.TENANT_ID,
sku=Sku(sku or SkuName.premium.value),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location='westus',
properties=properties)
vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters)
if not self.is_playback():
self.sleep(10)
return vault
def set_policy(
client,
resource_group_name,
vault_name, #pylint:disable=too-many-arguments
object_id=None,
spn=None,
upn=None,
perms_to_keys=None,
perms_to_secrets=None):
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies \
if object_id.lower() == p.object_id.lower() and \
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(
AccessPolicyEntry(
tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(keys=perms_to_keys,
secrets=perms_to_secrets)))
else:
# Modify existing policy.
# If perms_to_keys is not set, use prev. value (similarly with perms_to_secrets).
keys = policy.permissions.keys if perms_to_keys is None else perms_to_keys
secrets = policy.permissions.secrets if perms_to_secrets is None else perms_to_secrets
policy.permissions = Permissions(keys=keys, secrets=secrets)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_key_vault(
self,
keyvault_client,
resource_group_name,
key_vault_name,
region,
tenant_id,
app_object_id,
stg_principal_id,
):
"""Creates a Key Vault
:param keyvault_client: Instance of the Azure KeyVaultManagementClient.
:param resource_group_name: The name of the resource group.
:param key_vault_name: Name of the Key Vault.
:param region: location of the Key Vault.
:param tenant_id: Azure tenant Id
:param app_object_id: Object Id of the application
:param stg_principal_id: Principal Id of the Storage Account
:type keyvault_client: object
:type resource_group_name: str
:type key_vault_name: str
:type region: str
:type tenant_id: str
:type app_object_id: str
:type stg_principal_id: str
:returns: Vault object
:rtype: object
"""
access_policy_storage_account = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=stg_principal_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.UNWRAP_KEY,
KeyPermissions.WRAP_KEY,
], ),
)
access_policy_app = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=app_object_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.LIST,
KeyPermissions.CREATE,
KeyPermissions.UPDATE,
KeyPermissions.DELETE,
KeyPermissions.BACKUP,
KeyPermissions.RESTORE,
KeyPermissions.RECOVER,
], ),
)
key_vault_properties = VaultCreateOrUpdateParameters(
location=region,
tags={"Created By": "CHSS"},
properties=VaultProperties(
tenant_id=tenant_id,
sku=Sku(
family="A",
name="standard",
),
access_policies=[
access_policy_storage_account, access_policy_app
],
soft_delete_retention_in_days=90,
enabled_for_disk_encryption=False,
enabled_for_deployment=False,
enabled_for_template_deployment=False,
enable_soft_delete=True,
enable_purge_protection=True,
),
)
logging.info("creating a key vault")
logging.info("executing keyvault_client.vaults.begin_create_or_update")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" vault_name={key_vault_name}")
vault = keyvault_client.vaults.begin_create_or_update(
resource_group_name=resource_group_name,
vault_name=key_vault_name,
parameters=key_vault_properties,
).result()
return vault
