class KeyVaultCertificates: def __init__(self): # DefaultAzureCredential() expects the following environment variables: # * AZURE_CLIENT_ID # * AZURE_CLIENT_SECRET # * AZURE_TENANT_ID authority_host = os.environ.get('AZURE_AUTHORITY_HOST') or KnownAuthorities.AZURE_PUBLIC_CLOUD credential = DefaultAzureCredential(authority=authority_host) self.certificate_client = CertificateClient( vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential ) self.certificate_name = "cert-name-" + uuid.uuid1().hex def create_certificate(self): print("Creating certificate (name: {})".format(self.certificate_name)) create_poller = self.certificate_client.begin_create_certificate( certificate_name=self.certificate_name, policy=CertificatePolicy.get_default()) print("\twaiting...") create_poller.result() print("\tdone") def get_certificate(self): print("Getting a certificate...") certificate = self.certificate_client.get_certificate(certificate_name=self.certificate_name) print("\tdone, certificate: {}.".format(certificate.name)) def delete_certificate(self): print("Deleting a certificate...") poller = self.certificate_client.begin_delete_certificate(certificate_name=self.certificate_name) deleted_certificate = poller.result() print("\tdone: " + deleted_certificate.name) def run(self): print("") print("------------------------") print("Key Vault - Certificates\nIdentity - Credential") print("------------------------") print("1) Create a certificate") print("2) Get that certificate") print("3) Delete that certificate (Clean up the resource)") print("") try: self.create_certificate() self.get_certificate() finally: self.delete_certificate()
class KeyVaultCertificates(KeyVaultBase): def __init__(self): credential = self.get_default_credential() self.certificate_client = CertificateClient( vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential) self.certificate_name = "cert-name-" + uuid.uuid1().hex def create_certificate(self): print("Creating certificate (name: {})".format(self.certificate_name)) create_poller = self.certificate_client.begin_create_certificate( certificate_name=self.certificate_name, policy=CertificatePolicy.get_default()) print("\twaiting...") create_poller.result() print("\tdone") def get_certificate(self): print("Getting a certificate...") certificate = self.certificate_client.get_certificate( certificate_name=self.certificate_name) print("\tdone, certificate: {}.".format(certificate.name)) def delete_certificate(self): print("Deleting a certificate...") poller = self.certificate_client.begin_delete_certificate( certificate_name=self.certificate_name) deleted_certificate = poller.result() print("\tdone: " + deleted_certificate.name) def run(self): print("") print("------------------------") print("Key Vault - Certificates\nIdentity - Credential") print("------------------------") print("1) Create a certificate") print("2) Get that certificate") print("3) Delete that certificate (Clean up the resource)") print("") try: self.create_certificate() self.get_certificate() finally: self.delete_certificate()
print("Certificate with name '{0}' created".format(certificate.name)) # Let's get the bank certificate using its name print("\n.. Get a certificate by name") bank_certificate = client.get_certificate(cert_name) print("Certificate with name '{0}' was found'.".format( bank_certificate.name)) # After one year, the bank account is still active, and we have decided to update the tags. print("\n.. Update a certificate by name") tags = {"a": "b"} updated_certificate = client.update_certificate_properties( certificate_name=bank_certificate.name, tags=tags) print("Certificate with name '{0}' was updated on date '{1}'".format( bank_certificate.name, updated_certificate.properties.updated_on)) print("Certificate with name '{0}' was updated with tags '{1}'".format( bank_certificate.name, updated_certificate.properties.tags)) # The bank account was closed, need to delete its credentials from the Key Vault. print("\n.. Delete certificate") deleted_certificate = client.begin_delete_certificate( bank_certificate.name).result() print("Certificate with name '{0}' was deleted.".format( deleted_certificate.name)) except HttpResponseError as e: print("\nrun_sample has caught an error. {0}".format(e.message)) finally: print("\nrun_sample done")
certificate_name=cert_name, policy=CertificatePolicy.get_default()) # The result call awaits the completion of the create certificate operation and returns the final result. # It will return a certificate if creation is successful, and will return the CertificateOperation if not. certificate = create_certificate_poller.result() print("Certificate with name '{0}' created.".format(cert_name)) # Backups are good to have, if in case certificates gets deleted accidentally. # For long term storage, it is ideal to write the backup to a file. print("\n.. Create a backup for an existing certificate") certificate_backup = client.backup_certificate(cert_name) print("Backup created for certificate with name '{0}'.".format(cert_name)) # The storage account certificate is no longer in use, so you can delete it. print("\n.. Delete the certificate") delete_operation = client.begin_delete_certificate(cert_name) deleted_certificate = delete_operation.result() print("Deleted certificate with name '{0}'".format(deleted_certificate.name)) # Wait for the deletion to complete before purging the certificate. # The purge will take some time, so wait before restoring the backup to avoid a conflict. delete_operation.wait() print("\n.. Purge the certificate") client.purge_deleted_certificate(deleted_certificate.name) time.sleep(60) print("Purged certificate with name '{0}'".format(deleted_certificate.name)) # In the future, if the certificate is required again, we can use the backup value to restore it in the Key Vault. print("\n.. Restore the certificate from the backup") certificate = client.restore_certificate_backup(certificate_backup) print("Restored certificate with name '{0}'".format(certificate.name))
bank_certificate_poller = client.begin_create_certificate( certificate_name=bank_cert_name, policy=CertificatePolicy.get_default() ) storage_certificate_poller = client.begin_create_certificate( certificate_name=storage_cert_name, policy=CertificatePolicy.get_default() ) bank_certificate = bank_certificate_poller.result() storage_certificate = storage_certificate_poller.result() print("Certificate with name '{0}' was created.".format(bank_certificate.name)) print("Certificate with name '{0}' was created.".format(storage_certificate.name)) # The storage account was closed, need to delete its credentials from the Key Vault. print("\n.. Delete a Certificate") deleted_bank_poller = client.begin_delete_certificate(bank_cert_name) deleted_bank_certificate = deleted_bank_poller.result() # To ensure certificate is deleted on the server side. deleted_bank_poller.wait() print( "Certificate with name '{0}' was deleted on date {1}.".format( deleted_bank_certificate.name, deleted_bank_certificate.deleted_on ) ) # We accidentally deleted the bank account certificate. Let's recover it. # A deleted certificate can only be recovered if the Key Vault is soft-delete enabled. print("\n.. Recover Deleted Certificate") recovered_bank_poller = client.begin_recover_deleted_certificate(deleted_bank_certificate.name) recovered_bank_certificate = recovered_bank_poller.result()
# Now we can extract the private key and public certificate from the secret using the cryptography # package. `additional_certificates` will be empty since the secret only contains one certificate. # This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault, # but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key # in place of load_key_and_certificates. cert_bytes = base64.b64decode(certificate_secret.value) private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates( data=cert_bytes, password=None ) print("Certificate with name '{}' was parsed.".format(certificate_secret.name)) # Now we can clean up the vault by deleting, then purging, the certificate. print("\n.. Delete certificate") delete_operation_poller = certificate_client.begin_delete_certificate( certificate_name=cert_name ) deleted_certificate = delete_operation_poller.result() delete_operation_poller.wait() print("Certificate with name '{}' was deleted.".format(deleted_certificate.name)) certificate_client.purge_deleted_certificate(certificate_name=deleted_certificate.name) print("Certificate with name '{}' is being purged.".format(deleted_certificate.name)) except HttpResponseError as e: print("\nrun_sample has caught an error. {}".format(e.message)) finally: print("\nrun_sample done")
# A long running poller is returned for the create certificate operation. create_certificate_poller = client.begin_create_certificate( certificate_name=cert_name, policy=CertificatePolicy.get_default()) # The result call awaits the completion of the create certificate operation and returns the final result. # It will return a certificate if creation is successful, and will return the CertificateOperation if not. certificate = create_certificate_poller.result() print("Certificate with name '{0}' created.".format(cert_name)) # Backups are good to have, if in case certificates gets deleted accidentally. # For long term storage, it is ideal to write the backup to a file. print("\n.. Create a backup for an existing certificate") certificate_backup = client.backup_certificate(cert_name) print("Backup created for certificate with name '{0}'.".format(cert_name)) # The storage account certificate is no longer in use, so you can delete it. print("\n.. Delete the certificate") client.begin_delete_certificate(cert_name).wait() print("Deleted certificate '{0}'".format(cert_name)) # In future, if the certificate is required again, we can use the backup value to restore it in the Key Vault. print("\n.. Restore the certificate from the backup") certificate = client.restore_certificate_backup(certificate_backup) print("Restored Certificate with name '{0}'".format(certificate.name)) except HttpResponseError as e: print("\nrun_sample has caught an error. {0}".format(e.message)) finally: print("\nrun_sample done")
"Certificate with name '{0}' was created again with tags '{1}'".format( bank_certificate.name, bank_certificate.properties.tags)) # You need to check all the different tags your bank account certificate had previously. Let's print # all the versions of this certificate. print("\n.. List versions of the certificate using its name") certificate_versions = client.list_properties_of_certificate_versions( bank_cert_name) for certificate_version in certificate_versions: print( "Bank Certificate with name '{0}' with version '{1}' has tags: '{2}'." .format(certificate_version.name, certificate_version.version, certificate_version.tags)) # The bank account and storage accounts got closed. Let's delete bank and storage accounts certificates. client.begin_delete_certificate(name=bank_cert_name).wait() client.begin_delete_certificate(name=storage_cert_name).wait() # You can list all the deleted and non-purged certificates, assuming Key Vault is soft-delete enabled. print("\n.. List deleted certificates from the Key Vault") deleted_certificates = client.list_deleted_certificates() for deleted_certificate in deleted_certificates: print("Certificate with name '{0}' has recovery id '{1}'".format( deleted_certificate.name, deleted_certificate.recovery_id)) except HttpResponseError as e: if "(NotSupported)" in e.message: print( "\n{0} Please enable soft delete on Key Vault to perform this operation." .format(e.message)) else:
def deleted_certificate_recovery(self): """ a sample of enumerating, retrieving, recovering and purging deleted certificates from a key vault """ # create a vault enabling the soft delete feature vault = self.create_vault() # create a certificate client credential = DefaultAzureCredential() certificate_client = CertificateClient( vault_url=vault.properties.vault_uri, credential=credential) # create certificates in the vault cert_to_recover = get_name('cert') cert_to_purge = get_name('cert') create_certificate_poller = certificate_client.begin_create_certificate( cert_to_recover, policy=CertificatePolicy.get_default()) created_certificate = create_certificate_poller.result() print('created certificate {}'.format(created_certificate.name)) create_certificate_poller = certificate_client.begin_create_certificate( cert_to_purge, policy=CertificatePolicy.get_default()) created_certificate = create_certificate_poller.result() print('created certificate {}'.format(created_certificate.name)) # list the vault certificates certificates = certificate_client.list_properties_of_certificates() print('list the vault certificates') for certificate in certificates: print(certificate.name) # delete the certificates deleted_certificate_poller = certificate_client.begin_delete_certificate( cert_to_recover) deleted_certificate = deleted_certificate_poller.result() deleted_certificate_poller.wait() print('deleted certificate {}'.format(deleted_certificate.name)) deleted_certificate_poller = certificate_client.begin_delete_certificate( cert_to_purge) deleted_certificate = deleted_certificate_poller.result() deleted_certificate_poller.wait() print('deleted certificate {}'.format(deleted_certificate.name)) # list the deleted certificates deleted_certs = certificate_client.list_deleted_certificates() print('deleted certificates:') for deleted_cert in deleted_certs: print(deleted_cert.name) # recover a deleted certificate recovered_certificate_poller = certificate_client.begin_recover_deleted_certificate( cert_to_recover) recovered_certificate_certificate = recovered_certificate_poller.result( ) print('recovered certificate {}'.format( recovered_certificate_certificate.name)) # purge a deleted certificate certificate_client.purge_deleted_certificate(cert_to_purge) time.sleep(50) print('purged certificate {}'.format(cert_to_purge)) # list the vault certificates certificates = certificate_client.list_properties_of_certificates() print("all of the certificates in the client's vault:") for certificate in certificates: print(certificate.name)