diff --git a/sdk/keyvault/azure-keyvault-certificates/HISTORY.md b/sdk/keyvault/azure-keyvault-certificates/HISTORY.md index 09161e2a6d53..48464a3671a9 100644 --- a/sdk/keyvault/azure-keyvault-certificates/HISTORY.md +++ b/sdk/keyvault/azure-keyvault-certificates/HISTORY.md @@ -1,6 +1,6 @@ # Release History -## 4.0.0b3 (2019-09-10) +## 4.0.0b3 (2019-09-11) Version 4.0.0b3 is the first preview of our efforts to create a user-friendly and Pythonic client library for Azure Key Vault. For more information about preview releases of other Azure SDK libraries, please visit https://aka.ms/azure-sdk-preview1-python. diff --git a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_version.py b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_version.py index ccaa7193d0b4..4c2a24867ae8 100644 --- a/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_version.py +++ b/sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_version.py @@ -3,4 +3,4 @@ # Licensed under the MIT License. # ------------------------------------ -VERSION = "4.0.0b1" +VERSION = "4.0.0b3" diff --git a/sdk/keyvault/azure-keyvault-certificates/setup.py b/sdk/keyvault/azure-keyvault-certificates/setup.py index 3e9a42092f47..157680533100 100644 --- a/sdk/keyvault/azure-keyvault-certificates/setup.py +++ b/sdk/keyvault/azure-keyvault-certificates/setup.py @@ -79,5 +79,9 @@ ] ), install_requires=["azure-core<2.0.0,>=1.0.0b2", "azure-common~=1.1", "msrest>=0.5.0"], - extras_require={":python_version<'3.0'": ["azure-keyvault-nspkg"], ":python_version<'3.5'": ["typing"]}, + extras_require={ + ":python_version<'3.0'": ["azure-keyvault-nspkg"], + ":python_version<'3.4'": ["enum34>=1.0.4"], + ":python_version<'3.5'": ["typing"], + }, ) diff --git a/sdk/keyvault/azure-keyvault-keys/HISTORY.md b/sdk/keyvault/azure-keyvault-keys/HISTORY.md index 8b2b0e6aaca6..15d14bc3613e 100644 --- a/sdk/keyvault/azure-keyvault-keys/HISTORY.md +++ b/sdk/keyvault/azure-keyvault-keys/HISTORY.md @@ -1,5 +1,15 @@ # Release History +## 4.0.0b3 (2019-09-11) +### Breaking changes: +- `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and +`unwrap_key`, respectively. + +### New features: +- `CryptographyClient` performs encrypt, verify and wrap operations locally +when its key's public material is available (i.e., when it has keys/get +permission). + ## 4.0.0b2 (2019-08-06) ### Breaking changes: - Removed `azure.core.Configuration` from the public API in preparation for a diff --git a/sdk/keyvault/azure-keyvault-keys/README.md b/sdk/keyvault/azure-keyvault-keys/README.md index 8a436495784d..e4e96a8ead15 100644 --- a/sdk/keyvault/azure-keyvault-keys/README.md +++ b/sdk/keyvault/azure-keyvault-keys/README.md @@ -1,9 +1,17 @@ # Azure Key Vault Keys client library for Python -Azure Key Vault allows you to create and store keys in the Key Vault. Azure Key Vault client supports RSA keys and elliptic curve keys, each with corresponding support in hardware security modules (HSM). - -Multiple keys, and multiple versions of the same key, can be kept in the Key Vault. Cryptographic keys in Key Vault are represented as [JSON Web Key (JWK)][JWK] objects. This library offers operations to create, retrieve, update, delete, purge, backup, restore and list the keys and its versions. +Azure Key Vault helps solve the following problems: +- Cryptographic key management (this library) - create, store, and control +access to the keys used to encrypt your data +- Secrets management +([`azure-keyvault-secrets`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-secrets)) - +securely store and control access to tokens, passwords, certificates, API keys, +and other secrets +- Certificate management +([`azure-keyvault-certificates`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates)) - +create, manage, and deploy public and private SSL/TLS certificates [Source code][key_client_src] | [Package (PyPI)][pypi_package_keys] | [API reference documentation][reference_docs] | [Product documentation][keyvault_docs] | [Samples][key_samples] + ## Getting started ### Install the package Install the Azure Key Vault Keys client library for Python with [pip][pip]: @@ -13,19 +21,54 @@ pip install azure-keyvault-keys ``` ### Prerequisites -* An [Azure subscription][azure_sub]. -* Python 2.7, 3.5 or later to use this package. -* An existing Key Vault. If you need to create a Key Vault, you can use the [Azure Cloud Shell][azure_cloud_shell] to create one with this Azure CLI command. Replace `` and `` with your own, unique names: - +* An [Azure subscription][azure_sub] +* Python 2.7, 3.5 or later +* A Key Vault. If you need to create one, you can use the +[Azure Cloud Shell][azure_cloud_shell] to create one with this command (replace +`` and `` with your own, unique +names): ```Bash - az keyvault create --resource-group --name + az keyvault create --resource-group --name ``` + Output: + ```json + { + "id": "...", + "location": "westus2", + "name": "", + "properties": { + "accessPolicies": [...], + "createMode": null, + "enablePurgeProtection": null, + "enableSoftDelete": null, + "enabledForDeployment": false, + "enabledForDiskEncryption": null, + "enabledForTemplateDeployment": null, + "networkAcls": null, + "provisioningState": "Succeeded", + "sku": { "name": "standard" }, + "tenantId": "...", + "vaultUri": "https://.vault.azure.net/" + }, + "resourceGroup": "", + "type": "Microsoft.KeyVault/vaults" + } + ``` + + > The `"vaultUri"` property is the `vault_url` used by `KeyClient`. + ### Authenticate the client -In order to interact with the Key Vault service, you'll need to create an instance of the [KeyClient][key_client_docs] class. You would need a **vault url** and **client secret credentials (client id, client secret, tenant id)** to instantiate a client object for using the `DefaultAzureCredential` examples in the README. `DefaultAzureCredential` authentication by providing client secret credentials is being used in this getting started section but you can find more ways to authenticate with [azure-identity][azure_identity]. +To interact with a Key Vault's keys, you'll need an instance of the +[KeyClient][key_client_docs] class. Creating one requires a **vault url** and +**credential**. This document demonstrates using `DefaultAzureCredential` as +the credential, authenticating with a service principal's client id, secret, +and tenant id. Other authentication methods are supported. See the +[azure-identity][azure_identity] documentation for more details. - #### Create/Get credentials -Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get client secret credentials. + #### Create a service principal +Use this [Azure Cloud Shell][azure_cloud_shell] snippet to create a +service principal: * Create a service principal and configure its access to Azure resources: ```Bash @@ -34,35 +77,36 @@ Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get clien Output: ```json { - "appId": "generated-app-ID", - "displayName": "dummy-app-name", - "name": "http://dummy-app-name", - "password": "random-password", - "tenant": "tenant-ID" + "appId": "generated app id", + "displayName": "your-application-name", + "name": "http://your-application-name", + "password": "random password", + "tenant": "tenant id" } ``` -* Use the credentials returned above to set **AZURE_CLIENT_ID**(appId), **AZURE_CLIENT_SECRET**(password) and **AZURE_TENANT_ID**(tenant) environment variables. The following example shows a way to do this in Bash: + +* Use the output to set **AZURE_CLIENT_ID** (appId), **AZURE_CLIENT_SECRET** +(password) and **AZURE_TENANT_ID** (tenant) environment variables. The +following example shows a way to do this in Bash: ```Bash - export AZURE_CLIENT_ID="generated-app-ID" - export AZURE_CLIENT_SECRET="random-password" - export AZURE_TENANT_ID="tenant-ID" + export AZURE_CLIENT_ID="generated app id" + export AZURE_CLIENT_SECRET="random password" + export AZURE_TENANT_ID="tenant id" ``` -* Grant the above mentioned application authorization to perform key operations on the keyvault: +* Authorize the service principal to perform key operations in your Key Vault: ```Bash - az keyvault set-policy --name --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create + az keyvault set-policy --name --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create ``` - > --key-permissions: - > Accepted values (management operations): backup, delete, get, list, purge, recover, restore, create, update, import - > Accepted values (cryptographic operations): decrypt, encrypt, unwrapKey, wrapKey, verify, sign + > Possible key permissions: + > - Key management: backup, delete, get, list, purge, recover, restore, create, update, import + > - Cryptographic operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign -* Use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL: - ```Bash - az keyvault show --name - ``` -#### Create Key client -Once you've populated the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and **AZURE_TENANT_ID** environment variables and replaced **your-vault-url** with the above returned URI for example "", you can create the [KeyClient][key_client_docs]: +#### Create a client +After setting the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and +**AZURE_TENANT_ID** environment variables, you can create the +[KeyClient][key_client_docs]: ```python from azure.identity import DefaultAzureCredential @@ -70,24 +114,24 @@ from azure.keyvault.keys import KeyClient credential = DefaultAzureCredential() -# Create a new Key client using the default credential key_client = KeyClient(vault_url=, credential=credential) ``` + ## Key concepts -### Key - Azure Key Vault supports multiple key types and algorithms, and enables the use of Hardware Security Modules - (HSM) for high value keys. In addition to the key value, the following attributes may be specified: -* enabled: Specifies whether the key is enabled and useable for cryptographic operations. -* not_before: Identifies the time before which the key must not be used for cryptographic operations. -* expires: Identifies the expiration time on or after which the key MUST NOT be used for cryptographic operation. -* created: Indicates when this version of the key was created. -* updated: Indicates when this version of the key was updated. - -### Key Client: -The Key client performs the interactions with the Azure Key Vault service for getting, setting, updating, deleting,and listing keys and its versions. An asynchronous and synchronous, KeyClient, client exists in the SDK allowing for selection of a client based on an application's use case. Once you've initialized a Key, you can interact with the primary resource types in Key Vault. +With a `KeyClient`, you can get keys from the vault, create new keys and new +versions of existing keys, update key metadata, and delete keys, as shown in +the [examples](#examples) below. + +### Keys +Azure Key Vault can create and store RSA and elliptic curve keys. Both can +optionally be protected by hardware security modules (HSMs). Azure Key Vault +can also perform cryptographic operations with them. For more information about +keys and supported operations and algorithms, see the +[Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys) +. ## Examples -The following section provides several code snippets using the above created `key_client`, covering some of the most common Azure Key Vault Key service related tasks, including: +This section contains code snippets covering common tasks: * [Create a Key](#create-a-key) * [Retrieve a Key](#retrieve-a-key) * [Update an existing Key](#update-an-existing-key) @@ -95,10 +139,12 @@ The following section provides several code snippets using the above created `ke * [List Keys](#list-keys) * [Asynchronously create a Key](#asynchronously-create-a-key) * [Asynchronously list Keys](#asynchronously-list-keys) +* [Perform cryptographic operations](#cryptographic-operations) ### Create a Key -`create_rsa_key` and `create_ec_key` create RSA and elliptic curve keys in the vault, respectively. -If a key with the same name already exists, a new version of the key is created. +`create_rsa_key` and `create_ec_key` create RSA and elliptic curve keys in the +vault, respectively. If a key with the same name already exists, a new version +of that key is created. ```python # Create an RSA key @@ -113,10 +159,9 @@ print(ec_key.key_material.kty) ``` ### Retrieve a Key -`get_key` retrieves a key previously stored in the Key Vault. +`get_key` retrieves a key previously stored in the vault. ```python key = key_client.get_key("key-name") - print(key.name) ``` @@ -135,7 +180,10 @@ print(updated_key.tags) ``` ### Delete a Key -`delete_key` deletes a key previously stored in the Key Vault. When [soft-delete][soft_delete] is not enabled for the Key Vault, this operation permanently deletes the key. +`delete_key` deletes a key previously stored in the Key Vault. If +[soft-delete][soft_delete] is not enabled for the vault, this permanently +deletes the key. + ```python deleted_key = key_client.delete_key("key-name") @@ -143,7 +191,8 @@ print(deleted_key.name) print(deleted_key.deleted_date) ``` ### List keys -This example lists all the keys in the specified Key Vault. +This example lists all the keys in the client's vault. + ```python keys = key_client.list_keys() @@ -164,13 +213,16 @@ from azure.keyvault.keys.crypto import EncryptionAlgorithm credential = DefaultAzureCredential() key_client = KeyClient(vault_url=vault_url, credential=credential) -key = key_client.get_key("my-key") +key = key_client.get_key("mykey") crypto_client = key_client.get_cryptography_client(key) result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext) -crypto_client.decrypt(result.algorithm, result.ciphertext) +decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext) ``` -See the [reference documentation][reference_docs] for more information. + +See the +[package documentation](https://azure.github.io/azure-sdk-for-python/ref/azure.keyvault.keys.crypto.html) +for more details of the cryptography API. ### Async operations This library includes a complete async API supported on Python 3.5+. To use it, you must @@ -202,7 +254,7 @@ print(ec_key.key_material.kty) ``` ### Asynchronously list keys -This example lists all the keys in the specified Key Vault. +This example lists all the keys in the client's vault: ```python keys = key_client.list_keys() @@ -213,20 +265,26 @@ async for key in keys: ## Troubleshooting ### General -Key Vault clients raise exceptions defined in azure-core. For more detailed infromation about exceptions and how to deal with them, see [Azure Core exceptions][azure_core_exceptions]. +Key Vault clients raise exceptions defined in [`azure-core`][azure_core_exceptions]. +For example, if you try to get a key that doesn't exist in the vault, `KeyClient` +raises `ResourceNotFoundError`: -For example, if you try to retrieve a key after it is deleted a `404` error is returned, indicating resource not found. In the following snippet, the error is handled gracefully by catching the exception and displaying additional information about the error. ```python from azure.core.exceptions import ResourceNotFoundError + +key_client.delete_key("my-key") + try: - key_client.get_key("deleted_key") + key_client.get_key("my-key") except ResourceNotFoundError as e: print(e.message) - -Output: "Key not found:deleted_key" ``` + ### Logging -Network trace logging is disabled by default for this library. When enabled, this will be logged at DEBUG level. The logging policy is used to output the HTTP network trace to the configured logger. You can configure logging to print out debugging information to the stdout or write it to a file using the following example: +Network trace logging is disabled by default for this library. When enabled, +HTTP requests will be logged at DEBUG level using the `logging` library. You +can configure logging to print debugging information to stdout or write it +to a file: ```python import sys @@ -244,40 +302,47 @@ logger.addHandler(handler) file_handler = logging.FileHandler(filename) logger.addHandler(file_handler) -# Enable network trace logging. This will be logged at DEBUG level. -# By default, network tracing logging is disabled. +# Enable network trace logging to log all HTTP requests at DEBUG level config = KeyClient.create_config(credential, logging_enable=True) -client = KeyClient(url, credential, config=config) +client = KeyClient(vault_url, credential, config=config) ``` -The logger can also be enabled per operation. +Network trace logging can also be enabled for any single operation: ```python key = key_client.get_key("key-name", logging_enable=True) ``` ## Next steps -Several KeyVault Python SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Key Vault: -* [test_samples_keys.py][test_examples_keys] and [test_samples_keys_async.py][test_example_keys_async] - Contains the code snippets working with Key Vault keys. -* [hello_world.py][hello_world_sample] and [hello_world_async.py][hello_world_async_sample] - Python code for working with Azure Key Vault, including: - * Create a key - * Get an existing key - * Update an existing key - * Delete key -* [backup_restore_operations.py][backup_operations_sample] and [backup_restore_operations_async.py][backup_operations_async_sample] - Example code for working with Key Vault keys backup and recovery, including: - * Create key - * Backup a key - * Delete the key - * Use backed up key bytes to restore the deleted key - - ### Additional Documentation -For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs]. +Several samples are available in the Azure SDK for Python GitHub repository. +These provide example code for additional Key Vault scenarios: +* [test_samples_keys.py][test_examples_keys] and +[test_samples_keys_async.py][test_example_keys_async] - code snippets from +the library's documentation +* [hello_world.py][hello_world_sample] and +[hello_world_async.py][hello_world_async_sample] - create/get/update/delete keys +* [backup_restore_operations.py][backup_operations_sample] and +[backup_restore_operations_async.py][backup_operations_async_sample] - backup and +recover keys + +### Additional Documentation +For more extensive documentation on Azure Key Vault, see the +[API reference documentation][reference_docs]. ## Contributing -This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. - -When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. - -This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments. +This project welcomes contributions and suggestions. Most contributions require +you to agree to a Contributor License Agreement (CLA) declaring that you have +the right to, and actually do, grant us the rights to use your contribution. +For details, visit https://cla.microsoft.com. + +When you submit a pull request, a CLA-bot will automatically determine whether +you need to provide a CLA and decorate the PR appropriately (e.g., label, +comment). Simply follow the instructions provided by the bot. You will only +need to do this once across all repos using our CLA. + +This project has adopted the +[Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, +see the Code of Conduct FAQ or contact opencode@microsoft.com with any +additional questions or comments. [azure_cloud_shell]: https://shell.azure.com/bash [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/core/azure-core/docs/exceptions.md diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py index 51472a3285f4..4c2a24867ae8 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py @@ -3,4 +3,4 @@ # Licensed under the MIT License. # ------------------------------------ -VERSION = "4.0.0b2" +VERSION = "4.0.0b3" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/client.py index 1dc576643e3f..fc306518cbea 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/client.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/client.py @@ -28,14 +28,43 @@ class CryptographyClient(AsyncKeyVaultClientBase): :param key: Either a :class:`~azure.keyvault.keys.models.Key` instance as returned by - :func:`~azure.keyvault.keys.KeyClient.get_key`, or a string. + :func:`~azure.keyvault.keys.aio.KeyClient.get_key`, or a string. If a string, the value must be the full identifier of an Azure Key Vault key with a version. :type key: str or :class:`~azure.keyvault.keys.models.Key` :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity` + :mod:`azure.identity.aio` Keyword arguments - - *api_version* - version of the Key Vault API to use. Defaults to the most recent. + - **api_version** - version of the Key Vault API to use. Defaults to the most recent. + + Creating a ``CryptographyClient``: + + .. code-block:: python + + from azure.identity.aio import DefaultAzureCredential + from azure.keyvault.keys.crypto.aio import CryptographyClient + + credential = DefaultAzureCredential() + + # create a CryptographyClient using a Key instance + key = await key_client.get_key("mykey") + crypto_client = CryptographyClient(key, credential) + + # or a Key's id, which must include a version + key_id = "https://.vault.azure.net/keys/mykey/fe4fdcab688c479a9aa80f01ffeac26" + crypto_client = CryptographyClient(key_id, credential) + + You can also obtain a ``CryptographyClient`` from a :class:`~azure.keyvault.keys.aio.KeyClient`: + + .. code-block:: python + + from azure.identity.aio import DefaultAzureCredential + from azure.keyvault.keys.aio import KeyClient + + credential = DefaultAzureCredential() + key_client = KeyClient(vault_url=, credential=credential) + crypto_client = key_client.get_cryptography_client("mykey") + """ def __init__(self, key: "Union[Key, str]", credential: "TokenCredential", **kwargs: "**Any") -> None: diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/client.py index b012898361ad..973da8a9d4f8 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/client.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/client.py @@ -36,7 +36,36 @@ class CryptographyClient(KeyVaultClientBase): :mod:`azure.identity` Keyword arguments - - *api_version* - version of the Key Vault API to use. Defaults to the most recent. + - **api_version** - version of the Key Vault API to use. Defaults to the most recent. + + Creating a ``CryptographyClient``: + + .. code-block:: python + + from azure.identity import DefaultAzureCredential + from azure.keyvault.keys.crypto import CryptographyClient + + credential = DefaultAzureCredential() + + # create a CryptographyClient using a Key instance + key = key_client.get_key("mykey") + crypto_client = CryptographyClient(key, credential) + + # or a Key's id, which must include a version + key_id = "https://.vault.azure.net/keys/mykey/fe4fdcab688c479a9aa80f01ffeac26" + crypto_client = CryptographyClient(key_id, credential) + + You can also obtain a ``CryptographyClient`` from a :class:`~azure.keyvault.keys.KeyClient`: + + .. code-block:: python + + from azure.identity import DefaultAzureCredential + from azure.keyvault.keys import KeyClient + + credential = DefaultAzureCredential() + key_client = KeyClient(vault_url=, credential=credential) + crypto_client = key_client.get_cryptography_client("mykey") + """ def __init__(self, key, credential, **kwargs): diff --git a/sdk/keyvault/azure-keyvault-keys/setup.py b/sdk/keyvault/azure-keyvault-keys/setup.py index aa22ea762ed9..c2398fa9ce85 100644 --- a/sdk/keyvault/azure-keyvault-keys/setup.py +++ b/sdk/keyvault/azure-keyvault-keys/setup.py @@ -79,5 +79,9 @@ ] ), install_requires=["azure-core<2.0.0,>=1.0.0b2", "azure-common~=1.1", "msrest>=0.5.0"], - extras_require={":python_version<'3.0'": ["azure-keyvault-nspkg"], ":python_version<'3.5'": ["typing"]}, + extras_require={ + ":python_version<'3.0'": ["azure-keyvault-nspkg"], + ":python_version<'3.4'": ["enum34>=1.0.4"], + ":python_version<'3.5'": ["typing"], + }, ) diff --git a/sdk/keyvault/azure-keyvault-secrets/HISTORY.md b/sdk/keyvault/azure-keyvault-secrets/HISTORY.md index f1609d331b59..f5a9864a7a98 100644 --- a/sdk/keyvault/azure-keyvault-secrets/HISTORY.md +++ b/sdk/keyvault/azure-keyvault-secrets/HISTORY.md @@ -1,4 +1,6 @@ # Release History +## 4.0.0b3 (2019-09-11) +This release includes only internal changes. ## 4.0.0b2 (2019-08-06) ### Breaking changes: diff --git a/sdk/keyvault/azure-keyvault-secrets/README.md b/sdk/keyvault/azure-keyvault-secrets/README.md index 5a2745ba7bf3..25d6b343a2e3 100644 --- a/sdk/keyvault/azure-keyvault-secrets/README.md +++ b/sdk/keyvault/azure-keyvault-secrets/README.md @@ -1,42 +1,74 @@ # Azure Key Vault Secret client library for Python -This client library helps you to set, get, update, and delete Azure Key Vault -Secrets. Secrets are a resource for storing secret values, such as passwords, -API keys, and connection strings, and controlling access to them. - -Use this library to: -- Set, get, and delete secrets. -- Update secrets and their attributes. -- Backup and restore secrets. -- List the secrets in a vault, or the versions of a particular secret. +Azure Key Vault helps solve the following problems: +- Secrets management (this library) - +securely store and control access to tokens, passwords, certificates, API keys, +and other secrets +- Cryptographic key management +([`azure-keyvault-keys`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-secrets)) - +create, store, and control access to the keys used to encrypt your data +- Certificate management +([`azure-keyvault-certificates`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates)) - +create, manage, and deploy public and private SSL/TLS certificates [Source code][secret_client_src] | [Package (PyPI)][pypi_package_secrets] | [API reference documentation][reference_docs] | [Product documentation][keyvault_docs] | [Samples][secret_samples] + ## Getting started ### Install the package -Install the Azure Key Vault client library for Python with [pip][pip]: +Install the Azure Key Vault Secrets client library for Python with [pip][pip]: ```Bash pip install azure-keyvault-secrets ``` ### Prerequisites -* An [Azure subscription][azure_sub]. -* Python 2.7, 3.4 or later to use this package. -* An existing Key Vault. If you need to create a Key Vault, you can use the [Azure Cloud Shell][azure_cloud_shell] to create one with this Azure CLI command. Replace `` and `` with your own, unique names: - +* An [Azure subscription][azure_sub] +* Python 2.7, 3.5 or later +* A Key Vault. If you need to create one, you can use the +[Azure Cloud Shell][azure_cloud_shell] to create one with this command (replace +`` and `` with your own, unique +names): ```Bash - az keyvault create --resource-group --name + az keyvault create --resource-group --name + ``` + + Output: + ```json + { + "id": "...", + "location": "westus2", + "name": "", + "properties": { + "accessPolicies": [...], + "createMode": null, + "enablePurgeProtection": null, + "enableSoftDelete": null, + "enabledForDeployment": false, + "enabledForDiskEncryption": null, + "enabledForTemplateDeployment": null, + "networkAcls": null, + "provisioningState": "Succeeded", + "sku": { "name": "standard" }, + "tenantId": "...", + "vaultUri": "https://.vault.azure.net/" + }, + "resourceGroup": "", + "type": "Microsoft.KeyVault/vaults" + } ``` + > The `"vaultUri"` property is the `vault_url` used by `SecretClient`. + ### Authenticate the client -In order to interact with secrets in a vault, you'll need to create an instance -of [`SecretClient`][secret_client_docs]. That requires a **vault url**, and a -**credential** that can authenticate the client to the vault. This document -shows authentication with a client secret credential configured via environment -variables, but other credential types can be used. See -[azure-identity][azure_identity] documentation for more information. +In order to interact with a Key Vault's secrets, you'll need an instance of the +[`SecretClient`][secret_client_docs] class. Creating one requires a **vault url** and +**credential**. This document demonstrates using `DefaultAzureCredential` as +the credential, authenticating with a service principal's client id, secret, +and tenant id. Other authentication methods are supported. See the +[azure-identity][azure_identity] documentation for more details. - #### Create/Get credentials -Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get client secret credentials. + #### Create a service principal +Use this [Azure Cloud Shell][azure_cloud_shell] snippet to create a +service principal: * Create a service principal and configure its access to Azure resources: ```Bash @@ -45,36 +77,36 @@ Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get clien Output: ```json { - "appId": "generated-app-ID", - "displayName": "dummy-app-name", - "name": "http://dummy-app-name", - "password": "random-password", - "tenant": "tenant-ID" + "appId": "generated app id", + "displayName": "your-application-name", + "name": "http://your-application-name", + "password": "random password", + "tenant": "tenant id" } ``` -* Use the credentials returned above to set **AZURE_CLIENT_ID**(appId), **AZURE_CLIENT_SECRET**(password) and (password) and **AZURE_TENANT_ID**(tenant) environment variables. The following example shows a way to do this in Bash: + +* Use the output to set **AZURE_CLIENT_ID** (appId), **AZURE_CLIENT_SECRET** +(password) and **AZURE_TENANT_ID** (tenant) environment variables. The +following example shows a way to do this in Bash: ```Bash - export AZURE_CLIENT_ID="generated-app-ID" - export AZURE_CLIENT_SECRET="random-password" - export AZURE_TENANT_ID="tenant-ID" + export AZURE_CLIENT_ID="generated app id" + export AZURE_CLIENT_SECRET="random password" + export AZURE_TENANT_ID="tenant id" ``` -* Grant the above mentioned application authorization to perform secret operations on the keyvault: +* Authorize the service principal to perform key operations in your Key Vault: ```Bash - az keyvault set-policy --name --spn $AZURE_CLIENT_ID --secret-permissions backup delete get list set + az keyvault set-policy --name --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create ``` - > --secret-permissions: - > Accepted values: backup, delete, get, list, purge, recover, restore, set + > Possible key permissions: + > - Key management: backup, delete, get, list, purge, recover, restore, create, update, import + > - Cryptographic operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign -* Use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL: - ```Bash - az keyvault show --name - ``` -#### Create Secret client -Once you've populated the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and -**AZURE_TENANT_ID** environment variables and replaced **your-vault-url** -with the above returned URI, you can create the [`SecretClient`][secret_client_docs]: +#### Create a client +After setting the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and +**AZURE_TENANT_ID** environment variables, you can create the +[`SecretClient`][secret_client_docs]: ```python from azure.identity import DefaultAzureCredential @@ -82,30 +114,35 @@ with the above returned URI, you can create the [`SecretClient`][secret_client_d credential = DefaultAzureCredential() - # Create a new secret client using the default credential secret_client = SecretClient(vault_url=, credential=credential) ``` + ## Key concepts -### Secret - In Azure Key Vault, a Secret consists of a secret value and its associated - metadata and management information. From the perspective of a developer, the - secret values themselves are strings. +With a `SecretClient`, you can get secrets from the vault, create new secrets +and update their values, and delete secrets, as shown in the +[examples](#examples) below. -### Secret Client: -The Secret client performs the interactions with the Azure Key Vault service for getting, setting, updating,deleting, and listing secrets and its versions. An asynchronous and synchronous, SecretClient, client exists in the SDK allowing for selection of a client based on an application's use case. Once you've initialized a SecretClient, you can interact with the primary resource types in Key Vault. +### Secret +A Secret consists of a secret value and its associated metadata and management +information. For this library secret values are strings, but Azure Key Vault +doesn't store them as such. For more information about secrets and how Key +Vault stores and manages them, see the +[Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-secrets) +. ## Examples -The following section provides several code snippets using the above created `secret_client`, covering some of the most common Azure Key Vault Secret service related tasks, including: -* [Create a Secret](#create-a-secret) +This section contains code snippets covering common tasks: * [Retrieve a Secret](#retrieve-a-secret) -* [Update an existing Secret](#update-an-existing-secret) +* [Update Secret metadata](#update-secret-metadata) * [Delete a Secret](#delete-a-secret) * [List Secrets](#list-secrets) * [Async create a Secret](#async-create-a-secret) * [Async list Secrets](#async-list-secrets) ### Create a Secret -`set_secret` creates a Secret to be stored in the Azure Key Vault. If a secret with the same name already exists, then a new version of the secret is created. +`set_secret` creates a Secret in the vault. If a secret with the same name +already exists, a new version of that secret is created. + ```python secret = secret_client.set_secret("secret-name", "secret-value") @@ -116,6 +153,7 @@ The following section provides several code snippets using the above created `se ### Retrieve a Secret `get_secret` retrieves a secret previously stored in the Key Vault. + ```python secret = secret_client.get_secret("secret-name") @@ -123,8 +161,10 @@ The following section provides several code snippets using the above created `se print(secret.value) ``` -### Update an existing Secret -`update_secret` updates a secret previously stored in the Key Vault. +### Update Secret metadata +`update_secret` updates a secret's metadata. It cannot change the secret's +value; use [`set_secret`](#create-a-secret) to set a secret's value. + ```python # Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved content_type = "text/plain" @@ -133,24 +173,26 @@ The following section provides several code snippets using the above created `se updated_secret = secret_client.update_secret("secret-name", content_type=content_type, tags=tags) - print(updated_secret.name) - print(updated_secret.version) print(updated_secret.updated) print(updated_secret.content_type) print(updated_secret.tags) - ``` ### Delete a Secret -`delete_secret` deletes a secret previously stored in the Key Vault. When [soft-delete][soft_delete] is not enabled for the Key Vault, this operation permanently deletes the secret. +`delete_secret` deletes a secret. If [soft-delete][soft_delete] is not enabled +for the vault, this permanently deletes the secret. + ```python deleted_secret = secret_client.delete_secret("secret-name") print(deleted_secret.name) print(deleted_secret.deleted_date) ``` + ### List secrets -This example lists all the secrets in the specified Key Vault. +This example lists all the secrets in the vault. The list doesn't include +secret values; use [`get_secret`](#retrieve-a-secret) to get a secret's value. + ```python secrets = secret_client.list_secrets() @@ -172,9 +214,7 @@ This example creates a secret in the Key Vault with the specified optional argum from azure.identity.aio import DefaultAzureCredential from azure.keyvault.secrets.aio import SecretClient - # for async operations use DefaultAzureCredential credential = DefaultAzureCredential() - # Create a new secret client using the default credential secret_client = SecretClient(vault_url=vault_url, credential=credential) secret = await secret_client.set_secret("secret-name", "secret-value") @@ -183,8 +223,10 @@ This example creates a secret in the Key Vault with the specified optional argum print(secret.value) print(secret.version) ``` + ### Async list secrets This example lists all the secrets in the specified Key Vault. + ```python secrets = secret_client.list_secrets() @@ -195,72 +237,85 @@ This example lists all the secrets in the specified Key Vault. ## Troubleshooting ### General -Key Vault clients raise exceptions defined in azure-core. For more detailed infromation about exceptions and how to deal with them, see [Azure Core exceptions][azure_core_exceptions]. +Key Vault clients raise exceptions defined in [`azure-core`][azure_core_exceptions]. +For example, if you try to get a key that doesn't exist in the vault, +`SecretClient` raises `ResourceNotFoundError`: -For example, if you try to retrieve a secret after it is deleted a `404` error is returned, indicating resource not found. In the following snippet, the error is handled gracefully by catching the exception and displaying additional information about the error. ```python from azure.core.exceptions import ResourceNotFoundError + +secret_client.delete_secret("my-secret") + try: - secret_client.get_secret("deleted_secret") + secret_client.get_secret("my-secret") except ResourceNotFoundError as e: print(e.message) - -Output: "Secret not found:deleted_secret" ``` + ### Logging -Network trace logging is disabled by default for this library. When enabled, this will be logged at DEBUG level. The logging policy is used to output the HTTP network trace to the configured logger. You can configure logging to print out debugging information to the stdout or write it to a file using the following example: +Network trace logging is disabled by default for this library. When enabled, +HTTP requests will be logged at DEBUG level using the `logging` library. You +can configure logging to print debugging information to stdout or write it +to a file: - ```python +```python import sys import logging - # Create a logger for the 'azure' SDK + +# Create a logger for the 'azure' SDK logger = logging.getLogger(__name__) logger.setLevel(logging.DEBUG) - # Configure a console output + +# Configure a console output handler = logging.StreamHandler(stream=sys.stdout) logger.addHandler(handler) - # Configure a file output + +# Configure a file output file_handler = logging.FileHandler(filename) logger.addHandler(file_handler) -# Enable network trace logging. This will be logged at DEBUG level. -# By default, network trace logging is disabled. +# Enable network trace logging to log all HTTP requests at DEBUG level config = SecretClient.create_config(credential, logging_enable=True) client = SecretClient(url, credential, config=config) ``` -The logger can also be enabled per operation. +Network trace logging can also be enabled for any single operation: ```python secret = secret_client.get_secret("secret-name", logging_enable=True) ``` ## Next steps -Several KeyVault Python SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Key Vault: -* [test_samples_secrets.py][test_examples_secrets] and [test_samples_secrets_async.py][test_example_secrets_async] - Contains the code snippets working with Key Vault secrets. -* [hello_world.py][hello_world_sample] and [hello_world_async.py][hello_world_async_sample] - Python code for working with Azure Key Vault, including: - * Create a secret - * Get an existing secret - * Update an existing secret - * Delete secret -* [list_operations.py][list_operations_sample] and [list_operations_async.py][list_operations_async_sample] - Example code for working with Key Vault secrets backup and recovery, including: - * Create secrets - * List all secrets in the Key Vault - * Update secrets in the Key Vault - * List versions of a specified secret - * Delete secrets from the Key Vault - * List deleted secrets in the Key Vault - - ### Additional Documentation -For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs]. +Several samples are available in the Azure SDK for Python GitHub repository. +These provide example code for additional Key Vault scenarios: +* [test_samples_secrets.py][test_examples_secrets] and +[test_samples_secrets_async.py][test_example_secrets_async] - code snippets +from the library's documentation +* [hello_world.py][hello_world_sample] and +[hello_world_async.py][hello_world_async_sample] - create/get/update/delete +secrets +* [list_operations.py][list_operations_sample] and +[list_operations_async.py][list_operations_async_sample] - list secrets + +### Additional Documentation +For more extensive documentation on Azure Key Vault, see the +[API reference documentation][reference_docs]. ## Contributing -This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com. +This project welcomes contributions and suggestions. Most contributions require +you to agree to a Contributor License Agreement (CLA) declaring that you have +the right to, and actually do, grant us the rights to use your contribution. +For details, visit https://cla.microsoft.com. -When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. +When you submit a pull request, a CLA-bot will automatically determine whether +you need to provide a CLA and decorate the PR appropriately (e.g., label, +comment). Simply follow the instructions provided by the bot. You will only +need to do this once across all repos using our CLA. -This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments. +This project has adopted the +[Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, +see the Code of Conduct FAQ or contact opencode@microsoft.com with any +additional questions or comments. - [azure_cloud_shell]: https://shell.azure.com/bash [azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/core/azure-core/docs/exceptions.md [azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/identity/azure-identity diff --git a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_version.py b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_version.py index 51472a3285f4..4c2a24867ae8 100644 --- a/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_version.py +++ b/sdk/keyvault/azure-keyvault-secrets/azure/keyvault/secrets/_version.py @@ -3,4 +3,4 @@ # Licensed under the MIT License. # ------------------------------------ -VERSION = "4.0.0b2" +VERSION = "4.0.0b3" diff --git a/sdk/keyvault/azure-keyvault-secrets/setup.py b/sdk/keyvault/azure-keyvault-secrets/setup.py index 4d5c98936576..ccecb514929d 100644 --- a/sdk/keyvault/azure-keyvault-secrets/setup.py +++ b/sdk/keyvault/azure-keyvault-secrets/setup.py @@ -79,5 +79,9 @@ ] ), install_requires=["azure-core<2.0.0,>=1.0.0b2", "azure-common~=1.1", "msrest>=0.5.0"], - extras_require={":python_version<'3.0'": ["azure-keyvault-nspkg"], ":python_version<'3.5'": ["typing"]}, + extras_require={ + ":python_version<'3.0'": ["azure-keyvault-nspkg"], + ":python_version<'3.4'": ["enum34>=1.0.4"], + ":python_version<'3.5'": ["typing"], + }, )