Skip to content

Final Key Vault 4.0.0b3 updates #7189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chlowell merged 6 commits into from
Sep 11, 2019
Merged

Final Key Vault 4.0.0b3 updates #7189

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
282288b
update readmes
chlowell Sep 3, 2019
827410c
CryptographyClient initialization snippets
chlowell Sep 4, 2019
858ae88
update changelogs
chlowell Sep 9, 2019
4ac9f7a
update versions
chlowell Sep 9, 2019
444e31c
require enum34
chlowell Sep 10, 2019
786858f
update release dates
chlowell Sep 10, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
update readmes
  • Loading branch information
@chlowell
chlowell committed Sep 10, 2019
commit 282288b46991a0db77b84f03e944d025140a96a6
233 changes: 149 additions & 84 deletions sdk/keyvault/azure-keyvault-keys/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,17 @@
# Azure Key Vault Keys client library for Python
Azure Key Vault allows you to create and store keys in the Key Vault. Azure Key Vault client supports RSA keys and elliptic curve keys, each with corresponding support in hardware security modules (HSM).

Multiple keys, and multiple versions of the same key, can be kept in the Key Vault. Cryptographic keys in Key Vault are represented as [JSON Web Key (JWK)][JWK] objects. This library offers operations to create, retrieve, update, delete, purge, backup, restore and list the keys and its versions.
Azure Key Vault helps solve the following problems:
- Cryptographic key management (this library) - create, store, and control
access to the keys used to encrypt your data
- Secrets management
([`azure-keyvault-secrets`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-secrets)) -
securely store and control access to tokens, passwords, certificates, API keys,
and other secrets
- Certificate management
([`azure-keyvault-certificates`](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates)) -
create, manage, and deploy public and private SSL/TLS certificates

[Source code][key_client_src] | [Package (PyPI)][pypi_package_keys] | [API reference documentation][reference_docs] | [Product documentation][keyvault_docs] | [Samples][key_samples]

## Getting started
### Install the package
Install the Azure Key Vault Keys client library for Python with [pip][pip]:
Expand All @@ -13,19 +21,54 @@ pip install azure-keyvault-keys
```

### Prerequisites
* An [Azure subscription][azure_sub].
* Python 2.7, 3.5 or later to use this package.
* An existing Key Vault. If you need to create a Key Vault, you can use the [Azure Cloud Shell][azure_cloud_shell] to create one with this Azure CLI command. Replace `<your-resource-group-name>` and `<your-key-vault-name>` with your own, unique names:

* An [Azure subscription][azure_sub]
* Python 2.7, 3.5 or later
* A Key Vault. If you need to create one, you can use the
[Azure Cloud Shell][azure_cloud_shell] to create one with this command (replace
`<your resource group name>` and `<your key vault name>` with your own, unique
names):
```Bash
az keyvault create --resource-group <your-resource-group-name> --name <your-key-vault-name>
az keyvault create --resource-group <your resource group name> --name <your key vault name>
```

Output:
```json
{
"id": "...",
"location": "westus2",
"name": "<your key vault name>",
"properties": {
"accessPolicies": [...],
"createMode": null,
"enablePurgeProtection": null,
"enableSoftDelete": null,
"enabledForDeployment": false,
"enabledForDiskEncryption": null,
"enabledForTemplateDeployment": null,
"networkAcls": null,
"provisioningState": "Succeeded",
"sku": { "name": "standard" },
"tenantId": "...",
"vaultUri": "https://<your key vault name>.vault.azure.net/"
},
"resourceGroup": "<your resource group name>",
"type": "Microsoft.KeyVault/vaults"
}
```

> The `"vaultUri"` property is the `vault_url` used by `KeyClient`.

### Authenticate the client
In order to interact with the Key Vault service, you'll need to create an instance of the [KeyClient][key_client_docs] class. You would need a **vault url** and **client secret credentials (client id, client secret, tenant id)** to instantiate a client object for using the `DefaultAzureCredential` examples in the README. `DefaultAzureCredential` authentication by providing client secret credentials is being used in this getting started section but you can find more ways to authenticate with [azure-identity][azure_identity].
To interact with a Key Vault's keys, you'll need an instance of the
[KeyClient][key_client_docs] class. Creating one requires a **vault url** and
**credential**. This document demonstrates using `DefaultAzureCredential` as
the credential, authenticating with a service principal's client id, secret,
and tenant id. Other authentication methods are supported. See the
[azure-identity][azure_identity] documentation for more details.

#### Create/Get credentials
Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get client secret credentials.
#### Create a service principal
Use this [Azure Cloud Shell][azure_cloud_shell] snippet to create a
service principal:

* Create a service principal and configure its access to Azure resources:
```Bash
Expand All @@ -34,71 +77,74 @@ Use the [Azure Cloud Shell][azure_cloud_shell] snippet below to create/get clien
Output:
```json
{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
"appId": "generated app id",
"displayName": "your-application-name",
"name": "http://your-application-name",
"password": "random password",
"tenant": "tenant id"
}
```
* Use the credentials returned above to set **AZURE_CLIENT_ID**(appId), **AZURE_CLIENT_SECRET**(password) and **AZURE_TENANT_ID**(tenant) environment variables. The following example shows a way to do this in Bash:

* Use the output to set **AZURE_CLIENT_ID** (appId), **AZURE_CLIENT_SECRET**
(password) and **AZURE_TENANT_ID** (tenant) environment variables. The
following example shows a way to do this in Bash:
```Bash
export AZURE_CLIENT_ID="generated-app-ID"
export AZURE_CLIENT_SECRET="random-password"
export AZURE_TENANT_ID="tenant-ID"
export AZURE_CLIENT_ID="generated app id"
export AZURE_CLIENT_SECRET="random password"
export AZURE_TENANT_ID="tenant id"
```

* Grant the above mentioned application authorization to perform key operations on the keyvault:
* Authorize the service principal to perform key operations in your Key Vault:
```Bash
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create
az keyvault set-policy --name <your key vault name> --spn $AZURE_CLIENT_ID --key-permissions backup delete get list create
```
> --key-permissions:
> Accepted values (management operations): backup, delete, get, list, purge, recover, restore, create, update, import
> Accepted values (cryptographic operations): decrypt, encrypt, unwrapKey, wrapKey, verify, sign
> Possible key permissions:
> - Key management: backup, delete, get, list, purge, recover, restore, create, update, import
> - Cryptographic operations: decrypt, encrypt, unwrapKey, wrapKey, verify, sign

* Use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL:
```Bash
az keyvault show --name <your-key-vault-name>
```

#### Create Key client
Once you've populated the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and **AZURE_TENANT_ID** environment variables and replaced **your-vault-url** with the above returned URI for example "<https://myvault.vault.azure.net>", you can create the [KeyClient][key_client_docs]:
#### Create a client
After setting the **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET** and
**AZURE_TENANT_ID** environment variables, you can create the
[KeyClient][key_client_docs]:

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()

# Create a new Key client using the default credential
key_client = KeyClient(vault_url=<your-vault-url>, credential=credential)
```

## Key concepts
### Key
Azure Key Vault supports multiple key types and algorithms, and enables the use of Hardware Security Modules
(HSM) for high value keys. In addition to the key value, the following attributes may be specified:
* enabled: Specifies whether the key is enabled and useable for cryptographic operations.
* not_before: Identifies the time before which the key must not be used for cryptographic operations.
* expires: Identifies the expiration time on or after which the key MUST NOT be used for cryptographic operation.
* created: Indicates when this version of the key was created.
* updated: Indicates when this version of the key was updated.

### Key Client:
The Key client performs the interactions with the Azure Key Vault service for getting, setting, updating, deleting,and listing keys and its versions. An asynchronous and synchronous, KeyClient, client exists in the SDK allowing for selection of a client based on an application's use case. Once you've initialized a Key, you can interact with the primary resource types in Key Vault.
With a `KeyClient`, you can get keys from the vault, create new keys and new
versions of existing keys, update key metadata, and delete keys, as shown in
the [examples](#examples) below.

### Keys
Azure Key Vault can create and store RSA and elliptic curve keys. Both can
optionally be protected by hardware security modules (HSMs). Azure Key Vault
can also perform cryptographic operations with them. For more information about
keys and supported operations and algorithms, see the
[Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys)
.

## Examples
The following section provides several code snippets using the above created `key_client`, covering some of the most common Azure Key Vault Key service related tasks, including:
This section contains code snippets covering common tasks:
* [Create a Key](#create-a-key)
* [Retrieve a Key](#retrieve-a-key)
* [Update an existing Key](#update-an-existing-key)
* [Delete a Key](#delete-a-key)
* [List Keys](#list-keys)
* [Asynchronously create a Key](#asynchronously-create-a-key)
* [Asynchronously list Keys](#asynchronously-list-keys)
* [Perform cryptographic operations](#cryptographic-operations)

### Create a Key
`create_rsa_key` and `create_ec_key` create RSA and elliptic curve keys in the vault, respectively.
If a key with the same name already exists, a new version of the key is created.
`create_rsa_key` and `create_ec_key` create RSA and elliptic curve keys in the
vault, respectively. If a key with the same name already exists, a new version
of that key is created.

```python
# Create an RSA key
Expand All @@ -113,10 +159,9 @@ print(ec_key.key_material.kty)
```

### Retrieve a Key
`get_key` retrieves a key previously stored in the Key Vault.
`get_key` retrieves a key previously stored in the vault.
```python
key = key_client.get_key("key-name")

print(key.name)
```

Expand All @@ -135,15 +180,19 @@ print(updated_key.tags)
```

### Delete a Key
`delete_key` deletes a key previously stored in the Key Vault. When [soft-delete][soft_delete] is not enabled for the Key Vault, this operation permanently deletes the key.
`delete_key` deletes a key previously stored in the Key Vault. If
[soft-delete][soft_delete] is not enabled for the vault, this permanently
deletes the key.

```python
deleted_key = key_client.delete_key("key-name")

print(deleted_key.name)
print(deleted_key.deleted_date)
```
### List keys
This example lists all the keys in the specified Key Vault.
This example lists all the keys in the client's vault.

```python
keys = key_client.list_keys()

Expand All @@ -164,13 +213,16 @@ from azure.keyvault.keys.crypto import EncryptionAlgorithm
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=vault_url, credential=credential)

key = key_client.get_key("my-key")
key = key_client.get_key("mykey")
crypto_client = key_client.get_cryptography_client(key)

result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
crypto_client.decrypt(result.algorithm, result.ciphertext)
decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext)
```
See the [reference documentation][reference_docs] for more information.

See the
[package documentation](https://azure.github.io/azure-sdk-for-python/ref/azure.keyvault.keys.crypto.html)
for more details of the cryptography API.

### Async operations
This library includes a complete async API supported on Python 3.5+. To use it, you must
Expand Down Expand Up @@ -202,7 +254,7 @@ print(ec_key.key_material.kty)
```

### Asynchronously list keys
This example lists all the keys in the specified Key Vault.
This example lists all the keys in the client's vault:

```python
keys = key_client.list_keys()
Expand All @@ -213,20 +265,26 @@ async for key in keys:

## Troubleshooting
### General
Key Vault clients raise exceptions defined in azure-core. For more detailed infromation about exceptions and how to deal with them, see [Azure Core exceptions][azure_core_exceptions].
Key Vault clients raise exceptions defined in [`azure-core`][azure_core_exceptions].
For example, if you try to get a key that doesn't exist in the vault, `KeyClient`
raises `ResourceNotFoundError`:

For example, if you try to retrieve a key after it is deleted a `404` error is returned, indicating resource not found. In the following snippet, the error is handled gracefully by catching the exception and displaying additional information about the error.
```python
from azure.core.exceptions import ResourceNotFoundError

key_client.delete_key("my-key")

try:
key_client.get_key("deleted_key")
key_client.get_key("my-key")
except ResourceNotFoundError as e:
print(e.message)

Output: "Key not found:deleted_key"
```

### Logging
Network trace logging is disabled by default for this library. When enabled, this will be logged at DEBUG level. The logging policy is used to output the HTTP network trace to the configured logger. You can configure logging to print out debugging information to the stdout or write it to a file using the following example:
Network trace logging is disabled by default for this library. When enabled,
HTTP requests will be logged at DEBUG level using the `logging` library. You
can configure logging to print debugging information to stdout or write it
to a file:

```python
import sys
Expand All @@ -244,40 +302,47 @@ logger.addHandler(handler)
file_handler = logging.FileHandler(filename)
logger.addHandler(file_handler)

# Enable network trace logging. This will be logged at DEBUG level.
# By default, network tracing logging is disabled.
# Enable network trace logging to log all HTTP requests at DEBUG level
config = KeyClient.create_config(credential, logging_enable=True)
client = KeyClient(url, credential, config=config)
client = KeyClient(vault_url, credential, config=config)
```
The logger can also be enabled per operation.

Network trace logging can also be enabled for any single operation:
```python
key = key_client.get_key("key-name", logging_enable=True)
```

## Next steps
Several KeyVault Python SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Key Vault:
* [test_samples_keys.py][test_examples_keys] and [test_samples_keys_async.py][test_example_keys_async] - Contains the code snippets working with Key Vault keys.
* [hello_world.py][hello_world_sample] and [hello_world_async.py][hello_world_async_sample] - Python code for working with Azure Key Vault, including:
* Create a key
* Get an existing key
* Update an existing key
* Delete key
* [backup_restore_operations.py][backup_operations_sample] and [backup_restore_operations_async.py][backup_operations_async_sample] - Example code for working with Key Vault keys backup and recovery, including:
* Create key
* Backup a key
* Delete the key
* Use backed up key bytes to restore the deleted key

### Additional Documentation
For more extensive documentation on Azure Key Vault, see the [API reference documentation][reference_docs].
Several samples are available in the Azure SDK for Python GitHub repository.
These provide example code for additional Key Vault scenarios:
* [test_samples_keys.py][test_examples_keys] and
[test_samples_keys_async.py][test_example_keys_async] - code snippets from
the library's documentation
* [hello_world.py][hello_world_sample] and
[hello_world_async.py][hello_world_async_sample] - create/get/update/delete keys
* [backup_restore_operations.py][backup_operations_sample] and
[backup_restore_operations_async.py][backup_operations_async_sample] - backup and
recover keys

### Additional Documentation
For more extensive documentation on Azure Key Vault, see the
[API reference documentation][reference_docs].

## Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct]. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
This project welcomes contributions and suggestions. Most contributions require
you to agree to a Contributor License Agreement (CLA) declaring that you have
the right to, and actually do, grant us the rights to use your contribution.
For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether
you need to provide a CLA and decorate the PR appropriately (e.g., label,
comment). Simply follow the instructions provided by the bot. You will only
need to do this once across all repos using our CLA.

This project has adopted the
[Microsoft Open Source Code of Conduct][code_of_conduct]. For more information,
see the Code of Conduct FAQ or contact [email protected] with any
additional questions or comments.

[azure_cloud_shell]: https://shell.azure.com/bash
[azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/core/azure-core/docs/exceptions.md
Expand Down
Loading