Give AlbumentationsX a star on GitHub — it powers this leaderboard

Star on GitHub

azure-keyvault-certificates

Microsoft Corporation Key Vault Certificates Client Library for Python

Downloads: 0 (30 days)
View on PyPIGitHubOwner: Azure

Description

Azure Key Vault Certificates client library for Python

Azure Key Vault helps solve the following problems:

  • Certificate management (this library) - create, manage, and deploy public and private SSL/TLS certificates
  • Cryptographic key management (azure-keyvault-keys) - create, store, and control access to the keys used to encrypt your data
  • Secrets management (azure-keyvault-secrets) - securely store and control access to tokens, passwords, certificates, API keys, and other secrets
  • Vault administration (azure-keyvault-administration) - role-based access control (RBAC), and vault-level backup and restore options

[Source code][library_src] | [Package (PyPI)][pypi_package_certificates] | Package (Conda) | [API reference documentation][reference_docs] | [Product documentation][azure_keyvault] | [Samples][certificates_samples]

Disclaimer

Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691. Python 3.9 or later is required to use this package. For more details, please refer to Azure SDK for Python version support policy.

Getting started

Install the package

Install [azure-keyvault-certificates][pypi_package_certificates] and [azure-identity][azure_identity_pypi] with [pip][pip]:

pip install azure-keyvault-certificates azure-identity

[azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below.

Prerequisites

  • An [Azure subscription][azure_sub]
  • Python 3.9 or later
  • An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli].

Authenticate the client

In order to interact with the Azure Key Vault service, you will need an instance of a [CertificateClient][certificate_client_docs], as well as a vault url and a credential object. This document demonstrates using a [DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios, including local development and production environments. We recommend using a [managed identity][managed_identity] for authentication in production environments.

See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their corresponding credential types.

Create a client

After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of authentication, you can do the following to create a certificate client (replacing the value of VAULT_URL with your vault's URL):

<!-- SNIPPET:hello_world.create_a_certificate_client --> 
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
<!-- END SNIPPET -->

NOTE: For an asynchronous client, import azure.keyvault.certificates.aio's CertificateClient instead.

Key concepts

CertificateClient

With a [CertificateClient][certificate_client_docs] you can get certificates from the vault, create new certificates and new versions of existing certificates, update certificate metadata, and delete certificates. You can also manage certificate issuers, contacts, and management policies of certificates. This is illustrated in the examples below.

Examples

This section contains code snippets covering common tasks:

Create a certificate

begin_create_certificate creates a certificate to be stored in the Azure Key Vault. If a certificate with the same name already exists, a new version of the certificate is created. Before creating a certificate, a management policy for the certificate can be created or our default policy will be used. This method returns a long running operation poller.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

create_certificate_poller = certificate_client.begin_create_certificate(
    certificate_name="cert-name", policy=CertificatePolicy.get_default()
)
print(create_certificate_poller.result())

If you would like to check the status of your certificate creation, you can call status() on the poller or get_certificate_operation with the name of the certificate.

Retrieve a certificate

get_certificate retrieves the latest version of a certificate previously stored in the Key Vault.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

certificate = certificate_client.get_certificate("cert-name")

print(certificate.name)
print(certificate.properties.version)
print(certificate.policy.issuer_name)

get_certificate_version retrieves a specific version of a certificate.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
certificate = certificate_client.get_certificate_version(certificate_name="cert-name", version="cert-version")

print(certificate.name)
print(certificate.properties.version)

Update properties of an existing certificate

update_certificate_properties updates a certificate previously stored in the Key Vault.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

# we will now disable the certificate for further use
updated_certificate= certificate_client.update_certificate_properties(
    certificate_name="cert-name", enabled=False
)

print(updated_certificate.name)
print(updated_certificate.properties.enabled)

Delete a certificate

begin_delete_certificate requests Key Vault delete a certificate, returning a poller which allows you to wait for the deletion to finish. Waiting is helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the certificate as soon as possible. When [soft-delete][soft_delete] is disabled, begin_delete_certificate itself is permanent.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

deleted_certificate_poller = certificate_client.begin_delete_certificate("cert-name")

deleted_certificate = deleted_certificate_poller.result()
print(deleted_certificate.name)
print(deleted_certificate.deleted_on)

List properties of certificates

list_properties_of_certificates lists the properties of all certificates in the specified Key Vault.

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

credential = DefaultAzureCredential()

certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

certificates = certificate_client.list_properties_of_certificates()

for certificate in certificates:
    # this list doesn't include versions of the certificates
    print(certificate.name)

Async operations

This library includes a complete set of async APIs. To use them, you must first install an async transport, such as aiohttp. See [azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPE