Microsoft Azure Key Vault Certificates Client Library for Python
Azure Key Vault helps solve the following problems:
Source code | Package (PyPI) | Package (Conda) | API reference documentation | Product documentation | Samples
Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691. Python 3.7 or later is required to use this package. For more details, please refer to Azure SDK for Python version support policy.
Install azure-keyvault-certificates and azure-identity with pip:
pip install azure-keyvault-certificates azure-identity
azure-identity is used for Azure Active Directory authentication as demonstrated below.
In order to interact with the Azure Key Vault service, you will need an instance of a CertificateClient, as well as a vault url and a credential object. This document demonstrates using a DefaultAzureCredential, which is appropriate for most scenarios, including local development and production environments. We recommend using a managed identity for authentication in production environments.
See azure-identity documentation for more information about other methods of authentication and their corresponding credential types.
After configuring your environment for the DefaultAzureCredential to use a suitable method of authentication, you can do the following to create a certificate client (replacing the value of VAULT_URL
with your vault's URL):
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
NOTE: For an asynchronous client, import
azure.keyvault.certificates.aio
'sCertificateClient
instead.
With a CertificateClient you can get certificates from the vault, create new certificates and new versions of existing certificates, update certificate metadata, and delete certificates. You can also manage certificate issuers, contacts, and management policies of certificates. This is illustrated in the examples below.
This section contains code snippets covering common tasks:
begin_create_certificate creates a certificate to be stored in the Azure Key Vault. If a certificate with the same name already exists, a new version of the certificate is created. Before creating a certificate, a management policy for the certificate can be created or our default policy will be used. This method returns a long running operation poller.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
create_certificate_poller = certificate_client.begin_create_certificate(
certificate_name="cert-name", policy=CertificatePolicy.get_default()
)
print(create_certificate_poller.result())
If you would like to check the status of your certificate creation, you can call status()
on the poller or
get_certificate_operation
with the name of the certificate.
get_certificate retrieves the latest version of a certificate previously stored in the Key Vault.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
certificate = certificate_client.get_certificate("cert-name")
print(certificate.name)
print(certificate.properties.version)
print(certificate.policy.issuer_name)
get_certificate_version retrieves a specific version of a certificate.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
certificate = certificate_client.get_certificate_version(certificate_name="cert-name", version="cert-version")
print(certificate.name)
print(certificate.properties.version)
update_certificate_properties updates a certificate previously stored in the Key Vault.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
# we will now disable the certificate for further use
updated_certificate= certificate_client.update_certificate_properties(
certificate_name="cert-name", enabled=False
)
print(updated_certificate.name)
print(updated_certificate.properties.enabled)
begin_delete_certificate
requests Key Vault delete a certificate, returning a poller which allows you to wait for the deletion to finish.
Waiting is helpful when the vault has soft-delete enabled, and you want to purge
(permanently delete) the certificate as soon as possible. When soft-delete is disabled,
begin_delete_certificate
itself is permanent.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
deleted_certificate_poller = certificate_client.begin_delete_certificate("cert-name")
deleted_certificate = deleted_certificate_poller.result()
print(deleted_certificate.name)
print(deleted_certificate.deleted_on)
list_properties_of_certificates lists the properties of all certificates in the specified Key Vault.
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
certificates = certificate_client.list_properties_of_certificates()
for certificate in certificates:
# this list doesn't include versions of the certificates
print(certificate.name)
This library includes a complete set of async APIs. To use them, you must first install an async transport, such as aiohttp. See azure-core documentation for more information.
Async clients and credentials should be closed when they're no longer needed. These
objects are async context managers and define async close
methods. For
example:
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient
credential = DefaultAzureCredential()
# call close when the client and credential are no longer needed
client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
...
await client.close()
await credential.close()
# alternatively, use them as async context managers (contextlib.AsyncExitStack can help)
client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
async with client:
async with credential:
...
create_certificate
creates a certificate to be stored in the Azure Key Vault. If a certificate with the same name already exists, a new
version of the certificate is created. Before creating a certificate, a management policy for the certificate can be
created or our default policy will be used. Awaiting create_certificate
returns your created certificate if creation
is successful, and a
CertificateOperation
if it is not.
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient
from azure.keyvault.certificates import CertificatePolicy
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
create_certificate_result = await certificate_client.create_certificate(
certificate_name="cert-name", policy=CertificatePolicy.get_default()
)
print(create_certificate_result)
list_properties_of_certificates lists all the properties of the certificates in the client's vault:
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.certificates.aio import CertificateClient
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
certificates = certificate_client.list_properties_of_certificates()
async for certificate in certificates:
print(certificate.name)
See the azure-keyvault-certificates
troubleshooting guide
for details on how to diagnose various failure scenarios.
Key Vault clients raise exceptions defined in azure-core. For example, if you try to get a key that doesn't exist in the vault, CertificateClient raises ResourceNotFoundError:
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
from azure.core.exceptions import ResourceNotFoundError
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
try:
certificate_client.get_certificate("which-does-not-exist")
except ResourceNotFoundError as e:
print(e.message)
This library uses the standard logging library for logging. Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO level.
Detailed DEBUG level logging, including request/response bodies and unredacted
headers, can be enabled on a client with the logging_enable
argument:
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
import sys
import logging
# Create a logger for the 'azure' SDK
logger = logging.getLogger('azure')
logger.setLevel(logging.DEBUG)
# Configure a console output
handler = logging.StreamHandler(stream=sys.stdout)
logger.addHandler(handler)
credential = DefaultAzureCredential()
# This client will log detailed information about its HTTP sessions, at DEBUG level
client = CertificateClient(
vault_url="https://my-key-vault.vault.azure.net/",
credential=credential,
logging_enable=True
)
Network trace logging can also be enabled for any single operation:
certificate = certificate_client.get_certificate(certificate_name="cert-name", logging_enable=True)
Several samples are available in the Azure SDK for Python GitHub repository. These samples provide example code for additional Key Vault scenarios:
File | Description |
---|---|
hello_world.py (async version) | create/get/update/delete certificates |
backup_restore_operations.py (async version) | back up and recover certificates |
import_certificate.py (async version) | import PKCS#12 (PFX) and PEM-formatted certificates into Key Vault |
list_operations.py (async version) | list certificates |
recover_purge_operations.py (async version) | recover and purge certificates |
issuers.py (async version) | manage certificate issuers |
contacts.py (async version) | manage certificate contacts |
parse_certificate.py (async version) | extract a certificate's private key |
For more extensive documentation on Azure Key Vault, see the API reference documentation.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
7.4
send_request
method that can be used to send custom requests using the
client's existing pipeline (#25172)KeyVaultCertificate.cer
and DeletedCertificate.cer
are now
Optional[bytearray]
instead of Optional[bytes]
(#28959)7.4
is now the defaultazure-core
version to 1.24.0msrest
requirementisodate>=0.6.1
(isodate
was required by msrest
)typing-extensions>=4.0.1
verify_challenge_resource=False
to client constructors to disable.
See https://aka.ms/azsdk/blog/vault-uri for more information.vault_url
property of a KeyVaultCertificateIdentifier
(#24446)azure-identity
1.8.0 or newer (#20698)KeyType
now ignores casing during declaration, which resolves a scenario where Key Vault
keys created with non-standard casing could not be fetched with the SDK
(#22797)azure-core
version to 1.20.0get_token
calls during challenge
authentication requests now pass in a tenant_id
keyword argument
(#20698). See
https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate
this parameter if get_token
is implemented by a custom credential.get_token
calls during challenge
authentication requests now pass in a tenant_id
keyword argument
(#20698)azure-identity
1.7.1 or newer
(#20698)azure-core
version to 1.15.0This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+.
msrest
version to 0.6.21issuer_name
parameter for CertificatePolicy
is now optionalKeyVaultCertificateIdentifier
that parses out a full ID returned by Key Vault,
so users can easily access the certificate's name
, vault_url
, and version
.AttributeError
during get_certificate_version
import_certificate
no longer raises AttributeError
when the policy
keyword argument isn't passedx-ms-keyvault-region
and x-ms-keyvault-service-version
headers
are no longer redacted in logging outputazure-core
version to 1.7.0CustomHookPolicy
through the optional
keyword argument custom_hook_policy
x-ms-client-request-id
azure-common
for multiapi supportrecoverable_days
to CertificateProperties
ApiVersion
enum identifying Key Vault versions supported by this packageCertificateClient
instances have a close
method which closes opened
sockets. Used as a context manager, a CertificateClient
closes opened sockets
on exit. (#9906)azure.keyvault.certificates
defines __version__
msrest
requirement to >=0.6.0KeyVaultErrorException
(#9690)vault_url
property to CertificateOperation
id
, expires_on
, not_before
, and recover_level
properties from CertificatePolicy
vault_url
property from CertificateIssuer
vault_url
property from IssuerProperties
msrest
requirement to >=0.6.0get_policy
to get_certificate_policy
update_policy
to update_certificate_policy
create_contacts
to set_contacts
admin_details
of create_issuer
and update_issuer
to admin_contacts
name
parameters to include the name of the object whose name we are referring to.
For example, the name
parameter of get_certificate
is now certificate_name
AdministratorDetails
to AdministratorContact
ekus
property of CertificatePolicy
to enhanced_key_usage
curve
property of CertificatePolicy
to key_curve_name
san_upns
property of CertificatePolicy
to san_user_principal_names
subject_name
property of CertificatePolicy
a kwarg and renamed it to subject
deleted_date
property of DeletedCertificate
to deleted_on
issuer_properties
property from CertificateIssuer
and added the provider
property
directly onto CertificateIssuer
admin_details
of CertificateIssuer
to admin_contacts
thumbprint
property of CertificateProperties
to x509_thumbprint
WellKnownIssuerNames
enum class that holds popular issuer namesSecretContentType
enum class to CertificateContentType
Removed redundant method get_pending_certificate_signing_request()
. A pending CSR can be retrieved via get_certificate_operation()
.
Renamed the sync method create_certificate
to begin_create_certificate
Renamed restore_certificate
to restore_certificate_backup
Renamed get_certificate
to get_certificate_version
Renamed get_certificate_with_policy
to get_certificate
Renamed list_certificates
to list_properties_of_certificates
Renamed list_properties_of_issuers
to list_properties_of_issuers
Renamed list_certificate_versions
to list_properties_of_certificate_versions
create_certificate
now has policy as a required parameter
All optional positional parameters besides version
have been moved to kwargs
Renamed sync method delete_certificate
to begin_delete_certificate
Renamed sync method recover_certificate
to begin_recover_deleted_certificate
Renamed async method recover_certificate
to recover_deleted_certificate
The sync method begin_delete_certificate
and async delete_certificate
now return pollers that return a DeletedCertificate
The sync method begin_recover_deleted_certificate
and async recover_deleted_certificate
now return pollers that return a KeyVaultCertificate
Renamed enum ActionType
to CertificatePolicyAction
Renamed Certificate
to KeyVaultCertificate
Renamed Contact
to CertificateContact
Renamed Issuer
to CertificateIssuer
Renamed CertificateError
to CertificateOperationError
Renamed expires
property of CertificateProperties
and CertificatePolicy
to expires_on
Renamed created
property of CertificateProperties
, CertificatePolicy
, and CertificateIssuer
to created_on
Renamed updated
property of CertificateProperties
, CertificatePolicy
, and CertificateIssuer
to updated_on
The vault_endpoint
parameter of CertificateClient
has been renamed to vault_url
The property vault_endpoint
has been renamed to vault_url
in all models
CertificatePolicy
now has a public class method get_default
allowing users to get the default CertificatePolicy
Logging can now be enabled properly on the client level
Enums JsonWebKeyCurveName
and JsonWebKeyType
have been renamed to KeyCurveName
and KeyType
, respectively.
Both async and sync versions of create_certificate
now return pollers that return the created Certificate
if creation is successful,
and a CertificateOperation
if not.
Certificate
now has attribute properties
, which holds certain properties of the
certificate, such as version
. This changes the shape of the Certificate
type,
as certain properties of Certificate
(such as version
) have to be accessed
through the properties
property.
update_certificate
has been renamed to update_certificate_properties
The vault_url
parameter of CertificateClient
has been renamed to vault_endpoint
The property vault_url
has been renamed to vault_endpoint
in all models
Version 4.0.0b3 is the first preview of our efforts to create a user-friendly and Pythonic client library for Azure Key Vault's certificates.
This library is not a direct replacement for azure-keyvault
. Applications
using that library would require code changes to use azure-keyvault-certificates
.
This package's
documentation
and
samples
demonstrate the new API.
azure-keyvault
:azure-keyvault-certificates
contains a client for certificate operationsazure-identity
credentials
azure.keyvault.certificates.aio
namespace contains an async equivalent of
the synchronous client in azure.keyvault.certificates