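# ------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy, CertificateContentType, WellKnownIssuerNames
from azure.core.exceptions import HttpResponseError

# ----------------------------------------------------------------------------------------------------------
# Prerequisites:
# 1. An Azure Key Vault (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli)
#
# 2. azure-keyvault-certificates and azure-identity packages (pip install these)
#
# 3. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL. (See
#    https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates#authenticate-the-client)
#
# ----------------------------------------------------------------------------------------------------------
# Sample - demonstrates the basic CRUD operations on a vault(certificate) resource for Azure Key Vault
#
# 1. Create a new certificate (begin_create_certificate)
#
# 2. Get an existing certificate (get_certificate)
#
# 3. Update an existing certificate's properties (update_certificate_properties)
#
# 4. Delete a certificate (begin_delete_certificate)
#
# ----------------------------------------------------------------------------------------------------------

# Instantiate a certificate client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
# VAULT_URL is read with os.environ[...] on purpose: a missing value raises KeyError immediately
# rather than sending requests to an empty/wrong vault URL.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=VAULT_URL, credential=credential)
try:
    # Let's create a certificate for holding bank account credentials. The policy below makes it
    # valid for 2 years (validity_in_months=24).
    # If the certificate already exists in the Key Vault, then a new version of the certificate is created.
    print("\n.. Create certificate")

    # Before creating your certificate, let's create the management policy for your certificate.
    # Here you specify the properties of the key, secret, and issuer backing your certificate,
    # the X509 component of your certificate, and any lifetime actions you would like to be taken
    # on your certificate.
    #
    # Alternatively, if you would like to use our default policy, use CertificatePolicy.get_default()
    cert_policy = CertificatePolicy(
        # Self-signed issuer: fine for a sample, not for certificates that clients must trust.
        issuer_name=WellKnownIssuerNames.self,
        subject="CN=*.microsoft.com",
        san_dns_names=["sdk.azure-int.net"],
        # exportable=True allows the private key to be retrieved from the vault; leave it False
        # unless callers genuinely need the key material outside Key Vault.
        exportable=True,
        key_type="RSA",
        key_size=2048,
        # reuse_key=False: each new version gets a fresh key pair instead of re-using the old one.
        reuse_key=False,
        content_type=CertificateContentType.pkcs12,
        validity_in_months=24,
    )
    cert_name = "HelloWorldCertificate"

    # begin_create_certificate returns a poller. Calling result() on the poller will return the certificate
    # as a KeyVaultCertificate if creation is successful, and the CertificateOperation if not. The wait()
    # call on the poller will wait until the long running operation is complete.
    certificate = client.begin_create_certificate(
        certificate_name=cert_name, policy=cert_policy
    ).result()
    print("Certificate with name '{0}' created".format(certificate.name))

    # Let's get the bank certificate using its name
    print("\n.. Get a certificate by name")
    bank_certificate = client.get_certificate(cert_name)
    print("Certificate with name '{0}' was found'.".format(bank_certificate.name))

    # Later on, the bank account is still active, and we have decided to update the tags.
    # update_certificate_properties changes only metadata (tags, enabled); it does not touch the
    # key material or the policy.
    print("\n.. Update a certificate by name")
    tags = {"a": "b"}
    updated_certificate = client.update_certificate_properties(
        certificate_name=bank_certificate.name, tags=tags
    )
    print(
        "Certificate with name '{0}' was updated on date '{1}'".format(
            bank_certificate.name, updated_certificate.properties.updated_on
        )
    )
    print(
        "Certificate with name '{0}' was updated with tags '{1}'".format(
            bank_certificate.name, updated_certificate.properties.tags
        )
    )

    # The bank account was closed, need to delete its credentials from the Key Vault.
    # begin_delete_certificate is also a long-running operation; result() blocks until the
    # service reports the certificate as deleted.
    print("\n.. Delete certificate")
    deleted_certificate = client.begin_delete_certificate(bank_certificate.name).result()
    print("Certificate with name '{0}' was deleted.".format(deleted_certificate.name))

except HttpResponseError as e:
    # Service-side failures (auth, permissions, policy validation, ...) arrive as HttpResponseError.
    print("\nrun_sample has caught an error. {0}".format(e.message))

finally:
    print("\nrun_sample done")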