SecretClient Class

Reference

A high-level interface for managing a vault's secrets.

Inheritance: azure.keyvault.secrets._shared.client_base.KeyVaultClientBase

SecretClient

Constructor

SecretClient(vault_url: str, credential: TokenCredential, **kwargs: Any)

Parameters

Name	Description
vault_url Required	str URL of the vault the client will access. This is also called the vault's "DNS Name". You should validate that this URL references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details.
credential Required	TokenCredential An object which can provide an access token for the vault, such as a credential from identity

Keyword-Only Parameters

Name	Description
api_version	ApiVersion or str Version of the service API to use. Defaults to the most recent.
verify_challenge_resource	bool Whether to verify the authentication challenge resource matches the Key Vault domain. Defaults to True.

Methods

backup_secret	Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission.
begin_delete_secret	Delete all versions of a secret. Requires secrets/delete permission. When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
begin_recover_deleted_secret	Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled. Requires the secrets/recover permission. If the vault does not have soft-delete enabled, begin_delete_secret is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error. When this method returns Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately.
close	Close sockets opened by the client. Calling this method is unnecessary when using the client as a context manager.
get_deleted_secret	Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.
get_secret	Get a secret. Requires the secrets/get permission.
list_deleted_secrets	Lists all deleted secrets. Possible only in vaults with soft-delete enabled. Requires secrets/list permission.
list_properties_of_secret_versions	List properties of all versions of a secret, excluding their values. Requires secrets/list permission. List items don't include secret values. Use get_secret to get a secret's value.
list_properties_of_secrets	List identifiers and attributes of all secrets in the vault. Requires secrets/list permission. List items don't include secret values. Use get_secret to get a secret's value.
purge_deleted_secret	Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled. Performs an irreversible deletion of the specified secret, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a secret before its scheduled_purge_date. Requires secrets/purge permission.
restore_secret_backup	Restore a backed up secret. Requires the secrets/restore permission.
send_request	Runs a network request using the client's existing pipeline. The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.
set_secret	Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret. Requires secrets/set permission.
update_secret_properties	Update properties of a secret other than its value. Requires secrets/set permission. This method updates properties of the secret, such as whether it's enabled, but can't change the secret's value. Use set_secret to change the secret's value.

backup_secret

Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission.

backup_secret(name: str, **kwargs: Any) -> bytes

Parameters

Name	Description
name Required	str Name of the secret to back up

Returns

Type	Description
bytes	The backup result, in a protected bytes format that can only be used by Azure Key Vault.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

begin_delete_secret

Delete all versions of a secret. Requires secrets/delete permission.

When this method returns Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.

begin_delete_secret(name: str, **kwargs: Any) -> LROPoller[DeletedSecret]

Parameters

Name	Description
name Required	str Name of the secret to delete.

Returns

Type	Description
LROPoller[DeletedSecret]	A poller for the delete operation. The poller's result method returns the DeletedSecret without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the secret with purge_deleted_secret, call the poller's wait method first. It will block until the deletion is complete. The wait method requires secrets/get permission.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

begin_recover_deleted_secret

Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled.

Requires the secrets/recover permission. If the vault does not have soft-delete enabled, begin_delete_secret is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error. When this method returns Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately.

begin_recover_deleted_secret(name: str, **kwargs: Any) -> LROPoller[SecretProperties]

Parameters

Name	Description
name Required	str Name of the deleted secret to recover

Returns

Type	Description
LROPoller[SecretProperties]	A poller for the recovery operation. The poller's result method returns the recovered secret's SecretProperties without waiting for recovery to complete. If you want to use the recovered secret immediately, call the poller's wait method, which blocks until the secret is ready to use. The wait method requires secrets/get permission.

Exceptions

Type	Description
HttpResponseError

close

Close sockets opened by the client.

Calling this method is unnecessary when using the client as a context manager.

close() -> None

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

get_deleted_secret

Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.

get_deleted_secret(name: str, **kwargs: Any) -> DeletedSecret

Parameters

Name	Description
name Required	str Name of the deleted secret

Returns

Type	Description
DeletedSecret	The deleted secret.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the deleted secret doesn't exist; the latter for other errors

get_secret

Get a secret. Requires the secrets/get permission.

get_secret(name: str, version: str | None = None, **kwargs: Any) -> KeyVaultSecret

Parameters

Name	Description
name Required	str The name of the secret
version Required	str (optional) Version of the secret to get. If unspecified, gets the latest version.

Returns

Type	Description
KeyVaultSecret	The fetched secret.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

list_deleted_secrets

Lists all deleted secrets. Possible only in vaults with soft-delete enabled.

Requires secrets/list permission.

list_deleted_secrets(**kwargs: Any) -> ItemPaged[DeletedSecret]

Returns

Type	Description
ItemPaged[DeletedSecret]	An iterator of deleted secrets, excluding their values

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

list_properties_of_secret_versions

List properties of all versions of a secret, excluding their values. Requires secrets/list permission.

List items don't include secret values. Use get_secret to get a secret's value.

list_properties_of_secret_versions(name: str, **kwargs: Any) -> ItemPaged[SecretProperties]

Parameters

Name	Description
name Required	str Name of the secret

Returns

Type	Description
ItemPaged[SecretProperties]	An iterator of secrets, excluding their values

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

list_properties_of_secrets

List identifiers and attributes of all secrets in the vault. Requires secrets/list permission.

List items don't include secret values. Use get_secret to get a secret's value.

list_properties_of_secrets(**kwargs: Any) -> ItemPaged[SecretProperties]

Returns

Type	Description
ItemPaged[SecretProperties]	An iterator of secrets, excluding their values

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

purge_deleted_secret

Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled.

Performs an irreversible deletion of the specified secret, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a secret before its scheduled_purge_date.

Requires secrets/purge permission.

purge_deleted_secret(name: str, **kwargs: Any) -> None

Parameters

Name	Description
name Required	str Name of the deleted secret to purge

Returns

Type	Description
	None

Exceptions

Type	Description
HttpResponseError

Examples


   # if the vault has soft-delete enabled, purge permanently deletes the secret
   # (with soft-delete disabled, begin_delete_secret is permanent)
   secret_client.purge_deleted_secret("secret-name")

restore_secret_backup

Restore a backed up secret. Requires the secrets/restore permission.

restore_secret_backup(backup: bytes, **kwargs: Any) -> SecretProperties

Parameters

Name	Description
backup Required	bytes A secret backup as returned by backup_secret

Returns

Type	Description
SecretProperties	The restored secret

Exceptions

Type	Description
ResourceExistsError
HttpResponseError	the former if the secret's name is already in use; the latter for other errors

send_request

Runs a network request using the client's existing pipeline.

The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.

send_request(request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse

Parameters

Name	Description
request Required	HttpRequest The network request you want to make.

Keyword-Only Parameters

Name	Description
stream	bool Whether the response payload will be streamed. Defaults to False.

Returns

Type	Description
HttpResponse	The response of your network call. Does not do error handling on your response.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

set_secret

Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret.

Requires secrets/set permission.

set_secret(name: str, value: str, *, enabled: bool | None = None, tags: Dict[str, str] | None = None, content_type: str | None = None, not_before: datetime | None = None, expires_on: datetime | None = None, **kwargs: Any) -> KeyVaultSecret

Parameters

Name	Description
name Required	str The name of the secret
value Required	str The value of the secret

Keyword-Only Parameters

Name	Description
enabled	bool Whether the secret is enabled for use.
tags	Dict[str, str] or None Application specific metadata in the form of key-value pairs.
content_type	str An arbitrary string indicating the type of the secret, e.g. 'password'
not_before	datetime Not before date of the secret in UTC
expires_on	datetime Expiry date of the secret in UTC

Returns

Type	Description
KeyVaultSecret	The created or updated secret.

Exceptions

Type	Description
HttpResponseError

update_secret_properties

Update properties of a secret other than its value. Requires secrets/set permission.

This method updates properties of the secret, such as whether it's enabled, but can't change the secret's value. Use set_secret to change the secret's value.

update_secret_properties(name: str, version: str | None = None, *, enabled: bool | None = None, tags: Dict[str, str] | None = None, content_type: str | None = None, not_before: datetime | None = None, expires_on: datetime | None = None, **kwargs: Any) -> SecretProperties

Parameters

Name	Description
name Required	str Name of the secret
version Required	str (optional) Version of the secret to update. If unspecified, the latest version is updated.

Keyword-Only Parameters

Name	Description
enabled	bool Whether the secret is enabled for use.
tags	Dict[str, str] or None Application specific metadata in the form of key-value pairs.
content_type	str An arbitrary string indicating the type of the secret, e.g. 'password'
not_before	datetime Not before date of the secret in UTC
expires_on	datetime Expiry date of the secret in UTC

Returns

Type	Description
SecretProperties	The updated secret properties.

Exceptions

Type	Description
ResourceNotFoundError
HttpResponseError	the former if the secret doesn't exist; the latter for other errors

Share via

SecretClient Class

Constructor

Parameters

Keyword-Only Parameters

Methods

backup_secret

Parameters

Returns

Exceptions

begin_delete_secret

Parameters

Returns

Exceptions

begin_recover_deleted_secret

Parameters

Returns

Exceptions

close

Exceptions

get_deleted_secret

Parameters

Returns

Exceptions

get_secret

Parameters

Returns

Exceptions

list_deleted_secrets

Returns

Exceptions

list_properties_of_secret_versions

Parameters

Returns

Exceptions

list_properties_of_secrets

Returns

Exceptions

purge_deleted_secret

Parameters

Returns

Exceptions

Examples

restore_secret_backup

Parameters

Returns

Exceptions

send_request

Parameters

Keyword-Only Parameters

Returns

Exceptions

set_secret

Parameters

Keyword-Only Parameters

Returns

Exceptions

update_secret_properties

Parameters

Keyword-Only Parameters

Returns

Exceptions

Attributes

vault_url

Additional resources