SecretClient Class
A high-level interface for managing a vault's secrets.
Inheritance
azure.keyvault.secrets._shared.client_base.KeyVaultClientBase → SecretClient
Constructor
SecretClient(vault_url: str, credential: TokenCredential, **kwargs: Any)
Parameters
Name | Description |
---|---|
vault_url (Required) | URL of the vault the client will access. This is also called the vault's "DNS Name". You should validate that this URL references a valid Key Vault resource. See https://aka.ms/azsdk/blog/vault-uri for details. |
credential (Required) | An object which can provide an access token for the vault, such as a credential from azure.identity |
Keyword-Only Parameters
Name | Description |
---|---|
api_version | ApiVersion or str. Version of the service API to use. Defaults to the most recent. |
verify_challenge_resource | Whether to verify the authentication challenge resource matches the Key Vault domain. Defaults to True. |
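One way to perform the vault_url validation recommended above before constructing a SecretClient. This is an added example, not part of the SDK or its documentation; the function name, the allowed suffix list (Azure public cloud) and the vault-name pattern are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: Azure public cloud suffix; add the suffixes of other clouds you use.
ALLOWED_SUFFIXES = ("vault.azure.net",)
# Assumption: vault names are 3-24 characters: letters, digits and hyphens.
VAULT_NAME = re.compile(r"[a-z][a-z0-9-]{1,22}[a-z0-9]")


def validate_vault_url(url, allowed_suffixes=ALLOWED_SUFFIXES):
    """Return the normalized vault URL, or raise ValueError if it is not trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("vault URL must use https")
    if "@" in parts.netloc:
        raise ValueError("vault URL must not carry userinfo")
    try:
        port = parts.port
    except ValueError:
        raise ValueError("vault URL has an invalid port") from None
    if port not in (None, 443):
        raise ValueError("vault URL must use the default HTTPS port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("vault URL must not carry a path, query or fragment")
    host = (parts.hostname or "").lower().rstrip(".")
    for suffix in allowed_suffixes:
        label = host[: -len(suffix) - 1]
        # Exactly one label before the suffix: rejects look-alike parent domains
        # (vault.azure.net.example.com) and nested subdomains.
        if host.endswith("." + suffix) and VAULT_NAME.fullmatch(label):
            return "https://" + host
    raise ValueError("host %r is not an allowed Key Vault domain" % host)


# Constructed sample inputs, e.g. values read from configuration.
SAMPLES = [
    "https://my-vault.vault.azure.net/",
    "http://my-vault.vault.azure.net",
    "https://my-vault.vault.azure.net.example.com",
    "https://my-vault.vault.azure.net@example.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("accepted:", validate_vault_url(sample))
        except ValueError as err:
            print("rejected:", sample, "-", err)
```

Pass the returned value as vault_url when constructing SecretClient, and leave verify_challenge_resource at its default of True.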
Methods
Method | Description |
---|---|
backup_secret | Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission. |
begin_delete_secret | Delete all versions of a secret. Requires secrets/delete permission. When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete. |
begin_recover_deleted_secret | Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled. Requires the secrets/recover permission. If the vault does not have soft-delete enabled, begin_delete_secret is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error. When this method returns, Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately. |
close | Close sockets opened by the client. Calling this method is unnecessary when using the client as a context manager. |
get_deleted_secret | Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission. |
get_secret | Get a secret. Requires the secrets/get permission. |
list_deleted_secrets | Lists all deleted secrets. Possible only in vaults with soft-delete enabled. Requires secrets/list permission. |
list_properties_of_secret_versions | List properties of all versions of a secret, excluding their values. Requires secrets/list permission. List items don't include secret values. Use get_secret to get a secret's value. |
list_properties_of_secrets | List identifiers and attributes of all secrets in the vault. Requires secrets/list permission. List items don't include secret values. Use get_secret to get a secret's value. |
purge_deleted_secret | Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled. Performs an irreversible deletion of the specified secret, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a secret before its scheduled_purge_date. Requires secrets/purge permission. |
restore_secret_backup | Restore a backed up secret. Requires the secrets/restore permission. |
send_request | Runs a network request using the client's existing pipeline. The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. |
set_secret | Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret. Requires secrets/set permission. |
update_secret_properties | Update properties of a secret other than its value. Requires secrets/set permission. This method updates properties of the secret, such as whether it's enabled, but can't change the secret's value. Use set_secret to change the secret's value. |
backup_secret
Back up a secret in a protected form useable only by Azure Key Vault. Requires secrets/backup permission.
backup_secret(name: str, **kwargs: Any) -> bytes
Parameters
Name | Description |
---|---|
name (Required) | Name of the secret to back up |
Returns
Type | Description |
---|---|
The backup result, in a protected bytes format that can only be used by Azure Key Vault. |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
begin_delete_secret
Delete all versions of a secret. Requires secrets/delete permission.
When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to wait for deletion to complete.
begin_delete_secret(name: str, **kwargs: Any) -> LROPoller[DeletedSecret]
Parameters
Name | Description |
---|---|
name (Required) | Name of the secret to delete. |
Returns
Type | Description |
---|---|
A poller for the delete operation. The poller's result method returns the DeletedSecret without waiting for deletion to complete. If the vault has soft-delete enabled and you want to permanently delete the secret with purge_deleted_secret, call the poller's wait method first. It will block until the deletion is complete. The wait method requires secrets/get permission. |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
begin_recover_deleted_secret
Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled.
Requires the secrets/recover permission. If the vault does not have soft-delete enabled, begin_delete_secret is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error.
When this method returns, Key Vault has begun recovering the secret. Recovery may take several seconds. This method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when you want to use the recovered secret in another operation immediately.
begin_recover_deleted_secret(name: str, **kwargs: Any) -> LROPoller[SecretProperties]
Parameters
Name | Description |
---|---|
name (Required) | Name of the deleted secret to recover |
Returns
Type | Description |
---|---|
A poller for the recovery operation. The poller's result method returns the recovered secret's SecretProperties without waiting for recovery to complete. If you want to use the recovered secret immediately, call the poller's wait method, which blocks until the secret is ready to use. The wait method requires secrets/get permission. |
Exceptions
Type | Description |
---|---|
close
Close sockets opened by the client.
Calling this method is unnecessary when using the client as a context manager.
close() -> None
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
get_deleted_secret
Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.
get_deleted_secret(name: str, **kwargs: Any) -> DeletedSecret
Parameters
Name | Description |
---|---|
name (Required) | Name of the deleted secret |
Returns
Type | Description |
---|---|
The deleted secret. |
Exceptions
Type | Description |
---|---|
the former if the deleted secret doesn't exist; the latter for other errors |
get_secret
Get a secret. Requires the secrets/get permission.
get_secret(name: str, version: str | None = None, **kwargs: Any) -> KeyVaultSecret
Parameters
Name | Description |
---|---|
name (Required) | The name of the secret |
version | (optional) Version of the secret to get. If unspecified, gets the latest version. |
Returns
Type | Description |
---|---|
The fetched secret. |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
list_deleted_secrets
Lists all deleted secrets. Possible only in vaults with soft-delete enabled.
Requires secrets/list permission.
list_deleted_secrets(**kwargs: Any) -> ItemPaged[DeletedSecret]
Returns
Type | Description |
---|---|
An iterator of deleted secrets, excluding their values |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
list_properties_of_secret_versions
List properties of all versions of a secret, excluding their values. Requires secrets/list permission.
List items don't include secret values. Use get_secret to get a secret's value.
list_properties_of_secret_versions(name: str, **kwargs: Any) -> ItemPaged[SecretProperties]
Parameters
Name | Description |
---|---|
name (Required) | Name of the secret |
Returns
Type | Description |
---|---|
An iterator of secrets, excluding their values |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
list_properties_of_secrets
List identifiers and attributes of all secrets in the vault. Requires secrets/list permission.
List items don't include secret values. Use get_secret to get a secret's value.
list_properties_of_secrets(**kwargs: Any) -> ItemPaged[SecretProperties]
Returns
Type | Description |
---|---|
An iterator of secrets, excluding their values |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
purge_deleted_secret
Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled.
Performs an irreversible deletion of the specified secret, without possibility for recovery. The operation is not available if the recovery_level does not specify 'Purgeable'. This method is only necessary for purging a secret before its scheduled_purge_date.
Requires secrets/purge permission.
purge_deleted_secret(name: str, **kwargs: Any) -> None
Parameters
Name | Description |
---|---|
name (Required) | Name of the deleted secret to purge |
Returns
Type | Description |
---|---|
None |
Exceptions
Type | Description |
---|---|
Examples
```python
# if the vault has soft-delete enabled, purge permanently deletes the secret
# (with soft-delete disabled, begin_delete_secret is permanent)
secret_client.purge_deleted_secret("secret-name")
```
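The delete-then-purge sequence described under begin_delete_secret and purge_deleted_secret, as an added example that is not part of the SDK documentation. delete_and_purge and StubVault are hypothetical names; the stub is a constructed stand-in for SecretClient so the block runs offline, and the handling of a bare 'Purgeable' recovery level as "no soft-delete" is an assumption.

```python
from types import SimpleNamespace


def delete_and_purge(client, name):
    """Delete `name`, wait for the deletion to finish, then purge if permitted.

    `client` is a SecretClient or any object exposing the same two methods.
    Returns (outcome, scheduled_purge_date).
    """
    poller = client.begin_delete_secret(name)
    deleted = poller.result()   # DeletedSecret; returned before deletion completes
    level = deleted.properties.recovery_level or ""
    if "Recoverable" not in level:
        # Assumption: no soft-delete on this vault, so the delete was already permanent.
        return "deleted-permanently", None
    if "Purgeable" not in level:
        # Purge is unavailable; the secret stays recoverable until this date.
        return "retained", deleted.scheduled_purge_date
    poller.wait()               # blocks until deletion completes; needs secrets/get
    client.purge_deleted_secret(name)
    return "purged", None


class StubVault:
    """Constructed stand-in for SecretClient so the example runs offline."""

    def __init__(self, recovery_level):
        self.recovery_level = recovery_level
        self.calls = []

    def begin_delete_secret(self, name):
        self.calls.append("begin_delete_secret")
        deleted = SimpleNamespace(
            properties=SimpleNamespace(recovery_level=self.recovery_level),
            scheduled_purge_date="2030-01-01T00:00:00Z",  # constructed value
        )
        return SimpleNamespace(result=lambda: deleted,
                               wait=lambda: self.calls.append("wait"))

    def purge_deleted_secret(self, name):
        # Mirrors the page's requirement: wait() must precede the purge.
        assert self.calls[-1] == "wait", "purge called before poller.wait()"
        self.calls.append("purge_deleted_secret")


if __name__ == "__main__":
    for level in ("Recoverable+Purgeable", "Recoverable", "Purgeable"):
        vault = StubVault(level)
        print(level, "->", delete_and_purge(vault, "secret-name"), vault.calls)
```

With a real client the caller needs secrets/delete, secrets/get (for wait) and secrets/purge, as listed in the method descriptions.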
restore_secret_backup
Restore a backed up secret. Requires the secrets/restore permission.
restore_secret_backup(backup: bytes, **kwargs: Any) -> SecretProperties
Parameters
Name | Description |
---|---|
backup (Required) | A secret backup as returned by backup_secret |
Returns
Type | Description |
---|---|
The restored secret |
Exceptions
Type | Description |
---|---|
the former if the secret's name is already in use; the latter for other errors |
send_request
Runs a network request using the client's existing pipeline.
The request URL can be relative to the vault URL. The service API version used for the request is the same as the client's unless otherwise specified. This method does not raise if the response is an error; to raise an exception, call raise_for_status() on the returned response object. For more information about how to send custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request.
send_request(request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse
Parameters
Name | Description |
---|---|
request (Required) | The network request you want to make. |
Keyword-Only Parameters
Name | Description |
---|---|
stream | Whether the response payload will be streamed. Defaults to False. |
Returns
Type | Description |
---|---|
The response of your network call. Does not do error handling on your response. |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
set_secret
Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret.
Requires secrets/set permission.
set_secret(name: str, value: str, *, enabled: bool | None = None, tags: Dict[str, str] | None = None, content_type: str | None = None, not_before: datetime | None = None, expires_on: datetime | None = None, **kwargs: Any) -> KeyVaultSecret
Parameters
Name | Description |
---|---|
name (Required) | The name of the secret |
value (Required) | The value of the secret |
Keyword-Only Parameters
Name | Description |
---|---|
enabled | Whether the secret is enabled for use. |
tags | Application specific metadata in the form of key-value pairs. |
content_type | An arbitrary string indicating the type of the secret, e.g. 'password' |
not_before | Not before date of the secret in UTC |
expires_on | Expiry date of the secret in UTC |
Returns
Type | Description |
---|---|
The created or updated secret. |
Exceptions
Type | Description |
---|---|
update_secret_properties
Update properties of a secret other than its value. Requires secrets/set permission.
This method updates properties of the secret, such as whether it's enabled, but can't change the secret's value. Use set_secret to change the secret's value.
update_secret_properties(name: str, version: str | None = None, *, enabled: bool | None = None, tags: Dict[str, str] | None = None, content_type: str | None = None, not_before: datetime | None = None, expires_on: datetime | None = None, **kwargs: Any) -> SecretProperties
Parameters
Name | Description |
---|---|
name (Required) | Name of the secret |
version | (optional) Version of the secret to update. If unspecified, the latest version is updated. |
Keyword-Only Parameters
Name | Description |
---|---|
enabled | Whether the secret is enabled for use. |
tags | Application specific metadata in the form of key-value pairs. |
content_type | An arbitrary string indicating the type of the secret, e.g. 'password' |
not_before | Not before date of the secret in UTC |
expires_on | Expiry date of the secret in UTC |
Returns
Type | Description |
---|---|
The updated secret properties. |
Exceptions
Type | Description |
---|---|
the former if the secret doesn't exist; the latter for other errors |
Attributes
vault_url
Azure SDK for Python