[Key Vault] Add azure-keyvault-administration samples (Azure#19736)

Author: mccoyp

sdk/keyvault/azure-keyvault-administration/samples/README.md

@@ -0,0 +1,42 @@
+---
+page_type: sample
+languages:
+  - python
+products:
+  - azure
+  - azure-key-vault
+urlFragment: keyvault-administration-samples
+---
+
+# Azure Key Vault Administration Client Library Python Samples
+
+## Prerequisites
+
+You must have an [Azure subscription](https://azure.microsoft.com/free) and an
+[Azure Managed HSM](https://docs.microsoft.com/azure/key-vault/managed-hsm/) to run
+these samples. You can create a managed HSM with the
+[Azure CLI](https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli).
+
+## Setup
+
+To run these samples, first install the Key Vault Administration and Azure Identity libraries:
+
+```commandline
+pip install azure-keyvault-administration azure-identity
+```
+
+[Azure Identity](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md) is used for authenticating Key Vault clients. These samples use the
+[DefaultAzureCredential](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md#defaultazurecredential), but any credential from the library can be used with Key Vault clients.
+
+## Contents
+| File | Description |
+|-------------|-------------|
+| [access_control_operations.py][access_control_operations_sample] | create/update/delete role definitions and role assignments |
+| [access_control_operations_async.py][access_control_operations_async_sample] | create/update/delete role definitions and role assignments with an async client |
+| [backup_restore_operations.py][backup_operations_sample] | full backup and restore |
+| [backup_restore_operations_async.py][backup_operations_async_sample] | full backup and restore with an async client |
+
+[access_control_operations_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration/samples/access_control_operations.py
+[access_control_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration/samples/access_control_operations_async.py
+[backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration/samples/backup_restore_operations.py
+[backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration/samples/backup_restore_operations_async.py

sdk/keyvault/azure-keyvault-administration/samples/access_control_operations.py

@@ -0,0 +1,90 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import os
+
+from azure.keyvault.administration import (
+    KeyVaultAccessControlClient,
+    KeyVaultDataAction,
+    KeyVaultPermission,
+    KeyVaultRoleScope,
+)
+from azure.identity import DefaultAzureCredential
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. A managed HSM (https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli)
+#
+# 2. azure-keyvault-administration and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable MANAGED_HSM_URL with the URL of your managed HSM
+#    
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+#    environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+#    (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration#authenticate-the-client)
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - demonstrates role definition and assignment operations for Managed HSM
+#
+# 1. Create a role definition (set_role_definition)
+#
+# 2. Update a role definition (set_role_definition)
+#
+# 3. Create a role assignment (create_role_assignment)
+#
+# 4. Delete a role assignment (delete_role_assignment)
+#
+# 5. Delete a role definition (delete_role_definition)
+# ----------------------------------------------------------------------------------------------------------
+
+MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
+
+# Instantiate an access control client that will be used to call the service.
+# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+credential = DefaultAzureCredential()
+client = KeyVaultAccessControlClient(vault_url=MANAGED_HSM_URL, credential=credential)
+
+# Let's first create a custom role definition. This role permits creating keys in a Managed HSM.
+# We'll provide a friendly role name, and let a unique role definition name (a GUID) be generated for us.
+print("\n.. Create a role definition")
+role_name = "customRole"
+scope = KeyVaultRoleScope.GLOBAL
+permissions = [KeyVaultPermission(data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])]
+role_definition = client.set_role_definition(scope=scope, role_name=role_name, permissions=permissions)
+print("Role definition '{}' created successfully.".format(role_definition.role_name))
+
+# Let's update our role definition to allow reading keys, but not allow creating keys.
+# To update an existing definition, pass the name keyword argument to set_role_definition. This is the unique name
+# of the role definition, which is stored in KeyVaultRoleDefinition.name.
+print("\n.. Update a role definition")
+new_permissions = [
+    KeyVaultPermission(
+        data_actions=[KeyVaultDataAction.READ_HSM_KEY],
+        not_data_actions=[KeyVaultDataAction.CREATE_HSM_KEY]
+    )
+]
+unique_definition_name = role_definition.name
+updated_definition = client.set_role_definition(
+    scope=scope, name=unique_definition_name, role_name=role_name, permissions=new_permissions
+)
+print("Role definition '{}' updated successfully.".format(updated_definition.role_name))
+
+# Now let's create a role assignment to apply our role definition to our service principal.
+# Since we don't provide the name keyword argument to create_role_definition, a unique role assignment name (a GUID)
+# is generated for us.
+print("\n.. Create a role assignment")
+principal_id = os.environ["AZURE_CLIENT_ID"]
+definition_id = updated_definition.id
+role_assignment = client.create_role_assignment(scope=scope, definition_id=definition_id, principal_id=principal_id)
+print("Role assignment created successfully.")
+
+# Let's delete the role assignment.
+print("\n.. Delete a role assignment")
+client.delete_role_assignment(scope=scope, name=role_assignment.name)
+print("Role assignment deleted successfully.")
+
+# Finally, let's delete the role definiton as well.
+print("\n.. Delete a role definition")
+client.delete_role_definition(scope=scope, name=definition_id)
+print("Role definition deleted successfully.")

sdk/keyvault/azure-keyvault-administration/samples/access_control_operations_async.py

@@ -0,0 +1,99 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import asyncio
+import os
+
+from azure.keyvault.administration import KeyVaultDataAction, KeyVaultPermission, KeyVaultRoleScope
+from azure.keyvault.administration.aio import KeyVaultAccessControlClient
+from azure.identity.aio import DefaultAzureCredential
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. A managed HSM (https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli)
+#
+# 2. azure-keyvault-administration and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable MANAGED_HSM_URL with the URL of your managed HSM
+#    
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+#    environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+#    (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration#authenticate-the-client)
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - demonstrates role definition and assignment operations for Managed HSM
+#
+# 1. Create a role definition (set_role_definition)
+#
+# 2. Update a role definition (set_role_definition)
+#
+# 3. Create a role assignment (create_role_assignment)
+#
+# 4. Delete a role assignment (delete_role_assignment)
+#
+# 5. Delete a role definition (delete_role_definition)
+# ----------------------------------------------------------------------------------------------------------
+
+async def run_sample():
+    MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
+
+    # Instantiate an access control client that will be used to call the service.
+    # Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+    credential = DefaultAzureCredential()
+    client = KeyVaultAccessControlClient(vault_url=MANAGED_HSM_URL, credential=credential)
+    
+    # Let's first create a custom role definition. This role permits creating keys in a Managed HSM.
+    # We'll provide a friendly role name, and let a unique role definition name (a GUID) be generated for us.
+    print("\n.. Create a role definition")
+    role_name = "customRole"
+    scope = KeyVaultRoleScope.GLOBAL
+    permissions = [KeyVaultPermission(data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])]
+    role_definition = await client.set_role_definition(scope=scope, role_name=role_name, permissions=permissions)
+    print("Role definition '{}' created successfully.".format(role_definition.role_name))
+
+    # Let's update our role definition to allow reading keys, but not allow creating keys.
+    # To update an existing definition, pass the name keyword argument to set_role_definition. This is the unique
+    # name of the role definition, which is stored in KeyVaultRoleDefinition.name.
+    print("\n.. Update a role definition")
+    new_permissions = [
+        KeyVaultPermission(
+            data_actions=[KeyVaultDataAction.READ_HSM_KEY],
+            not_data_actions=[KeyVaultDataAction.CREATE_HSM_KEY]
+        )
+    ]
+    unique_definition_name = role_definition.name
+    updated_definition = await client.set_role_definition(
+        scope=scope, name=unique_definition_name, role_name=role_name, permissions=new_permissions
+    )
+    print("Role definition '{}' updated successfully.".format(updated_definition.role_name))
+
+    # Now let's create a role assignment to apply our role definition to our service principal.
+    # Since we don't provide the name keyword argument to create_role_definition, a unique role assignment name
+    # (a GUID) is generated for us.
+    print("\n.. Create a role assignment")
+    principal_id = os.environ["AZURE_CLIENT_ID"]
+    definition_id = updated_definition.id
+    role_assignment = await client.create_role_assignment(
+        scope=scope, definition_id=definition_id, principal_id=principal_id
+    )
+    print("Role assignment created successfully.")
+
+    # Let's delete the role assignment.
+    print("\n.. Delete a role assignment")
+    await client.delete_role_assignment(scope=scope, name=role_assignment.name)
+    print("Role assignment deleted successfully.")
+
+    # Finally, let's delete the role definiton as well.
+    print("\n.. Delete a role definition")
+    await client.delete_role_definition(scope=scope, name=definition_id)
+    print("Role definition deleted successfully.")
+
+    await credential.close()
+    await client.close()
+
+
+if __name__ == "__main__":
+    loop = asyncio.get_event_loop()
+    loop.run_until_complete(run_sample())
+    loop.close()

sdk/keyvault/azure-keyvault-administration/samples/backup_restore_operations.py

@@ -0,0 +1,59 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import os
+
+from azure.keyvault.administration import KeyVaultBackupClient
+from azure.identity import DefaultAzureCredential
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. A managed HSM (https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli)
+#
+# 2. azure-keyvault-administration and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable MANAGED_HSM_URL with the URL of your managed HSM
+#    
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+#    environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+#    (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration#authenticate-the-client)
+#
+# 5. A storage account containing a blob storage container
+#    (See https://docs.microsoft.com/azure/storage/blobs/storage-blobs-introduction)
+#
+# 6. Set environment variables CONTAINER_URL and SAS_TOKEN corresponding to your blob container's URI and SAS
+#    (See https://docs.microsoft.com/azure/storage/common/storage-sas-overview)
+#
+# For more details, see https://docs.microsoft.com/azure/key-vault/managed-hsm/backup-restore
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - demonstrates full backup and restore operations for Managed HSM
+#
+# 1. Perform a full backup (begin_backup)
+#
+# 2. Perform a full restore (begin_restore)
+# ----------------------------------------------------------------------------------------------------------
+
+MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
+CONTAINER_URL = os.environ["CONTAINER_URL"]
+SAS_TOKEN = os.environ["SAS_TOKEN"]
+
+# Instantiate a backup client that will be used to call the service.
+# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+credential = DefaultAzureCredential()
+client = KeyVaultBackupClient(vault_url=MANAGED_HSM_URL, credential=credential)
+
+# Let's back up the vault with begin_backup, which returns a poller. Calling result() on the poller will return a
+# KeyVaultBackupResult that contains the URL of the backup after the operation completes. Calling wait() on the
+# poller will wait until the operation is complete.
+print("\n.. Back up the vault")
+backup_result = client.begin_backup(CONTAINER_URL, SAS_TOKEN).result()
+print("Vault backed up successfully.")
+
+# Now let's the vault by calling begin_restore, which also returns a poller. Calling result() on the poller will
+# return None after the operation completes. Calling wait() on the poller will wait until the operation is complete.
+# To restore a single key from the backed up vault instead, pass the key_name keyword argument.
+print("\n.. Restore the full vault")
+client.begin_restore(backup_result.folder_url, SAS_TOKEN).wait()
+print("Vault restored successfully.")

sdk/keyvault/azure-keyvault-administration/samples/backup_restore_operations_async.py

@@ -0,0 +1,72 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import asyncio
+import os
+
+from azure.keyvault.administration.aio import KeyVaultBackupClient
+from azure.identity.aio import DefaultAzureCredential
+
+# ----------------------------------------------------------------------------------------------------------
+# Prerequisites:
+# 1. A managed HSM (https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli)
+#
+# 2. azure-keyvault-administration and azure-identity libraries (pip install these)
+#
+# 3. Set environment variable MANAGED_HSM_URL with the URL of your managed HSM
+#    
+# 4. Set up your environment to use azure-identity's DefaultAzureCredential. To authenticate a service principal with
+#    environment variables, set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID
+#    (See https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration#authenticate-the-client)
+#
+# 5. A storage account containing a blob storage container
+#    (See https://docs.microsoft.com/azure/storage/blobs/storage-blobs-introduction)
+#
+# 6. Set environment variables CONTAINER_URL and SAS_TOKEN corresponding to your blob container's URI and SAS
+#    (See https://docs.microsoft.com/azure/storage/common/storage-sas-overview)
+#
+# For more details, see https://docs.microsoft.com/azure/key-vault/managed-hsm/backup-restore
+#
+# ----------------------------------------------------------------------------------------------------------
+# Sample - demonstrates full backup and restore operations for Managed HSM
+#
+# 1. Perform a full backup (begin_backup)
+#
+# 2. Perform a full restore (begin_restore)
+# ----------------------------------------------------------------------------------------------------------
+
+async def run_sample():
+    MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
+    CONTAINER_URL = os.environ["CONTAINER_URL"]
+    SAS_TOKEN = os.environ["SAS_TOKEN"]
+
+    # Instantiate a backup client that will be used to call the service.
+    # Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
+    credential = DefaultAzureCredential()
+    client = KeyVaultBackupClient(vault_url=MANAGED_HSM_URL, credential=credential)
+    
+    # Let's back up the vault with begin_backup, which returns a poller. Calling result() on the poller will return
+    # a KeyVaultBackupResult that contains the URL of the backup after the operation completes. Calling wait() on
+    # the poller will wait until the operation is complete.
+    print("\n.. Back up the vault")
+    backup_poller = await client.begin_backup(CONTAINER_URL, SAS_TOKEN)
+    backup_result = await backup_poller.result()
+    print("Vault backed up successfully.")
+
+    # Now let's the vault by calling begin_restore, which also returns a poller. Calling result() on the poller will
+    # return None after the operation completes. Calling wait() on the poller will wait until the operation is
+    # complete. To restore a single key from the backed up vault instead, pass the key_name keyword argument.
+    print("\n.. Restore the full vault")
+    restore_poller = await client.begin_restore(backup_result.folder_url, SAS_TOKEN)
+    await restore_poller.wait()
+    print("Vault restored successfully.")
+
+    await credential.close()
+    await client.close()
+
+
+if __name__ == "__main__":
+    loop = asyncio.get_event_loop()
+    loop.run_until_complete(run_sample())
+    loop.close()

sdk/keyvault/azure-keyvault-administration/tests/test_examples_administration.py

@@ -66,7 +66,7 @@ def test_example_backup_and_restore(self, container_uri, sas_token):
         restore_poller = backup_client.begin_restore(folder_url, sas_token)
 
         # check if the restore completed
-        done = backup_poller.done()
+        done = restore_poller.done()
 
         # wait for the restore to complete
         restore_poller.wait()
@@ -91,7 +91,7 @@ def test_example_selective_key_restore(self, container_uri, sas_token):
         restore_poller = backup_client.begin_restore(folder_url, sas_token, key_name=key_name)
 
         # check if the restore completed
-        done = backup_poller.done()
+        done = restore_poller.done()
 
         # wait for the restore to complete
         restore_poller.wait()