[Key Vault] Add migration guide for azure-keyvault-keys #15819
Conversation
Diff context:

```python
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
```

You can also create a `CryptographyClient` to enable cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
Suggested change:

```diff
-You can also create a `CryptographyClient` to enable cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
+You can also create a `CryptographyClient` to perform cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
```
Diff context:

```python
# create a key with specified type
key = key_client.create_key(name="key-name", key_type="oct")
```
"oct" will get an error from a standard Key Vault. Also may be useful to show the KeyType
enum here:
Suggested change:

```diff
-# create a key with specified type
-key = key_client.create_key(name="key-name", key_type="oct")
+from azure.keyvault.keys import KeyType
+# create a key with specified type
+key = key_client.create_key(name="key-name", key_type=KeyType.ec)
```
Diff context:

```python
rsa_key = key_client.create_rsa_key(name="rsa-key-name", size=2048)

# create an elliptic curve key
ec_key = key_client.create_ec_key(name="ec-key-name", curve="P-256")
```
Suggest showing `KeyCurveName` here.
Diff context:

```python
)

for key_item in key_items:
    key_id = KeyId(key_item.kid)
```
This isn't mentioned in the text or used in the example?
This variable isn't used directly, but I split up the process of fetching the key version because I wanted to clearly show how the `KeyId` was being used. I don't think condensing lines 159/160 into `key_version = KeyId(key_item.kid).version` would be too complicated though, if you think that's neater.
Ah, my bad, it's used in the sense I meant on the next line, it's fine like this 🤓
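The snippet under review extracts a key version from `key_item.kid` by way of the old SDK's `KeyId` helper. The following is an added example, not code from this pull request or from either Key Vault SDK, that does the same job with only the standard library so it can be run offline: it splits a Key Vault key identifier of the form `https://<vault>.vault.azure.net/keys/<name>[/<version>]` into vault URL, name and version. It also handles the two things a practitioner trips over in that loop: identifiers returned by a key listing often carry no version at all (so the version must be optional), and a `kid` that came from anywhere other than your own vault should be rejected before you act on it. The class and function names, the `expected_vault_url` check and the sample identifiers are all assumptions made here; later `azure-keyvault-keys` releases ship their own identifier parser, which is what you should use in production.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ParsedKeyId:
    """Components of a Key Vault key identifier such as
    https://<vault>.vault.azure.net/keys/<name>/<version>.
    (Hypothetical helper type for this example.)"""
    vault_url: str
    name: str
    version: Optional[str]  # None for an unversioned identifier


def parse_key_id(kid: str, expected_vault_url: Optional[str] = None) -> ParsedKeyId:
    """Split a key identifier into vault URL, key name and optional version.

    Raises ValueError for anything that is not an https URL whose path is
    /keys/{name} or /keys/{name}/{version}, and, when expected_vault_url is
    given, for identifiers that point at a different vault than the caller's.
    """
    parts = urlparse(kid)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"key identifier must be an https URL: {kid!r}")

    segments = [s for s in parts.path.split("/") if s]
    if segments[:1] != ["keys"] or len(segments) not in (2, 3):
        raise ValueError(f"unexpected key identifier path: {parts.path!r}")

    vault_url = f"{parts.scheme}://{parts.netloc}".lower()
    if expected_vault_url is not None and vault_url != expected_vault_url.rstrip("/").lower():
        raise ValueError(f"identifier {kid!r} does not belong to vault {expected_vault_url!r}")

    return ParsedKeyId(
        vault_url=vault_url,
        name=segments[1],
        version=segments[2] if len(segments) == 3 else None,
    )


def versions_from_kids(kids: Iterable[str], vault_url: str) -> List[Optional[str]]:
    """The loop from the guide (key_id = KeyId(key_item.kid); key_id.version),
    applied to a batch of identifiers that must all belong to one vault."""
    return [parse_key_id(kid, expected_vault_url=vault_url).version for kid in kids]


# Constructed sample data, not real vault output: one versioned identifier (as a
# key-versions listing returns) and one without a version (as a key listing returns).
VAULT_URL = "https://my-key-vault.vault.azure.net/"
SAMPLE_KIDS = [
    "https://my-key-vault.vault.azure.net/keys/key-name/0123456789abcdef0123456789abcdef",
    "https://my-key-vault.vault.azure.net/keys/key-name",
]

if __name__ == "__main__":
    for kid in SAMPLE_KIDS:
        print(parse_key_id(kid, expected_vault_url=VAULT_URL))
    print(versions_from_kids(SAMPLE_KIDS, VAULT_URL))
```

The vault check matters when identifiers arrive from outside the process (a config file, a message, a stored reference): a `kid` pointing at someone else's vault would otherwise be passed straight into `get_key`, and the resulting error message or behaviour can leak which vaults the caller's credential can reach.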
Diff context:

```python
ciphertext = operation_result.result
```

Now in `azure-keyvault-keys` you can perform these cryptographic operations by using a `CryptographyClient`. The key used to create the client will be used for these operations.
Another difference is that `CryptographyClient` performs operations locally when it has or can get the key material, whereas every `KeyVaultClient` crypto operation is performed by Key Vault.
Diff context:

```python
ciphertext = operation_result.result
```

Now in `azure-keyvault-keys` you can perform these cryptographic operations by using a `CryptographyClient`. The key used to create the client will be used for these operations. Cryptographic operations are now performed locally by the client, rather than remotely by Key Vault.
This implies CryptographyClient does everything locally, but actually it falls back to Key Vault when it can't get the key material.
Hm, that makes sense. Is there documentation of the CryptographyClient's behavior that I could refer/link to, or would this have to be gleaned from the source code?
Good question. It should be documented but is not: #15859
Part of #15118.
This also includes some (very) minor fixes to the azure-keyvault-keys README.