[Key Vault] Add sample for parsing private key/public certificate from certificate #15863
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| # ------------------------------------ | ||
| # Copyright (c) Microsoft Corporation. | ||
| # Licensed under the MIT License. | ||
| # ------------------------------------ | ||
| import base64 | ||
| import os | ||
| from azure.identity import DefaultAzureCredential | ||
| from azure.keyvault.certificates import CertificateClient, CertificatePolicy | ||
| from azure.keyvault.secrets import SecretClient | ||
| from azure.core.exceptions import HttpResponseError | ||
| from cryptography.hazmat.primitives.serialization import pkcs12 | ||
|
|
||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Prerequisites: | ||
| # 1. An Azure Key Vault. (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) | ||
| # | ||
| # 2. A service principal with certificate get, delete, and purge permissions, as well as secret get | ||
| # permissions. | ||
| # | ||
| # 3. azure-keyvault-certificates, azure-keyvault-secrets, azure-identity, and cryptography (v3.3+) packages | ||
| # (pip install these). | ||
| # | ||
| # 4. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL. (See | ||
| # https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates#authenticate-the-client) | ||
| # | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Sample - demonstrates how to get the private key of an existing Key Vault certificate | ||
| # | ||
| # 1. Create a new certificate (CertificateClient.begin_create_certificate) | ||
| # | ||
| # 2. Get a certificate secret (SecretClient.get_secret) | ||
| # | ||
| # 3. Delete a certificate (CertificateClient.begin_delete_certificate) | ||
| # | ||
| # 4. Purge a certificate (CertificateClient.purge_deleted_secret) | ||
| # | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
|
|
||
| # Instantiate a certificate client that will be used to call the service. | ||
| # Notice that the client is using default Azure credentials. | ||
| # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', | ||
| # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. | ||
| VAULT_URL = os.environ["VAULT_URL"] | ||
| credential = DefaultAzureCredential() | ||
| certificate_client = CertificateClient(vault_url=VAULT_URL, credential=credential) | ||
|
|
||
| # Instantiate a secret client that will be used to call the service. | ||
| # Notice that this client can reuse the credential object created above. | ||
| secret_client = SecretClient(vault_url=VAULT_URL, credential=credential) | ||
| try: | ||
| # Let's create a certificate in the vault. | ||
| # If the certificate already exists in the Key Vault, then a new version of the certificate is created. | ||
| print("\n.. Create certificate") | ||
|
|
||
| # Before creating your certificate, let's create the management policy for your certificate. | ||
| # Here we use the default policy. | ||
| cert_name = "PrivateKeyCertificate" | ||
| cert_policy = CertificatePolicy.get_default() | ||
|
|
||
| # begin_create_certificate returns a poller. Calling result() on the poller will return the certificate | ||
| # as a KeyVaultCertificate if creation is successful, and the CertificateOperation if not. The wait() | ||
| # call on the poller will wait until the long running operation is complete. | ||
| created_certificate = certificate_client.begin_create_certificate( | ||
| certificate_name=cert_name, policy=cert_policy | ||
| ).result() | ||
| print("Certificate with name '{}' was created".format(created_certificate.name)) | ||
|
|
||
| # Key Vault also creates a secret with the same name as the created certificate. | ||
| # This secret contains protected information about the certificate, such as its private key. | ||
| print("\n.. Get a secret by name") | ||
| certificate_secret = secret_client.get_secret(name=cert_name) | ||
| print("Certificate secret with name '{}' was found.".format(certificate_secret.name)) | ||
|
|
||
| # Now we can extract the private key and public certificate from the secret using the cryptography | ||
| # package. `additional_certificates` will be empty since the secret only contains one certificate. | ||
| cert_bytes = base64.b64decode(certificate_secret.value) | ||
| private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates( | ||
|
There was a problem hiding this comment. Key Vault supports PEM as well. If these bytes were PEM encoded, you'd want There was a problem hiding this comment. Got it! I didn't want to provide a PEM example in fear of complicating things, but you're right that it's worth a mention even if we don't walk through an example. |
||
| data=cert_bytes, | ||
| password=None | ||
| ) | ||
| print("Certificate with name '{}' was parsed.".format(certificate_secret.name)) | ||
|
|
||
| # Now we can clean up the vault by deleting, then purging, the certificate. | ||
| print("\n.. Delete certificate") | ||
| delete_operation_poller = certificate_client.begin_delete_certificate( | ||
| certificate_name=cert_name | ||
| ) | ||
| deleted_certificate = delete_operation_poller.result() | ||
| delete_operation_poller.wait() | ||
| print("Certificate with name '{}' was deleted.".format(deleted_certificate.name)) | ||
|
|
||
| certificate_client.purge_deleted_certificate(certificate_name=deleted_certificate.name) | ||
| print("Certificate with name '{}' is being purged.".format(deleted_certificate.name)) | ||
|
|
||
| except HttpResponseError as e: | ||
| print("\nrun_sample has caught an error. {}".format(e.message)) | ||
|
|
||
| finally: | ||
| print("\nrun_sample done") | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,110 @@ | ||
| # ------------------------------------ | ||
| # Copyright (c) Microsoft Corporation. | ||
| # Licensed under the MIT License. | ||
| # ------------------------------------ | ||
| import asyncio | ||
| import base64 | ||
| import os | ||
| from azure.identity.aio import DefaultAzureCredential | ||
| from azure.keyvault.certificates.aio import CertificateClient | ||
| from azure.keyvault.certificates import CertificatePolicy | ||
| from azure.keyvault.secrets.aio import SecretClient | ||
| from azure.core.exceptions import HttpResponseError | ||
| from cryptography.hazmat.primitives.serialization import pkcs12 | ||
|
|
||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Prerequisites: | ||
| # 1. An Azure Key Vault. (https://docs.microsoft.com/en-us/azure/key-vault/quick-create-cli) | ||
| # | ||
| # 2. A service principal with certificate get, delete, and purge permissions, as well as secret get | ||
| # permissions. | ||
| # | ||
| # 3. azure-keyvault-certificates, azure-keyvault-secrets, azure-identity, and cryptography (v3.3+) packages | ||
| # (pip install these). | ||
| # | ||
| # 4. Set Environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, VAULT_URL. (See | ||
| # https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/keyvault/azure-keyvault-certificates#authenticate-the-client) | ||
| # | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
| # Sample - demonstrates how to get the private key of an existing Key Vault certificate | ||
| # | ||
| # 1. Create a new certificate (CertificateClient.create_certificate) | ||
| # | ||
| # 2. Get a certificate secret (SecretClient.get_secret) | ||
| # | ||
| # 3. Delete a certificate (CertificateClient.delete_certificate) | ||
| # | ||
| # 4. Purge a certificate (CertificateClient.purge_deleted_secret) | ||
| # | ||
| # ---------------------------------------------------------------------------------------------------------- | ||
|
|
||
| async def run_sample(): | ||
| # Instantiate a certificate client that will be used to call the service. | ||
| # Notice that the client is using default Azure credentials. | ||
| # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', | ||
| # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. | ||
| VAULT_URL = os.environ["VAULT_URL"] | ||
| credential = DefaultAzureCredential() | ||
| certificate_client = CertificateClient(vault_url=VAULT_URL, credential=credential) | ||
|
|
||
| # Instantiate a secret client that will be used to call the service. | ||
| # Notice that this client can reuse the credential object created above. | ||
| secret_client = SecretClient(vault_url=VAULT_URL, credential=credential) | ||
| try: | ||
| # Let's create a certificate in the vault. | ||
| # If the certificate already exists in the Key Vault, then a new version of the certificate is created. | ||
| print("\n.. Create certificate") | ||
|
|
||
| # Before creating your certificate, let's create the management policy for your certificate. | ||
| # Here we use the default policy. | ||
| cert_name = "PrivateKeyCertificate" | ||
| cert_policy = CertificatePolicy.get_default() | ||
|
|
||
| # Awaiting create_certificate will return the certificate as a KeyVaultCertificate | ||
| # if creation is successful, and the CertificateOperation if not. | ||
| created_certificate = await certificate_client.create_certificate( | ||
| certificate_name=cert_name, policy=cert_policy | ||
| ) | ||
| print("Certificate with name '{}' was created".format(created_certificate.name)) | ||
|
|
||
| # Key Vault also creates a secret with the same name as the created certificate. | ||
| # This secret contains protected information about the certificate, such as its private key. | ||
| print("\n.. Get a secret by name") | ||
| certificate_secret = await secret_client.get_secret(name=cert_name) | ||
| print("Certificate secret with name '{}' was found.".format(certificate_secret.name)) | ||
|
|
||
| # Now we can extract the private key and public certificate from the secret using the cryptography | ||
| # package. `additional_certificates` will be empty since the secret only contains one certificate. | ||
| cert_bytes = base64.b64decode(certificate_secret.value) | ||
| private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates( | ||
| data=cert_bytes, | ||
| password=None | ||
| ) | ||
| print("Certificate with name '{}' was parsed.".format(certificate_secret.name)) | ||
|
|
||
| # Now we can clean up the vault by deleting, then purging, the certificate. | ||
| print("\n.. Delete certificate") | ||
| deleted_certificate = await certificate_client.delete_certificate(certificate_name=cert_name) | ||
| print("Certificate with name '{}' was deleted.".format(deleted_certificate.name)) | ||
|
|
||
| await certificate_client.purge_deleted_certificate(certificate_name=deleted_certificate.name) | ||
| print("Certificate with name '{}' is being purged.".format(deleted_certificate.name)) | ||
|
|
||
| except HttpResponseError as e: | ||
| print("\nrun_sample has caught an error. {}".format(e.message)) | ||
|
|
||
| finally: | ||
| print("\nrun_sample done") | ||
| await credential.close() | ||
| await certificate_client.close() | ||
| await secret_client.close() | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| try: | ||
| loop = asyncio.get_event_loop() | ||
| loop.run_until_complete(run_sample()) | ||
| loop.close() | ||
|
|
||
| except Exception as e: | ||
| print("Top level error: {}".format(str(e))) |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be more precise: the secret contains the certificate's bytes, which include the private key only when the cert's policy marks it exportable (the service documents this here). We should mention that to make it clear there are by-design cases in which Key Vault won't release a cert's private key.