# Azure Key Vault Keys client library for Python
Azure Key Vault helps solve the following problems:
- Cryptographic key management (this library) - create, store, and control
access to the keys used to encrypt your data
- Secrets management
([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) -
securely store and control access to tokens, passwords, certificates, API keys,
and other secrets
- Certificate management
([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) -
create, manage, and deploy public and private SSL/TLS certificates
- Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options
[Source code][library_src]
| [Package (PyPI)][pypi_package_keys]
| [Package (Conda)](https://anaconda.org/microsoft/azure-keyvault/)
| [API reference documentation][reference_docs]
| [Product documentation][azure_keyvault]
| [Samples][key_samples]
## _Disclaimer_
_Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_.
_Python 3.8 or later is required to use this package. For more details, please refer to [Azure SDK for Python version support policy](https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy)._
## Getting started
### Install the package
Install [azure-keyvault-keys][pypi_package_keys] and
[azure-identity][azure_identity_pypi] with [pip][pip]:
```Bash
pip install azure-keyvault-keys azure-identity
```
[azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below.
### Prerequisites
* An [Azure subscription][azure_sub]
* Python 3.8 or later
* An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli].
* If using Managed HSM, an existing [Key Vault Managed HSM][managed_hsm]. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli].
### Authenticate the client
In order to interact with the Azure Key Vault service, you will need an instance of a [KeyClient][key_client_docs], as
well as a **vault URL** and a credential object. This document demonstrates using a
[DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios. We recommend using a
[managed identity][managed_identity] for authentication in production environments.
See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their
corresponding credential types.
#### Create a client
After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of
authentication, you can do the following to create a key client (replacing the value of `VAULT_URL` with your vault's
URL):
<!-- SNIPPET:hello_world.create_a_key_client -->
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = KeyClient(vault_url=VAULT_URL, credential=credential)
```
<!-- END SNIPPET -->
> **NOTE:** For an asynchronous client, import `azure.keyvault.keys.aio`'s `KeyClient` instead.
## Key concepts
### Keys
Azure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security
modules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys
and supported operations and algorithms, see the
[Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys).
[KeyClient][key_client_docs] can create keys in the vault, get existing keys
from the vault, update key metadata, and delete keys, as shown in the
[examples](#examples) below.
## Examples
This section contains code snippets covering common tasks:
* [Create a key](#create-a-key)
* [Retrieve a key](#retrieve-a-key)
* [Update an existing key](#update-an-existing-key)
* [Delete a key](#delete-a-key)
* [Configure automatic key rotation](#configure-automatic-key-rotation)
* [List keys](#list-keys)
* [Perform cryptographic operations](#cryptographic-operations)
* [Async API](#async-api)
* [Asynchronously create a key](#asynchronously-create-a-key)
* [Asynchronously list keys](#asynchronously-list-keys)
### Create a key
The [create_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_key) method can be
used by a `KeyClient` to create a key of any type -- alternatively, specific helpers such as
[create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and
[create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key)
create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version
of that key is created.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
# Create an RSA key
rsa_key = key_client.create_rsa_key("rsa-key-name", size=2048)
print(rsa_key.name)
print(rsa_key.key_type)
# Create an elliptic curve key
ec_key = key_client.create_ec_key("ec-key-name", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
```
### Retrieve a key
[get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key
previously stored in the Vault.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
key = key_client.get_key("key-name")
print(key.name)
```
### Update an existing key
[update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties)
updates the properties of a key previously stored in the Key Vault.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
# we will now disable the key for further use
updated_key = key_client.update_key_properties("key-name", enabled=False)
print(updated_key.name)
print(updated_key.properties.enabled)
```
### Delete a key
[begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key)
requests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is
helpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as
soon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
deleted_key = key_client.begin_delete_key("key-name").result()
print(deleted_key.name)
print(deleted_key.deleted_date)
```
### Configure automatic key rotation
[update_key_rotation_policy](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_rotation_policy)
can be used by a `KeyClient` to configure automatic key rotation for a key by specifying a rotation policy.
<!-- SNIPPET:key_rotation.update_a_rotation_policy -->
```python
from azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicy, KeyRotationPolicyAction
# Here we set the key's automated rotation policy to rotate the key two months after the key was created.
# If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the
# default policy. Any keyword arguments will update specified properties of the policy.
actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create="P2M")]
updated_policy = client.update_key_rotation_policy(
"rotation-sample-key", policy=KeyRotationPolicy(), expires_in="P90D", lifetime_actions=actions
)
assert updated_policy.expires_in == "P90D"
```
<!-- END SNIPPET -->
In addition,
[rotate_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.rotate_key)
allows you to rotate a key on-demand by creating a new version of the given key.
<!-- SNIPPET:key_rotation.rotate_key -->
```python
rotated_key = client.rotate_key("rotation-sample-key")
print(f"Rotated the key on-demand; new version is {rotated_key.properties.version}")
```
<!-- END SNIPPET -->
### List keys
[list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys)
lists the properties of all of the keys in the client's vault.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
keys = key_client.list_properties_of_keys()
for key in keys:
# the list doesn't include values or versions of the keys
print(key.name)
```
### Cryptographic operations
[CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient)
enables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
key = key_client.get_key("key-name")
crypto_client = CryptographyClient(key, credential=credential)
plaintext = b"plaintext"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
decrypted = crypto_client.decrypt(result.algorithm, result.ciphertext)
```
See the
[package documentation][crypto_client_docs]
for more details of the cryptography API.
### Async API
This library includes a complete set of async APIs. To use them, you must
first install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/).
See
[azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport)
for more information.
Async clients and credentials should be closed when they're no longer needed. These
objects are async context managers and define async `close` methods. For
example:
```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.keys.aio import KeyClient
credential = DefaultAzureCredential()
# call close when the client and credential are no longer needed
client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
...
await client.close()
await credential.close()
# alternatively, use them as async context managers (contextlib.AsyncExitStack can help)
client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
async with client:
async with credential:
...
```
### Asynchronously create a key
[create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and
[create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key)
create RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new
version of the key is created.
```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.keys.aio import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
# Create an RSA key
rsa_key = await key_client.create_rsa_key("rsa-key-name", size=2048)
print(rsa_key.name)
print(rsa_key.key_type)
# Create an elliptic curve key
ec_key = await key_client.create_ec_key("ec-key-name", curve="P-256")
print(ec_key.name)
print(ec_key.key_type)
```
### Asynchronously list keys
[list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys)
lists the properties of all of the keys in the client's vault.
```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.keys.aio import KeyClient
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
keys = key_client.list_properties_of_keys()
async for key in keys:
print(key.name)
```
## Troubleshooting
See the `azure-keyvault-keys`
[troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md)
for details on how to diagnose various failure scenarios.
### General
Key Vault clients raise exceptions defined in [azure-core][azure_core_exceptions].
For example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs]
raises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error):
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
from azure.core.exceptions import ResourceNotFoundError
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
try:
key_client.get_key("which-does-not-exist")
except ResourceNotFoundError as e:
print(e.message)
```
### Logging
This library uses the standard
[logging](https://docs.python.org/3/library/logging.html) library for logging.
Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFO
level.
Detailed DEBUG level logging, including request/response bodies and unredacted
headers, can be enabled on a client with the `logging_enable` argument:
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
import sys
import logging
# Create a logger for the 'azure' SDK
logger = logging.getLogger('azure')
logger.setLevel(logging.DEBUG)
# Configure a console output
handler = logging.StreamHandler(stream=sys.stdout)
logger.addHandler(handler)
credential = DefaultAzureCredential()
# This client will log detailed information about its HTTP sessions, at DEBUG level
client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential, logging_enable=True)
```
Similarly, `logging_enable` can enable detailed logging for a single operation,
even when it isn't enabled for the client:
```python
client.get_key("my-key", logging_enable=True)
```
## Next steps
Several samples are available in the Azure SDK for Python GitHub repository.
These provide example code for additional Key Vault scenarios:
- [Create/get/update/delete keys][hello_world_sample] ([async version][hello_world_async_sample])
- [Basic list operations for keys][list_operations_sample] ([async version][list_operations_async_sample])
- [Back up and recover keys][backup_operations_sample] ([async version][backup_operations_async_sample])
- [Recover and purge keys][recover_purge_sample] ([async version][recover_purge_async_sample])
- [Create/update key rotation policies and rotate keys on-demand][key_rotation_sample] ([async version][key_rotation_async_sample])
- [Use the `send_request` client method][send_request_sample]
### Additional documentation
For more extensive documentation on Azure Key Vault, see the
[API reference documentation][reference_docs].
## Contributing
This project welcomes contributions and suggestions. Most contributions require
you to agree to a Contributor License Agreement (CLA) declaring that you have
the right to, and actually do, grant us the rights to use your contribution.
For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether
you need to provide a CLA and decorate the PR appropriately (e.g., label,
comment). Simply follow the instructions provided by the bot. You will only
need to do this once across all repos using our CLA.
This project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct].
For more information, see the
[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact opencode@microsoft.com with any additional questions or comments.
<!-- LINKS -->
[azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions
[azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity
[azure_identity_pypi]: https://pypi.org/project/azure-identity/
[azure_keyvault]: https://docs.microsoft.com/azure/key-vault/
[azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli
[azure_sub]: https://azure.microsoft.com/free/
[backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py
[backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py
[code_of_conduct]: https://opensource.microsoft.com/codeofconduct/
[crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs
[default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential
[hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py
[hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py
[key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient
[key_rotation_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py
[key_rotation_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py
[key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples
[library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys
[list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py
[list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py
[managed_hsm]: https://docs.microsoft.com/azure/key-vault/managed-hsm/overview
[managed_hsm_cli]: https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli
[managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
[pip]: https://pypi.org/project/pip/
[pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/
[recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py
[recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py
[reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs
[send_request_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/send_request.py
[soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview
# Release History
## 4.9.0 (2024-02-22)
### Features Added
- Added support for service API version `7.5`
- (From 4.9.0b2) The `cryptography` library's `RSAPrivateKey` and `RSAPublicKey` interfaces are now implemented by
`KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey` classes that can use keys managed by Key Vault
- (From 4.9.0b2) `CryptographyClient` has `create_rsa_private_key` and `create_rsa_public_key` methods that return a
`KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey`, respectively
- (From 4.9.0b3) Added `KeyProperties.hsm_platform` to get the underlying HSM platform
### Bugs Fixed
- (From 4.9.0b1) Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID
([#29888](https://github.com/Azure/azure-sdk-for-python/issues/29888))
### Other Changes
- Python 3.7 is no longer supported. Please use Python version 3.8 or later.
- `asyncio` is no longer directly referenced by the library
([#33819](https://github.com/Azure/azure-sdk-for-python/pull/33819))
- Updated minimum `azure-core` version to 1.29.5
- Dropped `azure-common` requirement
## 4.9.0b3 (2023-11-03)
### Features Added
- Added support for service API version `7.5-preview.1`
- Added `KeyProperties.hsm_platform` to get the underlying HSM platform
### Other Changes
- Key Vault API version `7.5-preview.1` is now the default
## 4.9.0b2 (2023-10-12)
### Features Added
- The `cryptography` library's `RSAPrivateKey` and `RSAPublicKey` interfaces are now implemented by
`KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey` classes that can use keys managed by Key Vault
- `CryptographyClient` has `create_rsa_private_key` and `create_rsa_public_key` methods that return a
`KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey`, respectively
## 4.9.0b1 (2023-05-16)
### Bugs Fixed
- Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID
([#29888](https://github.com/Azure/azure-sdk-for-python/issues/29888))
## 4.8.0 (2023-03-16)
### Features Added
- Added support for service API version `7.4`
- Clients each have a `send_request` method that can be used to send custom requests using the
client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172))
- (From 4.8.0b1) An attempt will be made to generate an IV if one isn't provided for local encryption
([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected.
- Removed support for octet key pair (OKP) keys and operations
### Other Changes
- Key Vault API version `7.4` is now the default
- (From 4.8.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- (From 4.8.0b1) Updated minimum `azure-core` version to 1.24.0
- (From 4.8.0b1) Updated minimum `msrest` version to 0.7.1
- (From 4.8.0b2) Dropped `msrest` requirement
- (From 4.8.0b2) Dropped `six` requirement
- (From 4.8.0b2) Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`)
- (From 4.8.0b2) Added requirement for `typing-extensions>=4.0.1`
## 4.8.0b2 (2022-11-15)
### Features Added
- Added support for service API version `7.4-preview.1`
- `KeyClient` has a `create_okp_key` method to create an octet key pair (OKP) on Managed HSM
- Added `eddsa` to `SignatureAlgorithm` enum to support signing and verifying using an
Edwards-Curve Digital Signature Algorithm (EdDSA) on Managed HSM
- Added `okp` and `okp_hsm` to `KeyType` enum for octet key pairs
- Added `ed25519` to `KeyCurveName` enum to support use of the Ed25519 Edwards curve
### Other Changes
- Key Vault API version `7.4-preview.1` is now the default
- Dropped `msrest` requirement
- Dropped `six` requirement
- Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`)
- Added requirement for `typing-extensions>=4.0.1`
## 4.8.0b1 (2022-09-22)
### Features Added
- An attempt will be made to generate an IV if one isn't provided for local encryption
([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))
### Other Changes
- Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- Updated minimum `azure-core` version to 1.24.0
- Updated minimum `msrest` version to 0.7.1
## 4.7.0 (2022-09-19)
### Breaking Changes
- Clients verify the challenge resource matches the vault domain. This should affect few customers,
who can provide `verify_challenge_resource=False` to client constructors to disable.
See https://aka.ms/azsdk/blog/vault-uri for more information.
### Other Changes
- Changes from version 4.7.0b1 have been reverted and will be included in version 4.8.0b1
## 4.7.0b1 (2022-08-12)
### Features Added
- An attempt will be made to generate an IV if one isn't provided for local encryption
([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))
### Other Changes
- The most recent release was version 4.6.1 instead of the intended version, 4.5.2.
The next stable release is planned to be version 4.7.0.
- Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- Updated minimum `azure-core` version to 1.24.0
## 4.6.1 (2022-08-11)
### Other Changes
- Documentation improvements
([#25039](https://github.com/Azure/azure-sdk-for-python/issues/25039))
## 4.6.0b1 (2022-06-07)
### Bugs Fixed
- If a key's ID contains a port number, this port will now be preserved in the vault URL of a
`CryptographyClient` instance created from this key
([#24446](https://github.com/Azure/azure-sdk-for-python/issues/24446))
- Port numbers are now preserved in the `vault_url` property of a `KeyVaultKeyIdentifier`
## 4.5.1 (2022-04-18)
### Bugs Fixed
- Fixed error that could occur when fetching a key rotation policy that has no defined
`lifetime_actions`.
## 4.5.0 (2022-03-28)
### Features Added
- Key Vault API version 7.3 is now the default
- Added support for multi-tenant authentication when using `azure-identity`
1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
- (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of
random bytes from a managed HSM
- (From 4.5.0b2) Added support for secure key release from a Managed HSM
([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))
- Added `release_key` method to `KeyClient` for releasing the private component of a key
- Added `exportable` and `release_policy` keyword-only arguments to key creation and import
methods
- Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used
in key release
- (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to
create a `CryptographyClient` for a key, given its name and optionally a version
([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))
- (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault
([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))
- Added `KeyClient.rotate_key` to rotate a key on-demand
- Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy
- (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to
support immutable release policies. Once a release policy is marked as immutable, it can no
longer be modified.
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.4.0.
> Only code written against a beta version such as 4.5.0b1 may be affected.
- `KeyClient.update_key_rotation_policy` accepts a required `policy` argument
([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
- The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument
([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
- Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and
`KeyClient.update_key_rotation_policy` to `key_name`
([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
- Enum values in `azure-keyvault-keys` are now uniformly lower-cased
([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))
### Bugs Fixed
- `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault
keys created with non-standard casing could not be fetched with the SDK
([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797))
### Other Changes
- (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0
- (From 4.5.0b3) Updated type hints to fix mypy errors
([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))
- (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor
(though providing a version is still recommended)
- (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge
authentication requests now pass in a `tenant_id` keyword argument
([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See
https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate
this parameter if `get_token` is implemented by a custom credential.
- (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and
`release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))
## 4.5.0b6 (2022-02-08)
### Features Added
- Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable
release policies. Once a release policy is marked as immutable, it can no longer be modified.
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.4.0.
> Only code written against a beta version such as 4.5.0b1 may be affected.
- Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to
`encoded_policy`
### Other Changes
- Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- Updated minimum `azure-core` version to 1.20.0
- Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy`
properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))
- (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge
authentication requests now pass in a `tenant_id` keyword argument
([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
## 4.5.0b5 (2021-11-11)
### Features Added
- Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer
([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.4.0.
> Only code written against a beta version such as 4.5.0b1 may be affected.
- `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class
has been removed
- Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to
`key_version`
- Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy`
- Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token`
### Other Changes
- Updated minimum `azure-core` version to 1.15.0
## 4.5.0b4 (2021-10-07)
### Features Added
- Added `KeyClient.get_cryptography_client`, which provides a simple way to create a
`CryptographyClient` for a key, given its name and optionally a version
([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))
- Added support for automated and on-demand key rotation in Azure Key Vault
([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))
- Added `KeyClient.rotate_key` to rotate a key on-demand
- Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy
### Other Changes
- `CryptographyClient` no longer requires a key version when providing a key ID to its constructor
(though providing a version is still recommended)
## 4.5.0b3 (2021-09-09)
### Other Changes
- Updated type hints to fix mypy errors
([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))
## 4.5.0b2 (2021-08-10)
### Features Added
- Added support for secure key release from a Managed HSM
([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))
- Added `release_key` method to `KeyClient` for releasing the private component of a key
- Added `exportable` and `release_policy` keyword-only arguments to key creation and import
methods
- Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used
in key release
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.4.0.
> Only code written against a beta version such as 4.5.0b1 may be affected.
- `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value`
property, rather than returning the bytes directly
([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895))
## 4.5.0b1 (2021-07-08)
Beginning with this release, this library requires Python 2.7 or 3.6+.
### Features Added
- Key Vault API version 7.3-preview is now the default
- `KeyClient` has a `get_random_bytes` method for getting a requested number of random
bytes from a managed HSM
## 4.4.0 (2021-06-22)
This is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+.
### Changed
- Key Vault API version 7.2 is now the default
- (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21
### Added
- `KeyClient` has a `create_oct_key` method for creating symmetric keys
- `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent`
keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016))
- (From 4.4.0b1) Added support for Key Vault API version 7.2
([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))
- Added `oct_hsm` to `KeyType`
- Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption
algorithms to `EncryptionAlgorithm`
- Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`
- `CryptographyClient`'s `encrypt` method accepts `iv` and
`additional_authenticated_data` keyword arguments
- `CryptographyClient`'s `decrypt` method accepts `iv`,
`additional_authenticated_data`, and `authentication_tag` keyword arguments
- Added `iv`, `aad`, and `tag` properties to `EncryptResult`
- (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with
the `.from_jwk` factory method
([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))
- (From 4.4.0b3) Added requirement for `six`>=1.12.0
- (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally
([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))
### Breaking Changes
> These changes do not impact the API of stable versions such as 4.3.1.
> Only code written against a beta version such as 4.4.0b1 may be affected.
- `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a
`KeyVaultKeyIdentifier` class, which can be initialized with a key ID
## 4.4.0b4 (2021-04-06)
### Added
- `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally
([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))
## 4.4.0b3 (2021-03-11)
### Added
- `CryptographyClient` will perform all operations locally if initialized with
the `.from_jwk` factory method
([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))
- Added requirement for six>=1.12.0
## 4.4.0b2 (2021-02-10)
### Fixed
- API versions older than 7.2-preview no longer raise `ImportError` when
performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680))
## 4.4.0b1 (2021-02-10)
### Changed
- Key Vault API version 7.2-preview is now the default
- Updated msrest requirement to >=0.6.21
### Added
- Support for Key Vault API version 7.2-preview
([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))
- Added `oct_hsm` to `KeyType`
- Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption
algorithms to `EncryptionAlgorithm`
- Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`
- `CryptographyClient`'s `encrypt` method accepts `iv` and
`additional_authenticated_data` keyword arguments
- `CryptographyClient`'s `decrypt` method accepts `iv`,
`additional_authenticated_data`, and `authentication_tag` keyword arguments
- Added `iv`, `aad`, and `tag` properties to `EncryptResult`
- Added method `parse_key_vault_key_id` that parses out a full ID returned by
Key Vault, so users can easily access the key's `name`, `vault_url`, and `version`.
## 4.3.1 (2020-12-03)
### Fixed
- `CryptographyClient` operations no longer raise `AttributeError` when
the client was constructed with a key ID
([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608))
## 4.3.0 (2020-10-06)
### Changed
- `CryptographyClient` can perform decrypt and sign operations locally
([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754))
### Fixed
- Correct typing for async paging methods
## 4.2.0 (2020-08-11)
### Fixed
- Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers
are no longer redacted in logging output
- `CryptographyClient` will no longer perform encrypt or wrap operations when
its key has expired or is not yet valid
### Changed
- Key Vault API version 7.1 is now the default
- Updated minimum `azure-core` version to 1.7.0
### Added
- At construction, clients accept a `CustomHookPolicy` through the optional
keyword argument `custom_hook_policy`
- All client requests include a unique ID in the header `x-ms-client-request-id`
- Dependency on `azure-common` for multiapi support
## 4.2.0b1 (2020-03-10)
- Support for Key Vault API version 7.1-preview
([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124))
- Added `import_key` to `KeyOperation`
- Added `recoverable_days` to `CertificateProperties`
- Added `ApiVersion` enum identifying Key Vault versions supported by this package
## 4.1.0 (2020-03-10)
- `KeyClient` instances have a `close` method which closes opened sockets. Used
as a context manager, a `KeyClient` closes opened sockets on exit.
([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906))
- Pollers no longer sleep after operation completion
([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991))
## 4.0.1 (2020-02-11)
- `azure.keyvault.keys` defines `__version__`
- Challenge authentication policy preserves request options
([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999))
- Updated `msrest` requirement to >=0.6.0
- Challenge authentication policy requires TLS
([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457))
- Methods no longer raise the internal error `KeyVaultErrorException`
([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690))
- Fix `AttributeError` in async CryptographyClient when verifying signatures remotely
([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734))
## 4.0.0 (2019-10-31)
### Breaking changes:
- Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()`
- Moved the optional parameters of several methods into kwargs (
[docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html)
detail the new keyword arguments):
- `create_key` now has positional parameters `name` and `key_type`
- `create_ec_key` and `create_rsa_key` now have one positional parameter, `name`
- `update_key_properties` now has two positional parameters, `name` and
(optional) `version`
- `import_key` now has positional parameters `name` and `key`
- `CryptographyClient` operations return class instances instead of tuples and renamed the following
properties
- Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext`
- Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key`
- Renamed the `result` property of `VerifyResult` to `is_valid`
- Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult`
- Renamed `list_keys` to `list_properties_of_keys`
- Renamed `list_key_versions` to `list_properties_of_key_versions`
- Renamed sync method `delete_key` to `begin_delete_key`
- The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey`
- Renamed `Key` to `KeyVaultKey`
- `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`,
`expires_on`, and `updated_on`
- The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url`
- The property `vault_endpoint` has been renamed to `vault_url` in all models
### New features:
- Now all `CryptographyClient` returns include `key_id` and `algorithm` properties
## 4.0.0b4 (2019-10-08)
- Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have
been renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively.
- `Key` now has attribute `properties`, which holds certain properties of the
key, such as `version`. This changes the shape of the returned `Key` type,
as certain properties of `Key` (such as `version`) have to be accessed
through the `properties` property.
- `update_key` has been renamed to `update_key_properties`
- The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint`
- The property `vault_url` has been renamed to `vault_endpoint` in all models
### Fixes and improvements:
- The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey`
([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590))
## 4.0.0b3 (2019-09-11)
### Breaking changes:
- `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and
`unwrap_key`, respectively.
### New features:
- `CryptographyClient` performs encrypt, verify and wrap operations locally
when its key's public material is available (i.e., when it has keys/get
permission).
## 4.0.0b2 (2019-08-06)
### Breaking changes:
- Removed `azure.core.Configuration` from the public API in preparation for a
revamped configuration API. Static `create_config` methods have been renamed
`_create_config`, and will be removed in a future release.
- Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available
through `CryptographyClient`.
- This version of the library requires `azure-core` 1.0.0b2
- If you later want to revert to a version requiring azure-core 1.0.0b1,
of this or another Azure SDK library, you must explicitly install azure-core
1.0.0b1 as well. For example:
`pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1`
### New features:
- Added `CryptographyClient`, a client for performing cryptographic operations
(encrypt/decrypt, wrap/unwrap, sign/verify) with a key.
- Distributed tracing framework OpenCensus is now supported
- Added support for HTTP challenge based authentication, allowing clients to
interact with vaults in sovereign clouds.
### Other changes:
- Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport
by default. See
[azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport)
for more information about using other transports.
## 4.0.0b1 (2019-06-28)
Version 4.0.0b1 is the first preview of our efforts to create a user-friendly
and Pythonic client library for Azure Key Vault. For more information about
preview releases of other Azure SDK libraries, please visit
https://aka.ms/azure-sdk-preview1-python.
This library is not a direct replacement for `azure-keyvault`. Applications
using that library would require code changes to use `azure-keyvault-keys`.
This package's
[documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)
and
[samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples)
demonstrate the new API.
### Major changes from `azure-keyvault`
- Packages scoped by functionality
- `azure-keyvault-keys` contains a client for key operations,
`azure-keyvault-secrets` contains a client for secret operations
- Client instances are scoped to vaults (an instance interacts with one vault
only)
- Asynchronous API supported on Python 3.5.3+
- the `azure.keyvault.keys.aio` namespace contains an async equivalent of
the synchronous client in `azure.keyvault.keys`
- Authentication using `azure-identity` credentials
- see this package's
[documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)
, and the
[Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md)
for more information
### `azure-keyvault` features not implemented in this release
- Certificate management APIs
- Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and
decrypt
- National cloud support. This release supports public global cloud vaults,
e.g. https://{vault-name}.vault.azure.net
Raw data
{
"_id": null,
"home_page": "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys",
"name": "azure-keyvault-keys",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": "azure,azure sdk",
"author": "Microsoft Corporation",
"author_email": "azurekeyvault@microsoft.com",
"download_url": "https://files.pythonhosted.org/packages/12/ac/9a86f08659638ff2f07cb233a4f606bb765a72051a85c2622c0353eaa225/azure-keyvault-keys-4.9.0.tar.gz",
"platform": null,
"description": "# Azure Key Vault Keys client library for Python\nAzure Key Vault helps solve the following problems:\n- Cryptographic key management (this library) - create, store, and control\naccess to the keys used to encrypt your data\n- Secrets management\n([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) -\nsecurely store and control access to tokens, passwords, certificates, API keys,\nand other secrets\n- Certificate management\n([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) -\ncreate, manage, and deploy public and private SSL/TLS certificates\n- Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options\n\n[Source code][library_src]\n| [Package (PyPI)][pypi_package_keys]\n| [Package (Conda)](https://anaconda.org/microsoft/azure-keyvault/)\n| [API reference documentation][reference_docs]\n| [Product documentation][azure_keyvault]\n| [Samples][key_samples]\n\n## _Disclaimer_\n\n_Azure SDK Python packages support for Python 2.7 has ended 01 January 2022. For more information and questions, please refer to https://github.com/Azure/azure-sdk-for-python/issues/20691_.\n\n_Python 3.8 or later is required to use this package. For more details, please refer to [Azure SDK for Python version support policy](https://github.com/Azure/azure-sdk-for-python/wiki/Azure-SDKs-Python-version-support-policy)._\n\n## Getting started\n### Install the package\nInstall [azure-keyvault-keys][pypi_package_keys] and\n[azure-identity][azure_identity_pypi] with [pip][pip]:\n```Bash\npip install azure-keyvault-keys azure-identity\n```\n[azure-identity][azure_identity] is used for Azure Active Directory authentication as demonstrated below.\n\n### Prerequisites\n* An [Azure subscription][azure_sub]\n* Python 3.8 or later\n* An existing [Azure Key Vault][azure_keyvault]. If you need to create one, you can do so using the Azure CLI by following the steps in [this document][azure_keyvault_cli].\n* If using Managed HSM, an existing [Key Vault Managed HSM][managed_hsm]. If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli].\n\n### Authenticate the client\nIn order to interact with the Azure Key Vault service, you will need an instance of a [KeyClient][key_client_docs], as\nwell as a **vault URL** and a credential object. This document demonstrates using a\n[DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios. We recommend using a\n[managed identity][managed_identity] for authentication in production environments.\n\nSee [azure-identity][azure_identity] documentation for more information about other methods of authentication and their\ncorresponding credential types.\n\n#### Create a client\nAfter configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of\nauthentication, you can do the following to create a key client (replacing the value of `VAULT_URL` with your vault's\nURL):\n\n<!-- SNIPPET:hello_world.create_a_key_client -->\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\nVAULT_URL = os.environ[\"VAULT_URL\"]\ncredential = DefaultAzureCredential()\nclient = KeyClient(vault_url=VAULT_URL, credential=credential)\n```\n\n<!-- END SNIPPET -->\n\n> **NOTE:** For an asynchronous client, import `azure.keyvault.keys.aio`'s `KeyClient` instead.\n\n## Key concepts\n### Keys\nAzure Key Vault can create and store RSA and elliptic curve keys. Both can optionally be protected by hardware security\nmodules (HSMs). Azure Key Vault can also perform cryptographic operations with them. For more information about keys\nand supported operations and algorithms, see the\n[Key Vault documentation](https://docs.microsoft.com/azure/key-vault/keys/about-keys).\n\n[KeyClient][key_client_docs] can create keys in the vault, get existing keys\nfrom the vault, update key metadata, and delete keys, as shown in the\n[examples](#examples) below.\n\n## Examples\nThis section contains code snippets covering common tasks:\n* [Create a key](#create-a-key)\n* [Retrieve a key](#retrieve-a-key)\n* [Update an existing key](#update-an-existing-key)\n* [Delete a key](#delete-a-key)\n* [Configure automatic key rotation](#configure-automatic-key-rotation)\n* [List keys](#list-keys)\n* [Perform cryptographic operations](#cryptographic-operations)\n* [Async API](#async-api)\n* [Asynchronously create a key](#asynchronously-create-a-key)\n* [Asynchronously list keys](#asynchronously-list-keys)\n\n### Create a key\nThe [create_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_key) method can be\nused by a `KeyClient` to create a key of any type -- alternatively, specific helpers such as\n[create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_rsa_key) and\n[create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.create_ec_key)\ncreate RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new version\nof that key is created.\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\ncredential = DefaultAzureCredential()\n\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n\n# Create an RSA key\nrsa_key = key_client.create_rsa_key(\"rsa-key-name\", size=2048)\nprint(rsa_key.name)\nprint(rsa_key.key_type)\n\n# Create an elliptic curve key\nec_key = key_client.create_ec_key(\"ec-key-name\", curve=\"P-256\")\nprint(ec_key.name)\nprint(ec_key.key_type)\n```\n\n### Retrieve a key\n[get_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.get_key) retrieves a key\npreviously stored in the Vault.\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\ncredential = DefaultAzureCredential()\n\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\nkey = key_client.get_key(\"key-name\")\nprint(key.name)\n```\n\n### Update an existing key\n[update_key_properties](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_properties)\nupdates the properties of a key previously stored in the Key Vault.\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\ncredential = DefaultAzureCredential()\n\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n\n# we will now disable the key for further use\nupdated_key = key_client.update_key_properties(\"key-name\", enabled=False)\n\nprint(updated_key.name)\nprint(updated_key.properties.enabled)\n```\n\n### Delete a key\n[begin_delete_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.begin_delete_key)\nrequests Key Vault delete a key, returning a poller which allows you to wait for the deletion to finish. Waiting is\nhelpful when the vault has [soft-delete][soft_delete] enabled, and you want to purge (permanently delete) the key as\nsoon as possible. When [soft-delete][soft_delete] is disabled, `begin_delete_key` itself is permanent.\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\ncredential = DefaultAzureCredential()\n\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\ndeleted_key = key_client.begin_delete_key(\"key-name\").result()\n\nprint(deleted_key.name)\nprint(deleted_key.deleted_date)\n```\n\n### Configure automatic key rotation\n[update_key_rotation_policy](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.update_key_rotation_policy)\ncan be used by a `KeyClient` to configure automatic key rotation for a key by specifying a rotation policy.\n\n<!-- SNIPPET:key_rotation.update_a_rotation_policy -->\n\n```python\nfrom azure.keyvault.keys import KeyRotationLifetimeAction, KeyRotationPolicy, KeyRotationPolicyAction\n\n# Here we set the key's automated rotation policy to rotate the key two months after the key was created.\n# If you pass an empty KeyRotationPolicy() as the `policy` parameter, the rotation policy will be set to the\n# default policy. Any keyword arguments will update specified properties of the policy.\nactions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.rotate, time_after_create=\"P2M\")]\nupdated_policy = client.update_key_rotation_policy(\n \"rotation-sample-key\", policy=KeyRotationPolicy(), expires_in=\"P90D\", lifetime_actions=actions\n)\nassert updated_policy.expires_in == \"P90D\"\n```\n\n<!-- END SNIPPET -->\n\nIn addition,\n[rotate_key](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.rotate_key)\nallows you to rotate a key on-demand by creating a new version of the given key.\n\n<!-- SNIPPET:key_rotation.rotate_key -->\n\n```python\nrotated_key = client.rotate_key(\"rotation-sample-key\")\nprint(f\"Rotated the key on-demand; new version is {rotated_key.properties.version}\")\n```\n\n<!-- END SNIPPET -->\n\n### List keys\n[list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient.list_properties_of_keys)\nlists the properties of all of the keys in the client's vault.\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\n\ncredential = DefaultAzureCredential()\n\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\nkeys = key_client.list_properties_of_keys()\n\nfor key in keys:\n # the list doesn't include values or versions of the keys\n print(key.name)\n```\n\n### Cryptographic operations\n[CryptographyClient](https://aka.ms/azsdk/python/keyvault-keys/crypto/docs#azure.keyvault.keys.crypto.CryptographyClient)\nenables cryptographic operations (encrypt/decrypt, wrap/unwrap, sign/verify) using a particular key.\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\nfrom azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm\n\ncredential = DefaultAzureCredential()\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n\nkey = key_client.get_key(\"key-name\")\ncrypto_client = CryptographyClient(key, credential=credential)\nplaintext = b\"plaintext\"\n\nresult = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)\ndecrypted = crypto_client.decrypt(result.algorithm, result.ciphertext)\n```\n\nSee the\n[package documentation][crypto_client_docs]\nfor more details of the cryptography API.\n\n### Async API\nThis library includes a complete set of async APIs. To use them, you must\nfirst install an async transport, such as [aiohttp](https://pypi.org/project/aiohttp/).\nSee\n[azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/CLIENT_LIBRARY_DEVELOPER.md#transport)\nfor more information.\n\nAsync clients and credentials should be closed when they're no longer needed. These\nobjects are async context managers and define async `close` methods. For\nexample:\n\n```python\nfrom azure.identity.aio import DefaultAzureCredential\nfrom azure.keyvault.keys.aio import KeyClient\n\ncredential = DefaultAzureCredential()\n\n# call close when the client and credential are no longer needed\nclient = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n...\nawait client.close()\nawait credential.close()\n\n# alternatively, use them as async context managers (contextlib.AsyncExitStack can help)\nclient = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\nasync with client:\n async with credential:\n ...\n```\n\n### Asynchronously create a key\n[create_rsa_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_rsa_key) and\n[create_ec_key](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.create_ec_key)\ncreate RSA and elliptic curve keys in the vault, respectively. If a key with the same name already exists, a new\nversion of the key is created.\n\n```python\nfrom azure.identity.aio import DefaultAzureCredential\nfrom azure.keyvault.keys.aio import KeyClient\n\ncredential = DefaultAzureCredential()\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n\n# Create an RSA key\nrsa_key = await key_client.create_rsa_key(\"rsa-key-name\", size=2048)\nprint(rsa_key.name)\nprint(rsa_key.key_type)\n\n# Create an elliptic curve key\nec_key = await key_client.create_ec_key(\"ec-key-name\", curve=\"P-256\")\nprint(ec_key.name)\nprint(ec_key.key_type)\n```\n\n### Asynchronously list keys\n[list_properties_of_keys](https://aka.ms/azsdk/python/keyvault-keys/aio/docs#azure.keyvault.keys.aio.KeyClient.list_properties_of_keys)\nlists the properties of all of the keys in the client's vault.\n\n```python\nfrom azure.identity.aio import DefaultAzureCredential\nfrom azure.keyvault.keys.aio import KeyClient\n\ncredential = DefaultAzureCredential()\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\nkeys = key_client.list_properties_of_keys()\n\nasync for key in keys:\n print(key.name)\n```\n\n## Troubleshooting\n\nSee the `azure-keyvault-keys`\n[troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/TROUBLESHOOTING.md)\nfor details on how to diagnose various failure scenarios.\n\n### General\nKey Vault clients raise exceptions defined in [azure-core][azure_core_exceptions].\nFor example, if you try to get a key that doesn't exist in the vault, [KeyClient][key_client_docs]\nraises [ResourceNotFoundError](https://aka.ms/azsdk-python-core-exceptions-resource-not-found-error):\n\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\nfrom azure.core.exceptions import ResourceNotFoundError\n\ncredential = DefaultAzureCredential()\nkey_client = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential)\n\ntry:\n key_client.get_key(\"which-does-not-exist\")\nexcept ResourceNotFoundError as e:\n print(e.message)\n```\n\n### Logging\nThis library uses the standard\n[logging](https://docs.python.org/3/library/logging.html) library for logging.\nBasic information about HTTP sessions (URLs, headers, etc.) is logged at INFO\nlevel.\n\nDetailed DEBUG level logging, including request/response bodies and unredacted\nheaders, can be enabled on a client with the `logging_enable` argument:\n```python\nfrom azure.identity import DefaultAzureCredential\nfrom azure.keyvault.keys import KeyClient\nimport sys\nimport logging\n\n# Create a logger for the 'azure' SDK\nlogger = logging.getLogger('azure')\nlogger.setLevel(logging.DEBUG)\n\n# Configure a console output\nhandler = logging.StreamHandler(stream=sys.stdout)\nlogger.addHandler(handler)\n\ncredential = DefaultAzureCredential()\n\n# This client will log detailed information about its HTTP sessions, at DEBUG level\nclient = KeyClient(vault_url=\"https://my-key-vault.vault.azure.net/\", credential=credential, logging_enable=True)\n```\n\nSimilarly, `logging_enable` can enable detailed logging for a single operation,\neven when it isn't enabled for the client:\n```python\nclient.get_key(\"my-key\", logging_enable=True)\n```\n\n## Next steps\nSeveral samples are available in the Azure SDK for Python GitHub repository.\nThese provide example code for additional Key Vault scenarios:\n\n- [Create/get/update/delete keys][hello_world_sample] ([async version][hello_world_async_sample])\n- [Basic list operations for keys][list_operations_sample] ([async version][list_operations_async_sample])\n- [Back up and recover keys][backup_operations_sample] ([async version][backup_operations_async_sample])\n- [Recover and purge keys][recover_purge_sample] ([async version][recover_purge_async_sample])\n- [Create/update key rotation policies and rotate keys on-demand][key_rotation_sample] ([async version][key_rotation_async_sample])\n- [Use the `send_request` client method][send_request_sample]\n\n### Additional documentation\nFor more extensive documentation on Azure Key Vault, see the\n[API reference documentation][reference_docs].\n\n## Contributing\nThis project welcomes contributions and suggestions. Most contributions require\nyou to agree to a Contributor License Agreement (CLA) declaring that you have\nthe right to, and actually do, grant us the rights to use your contribution.\nFor details, visit https://cla.microsoft.com.\n\nWhen you submit a pull request, a CLA-bot will automatically determine whether\nyou need to provide a CLA and decorate the PR appropriately (e.g., label,\ncomment). Simply follow the instructions provided by the bot. You will only\nneed to do this once across all repos using our CLA.\n\nThis project has adopted the [Microsoft Open Source Code of Conduct][code_of_conduct].\nFor more information, see the\n[Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or\ncontact opencode@microsoft.com with any additional questions or comments.\n\n\n<!-- LINKS -->\n[azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions\n[azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity\n[azure_identity_pypi]: https://pypi.org/project/azure-identity/\n[azure_keyvault]: https://docs.microsoft.com/azure/key-vault/\n[azure_keyvault_cli]: https://docs.microsoft.com/azure/key-vault/general/quick-create-cli\n[azure_sub]: https://azure.microsoft.com/free/\n\n[backup_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py\n[backup_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py\n\n[code_of_conduct]: https://opensource.microsoft.com/codeofconduct/\n[crypto_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/crypto/docs\n\n[default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential\n\n[hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py\n[hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py\n\n[key_client_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs#azure.keyvault.keys.KeyClient\n[key_rotation_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py\n[key_rotation_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py\n[key_samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples\n\n[library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys\n[list_operations_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py\n[list_operations_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py\n\n[managed_hsm]: https://docs.microsoft.com/azure/key-vault/managed-hsm/overview\n[managed_hsm_cli]: https://docs.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli\n[managed_identity]: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview\n\n[pip]: https://pypi.org/project/pip/\n[pypi_package_keys]: https://pypi.org/project/azure-keyvault-keys/\n\n[recover_purge_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py\n[recover_purge_async_sample]: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py\n[reference_docs]: https://aka.ms/azsdk/python/keyvault-keys/docs\n\n[send_request_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples/send_request.py\n[soft_delete]: https://docs.microsoft.com/azure/key-vault/general/soft-delete-overview\n\n\n\n\n# Release History\n\n## 4.9.0 (2024-02-22)\n\n### Features Added\n- Added support for service API version `7.5`\n- (From 4.9.0b2) The `cryptography` library's `RSAPrivateKey` and `RSAPublicKey` interfaces are now implemented by\n `KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey` classes that can use keys managed by Key Vault\n- (From 4.9.0b2) `CryptographyClient` has `create_rsa_private_key` and `create_rsa_public_key` methods that return a\n `KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey`, respectively\n- (From 4.9.0b3) Added `KeyProperties.hsm_platform` to get the underlying HSM platform\n\n### Bugs Fixed\n- (From 4.9.0b1) Token requests made during AD FS authentication no longer specify an erroneous \"adfs\" tenant ID\n ([#29888](https://github.com/Azure/azure-sdk-for-python/issues/29888))\n\n### Other Changes\n- Python 3.7 is no longer supported. Please use Python version 3.8 or later.\n- `asyncio` is no longer directly referenced by the library\n ([#33819](https://github.com/Azure/azure-sdk-for-python/pull/33819))\n- Updated minimum `azure-core` version to 1.29.5\n- Dropped `azure-common` requirement\n\n## 4.9.0b3 (2023-11-03)\n\n### Features Added\n- Added support for service API version `7.5-preview.1`\n- Added `KeyProperties.hsm_platform` to get the underlying HSM platform\n\n### Other Changes\n- Key Vault API version `7.5-preview.1` is now the default\n\n## 4.9.0b2 (2023-10-12)\n\n### Features Added\n- The `cryptography` library's `RSAPrivateKey` and `RSAPublicKey` interfaces are now implemented by\n `KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey` classes that can use keys managed by Key Vault\n- `CryptographyClient` has `create_rsa_private_key` and `create_rsa_public_key` methods that return a\n `KeyVaultRSAPrivateKey` and `KeyVaultRSAPublicKey`, respectively\n\n## 4.9.0b1 (2023-05-16)\n\n### Bugs Fixed\n- Token requests made during AD FS authentication no longer specify an erroneous \"adfs\" tenant ID\n ([#29888](https://github.com/Azure/azure-sdk-for-python/issues/29888))\n\n## 4.8.0 (2023-03-16)\n\n### Features Added\n- Added support for service API version `7.4`\n- Clients each have a `send_request` method that can be used to send custom requests using the\n client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172))\n- (From 4.8.0b1) An attempt will be made to generate an IV if one isn't provided for local encryption\n ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected.\n- Removed support for octet key pair (OKP) keys and operations\n\n### Other Changes\n- Key Vault API version `7.4` is now the default\n- (From 4.8.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later.\n- (From 4.8.0b1) Updated minimum `azure-core` version to 1.24.0\n- (From 4.8.0b1) Updated minimum `msrest` version to 0.7.1\n- (From 4.8.0b2) Dropped `msrest` requirement\n- (From 4.8.0b2) Dropped `six` requirement\n- (From 4.8.0b2) Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`)\n- (From 4.8.0b2) Added requirement for `typing-extensions>=4.0.1`\n\n## 4.8.0b2 (2022-11-15)\n\n### Features Added\n- Added support for service API version `7.4-preview.1`\n- `KeyClient` has a `create_okp_key` method to create an octet key pair (OKP) on Managed HSM\n- Added `eddsa` to `SignatureAlgorithm` enum to support signing and verifying using an\n Edwards-Curve Digital Signature Algorithm (EdDSA) on Managed HSM\n- Added `okp` and `okp_hsm` to `KeyType` enum for octet key pairs\n- Added `ed25519` to `KeyCurveName` enum to support use of the Ed25519 Edwards curve\n\n### Other Changes\n- Key Vault API version `7.4-preview.1` is now the default\n- Dropped `msrest` requirement\n- Dropped `six` requirement\n- Added requirement for `isodate>=0.6.1` (`isodate` was required by `msrest`)\n- Added requirement for `typing-extensions>=4.0.1`\n\n## 4.8.0b1 (2022-09-22)\n\n### Features Added\n- An attempt will be made to generate an IV if one isn't provided for local encryption\n ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))\n\n### Other Changes\n- Python 3.6 is no longer supported. Please use Python version 3.7 or later.\n- Updated minimum `azure-core` version to 1.24.0\n- Updated minimum `msrest` version to 0.7.1\n\n## 4.7.0 (2022-09-19)\n\n### Breaking Changes\n- Clients verify the challenge resource matches the vault domain. This should affect few customers,\n who can provide `verify_challenge_resource=False` to client constructors to disable.\n See https://aka.ms/azsdk/blog/vault-uri for more information.\n\n### Other Changes\n- Changes from version 4.7.0b1 have been reverted and will be included in version 4.8.0b1\n\n## 4.7.0b1 (2022-08-12)\n\n### Features Added\n- An attempt will be made to generate an IV if one isn't provided for local encryption\n ([#25380](https://github.com/Azure/azure-sdk-for-python/pull/25380))\n\n### Other Changes\n- The most recent release was version 4.6.1 instead of the intended version, 4.5.2.\n The next stable release is planned to be version 4.7.0.\n- Python 3.6 is no longer supported. Please use Python version 3.7 or later.\n- Updated minimum `azure-core` version to 1.24.0\n\n## 4.6.1 (2022-08-11)\n\n### Other Changes\n- Documentation improvements \n ([#25039](https://github.com/Azure/azure-sdk-for-python/issues/25039))\n\n## 4.6.0b1 (2022-06-07)\n\n### Bugs Fixed\n- If a key's ID contains a port number, this port will now be preserved in the vault URL of a\n `CryptographyClient` instance created from this key\n ([#24446](https://github.com/Azure/azure-sdk-for-python/issues/24446))\n - Port numbers are now preserved in the `vault_url` property of a `KeyVaultKeyIdentifier`\n\n## 4.5.1 (2022-04-18)\n\n### Bugs Fixed\n- Fixed error that could occur when fetching a key rotation policy that has no defined\n `lifetime_actions`.\n\n## 4.5.0 (2022-03-28)\n\n### Features Added\n- Key Vault API version 7.3 is now the default\n- Added support for multi-tenant authentication when using `azure-identity`\n 1.8.0 or newer ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))\n- (From 4.5.0b1) `KeyClient` has a `get_random_bytes` method for getting a requested number of\n random bytes from a managed HSM\n- (From 4.5.0b2) Added support for secure key release from a Managed HSM\n ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))\n - Added `release_key` method to `KeyClient` for releasing the private component of a key\n - Added `exportable` and `release_policy` keyword-only arguments to key creation and import\n methods\n - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used\n in key release\n- (From 4.5.0b4) Added `KeyClient.get_cryptography_client`, which provides a simple way to\n create a `CryptographyClient` for a key, given its name and optionally a version\n ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))\n- (From 4.5.0b4) Added support for automated and on-demand key rotation in Azure Key Vault\n ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))\n - Added `KeyClient.rotate_key` to rotate a key on-demand\n - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy\n- (From 4.5.0b6) Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to\n support immutable release policies. Once a release policy is marked as immutable, it can no\n longer be modified.\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.4.0.\n> Only code written against a beta version such as 4.5.0b1 may be affected.\n- `KeyClient.update_key_rotation_policy` accepts a required `policy` argument\n ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))\n- The optional `version` parameter in `KeyClient.release_key` is now a keyword-only argument\n ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))\n- Renamed the `name` parameter in `KeyClient.get_key_rotation_policy` and\n `KeyClient.update_key_rotation_policy` to `key_name`\n ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))\n- Enum values in `azure-keyvault-keys` are now uniformly lower-cased\n ([#22981](https://github.com/Azure/azure-sdk-for-python/issues/22981))\n\n### Bugs Fixed\n- `KeyType` now ignores casing during declaration, which resolves a scenario where Key Vault\n keys created with non-standard casing could not be fetched with the SDK\n ([#22797](https://github.com/Azure/azure-sdk-for-python/issues/22797))\n\n### Other Changes\n- (From 4.5.0b6) Python 2.7 is no longer supported. Please use Python version 3.6 or later.\n- (From 4.5.0b6) Updated minimum `azure-core` version to 1.20.0\n- (From 4.5.0b3) Updated type hints to fix mypy errors\n ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))\n- (From 4.5.0b4) `CryptographyClient` no longer requires a key version when providing a key ID to its constructor\n (though providing a version is still recommended)\n- (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge\n authentication requests now pass in a `tenant_id` keyword argument\n ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698)). See\n https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate\n this parameter if `get_token` is implemented by a custom credential.\n- (From 4.5.0b6) Updated type hints for `KeyProperties` model's `managed`, `exportable`, and\n `release_policy` properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))\n\n## 4.5.0b6 (2022-02-08)\n\n### Features Added\n- Added `immutable` keyword-only argument and property to `KeyReleasePolicy` to support immutable\n release policies. Once a release policy is marked as immutable, it can no longer be modified.\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.4.0.\n> Only code written against a beta version such as 4.5.0b1 may be affected.\n- Renamed the required argument `data` in `KeyReleasePolicy`'s constructor to\n `encoded_policy`\n\n### Other Changes\n- Python 2.7 is no longer supported. Please use Python version 3.6 or later.\n- Updated minimum `azure-core` version to 1.20.0\n- Updated type hints for `KeyProperties` model's `managed`, `exportable`, and `release_policy`\n properties ([#22368](https://github.com/Azure/azure-sdk-for-python/pull/22368))\n- (From 4.5.0b5) To support multi-tenant authentication, `get_token` calls during challenge\n authentication requests now pass in a `tenant_id` keyword argument\n ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))\n\n## 4.5.0b5 (2021-11-11)\n\n### Features Added\n- Added support for multi-tenant authentication when using `azure-identity` 1.7.1 or newer\n ([#20698](https://github.com/Azure/azure-sdk-for-python/issues/20698))\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.4.0.\n> Only code written against a beta version such as 4.5.0b1 may be affected.\n- `KeyClient.get_random_bytes` now returns bytes instead of RandomBytes. The RandomBytes class\n has been removed\n- Renamed the `version` keyword-only argument in `KeyClient.get_cryptography_client` to\n `key_version`\n- Renamed `KeyReleasePolicy.data` to `KeyReleasePolicy.encoded_policy`\n- Renamed the `target` parameter in `KeyClient.release_key` to `target_attestation_token`\n\n### Other Changes\n- Updated minimum `azure-core` version to 1.15.0\n\n## 4.5.0b4 (2021-10-07)\n\n### Features Added\n- Added `KeyClient.get_cryptography_client`, which provides a simple way to create a\n `CryptographyClient` for a key, given its name and optionally a version\n ([#20621](https://github.com/Azure/azure-sdk-for-python/issues/20621))\n- Added support for automated and on-demand key rotation in Azure Key Vault\n ([#19840](https://github.com/Azure/azure-sdk-for-python/issues/19840))\n - Added `KeyClient.rotate_key` to rotate a key on-demand\n - Added `KeyClient.update_key_rotation_policy` to update a key's automated rotation policy\n\n### Other Changes\n- `CryptographyClient` no longer requires a key version when providing a key ID to its constructor\n (though providing a version is still recommended)\n\n## 4.5.0b3 (2021-09-09)\n\n### Other Changes\n- Updated type hints to fix mypy errors\n ([#19158](https://github.com/Azure/azure-sdk-for-python/issues/19158))\n\n## 4.5.0b2 (2021-08-10)\n\n### Features Added\n- Added support for secure key release from a Managed HSM\n ([#19588](https://github.com/Azure/azure-sdk-for-python/issues/19588))\n - Added `release_key` method to `KeyClient` for releasing the private component of a key\n - Added `exportable` and `release_policy` keyword-only arguments to key creation and import\n methods\n - Added `KeyExportEncryptionAlgorithm` enum for specifying an encryption algorithm to be used\n in key release\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.4.0.\n> Only code written against a beta version such as 4.5.0b1 may be affected.\n- `KeyClient.get_random_bytes` now returns a `RandomBytes` model with bytes in a `value`\n property, rather than returning the bytes directly\n ([#19895](https://github.com/Azure/azure-sdk-for-python/issues/19895))\n\n## 4.5.0b1 (2021-07-08)\nBeginning with this release, this library requires Python 2.7 or 3.6+.\n\n### Features Added\n- Key Vault API version 7.3-preview is now the default\n- `KeyClient` has a `get_random_bytes` method for getting a requested number of random\n bytes from a managed HSM\n\n## 4.4.0 (2021-06-22)\nThis is the last version to support Python 3.5. The next version will require Python 2.7 or 3.6+.\n### Changed\n- Key Vault API version 7.2 is now the default\n- (From 4.4.0b1) Updated minimum `msrest` version to 0.6.21\n\n### Added\n- `KeyClient` has a `create_oct_key` method for creating symmetric keys\n- `KeyClient`'s `create_key` and `create_rsa_key` methods now accept a `public_exponent`\n keyword-only argument ([#18016](https://github.com/Azure/azure-sdk-for-python/issues/18016))\n- (From 4.4.0b1) Added support for Key Vault API version 7.2\n ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))\n - Added `oct_hsm` to `KeyType`\n - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption\n algorithms to `EncryptionAlgorithm`\n - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`\n - `CryptographyClient`'s `encrypt` method accepts `iv` and\n `additional_authenticated_data` keyword arguments\n - `CryptographyClient`'s `decrypt` method accepts `iv`,\n `additional_authenticated_data`, and `authentication_tag` keyword arguments\n - Added `iv`, `aad`, and `tag` properties to `EncryptResult`\n- (From 4.4.0b3) `CryptographyClient` will perform all operations locally if initialized with\n the `.from_jwk` factory method\n ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))\n- (From 4.4.0b3) Added requirement for `six`>=1.12.0\n- (From 4.4.0b4) `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally\n ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))\n\n### Breaking Changes\n> These changes do not impact the API of stable versions such as 4.3.1.\n> Only code written against a beta version such as 4.4.0b1 may be affected.\n- `parse_key_vault_key_id` and `KeyVaultResourceId` have been replaced by a\n `KeyVaultKeyIdentifier` class, which can be initialized with a key ID\n\n## 4.4.0b4 (2021-04-06)\n### Added\n- `CryptographyClient` can perform AES-CBCPAD encryption and decryption locally\n ([#17762](https://github.com/Azure/azure-sdk-for-python/pull/17762))\n\n## 4.4.0b3 (2021-03-11)\n### Added\n- `CryptographyClient` will perform all operations locally if initialized with\n the `.from_jwk` factory method\n ([#16565](https://github.com/Azure/azure-sdk-for-python/pull/16565))\n- Added requirement for six>=1.12.0\n\n## 4.4.0b2 (2021-02-10)\n### Fixed\n- API versions older than 7.2-preview no longer raise `ImportError` when\n performing async operations ([#16680](https://github.com/Azure/azure-sdk-for-python/pull/16680))\n\n## 4.4.0b1 (2021-02-10)\n### Changed\n- Key Vault API version 7.2-preview is now the default\n- Updated msrest requirement to >=0.6.21\n\n### Added\n- Support for Key Vault API version 7.2-preview\n ([#16566](https://github.com/Azure/azure-sdk-for-python/pull/16566))\n - Added `oct_hsm` to `KeyType`\n - Added 128-, 192-, and 256-bit AES-GCM, AES-CBC, and AES-CBCPAD encryption\n algorithms to `EncryptionAlgorithm`\n - Added 128- and 192-bit AES-KW key wrapping algorithms to `KeyWrapAlgorithm`\n - `CryptographyClient`'s `encrypt` method accepts `iv` and\n `additional_authenticated_data` keyword arguments\n - `CryptographyClient`'s `decrypt` method accepts `iv`,\n `additional_authenticated_data`, and `authentication_tag` keyword arguments\n - Added `iv`, `aad`, and `tag` properties to `EncryptResult`\n- Added method `parse_key_vault_key_id` that parses out a full ID returned by\nKey Vault, so users can easily access the key's `name`, `vault_url`, and `version`.\n\n## 4.3.1 (2020-12-03)\n### Fixed\n- `CryptographyClient` operations no longer raise `AttributeError` when\n the client was constructed with a key ID\n ([#15608](https://github.com/Azure/azure-sdk-for-python/issues/15608))\n\n## 4.3.0 (2020-10-06)\n### Changed\n- `CryptographyClient` can perform decrypt and sign operations locally\n ([#9754](https://github.com/Azure/azure-sdk-for-python/issues/9754))\n\n### Fixed\n- Correct typing for async paging methods\n\n## 4.2.0 (2020-08-11)\n### Fixed\n- Values of `x-ms-keyvault-region` and `x-ms-keyvault-service-version` headers\n are no longer redacted in logging output\n- `CryptographyClient` will no longer perform encrypt or wrap operations when\n its key has expired or is not yet valid\n\n### Changed\n- Key Vault API version 7.1 is now the default\n- Updated minimum `azure-core` version to 1.7.0\n\n### Added\n- At construction, clients accept a `CustomHookPolicy` through the optional\n keyword argument `custom_hook_policy`\n- All client requests include a unique ID in the header `x-ms-client-request-id`\n- Dependency on `azure-common` for multiapi support\n\n## 4.2.0b1 (2020-03-10)\n- Support for Key Vault API version 7.1-preview\n([#10124](https://github.com/Azure/azure-sdk-for-python/pull/10124))\n - Added `import_key` to `KeyOperation`\n - Added `recoverable_days` to `CertificateProperties`\n - Added `ApiVersion` enum identifying Key Vault versions supported by this package\n\n## 4.1.0 (2020-03-10)\n- `KeyClient` instances have a `close` method which closes opened sockets. Used\nas a context manager, a `KeyClient` closes opened sockets on exit.\n([#9906](https://github.com/Azure/azure-sdk-for-python/pull/9906))\n- Pollers no longer sleep after operation completion\n([#9991](https://github.com/Azure/azure-sdk-for-python/pull/9991))\n\n## 4.0.1 (2020-02-11)\n- `azure.keyvault.keys` defines `__version__`\n- Challenge authentication policy preserves request options\n([#8999](https://github.com/Azure/azure-sdk-for-python/pull/8999))\n- Updated `msrest` requirement to >=0.6.0\n- Challenge authentication policy requires TLS\n([#9457](https://github.com/Azure/azure-sdk-for-python/pull/9457))\n- Methods no longer raise the internal error `KeyVaultErrorException`\n([#9690](https://github.com/Azure/azure-sdk-for-python/issues/9690))\n- Fix `AttributeError` in async CryptographyClient when verifying signatures remotely\n([#9734](https://github.com/Azure/azure-sdk-for-python/pull/9734))\n\n## 4.0.0 (2019-10-31)\n### Breaking changes:\n- Removed `KeyClient.get_cryptography_client()` and `CryptographyClient.get_key()`\n- Moved the optional parameters of several methods into kwargs (\n[docs](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-keyvault-keys/4.0.0/index.html)\ndetail the new keyword arguments):\n - `create_key` now has positional parameters `name` and `key_type`\n - `create_ec_key` and `create_rsa_key` now have one positional parameter, `name`\n - `update_key_properties` now has two positional parameters, `name` and\n (optional) `version`\n - `import_key` now has positional parameters `name` and `key`\n- `CryptographyClient` operations return class instances instead of tuples and renamed the following\nproperties\n - Renamed the `decrypted_bytes` property of `DecryptResult` to `plaintext`\n - Renamed the `unwrapped_bytes` property of `UnwrapResult` to `key`\n - Renamed the `result` property of `VerifyResult` to `is_valid`\n- Renamed the `UnwrapKeyResult` and `WrapKeyResult` classes to `UnwrapResult` and `WrapResult`\n- Renamed `list_keys` to `list_properties_of_keys`\n- Renamed `list_key_versions` to `list_properties_of_key_versions`\n- Renamed sync method `delete_key` to `begin_delete_key`\n- The sync method `begin_delete_key` and async `delete_key` now return pollers that return a `DeletedKey`\n- Renamed `Key` to `KeyVaultKey`\n- `KeyVaultKey` properties `created`, `expires`, and `updated` renamed to `created_on`,\n`expires_on`, and `updated_on`\n- The `vault_endpoint` parameter of `KeyClient` has been renamed to `vault_url`\n- The property `vault_endpoint` has been renamed to `vault_url` in all models\n\n### New features:\n- Now all `CryptographyClient` returns include `key_id` and `algorithm` properties\n\n\n## 4.0.0b4 (2019-10-08)\n- Enums `JsonWebKeyCurveName`, `JsonWebKeyOperation`, and `JsonWebKeyType` have\nbeen renamed to `KeyCurveName`, `KeyOperation`, and `KeyType`, respectively.\n- `Key` now has attribute `properties`, which holds certain properties of the\nkey, such as `version`. This changes the shape of the returned `Key` type,\nas certain properties of `Key` (such as `version`) have to be accessed\nthrough the `properties` property.\n\n- `update_key` has been renamed to `update_key_properties`\n- The `vault_url` parameter of `KeyClient` has been renamed to `vault_endpoint`\n- The property `vault_url` has been renamed to `vault_endpoint` in all models\n\n### Fixes and improvements:\n- The `key` argument to `import_key` should be an instance of `azure.keyvault.keys.JsonWebKey`\n([#7590](https://github.com/Azure/azure-sdk-for-python/pull/7590))\n\n\n## 4.0.0b3 (2019-09-11)\n### Breaking changes:\n- `CryptographyClient` methods `wrap` and `unwrap` are renamed `wrap_key` and\n`unwrap_key`, respectively.\n\n### New features:\n- `CryptographyClient` performs encrypt, verify and wrap operations locally\nwhen its key's public material is available (i.e., when it has keys/get\npermission).\n\n## 4.0.0b2 (2019-08-06)\n### Breaking changes:\n- Removed `azure.core.Configuration` from the public API in preparation for a\nrevamped configuration API. Static `create_config` methods have been renamed\n`_create_config`, and will be removed in a future release.\n- Removed `wrap_key` and `unwrap_key` from `KeyClient`. These are now available\nthrough `CryptographyClient`.\n- This version of the library requires `azure-core` 1.0.0b2\n - If you later want to revert to a version requiring azure-core 1.0.0b1,\n of this or another Azure SDK library, you must explicitly install azure-core\n 1.0.0b1 as well. For example:\n `pip install azure-core==1.0.0b1 azure-keyvault-keys==4.0.0b1`\n\n### New features:\n- Added `CryptographyClient`, a client for performing cryptographic operations\n(encrypt/decrypt, wrap/unwrap, sign/verify) with a key.\n- Distributed tracing framework OpenCensus is now supported\n- Added support for HTTP challenge based authentication, allowing clients to\ninteract with vaults in sovereign clouds.\n\n### Other changes:\n- Async clients use [aiohttp](https://pypi.org/project/aiohttp/) for transport\nby default. See\n[azure-core documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/core/azure-core/README.md/#transport)\nfor more information about using other transports.\n\n## 4.0.0b1 (2019-06-28)\nVersion 4.0.0b1 is the first preview of our efforts to create a user-friendly\nand Pythonic client library for Azure Key Vault. For more information about\npreview releases of other Azure SDK libraries, please visit\nhttps://aka.ms/azure-sdk-preview1-python.\n\nThis library is not a direct replacement for `azure-keyvault`. Applications\nusing that library would require code changes to use `azure-keyvault-keys`.\nThis package's\n[documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)\nand\n[samples](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/samples)\ndemonstrate the new API.\n\n### Major changes from `azure-keyvault`\n- Packages scoped by functionality\n - `azure-keyvault-keys` contains a client for key operations,\n `azure-keyvault-secrets` contains a client for secret operations\n- Client instances are scoped to vaults (an instance interacts with one vault\nonly)\n- Asynchronous API supported on Python 3.5.3+\n - the `azure.keyvault.keys.aio` namespace contains an async equivalent of\n the synchronous client in `azure.keyvault.keys`\n- Authentication using `azure-identity` credentials\n - see this package's\n [documentation](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys/README.md)\n , and the\n [Azure Identity documentation](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md)\n for more information\n\n### `azure-keyvault` features not implemented in this release\n- Certificate management APIs\n- Cryptographic operations, e.g. sign, un/wrap_key, verify, en- and\ndecrypt\n- National cloud support. This release supports public global cloud vaults,\n e.g. https://{vault-name}.vault.azure.net\n",
"bugtrack_url": null,
"license": "MIT License",
"summary": "Microsoft Azure Key Vault Keys Client Library for Python",
"version": "4.9.0",
"project_urls": {
"Homepage": "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys"
},
"split_keywords": [
"azure",
"azure sdk"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "adce2414b3cdc9cd2a2f09fb048eb2d5b7677dfce8ef89c0eb7efaec78f079fe",
"md5": "6ebf329f4fae2ce9ed3402c5b9520838",
"sha256": "05eff85600f2f288a38e5c818ff77c5121840d327e66188cfa7ad333defb545b"
},
"downloads": -1,
"filename": "azure_keyvault_keys-4.9.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "6ebf329f4fae2ce9ed3402c5b9520838",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 149459,
"upload_time": "2024-02-23T01:27:16",
"upload_time_iso_8601": "2024-02-23T01:27:16.404339Z",
"url": "https://files.pythonhosted.org/packages/ad/ce/2414b3cdc9cd2a2f09fb048eb2d5b7677dfce8ef89c0eb7efaec78f079fe/azure_keyvault_keys-4.9.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "12ac9a86f08659638ff2f07cb233a4f606bb765a72051a85c2622c0353eaa225",
"md5": "4d2a70bb61ff6982d8866ce452a120eb",
"sha256": "08632dcd6ece28657204e9a256ad64369fe2b0e385ed43349f932f007d89f774"
},
"downloads": -1,
"filename": "azure-keyvault-keys-4.9.0.tar.gz",
"has_sig": false,
"md5_digest": "4d2a70bb61ff6982d8866ce452a120eb",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 208810,
"upload_time": "2024-02-23T01:27:12",
"upload_time_iso_8601": "2024-02-23T01:27:12.786257Z",
"url": "https://files.pythonhosted.org/packages/12/ac/9a86f08659638ff2f07cb233a4f606bb765a72051a85c2622c0353eaa225/azure-keyvault-keys-4.9.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-02-23 01:27:12",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "Azure",
"github_project": "azure-sdk-for-python",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"lcname": "azure-keyvault-keys"
}
JSON
