exec.azurerm.keyvault.secret

Azure Resource Manager (ARM) Key Vault Secret Execution Module

New in version 2.4.0.

Changed in version 4.0.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed as keyword arguments to every function or via acct in order to work properly.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password

if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

idem_azurerm.exec.azurerm.keyvault.secret.backup_secret(hub, ctx, name, vault_url, **kwargs)

New in version 2.4.0.

Back up a secret in a protected form usable only by Azure Key Vault. Requires secrets/backup permission. This is intended to allow copying a secret from one vault to another. Both vaults must be owned by the same Azure subscription. Also, backup/restore cannot be performed across geopolitical boundaries. For example, a backup from a vault in a US region cannot be restored to a vault in an EU region.

Parameters:
  • name – The name of the secret to back up.
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.backup_secret secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.delete_secret(hub, ctx, name, vault_url, wait=False, **kwargs)

New in version 2.4.0.

Delete all versions of a secret. Requires secrets/delete permission.

Parameters:
  • name – The name of the secret to delete.
  • vault_url – The URL of the vault that the client will access.
  • wait – When this method returns, Key Vault has begun deleting the secret. Deletion may take several seconds in a vault with soft-delete enabled. Setting this parameter to True enables you to wait for deletion to complete.

CLI Example:

azurerm.keyvault.secret.delete_secret secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.get_deleted_secret(hub, ctx, name, vault_url, **kwargs)

New in version 2.4.0.

Get a deleted secret. Possible only in vaults with soft-delete enabled. Requires secrets/get permission.

Parameters:
  • name – The name of the deleted secret.
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.get_deleted_secret secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.get_secret(hub, ctx, name, vault_url, version=None, **kwargs)

New in version 2.4.0.

Get a secret. Requires the secrets/get permission.

Parameters:
  • name – The name of the secret to get.
  • vault_url – The URL of the vault that the client will access.
  • version – An optional parameter used to specify the version of the secret to get. If not specified, gets the latest version of the secret.

CLI Example:

azurerm.keyvault.secret.get_secret secretname https://myvault.vault.azure.net/ test_version

idem_azurerm.exec.azurerm.keyvault.secret.get_secret_client(hub, ctx, vault_url, **kwargs)

New in version 2.4.0.

Load the secret client and return a SecretClient object.

Parameters:
  • vault_url – The URL of the vault that the client will access.

idem_azurerm.exec.azurerm.keyvault.secret.list_deleted_secrets(hub, ctx, vault_url, **kwargs)

New in version 2.4.0.

Lists all deleted secrets. Possible only in vaults with soft-delete enabled. Requires secrets/list permission.

Parameters:
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.list_deleted_secrets https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.list_properties_of_secret_versions(hub, ctx, name, vault_url, **kwargs)

New in version 2.4.0.

List properties of all versions of a secret, excluding their values. Requires secrets/list permission.

List items don’t include secret values. Use get_secret to get a secret’s value.

Parameters:
  • name – The name of the secret.
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.list_properties_of_secret_versions secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.list_properties_of_secrets(hub, ctx, vault_url, **kwargs)

New in version 2.4.0.

List identifiers and attributes of all secrets in the vault. Requires secrets/list permission.

List items don’t include secret values. Use get_secret to get a secret’s value.

Parameters:
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.list_properties_of_secrets https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.purge_deleted_secret(hub, ctx, name, vault_url, **kwargs)

New in version 2.4.0.

Permanently deletes a deleted secret. Possible only in vaults with soft-delete enabled.

Performs an irreversible deletion of the specified secret, with no possibility of recovery. The operation is not available if the vault's recovery_level does not include ‘Purgeable’. This method is only necessary for purging a secret before its scheduled_purge_date.

Requires secrets/purge permission.

Parameters:
  • name – The name of the deleted secret to purge.
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.purge_deleted_secret secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.recover_deleted_secret(hub, ctx, name, vault_url, wait=False, **kwargs)

New in version 2.4.0.

Recover a deleted secret to its latest version. Possible only in a vault with soft-delete enabled. If the vault does not have soft-delete enabled, delete_secret is permanent, and this method will return an error. Attempting to recover a non-deleted secret will also return an error.

Requires the secrets/recover permission.

Parameters:
  • name – The name of the deleted secret to recover.
  • vault_url – The URL of the vault that the client will access.
  • wait – When this method returns, Key Vault has begun recovering the secret. Recovery may take several seconds. Setting this parameter to True enables you to wait for recovery to complete.

CLI Example:

azurerm.keyvault.secret.recover_deleted_secret secretname https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.restore_secret_backup(hub, ctx, backup, vault_url, **kwargs)

New in version 2.4.0.

Restore a backed up secret. Requires the secrets/restore permission. If the secret’s name is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure subscription as the source vault.

Parameters:
  • backup – A secret backup as returned by the backup_secret execution module.
  • vault_url – The URL of the vault that the client will access.

CLI Example:

azurerm.keyvault.secret.restore_secret_backup secretbackup https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.set_secret(hub, ctx, name, value, vault_url, content_type=None, enabled=None, expires_on=None, not_before=None, tags=None, **kwargs)

New in version 2.4.0.

Changed in version 4.0.0.

Set a secret value. If name is in use, create a new version of the secret. If not, create a new secret. Requires secrets/set permission.

Parameters:
  • name – The name of the secret to set.
  • value – The value of the secret to set.
  • vault_url – The URL of the vault that the client will access.
  • content_type – An arbitrary string indicating the type of the secret.
  • enabled – Whether the secret is enabled for use.
  • expires_on – When the secret will expire, in UTC. This parameter should be a string representation of a datetime object in ISO-8601 format.
  • not_before – The time before which the secret cannot be used, in UTC. This parameter should be a string representation of a datetime object in ISO-8601 format.
  • tags – A dictionary of strings to attach to the secret as tag metadata.

CLI Example:

azurerm.keyvault.secret.set_secret test_name test_secret https://myvault.vault.azure.net/

idem_azurerm.exec.azurerm.keyvault.secret.update_secret_properties(hub, ctx, name, vault_url, version=None, content_type=None, enabled=None, expires_on=None, not_before=None, tags=None, **kwargs)

New in version 2.4.0.

Update properties of a secret other than its value. Requires secrets/set permission. This method updates properties of the secret, such as whether it’s enabled, but can’t change the secret’s value. Use set_secret to change the secret’s value.

Parameters:
  • name – The name of the secret.
  • vault_url – The URL of the vault that the client will access.
  • version – An optional parameter used to specify the version of the secret to update. If no version is specified, the latest version of the secret will be updated.
  • content_type – An arbitrary string indicating the type of the secret.
  • enabled – Whether the secret is enabled for use.
  • expires_on – When the secret will expire, in UTC. This parameter must be a string representation of a datetime object in ISO-8601 format.
  • not_before – The time before which the secret cannot be used, in UTC. This parameter must be a string representation of a datetime object in ISO-8601 format.
  • tags – Application specific metadata in the form of key-value pairs.

CLI Example:

azurerm.keyvault.secret.update_secret_properties secretname https://myvault.vault.azure.net/ enabled=False
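The expires_on and not_before arguments of set_secret and update_secret_properties above must be ISO-8601 UTC strings, and a secret set without an expiry is never forced through rotation. The helper below is an added example, not idem-azurerm code: it assembles validated keyword arguments for set_secret (the bounded-lifetime policy, the helper names and the rotation_status classification are this example's assumptions, not anything the module enforces) and classifies an expires_on string for rotation alerting; no Azure call is made, the returned dict is what you would pass on through the hub.

```python
from datetime import datetime, timedelta, timezone


def iso8601_utc(dt):
    """Render an aware datetime as the ISO-8601 UTC string the module expects."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: Key Vault timestamps must be UTC-aware")
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat().replace("+00:00", "Z")

def parse_iso8601_utc(text):
    """Parse an ISO-8601 string ('Z' or '+00:00' suffix) back into an aware UTC datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)

def _as_utc(value):
    """Accept an aware datetime, an ISO-8601 string, or None (meaning now)."""
    if value is None:
        return datetime.now(timezone.utc)
    return parse_iso8601_utc(value) if isinstance(value, str) else value.astimezone(timezone.utc)

def secret_kwargs(name, value, vault_url, lifetime_days=90, max_lifetime_days=365,
                  not_before=None, now=None, content_type=None, tags=None):
    """Build validated keyword arguments for set_secret (bounded lifetime is this example's policy)."""
    if not 0 < lifetime_days <= max_lifetime_days:
        raise ValueError(f"lifetime must be 1..{max_lifetime_days} days, got {lifetime_days}")
    now = _as_utc(now)
    start = _as_utc(not_before) if not_before else now
    expires_on = start + timedelta(days=lifetime_days)
    if expires_on <= now:
        raise ValueError("expires_on would already be in the past")
    kwargs = {
        "name": name, "value": value, "vault_url": vault_url, "enabled": True,
        "not_before": iso8601_utc(start), "expires_on": iso8601_utc(expires_on),
        "tags": {str(k): str(v) for k, v in (tags or {}).items()},  # tags must be str -> str
    }
    if content_type:
        kwargs["content_type"] = content_type
    return kwargs

def rotation_status(expires_on, now=None, warn_days=14):
    """Classify a secret's expires_on string for rotation alerting (assumed categories)."""
    if not expires_on:
        return "no-expiry"  # a secret that never expires is never forced through rotation
    remaining = parse_iso8601_utc(expires_on) - _as_utc(now)
    if remaining <= timedelta(0):
        return "expired"
    return "expiring" if remaining <= timedelta(days=warn_days) else "ok"
```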