Skip to content

[KeyVault] Add samples for new certificate SANs (IP/URI) and secret secret_encoding/previous_version features #46164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rohitsinghal4u wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[KeyVault] Add samples for new certificate SANs (IP/URI) and secret secret_encoding/previous_version features #46164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1d062ca
[KeyVault] Add samples for new certificate SANs (IP/URI) and secret s…
singhalrohit4u Apr 6, 2026
c2aa0a3
[KeyVault] Fix secrets sample: use out_content_type (not secret_encod…
singhalrohit4u Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions sdk/keyvault/azure-keyvault-certificates/samples/hello_world.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@
issuer_name=WellKnownIssuerNames.self,
subject="CN=*.microsoft.com",
san_dns_names=["sdk.azure-int.net"],
san_ip_addresses=["10.0.0.1", "2001:db8::1"],
san_uris=["https://mydomain.com"],
exportable=True,
key_type="RSA",
key_size=2048,
Expand Down
52 changes: 50 additions & 2 deletions sdk/keyvault/azure-keyvault-secrets/samples/hello_world.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,13 @@
import datetime
import os

from azure.keyvault.secrets import SecretClient
from azure.keyvault.secrets import SecretClient, ContentType
from azure.keyvault.certificates import (
CertificateClient,
CertificatePolicy,
CertificateContentType,
WellKnownIssuerNames,
)
from azure.identity import DefaultAzureCredential

# ----------------------------------------------------------------------------------------------------------
Expand All @@ -30,6 +36,10 @@
#
# 4. Delete a secret (begin_delete_secret)
#
# 5. Get a certificate-backed secret with out_content_type (get_secret with out_content_type)
#
# 6. Check previous_version on a secret with multiple versions
#
# ----------------------------------------------------------------------------------------------------------

# Instantiate a secret client that will be used to call the service.
Expand All @@ -43,7 +53,7 @@
# Let's create a secret holding bank account credentials valid for 1 year.
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
expires = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=365)
secret = client.set_secret("helloWorldSecretName", "helloWorldSecretValue", expires_on=expires)
assert secret.name
print(f"Secret with name '{secret.name}' created with value '{secret.value}'")
Expand All @@ -70,7 +80,45 @@
new_secret = client.set_secret(secret.name, "newSecretValue")
print(f"Secret with name '{new_secret.name}' created with value '{new_secret.value}'")

# When a new version of a secret is created, the service may return `previous_version` to track
# version history. This is especially useful for certificate-backed secrets.
print(f"Secret's previous version: {new_secret.properties.previous_version}")

# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Deleting Secret...")
client.begin_delete_secret(secret.name)
print(f"Secret with name '{secret.name}' was deleted.")

# --------------------------------------------------------------------------------------------------------
# Demonstrate out_content_type: retrieve a certificate-backed secret in a different encoding format.
# When a certificate is stored in PFX (PKCS#12) format, you can retrieve its secret value as PEM.
# --------------------------------------------------------------------------------------------------------
print("\n.. Create a PFX certificate to demonstrate out_content_type")
cert_client = CertificateClient(vault_url=VAULT_URL, credential=credential)
cert_name = "outContentTypeSampleCert"
cert_policy = CertificatePolicy(
issuer_name=WellKnownIssuerNames.self,
subject="CN=outContentTypeDemo",
content_type=CertificateContentType.pkcs12,
)
cert = cert_client.begin_create_certificate(certificate_name=cert_name, policy=cert_policy).result()
print(f"Certificate '{cert.name}' created (PFX format)")

# Get the certificate-backed secret in its default format (PFX/base64)
# [START get_secret_with_out_content_type]
pfx_secret = client.get_secret(cert_name)
print(f"Default secret content type: {pfx_secret.properties.content_type}")

# Now retrieve the same secret as PEM using out_content_type
pem_secret = client.get_secret(cert_name, out_content_type=ContentType.PEM)
print(f"PEM secret content type: {pem_secret.properties.content_type}")
assert pem_secret.value and "-----BEGIN" in pem_secret.value
print("Successfully retrieved certificate secret in PEM format")
# [END get_secret_with_out_content_type]

# Clean up the certificate
print("\n.. Deleting certificate...")
cert_client.begin_delete_certificate(cert_name).result()
print(f"Certificate '{cert_name}' was deleted.")

print("\nrun_sample done")
Loading