- Added support for service API version
7.6-preview.1
- Typing errors from using Key Vault clients as context managers have been fixed (#34744)
- Key Vault API version
7.6-preview.1
is now the default
- Added support for service API version
7.5
- (From 4.4.0b2)
KeyVaultBackupClient.begin_backup
andKeyVaultBackupClient.begin_restore
now accept ause_managed_identity
keyword-only argument to enable authentication via Managed Identity
- (From 4.4.0b1) Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID (#29888)
- Python 3.7 is no longer supported. Please use Python version 3.8 or later.
- Key Vault API version
7.5
is now the default - Updated minimum
azure-core
version to 1.29.5 - Dropped
azure-common
requirement
- Added support for service API version
7.5-preview.1
KeyVaultBackupClient.begin_backup
andKeyVaultBackupClient.begin_restore
now accept ause_managed_identity
keyword-only argument to enable authentication via Managed Identity
- Key Vault API version
7.5-preview.1
is now the default
- Token requests made during AD FS authentication no longer specify an erroneous "adfs" tenant ID (#29888)
- Added support for service API version
7.4
- Clients each have a
send_request
method that can be used to send custom requests using the client's existing pipeline (#25172) - (From 4.3.0b1) Added sync and async
KeyVaultSettingsClient
s for getting and updating Managed HSM settings - The
KeyVaultSetting
class has agetboolean
method that will return the setting'svalue
as abool
, if possible, and raise aValueError
otherwise
These changes do not impact the API of stable versions such as 4.2.0. Only code written against a beta version such as 4.3.0b1 may be affected.
KeyVaultSettingsClient.update_setting
now accepts a singlesetting
argument (aKeyVaultSetting
instance) instead of aname
andvalue
- The
KeyVaultSetting
model'stype
parameter and attribute have been renamed tosetting_type
- The
SettingType
enum has been renamed toKeyVaultSettingType
- Key Vault API version
7.4
is now the default - (From 4.3.0b1) Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- (From 4.3.0b1) Updated minimum
azure-core
version to 1.24.0 - (From 4.3.0b1) Dropped
msrest
requirement - (From 4.3.0b1) Dropped
six
requirement - (From 4.3.0b1) Added requirement for
isodate>=0.6.1
(isodate
was required bymsrest
) - (From 4.3.0b1) Added requirement for
typing-extensions>=4.0.1
- Added sync and async
KeyVaultSettingsClient
s for getting and updating Managed HSM settings. - Added support for service API version
7.4-preview.1
- Python 3.6 is no longer supported. Please use Python version 3.7 or later.
- Key Vault API version
7.4-preview.1
is now the default - Updated minimum
azure-core
version to 1.24.0 - Dropped
msrest
requirement - Dropped
six
requirement - Added requirement for
isodate>=0.6.1
(isodate
was required bymsrest
) - Added requirement for
typing-extensions>=4.0.1
- Clients verify the challenge resource matches the vault domain. This should affect few customers,
who can provide
verify_challenge_resource=False
to client constructors to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.
- Documentation improvements (#25039)
- Key Vault API version 7.3 is now the default
- Added support for multi-tenant authentication when using
azure-identity
1.8.0 or newer (#20698)
- (From 4.1.0b3) Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- (From 4.1.0b3) Updated minimum
azure-core
version to 1.20.0 - (From 4.1.0b2) To support multi-tenant authentication,
get_token
calls during challenge authentication requests now pass in atenant_id
keyword argument (#20698). See https://aka.ms/azsdk/python/identity/tokencredential for more details on how to integrate this parameter ifget_token
is implemented by a custom credential.
- Python 2.7 is no longer supported. Please use Python version 3.6 or later.
- Updated minimum
azure-core
version to 1.20.0 - (From 4.1.0b2) To support multi-tenant authentication,
get_token
calls during challenge authentication requests now pass in atenant_id
keyword argument (#20698)
- Added support for multi-tenant authentication when using
azure-identity
1.7.1 or newer (#20698)
- Updated minimum
azure-core
version to 1.15.0
- Key Vault API version 7.3-preview is now the default
- Key Vault API version 7.2 is now the default
KeyVaultAccessControlClient.delete_role_assignment
and.delete_role_definition
no longer raise an error when the resource to be deleted is not found- Raised minimum azure-core version to 1.11.0
KeyVaultAccessControlClient.set_role_definition
accepts an optionalassignable_scopes
keyword-only argument
KeyVaultAccessControlClient.delete_role_assignment
and.delete_role_definition
return None- Changed parameter order in
KeyVaultAccessControlClient.set_role_definition
.permissions
is now an optional keyword-only argument - Renamed
BackupOperation
toKeyVaultBackupResult
, and removed all but itsfolder_url
property - Removed
RestoreOperation
andSelectiveKeyRestoreOperation
classes - Removed
KeyVaultBackupClient.begin_selective_restore
. To restore a single key, pass the key's name toKeyVaultBackupClient.begin_restore
:# before (4.0.0b3): client.begin_selective_restore(folder_url, sas_token, key_name) # after: client.begin_restore(folder_url, sas_token, key_name=key_name)
- Removed
KeyVaultBackupClient.get_backup_status
and.get_restore_status
. Use the pollers returned byKeyVaultBackupClient.begin_backup
and.begin_restore
to check whether an operation has completed KeyVaultRoleAssignment
'sprincipal_id
,role_definition_id
, andscope
are now properties of aproperties
property# before (4.0.0b3): print(KeyVaultRoleAssignment.scope) # after: print(KeyVaultRoleAssignment.properties.scope)
- Renamed
KeyVaultPermission
properties:allowed_actions
->actions
denied_actions
->not_actions
allowed_data_actions
->data_actions
denied_data_actions
->denied_data_actions
- Renamed argument
role_assignment_name
toname
inKeyVaultAccessControlClient.create_role_assignment
,.delete_role_assignment
, and.get_role_assignment
- Renamed argument
role_definition_name
toname
inKeyVaultAccessControlClient.delete_role_definition
and.get_role_definition
- Renamed argument
role_scope
toscope
inKeyVaultAccessControlClient
methods
KeyVaultAccessControlClient
supports managing custom role definitions
- Renamed
KeyVaultBackupClient.begin_full_backup()
to.begin_backup()
- Renamed
KeyVaultBackupClient.begin_full_restore()
to.begin_restore()
- Renamed
BackupOperation.azure_storage_blob_container_uri
to.folder_url
- Renamed
id
property ofBackupOperation
,RestoreOperation
, andSelectiveKeyRestoreOperation
tojob_id
- Renamed
blob_storage_uri
parameters ofKeyVaultBackupClient.begin_restore()
and.begin_selective_restore()
tofolder_url
- Removed redundant
folder_name
parameter fromKeyVaultBackupClient.begin_restore()
and.begin_selective_restore()
(thefolder_url
parameter contains the folder name) - Renamed
KeyVaultPermission
attributes:actions
->allowed_actions
data_actions
->allowed_data_actions
not_actions
->denied_actions
not_data_actions
->denied_data_actions
- Renamed
KeyVaultRoleAssignment.assignment_id
to.role_assignment_id
- Renamed
KeyVaultRoleScope
enum values:global_value
->GLOBAL
keys_value
->KEYS
KeyVaultBackupClient.get_backup_status
and.get_restore_status
enable checking the status of a pending operation by its job ID (#13718)
- The
role_assignment_name
parameter ofKeyVaultAccessControlClient.create_role_assignment
is now an optional keyword-only argument. When this argument isn't passed, the client will generate a name for the role assignment. (#13512)
KeyVaultAccessControlClient
performs role-based access control operationsKeyVaultBackupClient
performs full vault backup and full and selective restore operations