[KeyVault] Add support for service version 2026-03-01-preview #59537
Adds the 2026-03-01-preview API version to Administration, Certificates, Keys, and Secrets packages, and exposes the new experimental PlatformManaged property on CertificatePolicy (Azure Key Vault internal usage only; any calls using this property will fail and it is not recommended to be used at this point).
- Added V2026_03_01_Preview to ServiceVersion enums and bumped LatestVersion across Administration, Certificates, Keys, and Secrets client options (matches prior preview convention, e.g. PR #48675).
- Added PlatformManaged model and CertificatePolicy.PlatformManaged property with JSON read/write support.
- Extended test fixtures to run existing recorded tests under the new service version.
- Added unit tests covering: roundtrip serialization, constructor argument validation, empty/null metadata handling, null platformManaged in JSON, lazy-init contract for Metadata, and CertificatePolicy without PlatformManaged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…keyvault-2026-03-01-preview # Conflicts: # sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
Pull request overview
Adds support for the 2026-03-01-preview Key Vault API version across the KeyVault data-plane libraries (Administration, Certificates, Keys, Secrets) and introduces a new CertificatePolicy.PlatformManaged model surface with JSON (de)serialization and unit tests.
Changes:
- Added V2026_03_01_Preview to ServiceVersion enums and updated default (LatestVersion) to the new preview version.
- Introduced PlatformManaged model + CertificatePolicy.PlatformManaged property, including serialization/deserialization and corresponding API baselines.
- Expanded test fixtures to run existing recorded tests under the new service version and added new unit coverage for PlatformManaged behaviors.
Reviewed changes
Copilot reviewed 27 out of 28 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| sdk/keyvault/Azure.Security.KeyVault.Secrets/tests/SecretsTestBase.cs | Adds new service version to the Secrets test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Secrets/src/SecretClientOptions.cs | Adds V2026_03_01_Preview and bumps LatestVersion; maps version string. |
| sdk/keyvault/Azure.Security.KeyVault.Secrets/api/Azure.Security.KeyVault.Secrets.netstandard2.0.cs | Updates public API baseline for new default and enum value. |
| sdk/keyvault/Azure.Security.KeyVault.Secrets/api/Azure.Security.KeyVault.Secrets.net8.0.cs | Updates public API baseline for new default and enum value. |
| sdk/keyvault/Azure.Security.KeyVault.Secrets/api/Azure.Security.KeyVault.Secrets.net10.0.cs | Updates public API baseline for new default and enum value. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/tests/ManagedHsmLiveTests.cs | Adds new service version to the Managed HSM live test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/tests/ManagedHsmCryptographyClientLiveTests.cs | Adds new service version to the Managed HSM crypto live test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/tests/KeysTestBase.cs | Adds new service version to the Keys test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyClientOptions.cs | Adds V2026_03_01_Preview and bumps LatestVersion; maps version string. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/CryptographyClientOptions.cs | Adds V2026_03_01_Preview and bumps LatestVersion; maps version string. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs | Updates public API baseline for new defaults and enum values. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.net8.0.cs | Updates public API baseline for new defaults and enum values. |
| sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.net10.0.cs | Updates public API baseline for new defaults and enum values. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/tests/CertificatesTestBase.cs | Adds new service version to the Certificates test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/tests/CertificatePolicyTests.cs | Adds unit tests for PlatformManaged (de)serialization and behavior. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/src/PlatformManaged.cs | Introduces the PlatformManaged model and JSON (de)serialization helpers. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificatePolicy.cs | Adds CertificatePolicy.PlatformManaged and wires it into JSON (de)serialization. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/src/CertificateClientOptions.cs | Adds V2026_03_01_Preview and bumps LatestVersion; maps version string. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md | Documents the new PlatformManaged surface and default service version bump. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.netstandard2.0.cs | Updates public API baseline for new defaults and added PlatformManaged. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.net8.0.cs | Updates public API baseline for new defaults and added PlatformManaged. |
| sdk/keyvault/Azure.Security.KeyVault.Certificates/api/Azure.Security.KeyVault.Certificates.net10.0.cs | Updates public API baseline for new defaults and added PlatformManaged. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/tests/AdministrationTestBase.cs | Adds new service version to the Administration test fixture matrix. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/src/KeyVaultAdministrationClientOptions.cs | Adds V2026_03_01_Preview, version string mapping, and config parsing support. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/src/Generated/KeyVaultAdministrationClientOptions.cs | Bumps LatestVersion constant used by the public options ctor default. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.netstandard2.0.cs | Updates public API baseline for new default and enum value. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.net8.0.cs | Updates public API baseline for new default and enum value. |
| sdk/keyvault/Azure.Security.KeyVault.Administration/api/Azure.Security.KeyVault.Administration.net10.0.cs | Updates public API baseline for new default and enum value. |
🔍 CI Failure Analysis for PR #59537
Summary
All 12
Root Cause: Stale Test Recordings (
| Package | Failed | Passed | Skipped | Total |
|---|---|---|---|---|
| Azure.Security.KeyVault.Administration | ~42 | ~67 | ~439 | ~548 |
| Azure.Security.KeyVault.Certificates | ~42 | ~varies | ~varies | ~1010 |
| Azure.Security.KeyVault.Keys | ~150+ | ~varies | ~varies | ~5214 |
| Azure.Security.KeyVault.Secrets | ~42 | ~67 | ~354 | ~463 |
(Counts from net9.0 job; all 12 jobs across Windows/Ubuntu/macOS × net8.0/net9.0/net10.0/net462 show the same failures)
282 unique test names fail, spanning: key CRUD, crypto sign/verify/encrypt/wrap, certificate create/download/import, secret CRUD, RBAC role assignments/definitions, backup/restore, and settings operations. The build itself succeeds — all failures are at test time.
How to Fix
The test recordings need to be re-recorded against the 2026-03-01-preview service version and pushed to the assets repo. For each affected package:
```powershell
# 1. Set up for live recording
$env:AZURE_RECORD_MODE = "record"
# Ensure live test credentials are configured (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, plus KV-specific vars like AZURE_KEYVAULT_URL, AZURE_MANAGEDHSM_URL)

# 2. Run the live tests for each package
dotnet test sdk/keyvault/Azure.Security.KeyVault.Administration --filter "TestCategory!=Manually"
dotnet test sdk/keyvault/Azure.Security.KeyVault.Certificates --filter "TestCategory!=Manually"
dotnet test sdk/keyvault/Azure.Security.KeyVault.Keys --filter "TestCategory!=Manually"
dotnet test sdk/keyvault/Azure.Security.KeyVault.Secrets --filter "TestCategory!=Manually"

# 3. Push recordings to the assets repo (for each package)
test-proxy push -a sdk/keyvault/Azure.Security.KeyVault.Administration/assets.json
test-proxy push -a sdk/keyvault/Azure.Security.KeyVault.Certificates/assets.json
test-proxy push -a sdk/keyvault/Azure.Security.KeyVault.Keys/assets.json
test-proxy push -a sdk/keyvault/Azure.Security.KeyVault.Secrets/assets.json

# 4. Commit the updated assets.json files (they'll have new Tag values)
git add sdk/keyvault/*/assets.json
git commit -m "Update test recordings for 2026-03-01-preview"
```
⚠️ Watch out for the silent push trap: If you've locally committed changes in .assets/, test-proxy push may report nothing to push. In that case, git reset --soft <tag> inside the .assets/<hash>/ directory before retrying. See live-test-recovery guidance for details.
Note
The unit tests (e.g., CertificatePolicyTests for PlatformManaged) all pass — only the recorded live tests fail because the recording playback URIs don't match the new API version string.
msftemployee left a comment
External courtesy review (not on the Key Vault team). 8 findings inline — two High blockers (no [Experimental] attribute despite Secrets' SCME0002 precedent; missing CHANGELOG entries for the default-version bump in Admin/Keys/Secrets), two Medium (deserialization invariants on PlatformManaged.CertificateUsage; default to preview ServiceVersion in the test fixture matrix with no refreshed recordings). Spot-checked against the TypeSpec at the API-version commit.
Prepared with assistance from an AI code-review tool; findings hand-verified against the head commit.
…d mode The VerifyCreateCertificateWithPlatformManaged test verifies the SDK can send a PlatformManaged certificate create request and that the returned policy round-trips correctly. We intentionally do not WaitForCompletionAsync because OneCert issuance is async service behavior outside of SDK scope. CertificatesTestBase: use AzureCliCredential in Record mode so re-recording works against vaults that the CI test principal cannot access. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
… CHANGELOG
- Limit V2026_03_01_Preview to Certificates package; revert Keys/Secrets/Administration default service version to V2025_07_01 and remove the unused V2026 enum members and parametrized fixtures from those packages.
- PlatformManaged: throw InvalidOperationException when required 'certificateUsage' field is missing on deserialization, and when CertificateUsage is null on serialization (instead of silently dropping the required service property).
- PlatformManaged: replace BinaryData.ToStream() with ToMemory() in WriteProperties metadata loop to avoid leaking a MemoryStream per metadata entry.
- CertificatePolicy: qualify static PlatformManaged.FromJsonObject call with namespace to remove ambiguity between the property and the type.
- CHANGELOG: align entry wording with the experimental Key Vault internal-usage feature statement.
- Add three new unit tests covering the deserialize/serialize null guards.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The previous change added V2026_03_01_Preview to ClientTestFixture in CertificatesTestBase, which caused every existing test (DownloadECDsa*, StartCreate*, etc.) to also execute at V2026. Their recordings were captured at api-version=2025-07-01, so playback failed with URI mismatches (~50+ failures per platform). Fix: remove V2026 from the fixture so existing tests still run only at their original versions. Refactor VerifyCreateCertificateWithPlatformManaged to build its own V2026 CertificateClient instead of relying on the fixture-provided Client, so the V2026 recording is exercised exactly once. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace onecertdomain.contoso.com with sanitized.example.invalid (RFC 2606/6761 reserved) in test source and recordings to avoid committing externally-resolvable hostnames to public azure-sdk-assets history. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Updated the changelog to reflect the release date and added details about the experimental PlatformManaged property.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added an experimental PlatformManaged property on CertificatePolicy for internal usage and upgraded to API service version 2026-03-01-preview.
…l, add experimental remarks
- Bump version to 4.10.0-beta.2 and replace CHANGELOG entry with agreed experimental wording (date 2026-06-03)
- Revert AzureCliCredential record-mode patch in CertificatesTestBase.cs and CertificateClientLiveTests.cs so production tests use TestEnvironment.Credential (recording patch was supposed to be temporary)
- Remove unused ServiceVersion accessor on CertificatesTestBase
- Add explicit <remarks> on PlatformManaged type and CertificatePolicy.PlatformManaged property marking them as experimental / Key Vault internal usage only
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Keeps the experimental remarks, credential-patch revert, and dead-code cleanup from the previous audit commit, but restores CHANGELOG.md and csproj <Version> to their state before that commit. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Code review — PlatformManaged (2026-03-01-preview)
Reviewed alongside the sibling PRs in Java, Go, and JS. Scoping down to Certificates-only is good, the implementation is clean, and test coverage is excellent. One item to confirm before merge.
🔴 Please verify before merge
Preview API version becomes the client default.
🟡 Minor / consistency
✅ Strengths
…59537)

* [KeyVault] Add support for service version 2026-03-01-preview
Adds the 2026-03-01-preview API version to Administration, Certificates, Keys, and Secrets packages, and exposes the new experimental PlatformManaged property on CertificatePolicy (Azure Key Vault internal usage only; any calls using this property will fail and it is not recommended to be used at this point).
- Added V2026_03_01_Preview to ServiceVersion enums and bumped LatestVersion across Administration, Certificates, Keys, and Secrets client options (matches prior preview convention, e.g. PR Azure#48675).
- Added PlatformManaged model and CertificatePolicy.PlatformManaged property with JSON read/write support.
- Extended test fixtures to run existing recorded tests under the new service version.
- Added unit tests covering: roundtrip serialization, constructor argument validation, empty/null metadata handling, null platformManaged in JSON, lazy-init contract for Metadata, and CertificatePolicy without PlatformManaged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Record PlatformManaged live test and use AzureCliCredential for record mode
The VerifyCreateCertificateWithPlatformManaged test verifies the SDK can send a PlatformManaged certificate create request and that the returned policy round-trips correctly. We intentionally do not WaitForCompletionAsync because OneCert issuance is async service behavior outside of SDK scope. CertificatesTestBase: use AzureCliCredential in Record mode so re-recording works against vaults that the CI test principal cannot access.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address review: scope to Certificates, harden PlatformManaged, update CHANGELOG
- Limit V2026_03_01_Preview to Certificates package; revert Keys/Secrets/Administration default service version to V2025_07_01 and remove the unused V2026 enum members and parametrized fixtures from those packages.
- PlatformManaged: throw InvalidOperationException when required 'certificateUsage' field is missing on deserialization, and when CertificateUsage is null on serialization (instead of silently dropping the required service property).
- PlatformManaged: replace BinaryData.ToStream() with ToMemory() in WriteProperties metadata loop to avoid leaking a MemoryStream per metadata entry.
- CertificatePolicy: qualify static PlatformManaged.FromJsonObject call with namespace to remove ambiguity between the property and the type.
- CHANGELOG: align entry wording with the experimental Key Vault internal-usage feature statement.
- Add three new unit tests covering the deserialize/serialize null guards.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix CI: scope V2026 fixture to PlatformManaged test only
The previous change added V2026_03_01_Preview to ClientTestFixture in CertificatesTestBase, which caused every existing test (DownloadECDsa*, StartCreate*, etc.) to also execute at V2026. Their recordings were captured at api-version=2025-07-01, so playback failed with URI mismatches (~50+ failures per platform). Fix: remove V2026 from the fixture so existing tests still run only at their original versions. Refactor VerifyCreateCertificateWithPlatformManaged to build its own V2026 CertificateClient instead of relying on the fixture-provided Client, so the V2026 recording is exercised exactly once.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Sanitize placeholder domain in PlatformManaged test fixtures
Replace onecertdomain.contoso.com with sanitized.example.invalid (RFC 2606/6761 reserved) in test source and recordings to avoid committing externally-resolvable hostnames to public azure-sdk-assets history.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update CHANGELOG for version 4.10.0-beta.1
Updated the changelog to reflect the release date and added details about the experimental PlatformManaged property.

* Fix Certificates changelog release entry
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Re-record Certificates tests against 2026-03-01-preview default
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Update CHANGELOG for 4.10.0-beta.1 features
Added an experimental PlatformManaged property on CertificatePolicy for internal usage and upgraded to API service version 2026-03-01-preview.

* Update CHANGELOG.md

* Address review feedback: bump to beta.2, revert record-mode credential, add experimental remarks
- Bump version to 4.10.0-beta.2 and replace CHANGELOG entry with agreed experimental wording (date 2026-06-03)
- Revert AzureCliCredential record-mode patch in CertificatesTestBase.cs and CertificateClientLiveTests.cs so production tests use TestEnvironment.Credential (recording patch was supposed to be temporary)
- Remove unused ServiceVersion accessor on CertificatesTestBase
- Add explicit <remarks> on PlatformManaged type and CertificatePolicy.PlatformManaged property marking them as experimental / Key Vault internal usage only
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Restore CHANGELOG and version (do not change per instructions)
Keeps the experimental remarks, credential-patch revert, and dead-code cleanup from the previous audit commit, but restores CHANGELOG.md and csproj <Version> to their state before that commit.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------
Co-authored-by: Rohit Singhal <singhalrohit@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <copilot@github.com>
Adds the 2026-03-01-preview Key Vault service version to Azure.Security.KeyVault.Certificates and exposes the experimental PlatformManaged wrapper on CertificatePolicy.
Spec PR: Azure/azure-rest-api-specs@ea20c46
Scope
This PR is scoped to sdk/keyvault/Azure.Security.KeyVault.Certificates only. The Keys / Secrets / Administration packages no longer take any change in this PR (no enum entry, no default flip, no CHANGELOG churn), per review feedback.
Changes
- CertificateClientOptions.ServiceVersion.V2026_03_01_Preview and bumped LatestVersion accordingly.
- PlatformManaged model and CertificatePolicy.PlatformManaged property with JSON serialization / deserialization.
- PlatformManaged is for Azure Key Vault internal usage only — any calls using this property will fail and is not recommended to be used at this point. This is called out in the type <remarks>, on the property, and in the CHANGELOG.
- ReadProperties throws InvalidOperationException when the required certificateUsage is missing from the wire payload (mirrors the public constructor invariant).
- WriteProperties throws InvalidOperationException when CertificateUsage is null instead of silently dropping the property.
- 4.10.0-beta.1. CHANGELOG entry under 4.10.0-beta.1 documents the experimental PlatformManaged property and the API service version upgrade.
- CertificatePolicyTests cover round-trip serialization with metadata, constructor null/empty validation, empty/null metadata, platformManaged: null JSON, omitting the key when not set, lazy-init of Metadata, mutability of CertificateUsage, and both deserialize-throws shapes.
- VerifyCreateCertificateWithPlatformManaged (recorded) builds its own dedicated V2026_03_01_Preview client rather than parametrizing the existing fixture, so existing recorded tests continue to play back unchanged.
Recordings
Recordings refreshed; assets tag is net/keyvault/Azure.Security.KeyVault.Certificates_ba7a54d206.
Notes
- AzureCliCredential shim used to capture the new recording has been reverted; production tests resolve their credential through TestEnvironment.Credential.
- [Experimental(...)] attribute on the wrapper will be added in a focused follow-up PR that also lands the diagnostic id + repo-wide suppression scope, rather than mixing it into this preview-version PR.
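
The read and write guards listed under Changes, shown as an added C# sketch that is not the SDK's code and not part of this pull request. PlatformManagedSketch is a hypothetical stand-in type and the payloads are constructed; only the certificateUsage wire name and the exception type come from the description above.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.Json;

// Hypothetical stand-in for the model discussed in this PR; not the SDK's PlatformManaged type.
public sealed class PlatformManagedSketch
{
    public PlatformManagedSketch(string certificateUsage)
    {
        if (string.IsNullOrEmpty(certificateUsage))
            throw new ArgumentException("Value is required.", nameof(certificateUsage));
        CertificateUsage = certificateUsage;
    }

    // Mutable after construction, so the write path has to re-check it.
    public string CertificateUsage { get; set; }

    public static PlatformManagedSketch Read(JsonElement json)
    {
        // Fail closed: an absent key and a JSON null both violate the constructor invariant.
        if (!json.TryGetProperty("certificateUsage", out JsonElement usage)
            || usage.ValueKind != JsonValueKind.String)
            throw new InvalidOperationException("Required property 'certificateUsage' is missing.");
        return new PlatformManagedSketch(usage.GetString());
    }

    public void Write(Utf8JsonWriter writer)
    {
        // Refuse to emit an object without the required property instead of dropping it silently.
        if (CertificateUsage is null)
            throw new InvalidOperationException("CertificateUsage must be set before serialization.");
        writer.WriteStartObject();
        writer.WriteString("certificateUsage", CertificateUsage);
        writer.WriteEndObject();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed payloads; "sample-usage" is a placeholder value, not a real service value.
        string[] payloads = { "{\"certificateUsage\":\"sample-usage\"}", "{}", "{\"certificateUsage\":null}" };
        foreach (string payload in payloads)
        {
            using JsonDocument doc = JsonDocument.Parse(payload);
            try
            {
                PlatformManagedSketch model = PlatformManagedSketch.Read(doc.RootElement);
                using var stream = new MemoryStream();
                using (var writer = new Utf8JsonWriter(stream)) model.Write(writer);
                Console.WriteLine($"{payload} -> {Encoding.UTF8.GetString(stream.ToArray())}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"{payload} -> rejected: {ex.Message}");
            }
        }
    }
}
```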