
azure.keyvault.secrets SecretClient returns Certificates together with Secrets from the Azure Key Vault #39002

Open
oleksandrmeleshchuk-epm opened this issue Dec 30, 2024 · 5 comments
Assignees
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. KeyVault question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@oleksandrmeleshchuk-epm

oleksandrmeleshchuk-epm commented Dec 30, 2024

  • Package Name: azure.keyvault.secrets
  • Package Version: latest (4.9.0)
  • Operating System: Windows 11 x64 Pro
  • Python Version: Python 3.9.6

Describe the bug
```python
from datetime import timezone

from azure.core.exceptions import HttpResponseError
from azure.keyvault.secrets import SecretClient


def get_secrets(key_vault_uri, credentials):
    secret_client = SecretClient(vault_url=key_vault_uri, credential=credentials)
    items = {
        "secrets": []
    }

    try:
        secret_list = secret_client.list_properties_of_secrets()
        for secret in secret_list:
            secret_data = secret_client.get_secret(secret.name)
            expires_on = secret_data.properties.expires_on
            # Normalize naive timestamps to UTC before serializing
            if expires_on and expires_on.tzinfo is None:
                expires_on = expires_on.replace(tzinfo=timezone.utc)

            secret_info = {
                'Name': secret.name,
                'Enabled': secret_data.properties.enabled,
                'ExpiresOn': expires_on.isoformat() if expires_on else None,
                'Status': "Active" if secret_data.properties.enabled else "Disabled"
            }
            items["secrets"].append(secret_info)

    except HttpResponseError as e:
        print(f"Error fetching secrets for KeyVault {key_vault_uri}: {e}")
        return []

    return items
```

Returns secrets and certificates instead of secrets only

To Reproduce
Steps to reproduce the behavior:

  1. use this script:

```python
import os
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

KVUri = f"https://xxxxxxxxxxxxxxxxxxxxxxxx.vault.azure.net/"

credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

print(f"Retrieving your secret from KV_NAME.")
secret_list = client.list_properties_of_secrets()
for secret in secret_list:
    secret_data = client.get_secret(secret.name)
    print(f"{secret_data.properties}")
```
2. Prepare Azure Key Vault with:

  • some secrets
  • some certificates

Expected behavior
SecretClient should return only secrets

Screenshots
n/a

Additional context
n/a

@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Dec 30, 2024

Thank you for your feedback. Tagging and routing to the team member best able to assist.

@mccoyp
Member

mccoyp commented Jan 6, 2025

Hi @oleksandrmeleshchuk-epm, thank you for opening an issue! Apologies for the delayed response; I was out of office.

This behavior is actually expected -- when a Key Vault certificate is created, a key and secret with the same name are also created by the service. To quote the service's conceptual documentation:

When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public X.509 certificate metadata.

I'll mark this issue as resolved since I don't believe there are any SDK changes to be made here, but please let me know if you have any other questions or concerns. Thanks again!

@mccoyp mccoyp added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label Jan 6, 2025
@github-actions github-actions bot removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Jan 6, 2025

github-actions bot commented Jan 6, 2025

Hi @oleksandrmeleshchuk-epm. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@oleksandrmeleshchuk-epm
Author

Hi @mccoyp, thanks for the update and the corresponding link to the docs. If so, maybe you have some hints on how to filter the output of the functions mentioned in the ticket description?

@mccoyp
Member

mccoyp commented Jan 7, 2025

Hi @oleksandrmeleshchuk-epm, good question; you can use the SecretProperties.managed attribute to determine if a secret corresponds to a certificate. If the secret backs a certificate, managed will be True.
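An added example (not from the issue author or the Azure SDK) of the filter described above: it checks `managed` on the properties returned by the listing call, so certificate-backed entries are skipped before any `get_secret()` call is made for them. It uses a small stand-in class with the same attribute names as `SecretProperties` and a constructed listing, so it runs without a vault.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


# Stand-in for azure.keyvault.secrets.SecretProperties so the example runs offline.
# Only the attribute names used below (name, enabled, expires_on, managed) are mirrored.
@dataclass
class SecretProperties:
    name: str
    enabled: Optional[bool]
    expires_on: Optional[datetime]
    managed: Optional[bool]  # True when the service manages the secret, e.g. it backs a certificate


def is_certificate_backed(props: SecretProperties) -> bool:
    """A certificate's companion secret is service-managed, so `managed` is True.
    Plain secrets report False or None, both of which map to False here."""
    return bool(props.managed)


def summarize_plain_secrets(listed: Iterable[SecretProperties]) -> List[dict]:
    """Build the report from the listing output only, skipping certificate-backed entries.

    Deciding on the listed properties means get_secret() is never called for a
    certificate's companion secret, whose value is the certificate's private material.
    """
    report = []
    for props in listed:
        if is_certificate_backed(props):
            continue
        expires_on = props.expires_on
        if expires_on is not None and expires_on.tzinfo is None:
            expires_on = expires_on.replace(tzinfo=timezone.utc)
        report.append({
            "Name": props.name,
            "Enabled": props.enabled,
            "ExpiresOn": expires_on.isoformat() if expires_on else None,
            "Status": "Active" if props.enabled else "Disabled",
        })
    return report


# Constructed sample standing in for what list_properties_of_secrets() yields for a vault
# holding two plain secrets and one certificate (with its companion managed secret).
SAMPLE_LISTING = [
    SecretProperties("db-password", True, datetime(2025, 6, 30, 12, 0), False),
    SecretProperties("api-token", False, None, None),
    SecretProperties("tls-cert", True, datetime(2026, 1, 1, tzinfo=timezone.utc), True),
]

if __name__ == "__main__":
    for row in summarize_plain_secrets(SAMPLE_LISTING):
        print(row)
```

With the real SDK, pass the iterator from `client.list_properties_of_secrets()` in place of `SAMPLE_LISTING`; the filter logic is unchanged.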
