Implementation:Microsoft Semantic kernel Concepts OpenAPI Resource
| Knowledge Sources | |
|---|---|
| Domains | OpenAPI, Azure_Key_Vault |
| Last Updated | 2026-02-11 00:00 GMT |
Overview
Concrete Swagger 2.0 OpenAPI specification for the Azure Key Vault REST API used as a sample connector resource in the Semantic Kernel Concepts samples.
Description
This file is a Swagger 2.0 JSON specification that describes a sample connector for the Azure Key Vault service. It defines endpoints for managing cryptographic keys and secrets via the Key Vault REST API (version 7.0). The specification includes the following operations:
- Keys: ListKey (GET /keys), GetKey (GET /keys/{key-name}), CreateKey (POST /keys/{key-name}/create), Decrypt (POST /keys/{key-name}/decrypt), Encrypt (POST /keys/{key-name}/encrypt)
- Secrets: ListSecret (GET /secrets), GetSecret (GET /secrets/{secret-name}), SetSecret (PUT /secrets/{secret-name}), ListSecretVersions (GET /secrets/{secret-name}/versions), GetSecretVersion (GET /secrets/{secret-name}/{secret-version})
The specification uses OAuth2 access code flow for security (oauth2_auth) with Azure AD authorization endpoints at login.windows.net. The host is set to my-key-vault.vault.azure.net as a placeholder.
Usage
This file is referenced in the Concepts sample project (sample number 22) to demonstrate how Semantic Kernel can import and use OpenAPI specifications as plugins. Developers use it to learn how to integrate external REST APIs (like Azure Key Vault) into Semantic Kernel pipelines via the OpenAPI plugin import mechanism.
Code Reference
Source Location
- Repository: Microsoft_Semantic_kernel
- File: dotnet/samples/Concepts/Resources/22-openapi.json
- Lines: 1-867
Signature
```json
{
  "basePath": "/",
  "host": "my-key-vault.vault.azure.net",
  "info": {
    "description": "A sample connector for the Azure Key Vault service.",
    "title": "Azure Key Vault [Sample]",
    "version": "1.0"
  },
  "paths": {
    "/keys": { "get": { "operationId": "ListKey", "summary": "List keys" } },
    "/keys/{key-name}": { "get": { "operationId": "GetKey", "summary": "Get key" } },
    "/keys/{key-name}/create": { "post": { "operationId": "CreateKey", "summary": "Create key" } },
    "/keys/{key-name}/decrypt": { "post": { "operationId": "Decrypt", "summary": "Decrypt data" } },
    "/keys/{key-name}/encrypt": { "post": { "operationId": "Encrypt", "summary": "Encrypt data" } },
    "/secrets": { "get": { "operationId": "ListSecret", "summary": "List secrets" } },
    "/secrets/{secret-name}": {
      "get": { "operationId": "GetSecret", "summary": "Get secret" },
      "put": { "operationId": "SetSecret", "summary": "Create or update secret value" }
    }
  },
  "swagger": "2.0",
  "schemes": ["https"]
}
```
Import
```csharp
// In Concepts sample 22, the spec is loaded as an embedded resource:
using var stream = typeof(Concepts).Assembly
    .GetManifestResourceStream("Resources.22-openapi.json");

// Or loaded from disk:
await kernel.ImportPluginFromOpenApiAsync("AzureKeyVault",
    Path.Combine("Resources", "22-openapi.json"));
```
I/O Contract
Inputs
| Name | Type | Required | Description |
|---|---|---|---|
| key-name | string (path) | yes | Name of the cryptographic key in the vault (for key operations). |
| secret-name | string (path) | yes | Name of the secret in the vault (for secret operations). |
| secret-version | string (path) | yes | Version identifier of a secret (for GetSecretVersion). |
| api-version | string (query) | yes | API version, defaults to "7.0". Marked as internal visibility. |
| maxresults | string/integer (query) | no | Maximum number of results to return per page. |
| kty | string (body) | yes | Key type for CreateKey: EC, EC-HSM, RSA, RSA-HSM, or oct. |
| alg | string (body) | yes | Encryption algorithm for Encrypt/Decrypt: RSA-OAEP, RSA-OAEP-256, or RSA1_5. |
| value | string (body) | yes | Data payload for encrypt/decrypt operations or secret value for SetSecret. |
Outputs
| Name | Type | Description |
|---|---|---|
| key | object | Key material including kid (key identifier), kty (key type), key_ops (operations), e (exponent), n (modulus). |
| attributes | object | Key/secret attributes: created and updated timestamps, plus enabled and recoverylevel. |
| value | string | Decrypted data, encrypted data, or secret value depending on the operation. |
| nextLink | string | Pagination link for list operations. |
Usage Examples
Importing the Azure Key Vault Plugin
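```csharp
using Microsoft.SemanticKernel;
using Microsoft.SemanticKernel.Plugins.OpenApi;

// deploymentName, endpoint and apiKey come from the caller's configuration.
var kernel = Kernel.CreateBuilder()
    .AddAzureOpenAIChatCompletion(deploymentName, endpoint, apiKey)
    .Build();

// Import the operations in the spec as kernel functions and send requests
// to a specific vault instead of the spec's placeholder host.
await kernel.ImportPluginFromOpenApiAsync(
    "AzureKeyVault",
    Path.Combine("Resources", "22-openapi.json"),
    new OpenApiFunctionExecutionParameters
    {
        ServerUrlOverride = new Uri("https://my-vault.vault.azure.net")
    });

// Now the kernel can call Key Vault operations as functions:
var result = await kernel.InvokeAsync("AzureKeyVault", "ListKey");
```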
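Importing the spec as shown makes every operation it declares, including Decrypt, GetSecret and SetSecret, a function the kernel can call, so it is worth auditing the spec before import. The following is an added example, not code from the Semantic Kernel samples: it walks a Swagger 2.0 document, checks that transport is HTTPS-only and that each operation carries a security requirement, and returns the operation IDs to withhold under a deny-by-default allowlist. The embedded fragment is constructed from this page's abbreviated listing; its `securityDefinitions`/`security` entries and the `ALLOW` policy are assumptions.

```python
import json

# Constructed fragment based on this page's abbreviated listing; the
# securityDefinitions/security entries are assumed from its description.
SPEC = json.loads("""
{"swagger": "2.0", "schemes": ["https"],
 "securityDefinitions": {"oauth2_auth": {"type": "oauth2", "flow": "accessCode"}},
 "security": [{"oauth2_auth": []}],
 "paths": {
  "/keys": {"get": {"operationId": "ListKey"}},
  "/keys/{key-name}": {"get": {"operationId": "GetKey"}},
  "/keys/{key-name}/create": {"post": {"operationId": "CreateKey"}},
  "/keys/{key-name}/decrypt": {"post": {"operationId": "Decrypt"}},
  "/keys/{key-name}/encrypt": {"post": {"operationId": "Encrypt"}},
  "/secrets": {"get": {"operationId": "ListSecret"}},
  "/secrets/{secret-name}": {"get": {"operationId": "GetSecret"},
                             "put": {"operationId": "SetSecret"}}}}
""")

METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}
# Hypothetical policy: only metadata reads may be exposed to the model.
ALLOW = {"ListKey", "GetKey", "ListSecret", "ListSecretVersions"}


def audit(spec, allow=ALLOW):
    """Return spec-level findings and the operationIds to withhold."""
    findings, exclude = [], []
    if set(spec.get("schemes", [])) != {"https"}:
        findings.append("transport is not pinned to HTTPS only")
    defined = set(spec.get("securityDefinitions", {}))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue  # skip path-level "parameters", "$ref", x- extensions
            op_id = op.get("operationId", f"{method.upper()} {path}")
            # Operation-level security replaces the global list; [] disables it.
            reqs = op.get("security", spec.get("security", []))
            # Alternatives are OR-ed, so every one must name a defined scheme.
            if not (reqs and all(r and set(r) <= defined for r in reqs)):
                findings.append(f"{op_id}: no enforced security requirement")
            if op_id not in allow:
                exclude.append(op_id)  # deny by default
    return {"findings": findings, "exclude": sorted(exclude)}


if __name__ == "__main__":
    print(json.dumps(audit(SPEC), indent=2))
```

The `exclude` list is what you would hand to the importer's operation-exclusion setting (`OperationsToExclude` on `OpenApiFunctionExecutionParameters`), so operations added to the spec later stay unexposed until they are explicitly allowed.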