
[Key Vault] Add External Key Manager (EKM) support for Managed HSM (Preview)#33650

Closed
notyashhh wants to merge 3 commits into dev from yash/ekmhsm-public-preview

Conversation

@notyashhh

Member

Related command
az keyvault ekm-connection (create/update/show/check/delete + certificate show)
az keyvault key create --external-key-id

Description
Adds public-preview support for Managed HSM External Key Manager (EKM) to az keyvault.

What's added:

  • New command group az keyvault ekm-connection to wire a Managed HSM to an external key
    manager proxy: create, update, show, check, delete, and certificate show.
  • New --external-key-id flag on az keyvault key create to create EKM-backed external keys.

All new commands and the --external-key-id argument are marked preview (is_preview=True).

This builds on the private-preview implementation and moves it to the public preview SDKs:

  • azure-keyvault-keys==4.12.0b2 — uses the new create_external_key() API and the public
    ExternalKey model.
  • azure-keyvault-administration==4.8.0b1: KeyVaultEkmClient / KeyVaultEkmConnection.

Both SDKs are published on PyPI and require Python >=3.10, which matches the CLI's floor
(python_requires>=3.10), so there is no dependency-resolution impact on CI.

Notes:

  • External keys reject client-specified key type/size/curve/ops; the CLI routes them to the
    dedicated create_external_key() path and omits those attributes.
  • --external-key-id is validated to the public SDK contract ([A-Za-z0-9-], max 64 chars).
  • Removed private-preview artifacts (bundled SDK wheels, temp cert) that were used for the
    internal 1P drop.

Testing Guide
Unit (offline):

azdev test keyvault --tests "Ekm or external_key"

Live smoke (Managed HSM required):

MHSM_ID="https://<your-mhsm>.managedhsm.azure.net"
az keyvault ekm-connection create --id "$MHSM_ID" --host <ekm-proxy-fqdn[:port]> \
  --server-ca-certificate ./chain.pem [--path-prefix /api/v1] [--server-cn <cn>]
az keyvault ekm-connection show  --id "$MHSM_ID"
az keyvault ekm-connection check --id "$MHSM_ID"
az keyvault ekm-connection certificate show --id "$MHSM_ID"

# external (EKM-backed) key
az keyvault key create --id "$MHSM_ID/keys/ekm-key-1" --external-key-id "<ekm-key-id>"
az keyvault key show   --id "$MHSM_ID/keys/ekm-key-1"
az keyvault key delete --id "$MHSM_ID/keys/ekm-key-1"

# regression: normal key still works
az keyvault key create --id "$MHSM_ID/keys/normal-1" --kty RSA --size 2048 --protection hsm
az keyvault key delete --id "$MHSM_ID/keys/normal-1"

History Notes
[Key Vault] az keyvault ekm-connection: Add command group to manage External Key Manager (EKM) connections for Managed HSM (Preview).
[Key Vault] az keyvault key create: Add --external-key-id to create EKM-backed external keys on Managed HSM (Preview).


  • The PR title and description have followed the guideline in Submitting Pull Requests.
  • I adhere to the Command Guidelines.
  • I adhere to the Error Handling Guidelines.

…to public SDKs

- Mark 'keyvault ekm-connection' (+ certificate) command groups and --external-key-id as is_preview=True.
- Use public azure-keyvault-keys create_external_key() and public ExternalKey import.
- Enforce external-key-id <=64 chars per public SDK contract; add boundary test.
- Bump deps to azure-keyvault-keys==4.12.0b2 and azure-keyvault-administration==4.8.0b1 (setup.py + 3 requirements).
- Remove private-preview artifacts (bundled SDK wheels, temp cert).
- Add --server-cn short alias to satisfy option-length linter.
Copilot AI review requested due to automatic review settings June 25, 2026 04:49
@azure-client-tools-bot-prd

Validation for Azure CLI Full Test Starting...

Thanks for your contribution!

@azure-client-tools-bot-prd


Hi @notyashhh,
Since the current milestone time is less than 7 days, this PR will be reviewed in the next milestone.

@azure-client-tools-bot-prd

Validation for Breaking Change Starting...

Thanks for your contribution!

Copilot AI left a comment

Contributor


Pull request overview

Adds public-preview Managed HSM External Key Manager (EKM) support to az keyvault, including new EKM connection management commands and the ability to create EKM-backed external keys, backed by newer (public preview) azure-keyvault-* SDKs.

Changes:

  • Bumps Key Vault data-plane SDK dependencies to public-preview versions needed for EKM/external key APIs.
  • Adds new preview command group az keyvault ekm-connection (create/update/show/check/delete + certificate show) backed by a new data-plane EKM client.
  • Extends az keyvault key create with --external-key-id to create EKM-backed external keys, plus validation/output shaping and unit tests.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

File Description
src/azure-cli/setup.py Pins Key Vault SDK deps to preview versions required for EKM/external key APIs.
src/azure-cli/requirements.py3.windows.txt Mirrors the preview Key Vault SDK pins for Windows packaging.
src/azure-cli/requirements.py3.Linux.txt Mirrors the preview Key Vault SDK pins for Linux packaging.
src/azure-cli/requirements.py3.Darwin.txt Mirrors the preview Key Vault SDK pins for macOS packaging.
src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/test_keyvault_commands.py Adds offline unit tests for external key id validation, EKM host/path validation, and certificate serialization behavior.
src/azure-cli/azure/cli/command_modules/keyvault/custom.py Implements external-key creation path plus EKM connection/certificate operations.
src/azure-cli/azure/cli/command_modules/keyvault/commands.py Registers new preview keyvault ekm-connection command groups and wires validators/client factory.
src/azure-cli/azure/cli/command_modules/keyvault/_validators.py Adds --external-key-id validation and new EKM connection argument validation helpers.
src/azure-cli/azure/cli/command_modules/keyvault/_transformers.py Fixes crypto output hex fields to be strings and surfaces externalKeyId when present.
src/azure-cli/azure/cli/command_modules/keyvault/_params.py Adds --external-key-id and defines argument surface for new ekm-connection commands.
src/azure-cli/azure/cli/command_modules/keyvault/_help.py Adds help entries for the new ekm-connection command group.
src/azure-cli/azure/cli/command_modules/keyvault/_client_factory.py Adds data-plane KeyVaultEkmClient factory for the new commands.


Comment on lines +750 to +754

    def validate_external_key_id(ns):
        external_key_id = getattr(ns, 'external_key_id', None)
        if not external_key_id:
            return
        if len(external_key_id) > 64:
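The validator quoted above is cut off after its length check, and the PR description states the full contract it enforces (ids of [A-Za-z0-9-], at most 64 characters) plus the routing rule that external keys go to create_external_key() with type/size/curve/ops omitted. The following is an added, stand-alone illustration of both rules, not the PR's code nor azure-cli's API: the constant and function names (EXTERNAL_KEY_ID_MAX_LEN, plan_key_create, KEY_MATERIAL_ARGS, etc.) and the sample inputs are assumptions made for this example.

```python
import re

# Constants modelled on the contract quoted in the PR description
# (ids are [A-Za-z0-9-], at most 64 characters). The names below are
# assumptions for this illustration, not identifiers from the CLI source.
EXTERNAL_KEY_ID_MAX_LEN = 64
EXTERNAL_KEY_ID_PATTERN = re.compile(r"[A-Za-z0-9-]+")

# 'key create' options the service rejects for external keys
# (key type, size, curve and operations, per the PR notes).
KEY_MATERIAL_ARGS = ("kty", "size", "curve", "key_ops")


class InvalidExternalKeyId(ValueError):
    """Raised when --external-key-id does not meet the SDK contract."""


def validate_external_key_id(external_key_id):
    """Return the id unchanged if valid, None if absent, else raise.

    The length check runs first so an oversized value is refused before
    the pattern check. Both checks are needed: len() counts code points,
    so a short non-ASCII string passes the length check alone and is only
    caught by the character-class check.
    """
    if not external_key_id:
        return None
    if len(external_key_id) > EXTERNAL_KEY_ID_MAX_LEN:
        raise InvalidExternalKeyId(
            f"external key id is {len(external_key_id)} characters; "
            f"the maximum is {EXTERNAL_KEY_ID_MAX_LEN}")
    if not EXTERNAL_KEY_ID_PATTERN.fullmatch(external_key_id):
        raise InvalidExternalKeyId(
            "external key id may only contain letters, digits and '-'")
    return external_key_id


def rejection_reason(external_key_id):
    """Return None for a valid id, or the validation error text."""
    try:
        validate_external_key_id(external_key_id)
    except InvalidExternalKeyId as exc:
        return str(exc)
    return None


def plan_key_create(name, external_key_id=None, **key_material):
    """Decide which SDK call a 'key create' maps to.

    Returns (path, params, omitted): path is 'external' or 'standard',
    params is what would be sent to the SDK, and omitted lists the
    key-material options the caller supplied that are dropped for an
    external key (so a caller can warn instead of silently ignoring them).
    """
    supplied = {k: v for k, v in key_material.items() if v is not None}
    if external_key_id:
        validate_external_key_id(external_key_id)
        omitted = sorted(k for k in supplied if k in KEY_MATERIAL_ARGS)
        params = {"name": name, "external_key_id": external_key_id}
        return "external", params, omitted
    return "standard", {"name": name, **supplied}, []


if __name__ == "__main__":
    # Constructed sample inputs mirroring the PR's testing guide.
    print(plan_key_create("ekm-key-1", external_key_id="ekm-key-1"))
    print(plan_key_create("normal-1", kty="RSA", size=2048, protection="hsm"))
    print(rejection_reason("a" * 65))
```

The routing function returns the dropped options rather than raising, which follows the description's wording that the CLI "omits those attributes"; surfacing them lets the command layer print a warning so a user who passed --kty or --size alongside --external-key-id is not left believing those settings applied to the external key.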
@notyashhh

notyashhh commented Jun 25, 2026

Member Author

STALE. New PR: #33651

@notyashhh notyashhh closed this Jun 25, 2026
