Quickstart: Azure Key Vault keys client library for Python
Get started with the Azure Key Vault client library for Python. Follow these steps to install the package and try out example code for basic tasks. By using Key Vault to store cryptographic keys, you avoid storing such keys in your code, which increases the security of your app.
API reference documentation | Library source code | Package (Python Package Index)
Prerequisites
- An Azure subscription - Create a trial subscription.
- Python 3.7+
- Azure CLI
This quickstart assumes you're running Azure CLI or Azure PowerShell in a Linux terminal window.
Set up your local environment
This quickstart is using the Azure Identity library with Azure CLI or Azure PowerShell to authenticate the user to Azure services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls. For more information, see Authenticate the client with Azure Identity client library.
Sign in to Azure
Run the
login
command.az cloud set -n AzureChinaCloud az login # az cloud set -n AzureCloud //means return to Public Azure.
If the CLI can open your default browser, it will do so and load an Azure sign-in page.
Otherwise, open a browser page at https://login.partner.microsoftonline.cn/common/oauth2/deviceauth and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.
Install the packages
In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on Use Python virtual environments.
Install the Microsoft Entra identity library:
pip install azure-identity
Install the Key Vault key client library:
pip install azure-keyvault-keys
Create a resource group and key vault
Use the
az group create
command to create a resource group:az group create --name myResourceGroup --location chinaeast
You can change "chinaeast" to a location nearer to you, if you prefer.
Use
az keyvault create
to create the key vault:az keyvault create --name <your-unique-keyvault-name> --resource-group myResourceGroup
Replace
<your-unique-keyvault-name>
with a name that's unique across all of Azure. You typically use your personal or company name along with other numbers and identifiers.
Set the KEY_VAULT_NAME environmental variable
Our script will use the value assigned to the KEY_VAULT_NAME
environment variable as the name of the key vault. You must therefore set this value using the following command:
export KEY_VAULT_NAME=<your-unique-keyvault-name>
Grant access to your key vault
To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command az role assignment create.
az role assignment create --role "Key Vault Secrets User" --assignee "<app-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
Replace <app-id>
, <subscription-id>
, <resource-group-name>
and <your-unique-keyvault-name>
with your actual values. <app-id>
is the Application (client) ID of your registered application in Azure Entra.
Create the sample code
The Azure Key Vault key client library for Python allows you to manage cryptographic keys. The following code sample demonstrates how to create a client, set a key, retrieve a key, and delete a key.
Create a file named kv_keys.py that contains this code.
import os
from azure.keyvault.keys import KeyClient
from azure.identity import DefaultAzureCredential
keyVaultName = os.environ["KEY_VAULT_NAME"]
KVUri = "https://" + keyVaultName + ".vault.azure.cn"
credential = DefaultAzureCredential()
client = KeyClient(vault_url=KVUri, credential=credential)
keyName = input("Input a name for your key > ")
print(f"Creating a key in {keyVaultName} called '{keyName}' ...")
rsa_key = client.create_rsa_key(keyName, size=2048)
print(" done.")
print(f"Retrieving your key from {keyVaultName}.")
retrieved_key = client.get_key(keyName)
print(f"Key with name '{retrieved_key.name}' was found.")
print(f"Deleting your key from {keyVaultName} ...")
poller = client.begin_delete_key(keyName)
deleted_key = poller.result()
print(" done.")
Run the code
Make sure the code in the previous section is in a file named kv_keys.py. Then run the code with the following command:
python kv_keys.py
Rerunning the code with the same key name may produce the error, "(Conflict) Key <name> is currently in a deleted but recoverable state." Use a different key name.
Code details
Authenticate and create a client
Application requests to most Azure services must be authorized. Using the DefaultAzureCredential class provided by the Azure Identity client library is the recommended approach for implementing passwordless connections to Azure services in your code. DefaultAzureCredential
supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.
In this quickstart, DefaultAzureCredential
authenticates to key vault using the credentials of the local development user logged into the Azure CLI. When the application is deployed to Azure, the same DefaultAzureCredential
code can automatically discover and use a managed identity that is assigned to an App Service, Virtual Machine, or other services. For more information, see Managed Identity Overview.
In the example code, the name of your key vault is expanded using the value of the KVUri
variable, in the format: "https://<your-key-vault-name>.vault.azure.cn".
credential = DefaultAzureCredential()
client = KeyClient(vault_url=KVUri, credential=credential)
Save a key
Once you've obtained the client object for the key vault, you can store a key using the create_rsa_key method:
rsa_key = client.create_rsa_key(keyName, size=2048)
You can also use create_key or create_ec_key.
Calling a create
method generates a call to the Azure REST API for the key vault.
When Azure handles the request, it authenticates the caller's identity (the service principal) using the credential object you provided to the client.
Retrieve a key
To read a key from Key Vault, use the get_key method:
retrieved_key = client.get_key(keyName)
You can also verify that the key has been set with the Azure CLI command az keyvault key show or the Azure PowerShell cmdlet Get-AzKeyVaultKey.
Delete a key
To delete a key, use the begin_delete_key method:
poller = client.begin_delete_key(keyName)
deleted_key = poller.result()
The begin_delete_key
method is asynchronous and returns a poller object. Calling the poller's result
method waits for its completion.
You can verify that the key is deleted with the Azure CLI command az keyvault key show or the Azure PowerShell cmdlet Get-AzKeyVaultKey.
Once deleted, a key remains in a deleted but recoverable state for a time. If you run the code again, use a different key name.
Clean up resources
If you want to also experiment with certificates and secrets, you can reuse the Key Vault created in this article.
Otherwise, when you're finished with the resources created in this article, use the following command to delete the resource group and all its contained resources:
az group delete --resource-group myResourceGroup