Azure Keyvault Py

1---
2name: azure-keyvault-py
3description: |
4  Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.
5  Triggers: "key vault", "SecretClient", "KeyClient", "CertificateClient", "secrets", "encryption keys".
6package: azure-keyvault-secrets, azure-keyvault-keys, azure-keyvault-certificates
7---
8 
9# Azure Key Vault SDK for Python
10 
11Secure storage and management for secrets, cryptographic keys, and certificates.
12 
13## Installation
14 
15```bash
16# Secrets
17pip install azure-keyvault-secrets azure-identity
18 
19# Keys (cryptographic operations)
20pip install azure-keyvault-keys azure-identity
21 
22# Certificates
23pip install azure-keyvault-certificates azure-identity
24 
25# All
26pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity
27```
28 
29## Environment Variables
30 
31```bash
32AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
33```
34 
35## Secrets
36 
37### SecretClient Setup
38 
39```python
40from azure.identity import DefaultAzureCredential
41from azure.keyvault.secrets import SecretClient
42 
43credential = DefaultAzureCredential()
44vault_url = "https://<vault-name>.vault.azure.net/"
45 
46client = SecretClient(vault_url=vault_url, credential=credential)
47```
48 
49### Secret Operations
50 
51```python
52# Set secret
53secret = client.set_secret("database-password", "super-secret-value")
54print(f"Created: {secret.name}, version: {secret.properties.version}")
55 
56# Get secret
57secret = client.get_secret("database-password")
58print(f"Value: {secret.value}")
59 
60# Get specific version
61secret = client.get_secret("database-password", version="abc123")
62 
63# List secrets (names only, not values)
64for secret_properties in client.list_properties_of_secrets():
65    print(f"Secret: {secret_properties.name}")
66 
67# List versions
68for version in client.list_properties_of_secret_versions("database-password"):
69    print(f"Version: {version.version}, Created: {version.created_on}")
70 
71# Delete secret (soft delete)
72poller = client.begin_delete_secret("database-password")
73deleted_secret = poller.result()
74 
75# Purge (permanent delete, if soft-delete enabled)
76client.purge_deleted_secret("database-password")
77 
78# Recover deleted secret
79client.begin_recover_deleted_secret("database-password").result()
80```
81 
82## Keys
83 
84### KeyClient Setup
85 
86```python
87from azure.identity import DefaultAzureCredential
88from azure.keyvault.keys import KeyClient
89 
90credential = DefaultAzureCredential()
91vault_url = "https://<vault-name>.vault.azure.net/"
92 
93client = KeyClient(vault_url=vault_url, credential=credential)
94```
95 
96### Key Operations
97 
98```python
99from azure.keyvault.keys import KeyType
100 
101# Create RSA key
102rsa_key = client.create_rsa_key("rsa-key", size=2048)
103 
104# Create EC key
105ec_key = client.create_ec_key("ec-key", curve="P-256")
106 
107# Get key
108key = client.get_key("rsa-key")
109print(f"Key type: {key.key_type}")
110 
111# List keys
112for key_properties in client.list_properties_of_keys():
113    print(f"Key: {key_properties.name}")
114 
115# Delete key
116poller = client.begin_delete_key("rsa-key")
117deleted_key = poller.result()
118```
119 
120### Cryptographic Operations
121 
122```python
123from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm
124 
125# Get crypto client for a specific key
126crypto_client = CryptographyClient(key, credential=credential)
127# Or from key ID
128crypto_client = CryptographyClient(
129    "https://<vault>.vault.azure.net/keys/<key-name>/<version>",
130    credential=credential
131)
132 
133# Encrypt
134plaintext = b"Hello, Key Vault!"
135result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
136ciphertext = result.ciphertext
137 
138# Decrypt
139result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
140decrypted = result.plaintext
141 
142# Sign
143from azure.keyvault.keys.crypto import SignatureAlgorithm
144import hashlib
145 
146digest = hashlib.sha256(b"data to sign").digest()
147result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
148signature = result.signature
149 
150# Verify
151result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
152print(f"Valid: {result.is_valid}")
153```
154 
155## Certificates
156 
157### CertificateClient Setup
158 
159```python
160from azure.identity import DefaultAzureCredential
161from azure.keyvault.certificates import CertificateClient, CertificatePolicy
162 
163credential = DefaultAzureCredential()
164vault_url = "https://<vault-name>.vault.azure.net/"
165 
166client = CertificateClient(vault_url=vault_url, credential=credential)
167```
168 
169### Certificate Operations
170 
171```python
172# Create self-signed certificate
173policy = CertificatePolicy.get_default()
174poller = client.begin_create_certificate("my-cert", policy=policy)
175certificate = poller.result()
176 
177# Get certificate
178certificate = client.get_certificate("my-cert")
179print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")
180 
181# Get certificate with private key (as secret)
182from azure.keyvault.secrets import SecretClient
183secret_client = SecretClient(vault_url=vault_url, credential=credential)
184cert_secret = secret_client.get_secret("my-cert")
185# cert_secret.value contains PEM or PKCS12
186 
187# List certificates
188for cert in client.list_properties_of_certificates():
189    print(f"Certificate: {cert.name}")
190 
191# Delete certificate
192poller = client.begin_delete_certificate("my-cert")
193deleted = poller.result()
194```
195 
196## Client Types Table
197 
198| Client | Package | Purpose |
199|--------|---------|---------|
200| `SecretClient` | `azure-keyvault-secrets` | Store/retrieve secrets |
201| `KeyClient` | `azure-keyvault-keys` | Manage cryptographic keys |
202| `CryptographyClient` | `azure-keyvault-keys` | Encrypt/decrypt/sign/verify |
203| `CertificateClient` | `azure-keyvault-certificates` | Manage certificates |
204 
205## Async Clients
206 
207```python
208from azure.identity.aio import DefaultAzureCredential
209from azure.keyvault.secrets.aio import SecretClient
210 
211async def get_secret():
212    credential = DefaultAzureCredential()
213    client = SecretClient(vault_url=vault_url, credential=credential)
214    
215    async with client:
216        secret = await client.get_secret("my-secret")
217        print(secret.value)
218 
219import asyncio
220asyncio.run(get_secret())
221```
222 
223## Error Handling
224 
225```python
226from azure.core.exceptions import ResourceNotFoundError, HttpResponseError
227 
228try:
229    secret = client.get_secret("nonexistent")
230except ResourceNotFoundError:
231    print("Secret not found")
232except HttpResponseError as e:
233    if e.status_code == 403:
234        print("Access denied - check RBAC permissions")
235    raise
236```
237 
238## Best Practices
239 
2401. **Use DefaultAzureCredential** for authentication
2412. **Use managed identity** in Azure-hosted applications
2423. **Enable soft-delete** for recovery (enabled by default)
2434. **Use RBAC** over access policies for fine-grained control
2445. **Rotate secrets** regularly using versioning
2456. **Use Key Vault references** in App Service/Functions config
2467. **Cache secrets** appropriately to reduce API calls
2478. **Use async clients** for high-throughput scenarios
248