The Azure Key Vault service provides secure storage of secrets, keys, and certificates. Below are practical Python snippets demonstrating common operations using the azure-keyvault-secrets and azure-keyvault-keys packages.
Setup
pip install
```bash
pip install azure-identity azure-keyvault-secrets azure-keyvault-keys
```
Authentication
Python – DefaultAzureCredential
```python
from azure.identity import DefaultAzureCredential

# Uses environment variables, managed identity, Azure CLI, etc.
credential = DefaultAzureCredential()
```
Create / Set a Secret
Python – Set Secret
```python
from azure.keyvault.secrets import SecretClient

vault_url = "https://my-keyvault.vault.azure.net/"
client = SecretClient(vault_url=vault_url, credential=credential)

# Set a secret
secret_name = "DatabasePassword"
# Example value only; load real values from a secure source instead of hard-coding them.
secret_value = "S3cr3tP@ssw0rd!"
client.set_secret(secret_name, secret_value)
```
Retrieve a Secret
Python – Get Secret
```python
retrieved = client.get_secret(secret_name)
# Printed here for demonstration; keep secret values out of application logs.
print(f"Secret value: {retrieved.value}")
```
Delete a Secret
Python – Delete Secret
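```python
# begin_delete_secret returns a poller; result() waits for the deletion to finish.
# On vaults with soft-delete enabled, the secret stays recoverable until it is
# purged or the retention period ends.
deleted_secret = client.begin_delete_secret(secret_name).result()
print(f"Deleted secret: {deleted_secret.name}")
```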
Create a Key
Python – Create RSA Key
```python
from azure.keyvault.keys import KeyClient

key_client = KeyClient(vault_url=vault_url, credential=credential)

key_name = "my-rsa-key"
# The private key is generated inside the vault and stays there.
key = key_client.create_rsa_key(key_name, size=2048)
print(f"Created key: {key.name}")
```
Sign Data with a Key
Python – Sign with RSA
```python
import hashlib

from azure.keyvault.keys.crypto import CryptographyClient, SignatureAlgorithm

# The signing operation runs in Key Vault; the private key is never downloaded.
crypto_client = CryptographyClient(key, credential=credential)

message = b"Important message"
# sign() expects the SHA-256 digest of the message, not the message itself.
digest = hashlib.sha256(message).digest()
sign_result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
print(f"Signature: {sign_result.signature.hex()}")
```
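The snippet above signs a digest but never checks the result. The following added example (not from the original page or the Azure SDK) shows, with the standard library only, what an RS256 verifier does when it holds just the public modulus and exponent. The key built from two Mersenne primes and the `toy_sign` helper are constructed stand-ins for the vault so the example runs offline.

```python
import hashlib
import hmac

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(digest: bytes, k: int) -> bytes:
    """Build the k-byte block 00 01 FF..FF 00 DigestInfo that RS256 signs."""
    if len(digest) != 32:
        raise ValueError("RS256 takes a 32-byte SHA-256 digest, not the message")
    t = SHA256_PREFIX + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(n: int, e: int, digest: bytes, signature: bytes) -> bool:
    """Public-key-only check: re-encode the digest and compare whole blocks."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(digest, k))


# Constructed stand-in key (two Mersenne primes) so the example runs offline.
# Not a secure key; with Key Vault, n and e come from the key's public JWK.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def toy_sign(digest: bytes) -> bytes:
    """Stand-in for crypto_client.sign(SignatureAlgorithm.rs256, digest)."""
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(digest, k), "big")
    return pow(em, D, N).to_bytes(k, "big")


if __name__ == "__main__":
    digest = hashlib.sha256(b"Important message").digest()
    sig = toy_sign(digest)
    print(verify_rs256(N, E, digest, sig))                               # True
    print(verify_rs256(N, E, hashlib.sha256(b"tampered").digest(), sig))  # False
```

Comparing the full re-encoded block, rather than parsing the padding out of the recovered value, is what keeps the verifier from accepting malformed padding.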
Next Steps
- Explore Key Vault concepts.
- Integrate with Azure Managed Identities for zero‑code credential management.
- Use azure-keyvault-certificates to store and rotate certificates.