@Kesar, Raghav Unfortunately, there's no easy or straightforward way to fetch this with azure-keyvault-keys, but like Jack points out you can use a key's JsonWebKey or JWK class (A fetched key's .key property) to construct a PEM of the public key. The Python's cryptography library may help you with that.
The following sample shows how to do this with an RSA key, but explains how you can adjust it for EC keys as well:
key_pem.py Python
from base64 import urlsafe_b64encode
from cryptography.hazmat.primitives import serialization
import jwt
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
vault_url= "https://{vault-name}.vault.azure.net"
credential = DefaultAzureCredential()
client = KeyClient(vault_url, credential)
key = client.get_key("{key-name}")
# The JsonWebKey in `key.key` is correct, but may contain fields with None values
usable_jwk = {}
for k in vars(key.key):
value = vars(key.key)[k]
if value:
usable_jwk[k] = urlsafe_b64encode(value) if isinstance(value, bytes) else value
# The following code is meant for RSA keys
# For EC keys, use `jwt.algorithms.ECAlgorithm.from_jwk(usable_jwk)`
public_key = jwt.algorithms.RSAAlgorithm.from_jwk(usable_jwk)
public_pem = public_key.public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo
)
print(public_pem)