Download the public key in .PEM format from Azure Key Vault.

Kesar, Raghav 31 Reputation points
2022-10-06T21:11:03.523+00:00

Is there a Python SDK call to download the public key in .pem format from Azure Key Vault?

Yes, we can download the public key using the Az CLI "az keyvault key download" and directly using the Azure portal, but we are looking for the Python SDK call.

Looking forward to hearing from the Azure team.


Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. Fabian Gonzalez 501 Reputation points Microsoft Employee
    2022-10-10T22:07:28.917+00:00

    @Kesar, Raghav Unfortunately, there's no easy or straightforward way to fetch this with azure-keyvault-keys, but like Jack points out, you can use a key's JsonWebKey or JWK class (a fetched key's .key property) to construct a PEM of the public key. Python's cryptography library may help you with that.

    The following sample shows how to do this with an RSA key, but explains how you can adjust it for EC keys as well:

    key_pem.py Python

    from base64 import urlsafe_b64encode
    from cryptography.hazmat.primitives import serialization
    import jwt  # PyJWT

    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys import KeyClient


    vault_url = "https://{vault-name}.vault.azure.net"
    credential = DefaultAzureCredential()
    client = KeyClient(vault_url, credential)

    key = client.get_key("{key-name}")

    # The JsonWebKey in `key.key` is correct, but may contain fields with None values.
    # Drop those and base64url-encode the byte fields so that PyJWT can parse the JWK.

    usable_jwk = {}
    for k in vars(key.key):
        value = vars(key.key)[k]
        if value:
            usable_jwk[k] = urlsafe_b64encode(value) if isinstance(value, bytes) else value

    # The following code is meant for RSA keys
    # For EC keys, use `jwt.algorithms.ECAlgorithm.from_jwk(usable_jwk)`

    public_key = jwt.algorithms.RSAAlgorithm.from_jwk(usable_jwk)
    public_pem = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    # public_bytes() returns bytes; decode so the PEM prints as text, not as b'...'
    print(public_pem.decode())
    
    2 people found this answer helpful.

2 additional answers

  1. Jack Lichwa 11 Reputation points Microsoft Employee
    2022-10-10T20:53:58.443+00:00

    Key Vault Python SDK can retrieve JSONWebKey only:
    https://learn.microsoft.com/en-us/python/api/azure-keyvault-keys/azure.keyvault.keys.keyvaultkey?view=azure-python#azure-keyvault-keys-keyvaultkey-key.

    You will need to use your own code or openssl to convert it to PEM.

    1 person found this answer helpful.
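As an illustration of the "your own code" route mentioned in this answer, the following added example (not code from any of the answers or from the Azure SDK) builds the SubjectPublicKeyInfo PEM for an RSA key by hand, using only the Python standard library. It assumes the modulus and exponent arrive as raw big-endian bytes, as in the `n` and `e` fields of a fetched key's `.key`; the function names are hypothetical, and EC keys, which need a different AlgorithmIdentifier, are not covered.

```python
import base64

# DER AlgorithmIdentifier: rsaEncryption (OID 1.2.840.113549.1.1.1) + NULL params
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value; long length form for bodies >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _der_uint(raw: bytes) -> bytes:
    """DER INTEGER from unsigned big-endian bytes, as JsonWebKey n / e hold them."""
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:  # a leading 1 bit would read as negative; prepend 0x00
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_jwk_to_pem(n: bytes, e: bytes) -> str:
    """Build a SubjectPublicKeyInfo PEM from a raw RSA modulus and exponent."""
    if not n or not e:
        raise ValueError("n and e are required; is this an RSA key?")
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))  # SEQUENCE {n, e}
    bit_string = _der(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    spki = _der(0x30, RSA_ALG_ID + bit_string)
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    # Constructed sample values, not a real key: 2048-bit all-ones modulus, e = 65537
    print(rsa_jwk_to_pem(b"\xff" * 256, b"\x01\x00\x01"), end="")
```

The resulting file can be checked with `openssl pkey -pubin -in public.pem -noout -text`, which should report the same modulus and exponent as the key in the vault.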

  2. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2022-10-06T23:05:43.047+00:00

    @Kesar, Raghav
    Thank you for your post!

    When it comes to downloading the public key in .pem format from the Azure Key Vault, have you looked into our Azure Key Vault Keys client library for Python documentation? You should be able to do this by using get_key.

    Retrieve a Key:
    get_key retrieves a key previously stored in the Vault.

    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys import KeyClient

    credential = DefaultAzureCredential()

    key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
    key = key_client.get_key("key-name")
    print(key.name)
    

    Additional Link:
    Azure Key Vault Certificates client library for Python
    Azure Key Vault Secrets client library for Python

    If you have any other questions or if these aren't the correct Python SDK calls, please let me know.
    Thank you for your time and patience throughout this issue.

