Is there a python sdk call to download the publickey in .pem format from the azure keyvault.

Yes, we can download the publickey using the Az CLI "az keyvault key download " and directly using the azure portal, but we are looking for the python sdk call

Looking forward to the azure team.

@JamesTran-MSFT By any chance you find out the correct pyhton SDK call for retrieving the publickey from the keyvault. ?

key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)
key = key_client.get_key("key-name") >> gives the key name stored in the keyvault not the actual public key

we are looking for

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzkA+yiEvKHY5SbCcwwY376BZHowPTeDpLzKuAAd5N0QMjCu8GS8OVDnkhu1NxZl30OqvTTVTdd756TOAtALy3/dVVJbe/rB7K0ry/+mkZoWz922KgqXb+BeF+TMficf+zOgkd1PIkzuiiI4OMbIDnLqEd5Hka1RQFwKCzrHHA+V29LJWH0geHe7FlichTk0AHyFBRnhThyT2tS1Q/REaAI/eq5yiIIXcudwpNlZpsUmnEKmiqZA7yo9eyj1u7JD3ngAKvgDYnX+J0R7fwie1DzzZfdC4sBZfeOthI4aFIfSCAKejnDeLAS3PcQUfh61b6xj+5rZts0zISx7Dz3RQFQIDAQAB
-----END PUBLIC KEY-----

Please anyone who is aware of this issue, can bring some light into it.

Thanks

@Kesar, Raghav
Thank you for following up on this and for sharing more details!

I've reached out to our Key Vault engineering team to see if they have any documentation or resources for downloading the public key in .pem format from the Azure Key Vault using the Python SDK. In the meantime, were you able to look through our Azure Key Vault Keys client library for Python documentation?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Thanks James for your response, I have thoroughly looked into this document Azure Key Vault Keys client library for Python
There we have all the functionalities of keyvault other than downloading of the public key in .pem format

Below is the code to retrieve the key version, name and url but no option to retrieve or download the complete key in .pem format

get the latest version of a key

key = key_client.get_key(key_name)

alternatively, specify a version

key_version = key.properties.version
key = key_client.get_key(key_name, key_version)
print(key.id)
print(key.name)
print(key.properties.version)
print(key.key_type)
print(key.properties.vault_url)

I hope and certainly very positive that "Azure Key Vault engineering team " will have a concrete response to this query,
Waiting to hear it back from the team and again thanks for your follow up, appreciate and thanks.

@Kesar, Raghav Unfortunately, there's no easy or straightforward way to fetch this with azure-keyvault-keys, but like Jack points out you can use a key's JsonWebKey or JWK class (A fetched key's .key property) to construct a PEM of the public key. The Python's cryptography library may help you with that.

The following sample shows how to do this with an RSA key, but explains how you can adjust it for EC keys as well:

key_pem.py Python

from base64 import urlsafe_b64encode  
from cryptography.hazmat.primitives import serialization  
import jwt  
  
from azure.identity import DefaultAzureCredential  
from azure.keyvault.keys import KeyClient  
  
  
vault_url= "https://{vault-name}.vault.azure.net"  
credential = DefaultAzureCredential()  
client = KeyClient(vault_url, credential)  
  
key = client.get_key("{key-name}")  
  
# The JsonWebKey in `key.key` is correct, but may contain fields with None values  
  
usable_jwk = {}  
for k in vars(key.key):  
    value = vars(key.key)[k]  
    if value:  
        usable_jwk[k] = urlsafe_b64encode(value) if isinstance(value, bytes) else value  
  
# The following code is meant for RSA keys  
# For EC keys, use `jwt.algorithms.ECAlgorithm.from_jwk(usable_jwk)`  
  
public_key = jwt.algorithms.RSAAlgorithm.from_jwk(usable_jwk)  
public_pem = public_key.public_bytes(  
    encoding=serialization.Encoding.PEM,  
    format=serialization.PublicFormat.SubjectPublicKeyInfo  
)  
print(public_pem)  

Dear FabianGonzalez-MSFT and JackLichwa-7558

Thanks for your follow up and providing the exact solution to this problem, It is working perfectly fine for me
You can close this thread and thanks to @azure team for helping in this matter. :)

I am happy to hear this has helped you!! The code came from one of our best Software Engineers on the Azure SDK - Python side, McCoy Patiño. :)

Hi, Im using this method and azure batch to execute the python code, the python version is 3.8, however ot throws me this error message: TypeError: the JSON object must be str, bytes or bytearray, not 'dict' in azure key to pem format for the line public_key = jwt.algorithms.RSAAlgorithm.from_jwk(usable_jwk). Could you please help me?

Key Vault Python SDK can retrieve JSONWebKey only:
https://learn.microsoft.com/en-us/python/api/azure-keyvault-keys/azure.keyvault.keys.keyvaultkey?view=azure-python#azure-keyvault-keys-keyvaultkey-key.

You will need to use your own code or openssl to convert it to PEM.

@Kesar, Raghav
Thank you for the quick follow up on this!

Adding onto what was shared by @Jack Lichwa who also shared an answer on a related Stack Overflow thread:

Because the Azure CLI is written in Python using the management libraries, anything you can do with Azure CLI commands, you can also do from a Python script. Using the below AzCLI command az keyvault key download, you can retrieve the PEM format of a Key. For more info - Azure libraries (SDK) for Python.

az keyvault key download --vault-name ContosoVault  -n ContosoKey -e PEM -f mykey.pem   

I hope this helps!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

@Kesar, Raghav
Thank you for your post!

When it comes to downloading the public key in .pem format from the Azure Key Vault, have you looked into our Azure Key Vault Keys client library for Python documentation? You should be able to do this by using get_key.

Retrieve a Key:
get_key retrieves a key previously stored in the Vault.

from azure.identity import DefaultAzureCredential  
from azure.keyvault.keys import KeyClient  
  
credential = DefaultAzureCredential()  
  
key_client = KeyClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)  
key = key_client.get_key("key-name")  
print(key.name)  

Additional Link:
Azure Key Vault Certificates client library for Python
Azure Key Vault Secrets client library for Python

If you have any other questions or if these aren't the correct Python SDK calls, please let me know.
Thank you for your time and patience throughout this issue.

Hi, Im using this method and azure batch to execute the python code, the python version is 3.8, however ot throws me this error message: TypeError: the JSON object must be str, bytes or bytearray, not 'dict' in azure key to pem format for the line public_key = jwt.algorithms.RSAAlgorithm.from_jwk(usable_jwk). Could you please help me?