Tutorial: Use Key Vault references in a Python app

In this tutorial, you learn how to implement Key Vault references in a Python application using App Configuration. It builds on the web app introduced in the quickstart. Before you continue, complete Create a Python app with App Configuration first.

In this tutorial, you learn how to:

  • Create an App Configuration key that references a value stored in Key Vault.
  • Access the value of this key from a Python application.

Prerequisites

Create a key vault

  1. Sign in to the Azure portal, and then select Create a resource.

  2. In the search box, enter Key Vault. In the result list, select Key Vault.

  3. On the Key Vault page, select Create.

  4. On the Create a key vault page, enter the following information:

    • For Subscription: Select a subscription.
    • For Resource group: Enter the name of an existing resource group or select Create new and enter a resource group name.
    • For Key vault name: Enter a unique name.
    • For Region: Select a location.
  5. For the other options, use the default values.

  6. Select Review + create.

  7. After the system validates and displays your inputs, select Create.

At this point, your Azure account is the only one authorized to access this new vault.

Add a secret to Key Vault

Add a secret to the vault to test Key Vault retrieval. The secret is called Message, and its value is "Hello from Key Vault."

  1. On the Key Vault resource menu, select Objects > Secrets.

  2. Select Generate/Import.

  3. In the Create a secret dialog, enter the following values:

    • For Upload options: Enter Manual.
    • For Name: Enter Message.
    • For Secret value: Enter Hello from Key Vault.
  4. For the other options, use the default values.

  5. Select Create.

Add a Key Vault reference to App Configuration

  1. Sign in to the Azure portal. Select All resources, and then select your App Configuration store.

  2. Select Configuration Explorer.

  3. Select + Create > Key vault reference, and then specify the following values:

    • Key: Enter TestApp:Settings:KeyVaultMessage.
    • Label: Leave this value blank.
    • Subscription, Resource group, and Key vault: Enter the values corresponding to the key vault you created in the previous section.
    • Secret: Select the secret named Message that you created in the previous section.
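The setting created in this step stores only a pointer to the secret (a JSON value with a `uri` field and a Key Vault reference content type), not the secret itself. The following is an added example, not part of the original tutorial: it parses such a setting offline and checks the vault host against an allowlist before anything resolves it. The vault names `contoso-kv` and `other-kv`, the allowlist, and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Media type App Configuration assigns to Key Vault reference settings.
KEYVAULT_REF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json"


def parse_keyvault_reference(content_type, value):
    """Return (vault_host, secret_name, version); raise ValueError if malformed."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != KEYVAULT_REF_CONTENT_TYPE:
        raise ValueError("setting is not a Key Vault reference")
    parts = urlsplit(json.loads(value).get("uri", ""))
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("reference must be an https URI")
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError("reference must point at /secrets/<name>[/<version>]")
    version = segments[2] if len(segments) == 3 else None
    return parts.hostname.lower(), segments[1], version


def audit_reference(key, content_type, value, allowed_vaults):
    """Return a list of findings for one setting (hypothetical policy)."""
    try:
        host, secret, version = parse_keyvault_reference(content_type, value)
    except (ValueError, AttributeError, TypeError) as exc:
        return [f"{key}: {exc}"]
    findings = []
    if host not in allowed_vaults:  # exact host match, no suffix matching
        findings.append(f"{key}: vault {host} is not on the allowlist")
    if version is None:  # informational: the value changes when the secret rotates
        findings.append(f"{key}: resolves to the latest version of '{secret}'")
    return findings


# Constructed sample settings; vault names and the version are placeholders.
ALLOWED = {"contoso-kv.vault.azure.net"}
CT = KEYVAULT_REF_CONTENT_TYPE + ";charset=utf-8"
SAMPLES = [
    ("TestApp:Settings:KeyVaultMessage", CT,
     '{"uri":"https://contoso-kv.vault.azure.net/secrets/Message"}'),
    ("TestApp:Settings:Other", CT,
     '{"uri":"https://other-kv.vault.azure.net/secrets/Message/0123abcd"}'),
]

if __name__ == "__main__":
    for key, ct, value in SAMPLES:
        print(key, audit_reference(key, ct, value, ALLOWED))
```

Because anyone who can write to the App Configuration store can repoint a reference, a check like this fits in a deployment pipeline or a periodic audit of the store's settings.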

Grant your app access to Key Vault

Your application uses DefaultAzureCredential to authenticate to both App Configuration and Key Vault. This credential automatically works with managed identities in Azure, and with your developer credentials locally.

  1. Grant your identity access to Key Vault. Assign the Key Vault Secrets User role to your user account or managed identity:

    az role assignment create --role "Key Vault Secrets User" --scope /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.KeyVault/vaults/<KeyVaultName> --assignee <AzureAdUserOrManagedIdentity>
    
  2. Grant your identity access to App Configuration. Assign the App Configuration Data Reader role:

    az role assignment create --role "App Configuration Data Reader" --scope /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.AppConfiguration/configurationStores/<AppConfigurationStoreName> --assignee <AzureAdUserOrManagedIdentity>
    

Update your code to use a Key Vault reference

  1. Install the required packages by running the following command:

    pip install azure-appconfiguration-provider azure-identity
    
  2. Create an environment variable called AZURE_APPCONFIG_ENDPOINT. Set its value to the endpoint of your App Configuration store. You can find the endpoint on the Overview blade in the Azure portal.

    setx AZURE_APPCONFIG_ENDPOINT "endpoint-of-your-app-configuration-store"
    

    Restart the command prompt to allow the change to take effect.

  3. Update your Python application file to load Key Vault references. Create or update a file called app.py:

    from azure.appconfiguration.provider import load
    from azure.identity import DefaultAzureCredential
    import os
    
    endpoint = os.environ.get("AZURE_APPCONFIG_ENDPOINT")
    credential = DefaultAzureCredential()
    
    # Connect to Azure App Configuration and resolve Key Vault references.
    config = load(
        endpoint=endpoint,
        credential=credential,
        keyvault_credential=credential,
    )
    
    # Access configuration values, including resolved Key Vault references.
    print(config["TestApp:Settings:KeyVaultMessage"])
    

    The keyvault_credential parameter tells the provider to use the given credential when resolving Key Vault references. The same DefaultAzureCredential instance is used for both App Configuration and Key Vault authentication.

    Note

    If your Key Vault references point to multiple key vaults that require different credentials, you can use the keyvault_client_configs parameter instead to provide per-vault credentials. For more information, see the Python provider reference.

  4. Run the application:

    python app.py
    

    You see the message that you entered in App Configuration. You also see the message that you entered in Key Vault, resolved through the Key Vault reference.

Clean up resources

If you don't want to continue using the resources created in this article, delete the resource group you created here to avoid charges.

Important

Deleting a resource group is irreversible. The resource group and all the resources in it are permanently deleted. Ensure that you don't accidentally delete the wrong resource group or resources. If you created the resources for this article inside a resource group that contains other resources you want to keep, delete each resource individually from its respective pane instead of deleting the resource group.

  1. Sign in to the Azure portal, and select Resource groups.
  2. In the Filter by name box, enter the name of your resource group.
  3. In the result list, select the resource group name to see an overview.
  4. Select Delete resource group.
  5. You're asked to confirm the deletion of the resource group. Enter the name of your resource group to confirm, and select Delete.

After a few moments, the resource group and all its resources are deleted.

Next steps

In this tutorial, you created an App Configuration key that references a value stored in Key Vault. To learn more about the Python provider for Azure App Configuration, see the Python provider reference documentation.