Quickstart: Azure Key Vault secret client library for Python

Get started with the Azure Key Vault secret client library for Python. Follow these steps to install the package and try out example code for basic tasks. By using Key Vault to store secrets, you avoid storing secrets in your code, which increases the security of your app.

API reference documentation | Library source code | Package (Python Package Index)


This quickstart assumes you're running Azure CLI or Azure PowerShell in a Linux terminal window.

Set up your local environment

This quickstart is using Azure Identity library with Azure CLI or Azure PowerShell to authenticate user to Azure Services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls, for more information, see Authenticate the client with Azure Identity client library.

Sign in to Azure

  1. Run the az login command.

    az login

    If the CLI can open your default browser, it will do so and load an Azure sign-in page.

    Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

  2. Sign in with your account credentials in the browser.

Install the packages

  1. In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on Use Python virtual environments.

  2. Install the Azure Active Directory identity library:

    pip install azure-identity
  3. Install the Key Vault secrets library:

    pip install azure-keyvault-secrets

Create a resource group and key vault

  1. Use the az group create command to create a resource group:

    az group create --name myResourceGroup --location eastus

    You can change "eastus" to a location nearer to you, if you prefer.

  2. Use az keyvault create to create the key vault:

    az keyvault create --name <your-unique-keyvault-name> --resource-group myResourceGroup

    Replace <your-unique-keyvault-name> with a name that's unique across all of Azure. You typically use your personal or company name along with other numbers and identifiers.

Set the KEY_VAULT_NAME environmental variable

Our script will use the value assigned to the KEY_VAULT_NAME environment variable as the name of the key vault. You must therefore set this value using the following command:

export KEY_VAULT_NAME=<your-unique-keyvault-name>

Grant access to your key vault

Create an access policy for your key vault that grants secret permission to your user account.

az keyvault set-policy --name <your-unique-keyvault-name> --upn user@domain.com --secret-permissions delete get list set

Create the sample code

The Azure Key Vault secret client library for Python allows you to manage secrets. The following code sample demonstrates how to create a client, set a secret, retrieve a secret, and delete a secret.

Create a file named kv_secrets.py that contains this code.

import os
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

keyVaultName = os.environ["KEY_VAULT_NAME"]
KVUri = f"https://{keyVaultName}.vault.azure.net"

credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

secretName = input("Input a name for your secret > ")
secretValue = input("Input a value for your secret > ")

print(f"Creating a secret in {keyVaultName} called '{secretName}' with the value '{secretValue}' ...")

client.set_secret(secretName, secretValue)

print(" done.")

print(f"Retrieving your secret from {keyVaultName}.")

retrieved_secret = client.get_secret(secretName)

print(f"Your secret is '{retrieved_secret.value}'.")
print(f"Deleting your secret from {keyVaultName} ...")

poller = client.begin_delete_secret(secretName)
deleted_secret = poller.result()

print(" done.")

Run the code

Make sure the code in the previous section is in a file named kv_secrets.py. Then run the code with the following command:

python kv_secrets.py

Code details

Authenticate and create a client

In this quickstart, the logged in user is used to authenticate to key vault, which is the preferred method for local development. For applications deployed to Azure, a managed identity should be assigned to App Service or Virtual Machine, for more information, see Managed Identity Overview.

In this example, the name of your key vault is expanded using the value of the "KVUri" variable, in the format: "https://<your-key-vault-name>.vault.azure.net". This example is using 'DefaultAzureCredential()' class, which allows to use the same code across different environments with different options to provide identity. For more information, see Default Azure Credential Authentication.

credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

Save a secret

Once you've obtained the client object for the key vault, you can store a secret using the set_secret method:

client.set_secret(secretName, secretValue)

Calling set_secret generates a call to the Azure REST API for the key vault.

When handling the request, Azure authenticates the caller's identity (the service principal) using the credential object you provided to the client.

Retrieve a secret

To read a secret from Key Vault, use the get_secret method:

retrieved_secret = client.get_secret(secretName)

The secret value is contained in retrieved_secret.value.

You can also retrieve a secret with the Azure CLI command az keyvault secret show or the Azure PowerShell command Get-AzKeyVaultSecret.

Delete a secret

To delete a secret, use the begin_delete_secret method:

poller = client.begin_delete_secret(secretName)
deleted_secret = poller.result()

The begin_delete_secret method is asynchronous and returns a poller object. Calling the poller's result method waits for its completion.

You can verify that the secret had been removed with the Azure CLI command az keyvault secret show or the Azure PowerShell command Get-AzKeyVaultSecret.

Once deleted, a secret remains in a deleted but recoverable state for a time. If you run the code again, use a different secret name.

Clean up resources

If you want to also experiment with certificates and keys, you can reuse the Key Vault created in this article.

Otherwise, when you're finished with the resources created in this article, use the following command to delete the resource group and all its contained resources:

az group delete --resource-group myResourceGroup

Next steps