Bibliothèques Azure Key Vault pour PythonAzure Key Vault libraries for Python

Azure Key Vault est le système de stockage et de gestion d’Azure pour les clés de chiffrement, les secrets et la gestion des certificats.Azure Key Vault is Azure's storage and management system for cryptographic keys, secrets, and certificate management. L’API du SDK Python pour Key Vault est partagée entre les bibliothèques clientes et les bibliothèques de gestion.The Python SDK API for Key Vault is split between client libraries and management libraries.

Utilisez la bibliothèque cliente pour :Use the client library to:

• Accéder, mettre à jour ou supprimer des éléments stockés dans un coffre de clés AzureAccess, update, or delete items stored in an Azure Key Vault
• Obtenir des métadonnées pour les certificats stockésGet metadata for stored certificates
• Vérifier les signatures sur les clés symétriques dans Key VaultVerify signatures against symmetric keys in Key Vault

Utilisez la bibliothèque de gestion pour :Use the management library to:

• Créer, mettre à jour ou supprimer des magasins Key VaultCreate, update, or delete new Key Vault stores
• Contrôler les stratégies d’accès au coffreControl vault access policies
• Lister les coffres par abonnement ou groupe de ressourcesList vaults by subscription or resource group
• Vérifier la disponibilité des noms de coffreCheck for vault name availability

Installer les bibliothèquesInstall the libraries

Bibliothèque clienteClient library

pip install azure-keyvault

ExemplesExamples

Les exemples suivants utilisent l’authentification de principal de service, méthode de connexion recommandée pour les applications qui se connectent à Azure.The following examples use service principal authentication, which is the recommended sign in method for applications that connect to Azure. Pour en savoir plus sur l’authentification de principal de service, consultez S’authentifier avec le SDK Azure pour PythonTo learn about service principal authentication, see Authenticate with the Azure SDK for Python

Récupérez la partie publique d’une clé asymétrique dans un coffre :Retrieve the public portion of an asymmetric key from a vault:

from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id = '...',
    secret = '...',
    tenant = '...'
)

client = KeyVaultClient(credentials)

# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
# KEY_VERSION is required, and can be obtained with the KeyVaultClient.get_key_versions(self, vault_url, key_name) API
key_bundle = client.get_key(VAULT_URL, KEY_NAME, KEY_VERSION)
key = key_bundle.key

Récupérez un secret dans un coffre :Retrieve a secret from a vault:

from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id = '...',
    secret = '...',
    tenant = '...'
)

client = KeyVaultClient(credentials)

# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
# SECRET_VERSION is required, and can be obtained with the KeyVaultClient.get_secret_versions(self, vault_url, secret_id) API
secret_bundle = client.get_secret(VAULT_URL, SECRET_ID, SECRET_VERSION)
secret = secret_bundle.value

Explorer les API clientesExplore the Client APIs

Bibliothèque de gestionManagement library

pip install azure-mgmt-keyvault

ExemplesExample

L’exemple suivant montre comment créer un coffre Azure Key Vault.The following example shows how to create an Azure Key Vault.

from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.common.credentials import ServicePrincipalCredentials


credentials = ServicePrincipalCredentials(
    client_id = '...',
    secret = '...',
    tenant = '...'
)

# Even when using service principal credentials, a subscription ID is required. For service principals,
# this should be the subscription used to create the service principal. Storing a token like a valid
# subscription ID in code is not recommended and only shown here for example purposes.
SUBSCRIPTION_ID = '...'
client = KeyVaultManagementClient(credentials, SUBSCRIPTION_ID)

# The object ID and organization ID (tenant) of the user, application, or service principal for access policies.
# These values can be found through the Azure CLI or the Portal.
ALLOW_OBJECT_ID = '...'
ALLOW_TENANT_ID = '...'

RESOURCE_GROUP = '...'
VAULT_NAME = '...'

# Vault properties may also be created by using the azure.mgmt.keyvault.models.VaultCreateOrUpdateParameters
# class, rather than a map. 
operation = client.vaults.create_or_update(
    RESOURCE_GROUP,
    VAULT_NAME,
    {
        'location': 'eastus',
        'properties': {
            'sku': {
                'name': 'standard'
            },
            'tenant_id': TENANT_ID,
            'access_policies': [{
                'object_id': OBJECT_ID,
                'tenant_id': ALLOW_TENANT_ID,
                'permissions': {
                    'keys': ['all'],
                    'secrets': ['all']
                }
            }]
        }
    }
)

vault = operation.result()
print(f'New vault URI: {vault.properties.vault_uri}')

Explorer les API de gestionExplore the Management APIs

ExemplesSamples

• Gérer les coffres de clés AzureManage Azure Key Vaults
• Récupération d’un coffre de clés AzureAzure Key Vault recovery

Affichez la liste complète des exemples de coffres Azure Key Vault.View the complete list of Azure Key Vault samples.