Tutorial: Use Azure Key Vault with a virtual machine in Python
Azure Key Vault helps you to protect keys, secrets, and certificates, such as API keys and database connection strings.
In this tutorial, you set up a Python application to read information from Azure Key Vault by using managed identities for Azure resources. You learn how to:
- Create a key vault
- Store a secret in Key Vault
- Create an Azure Linux virtual machine
- Enable a managed identity for the virtual machine
- Grant the required permissions for the console application to read data from Key Vault
- Retrieve a secret from Key Vault
Before you begin, read Key Vault basic concepts.
If you don't have an Azure subscription, create a free account.
Prerequisites
For Windows, Mac, and Linux:
- Git
- This tutorial requires that you run the Azure CLI locally. You must have the Azure CLI version 2.0.4 or later installed. Run az --version to find the version. If you need to install or upgrade the CLI, see Install Azure CLI 2.0.
Log in to Azure
To log in to Azure by using the Azure CLI, enter:
az login
Create a resource group and key vault
This tutorial uses a precreated Azure key vault. You can create a key vault by following the steps in the Azure CLI quickstart, Azure PowerShell quickstart, or Azure portal quickstart.
Alternatively, you can run the following Azure CLI commands.
Important
Each key vault must have a unique name. Replace <your-unique-keyvault-name> with the name of your key vault in the following examples.
az group create --name "myResourceGroup" -l "EastUS"
az keyvault create --name "<your-unique-keyvault-name>" -g "myResourceGroup" --enable-rbac-authorization
Populate your key vault with a secret
Let's create a secret called mySecret, with a value of Success!. A secret might be a password, a SQL connection string, or any other information that you need to keep both secure and available to your application.
To add a secret to your newly created key vault, use the following command:
az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "mySecret" --value "Success!"
Create a virtual machine
Create a VM called myVM using one of the following methods:
| Linux | Windows |
|---|---|
| Azure CLI | Azure CLI |
| PowerShell | PowerShell |
| Azure portal | Azure portal |
To create a Linux VM using the Azure CLI, use the az vm create command. The following example adds a user account named azureuser. The --generate-ssh-keys parameter is used to automatically generate an SSH key pair and put it in the default key location (~/.ssh).
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image Ubuntu2204 \
--admin-username azureuser \
--generate-ssh-keys
Note the value of publicIpAddress in the output.
Assign an identity to the VM
Create a system-assigned identity for the virtual machine by using the Azure CLI az vm identity assign command:
az vm identity assign --name "myVM" --resource-group "myResourceGroup"
Note the systemAssignedIdentity value shown in the output of the preceding command, which looks like this:
{
"systemAssignedIdentity": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"userAssignedIdentities": {}
}
Assign permissions to the VM identity
To grant your application permissions to your key vault through Role-Based Access Control (RBAC), assign a role using the Azure CLI command az role assignment create.
az role assignment create --role "Key Vault Secrets User" --assignee "<app-id>" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name>"
Replace <app-id>, <subscription-id>, <resource-group-name> and <your-unique-keyvault-name> with your actual values. <app-id> is the Application (client) ID of your registered application in Microsoft Entra.
Log in to the VM
To sign in to the virtual machine, follow the instructions in Connect and sign in to an Azure virtual machine running Linux or Connect and sign in to an Azure virtual machine running Windows.
To log in to a Linux VM, you can use the ssh command with the <publicIpAddress> noted in the Create a virtual machine step:
ssh azureuser@<publicIpAddress>
Install Python libraries on the VM
On the virtual machine, install the two Python libraries the sample script uses: azure-keyvault-secrets and azure-identity.
On a Linux VM, for instance, you can install them with pip3:
pip3 install azure-keyvault-secrets
pip3 install azure-identity
Create and edit the sample Python script
On the virtual machine, create a Python file called sample.py. Edit the file to contain the following code, replacing <your-unique-keyvault-name> with the name of your key vault:
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

key_vault_name = "<your-unique-keyvault-name>"
key_vault_uri = f"https://{key_vault_name}.vault.azure.net"
secret_name = "mySecret"

# On the VM, DefaultAzureCredential obtains a token from the system-assigned managed identity,
# so no client secret or certificate has to be stored in the script.
credential = DefaultAzureCredential()
client = SecretClient(vault_url=key_vault_uri, credential=credential)

# Reads the latest version of the secret; requires the Key Vault Secrets User role on the vault.
retrieved_secret = client.get_secret(secret_name)
print(f"The value of secret '{secret_name}' in '{key_vault_name}' is: '{retrieved_secret.value}'")
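As an added example that is not part of the tutorial, the same retrieval written with only the standard library, to show what DefaultAzureCredential does on a VM under the hood: it requests a Key Vault-scoped token from the instance metadata service (IMDS) and presents it to the Key Vault REST API. The vault name is a placeholder and the transport parameter is an assumption of this example so that a fake transport can be injected offline; a 403 from the vault is mapped to a clear error because a missing or not-yet-propagated role assignment is the most common failure at this step.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Fixed IMDS address used by every Azure VM; the API versions are the documented ones.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"
KV_API_VERSION = "7.4"

class KeyVaultAccessDenied(Exception):
    """Key Vault answered 403: the VM identity has no role assignment on this vault (yet)."""

def http_get_json(url, headers):
    """Default transport: GET the URL and return (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        try:
            return err.code, json.loads(raw)
        except json.JSONDecodeError:
            return err.code, {"raw": raw}

def get_managed_identity_token(transport=http_get_json):
    """Ask IMDS for a token scoped to Key Vault. The 'Metadata: true' header is
    mandatory; it is the platform's guard against blindly forwarded (SSRF-style) requests."""
    query = urlencode({"api-version": "2018-02-01", "resource": KEY_VAULT_RESOURCE})
    status, body = transport(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"IMDS returned {status}: is a managed identity assigned to this VM?")
    return body["access_token"]

def get_secret(vault_name, secret_name, transport=http_get_json):
    """Read the latest version of a secret, authenticating only with the managed identity."""
    token = get_managed_identity_token(transport)
    url = (f"https://{vault_name}.vault.azure.net/secrets/{secret_name}"
           f"?api-version={KV_API_VERSION}")
    status, body = transport(url, {"Authorization": f"Bearer {token}"})
    if status == 403:
        raise KeyVaultAccessDenied(body.get("error", {}).get("message", "forbidden"))
    if status != 200:
        raise RuntimeError(f"Key Vault returned {status}: {body}")
    return body["value"]

if __name__ == "__main__":  # placeholder vault name; run this on the VM from the tutorial
    print(len(get_secret("<your-unique-keyvault-name>", "mySecret")), "characters read")
```

The main block deliberately logs only the secret's length: the tutorial's print statement is fine for a one-off check, but a deployed script should not echo secret values to stdout or log files.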
Run the sample Python app
Lastly, run sample.py. If all has gone well, it should return the value of your secret:
python3 sample.py
The value of secret 'mySecret' in '<your-unique-keyvault-name>' is: 'Success!'
Clean up resources
When they're no longer needed, delete the virtual machine and your key vault. The quickest way is to delete the resource group to which they belong:
az group delete -g myResourceGroup