Azure Key Vault Secret Client Library for Python

Azure Key Vault helps solve secrets management by securely storing and controlling access to tokens, passwords, certificates, API keys, and other secrets. When you use Key Vault to store secrets, you avoid storing them in your code, which increases the security of your app. What types of items can be stored in an Azure key vault? It can store three types of items, namely: secrets, keys, and certificates.
In today’s post, you will learn how to get started with the Azure Key Vault Secret Client Library for Python. Let’s get started by performing the following operations:
Step 1: Install the Packages
- Azure Identity
pip install azure-keyvault-secrets azure-identity
- Azure CLI (using the link)
- Azure Key Vault secrets
pip install azure-keyvault-secrets
Afterward, we will proceed to our code and work with the library.
Step 2: Sign in to Azure
We’ll sign in to Azure using the command below after we’ve installed the necessary libraries. This command is run mainly for authentication. After running the command, it will load an Azure sign-in page.
az login
Step 3: Create a resource group and key vault
From here, we then create our resource group and key vault. To do this, your account must be permitted to perform these operations; otherwise, you can do it manually by going to the Azure page and searching for key vaults.

On the Key Vault page, click Create and fill in the necessary details. Navigate through each tab; on the Access Policy tab, make sure to add the application you want to work with.

To create our key vault from the command line without going to the Azure portal, we can use the following commands.
Use the az group create command to create a resource group:
az group create --name KeyVault-PythonQS-rg --location eastus
Use az keyvault create to create the key vault:
az keyvault create --name <your-unique-keyvault-name> --resource-group KeyVault-PythonQS-rg
Grant access to your key vault
az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --secret-permissions delete get list set
To proceed, we then set our environment variables, especially for the values we’ll be using inside our code: KeyVaultName, client_secret, client_id, tenant_id. We can set them using the following command.
export KEY_VAULT_NAME=<your-key-vault-name>
Sample code to Set our secret
The following code sample demonstrates how to create a client, set a secret, and retrieve a secret:
import os

from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient

# Read the vault name and the service principal credentials from the environment
KeyVaultName = os.environ['KEY_VAULT_NAME']
client_id = os.environ['client_id']
client_secret = os.environ['client_secret']
tenant_id = os.environ['tenant_id']
KeyUri = f"https://{KeyVaultName}.vault.azure.net"

# Authenticate as the service principal and create the secret client
credentials = ClientSecretCredential(client_id=client_id, client_secret=client_secret, tenant_id=tenant_id)
secrets = SecretClient(vault_url=KeyUri, credential=credentials)

# Set a secret, then read its value back
secretName = "username"
secretValue = "1233567"
new_secret = secrets.set_secret(secretName, secretValue)
_sec = secrets.get_secret(secretName).value
print(_sec)
Conclusion
That’s pretty much it. In this post, we have learned how to create an Azure Key Vault, create a client, set a secret, and retrieve a secret. There’s a step-by-step video tutorial on this. Click here to watch. Thanks for reading this article. Stay tuned for more posts.
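The sample code above reads KEY_VAULT_NAME, client_id, client_secret and tenant_id straight from the environment and interpolates the vault name into the URL. The following is an added example, not part of the original post or of the Azure SDK: it fails fast when a variable is missing (naming the variable, never its value) and builds the URL only from a name that follows the Key Vault naming rules. The helper names load_settings, vault_url and make_client are assumptions of this example.

```python
import os
import re

# Key Vault naming rules: 3-24 characters, letters, digits and hyphens,
# starting with a letter, ending with a letter or digit, no "--".
_VAULT_NAME = re.compile(r"[A-Za-z](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){2,23}")
REQUIRED = ("KEY_VAULT_NAME", "client_id", "client_secret", "tenant_id")


def load_settings(env=os.environ):
    """Return the four settings, or raise naming what is missing (never values)."""
    missing = [name for name in REQUIRED if not env.get(name, "").strip()]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {name: env[name].strip() for name in REQUIRED}


def vault_url(vault_name):
    """Build the vault URL only from a syntactically valid vault name."""
    # Rejects values such as "host.example/x" that would change the URL's host.
    if not _VAULT_NAME.fullmatch(vault_name):
        raise ValueError("KEY_VAULT_NAME is not a valid Key Vault name")
    return f"https://{vault_name}.vault.azure.net"


def make_client(env=os.environ):
    """Create the SecretClient used in the post from validated settings."""
    # Imported here so the validation helpers work without the Azure SDK.
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient

    s = load_settings(env)
    credential = ClientSecretCredential(
        tenant_id=s["tenant_id"],
        client_id=s["client_id"],
        client_secret=s["client_secret"],
    )
    return SecretClient(vault_url=vault_url(s["KEY_VAULT_NAME"]), credential=credential)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"KEY_VAULT_NAME": "demo-vault-01", "client_id": "x",
              "client_secret": "y", "tenant_id": "z"}
    print(vault_url(load_settings(sample)["KEY_VAULT_NAME"]))
```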
