Azure Key Vault Secret Client Library for Python SDK

Introduction

This module covers accessing Key Vault secrets from Python code. Key Vault is an Azure service for storing secrets, such as passwords, certificates, and keys, in a safe and secure manner. By using Key Vault to store secrets, you avoid storing them in your code, which increases the security of your app.

To work through this module, you will need the following prerequisites.

  • Azure subscription: Create one for free here.
  • Python 3.7+: You can install it from here.
  • Azure CLI: You can install it from here.

Create a resource group and key vault

Log in to the Azure portal at https://portal.azure.com using the credentials provided while creating the free Azure subscription.

In the service blade, search for “Key Vaults” as shown in the below figure, and click on Key Vaults. This will open the Key Vaults service screen.

On the Key Vaults service page, click on Create. Azure will take you to the Key Vault details screen.

Provide the following information and click on “Next” as shown below.

Create Key Vault

In the “Access Policy” tab, you can define policies that control the level of access each user principal has to the secrets. In this example, I am providing full access to my ID. I am also allowing Azure Resource Manager to access this Key Vault, since we will be interacting with it through the SDK. Once done, click on “Review + Create”.

Azure Key Vault Review+Create

Python code for Interaction with Key Vault

For this module, you will need to install the azure-identity and azure-keyvault-secrets modules on your system. To install them, execute the commands below in the command prompt.

pip install azure-identity
pip install azure-keyvault-secrets

Open Visual Studio Code (or Visual Studio) and point it to Python.

Open a new terminal window and execute the below command.

az login

This will open the portal in the browser, where you will need to provide the credentials for your free subscription and authenticate.

In Visual Studio Code, open a new file and save it as kvpy.py

In the source file, import the two classes below.

from azure.keyvault.secrets import SecretClient
from azure.identity import AzureCliCredential

The SecretClient class is used to create the client object for Key Vault, and AzureCliCredential authorizes our connection using the credentials we provided to the Azure CLI.

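You will then need to provide the Key Vault details and create the client, which is done by adding the code below.

keyVaultName = "chfinvault"
KVUri = f"https://{keyVaultName}.vault.azure.net"
credential = AzureCliCredential()
client = SecretClient(vault_url=KVUri, credential=credential)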

The next step is to get the secret that we want to store. We read it from the user at runtime with the code below.

secretName = input("Input a name for your secret > ")
secretValue = input("Input a value for your secret > ")

We then store this secret in Azure Key Vault with the call below.

client.set_secret(secretName, secretValue)

Now execute the source code from Visual Studio Code using CTRL+F5, and you can see the program asking for the inputs from the user, as shown in the picture below.

Open folder

Once the inputs are provided, the program stores the credential in Key Vault and prints the success message on the screen, as shown below.

Python Code

We can validate this by logging in to the Azure portal and opening the Key Vault. Under the Objects tab, click on Secrets, where you will find the admin1 secret stored, as shown below.

Secrets

To retrieve the secret from the Key Vault, you can use the code below.

retrieved_secret = client.get_secret(secretName)

print(f"Your secret is '{retrieved_secret.value}'.")

To delete the secret, you can use the following code.

poller = client.begin_delete_secret(secretName)
deleted_secret = poller.result()
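The fragments above, assembled into one script as an added example (not the original author's code). The helper names vault_uri and round_trip are hypothetical; the example validates the vault and secret names against Azure's naming rules before use, reads the value with getpass instead of input, and reports only metadata rather than printing the secret.

```python
import getpass
import re

# Azure naming rules: vault names are 3-24 chars (letters, digits, single
# hyphens; start with a letter, end with a letter or digit); secret names
# are 1-127 chars of letters, digits and hyphens.
VAULT_NAME = re.compile(r"[A-Za-z](?:[A-Za-z0-9]|-(?!-)){1,22}[A-Za-z0-9]")
SECRET_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")


def vault_uri(vault_name):
    """Build the vault URL, refusing names that could point at another host."""
    if not VAULT_NAME.fullmatch(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net"


def round_trip(client, secret_name, secret_value):
    """Store, read back and delete a secret; return metadata, never the value."""
    if not SECRET_NAME.fullmatch(secret_name):
        raise ValueError(f"invalid secret name: {secret_name!r}")
    client.set_secret(secret_name, secret_value)
    retrieved = client.get_secret(secret_name)
    matches = retrieved.value == secret_value
    # begin_delete_secret returns a poller; result() yields the DeletedSecret.
    deleted = client.begin_delete_secret(secret_name).result()
    return {"name": retrieved.name, "matches": matches, "deleted": deleted.name}


def main():
    # Imported here so the helpers above can be exercised without the SDK.
    from azure.identity import AzureCliCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_uri("chfinvault"),
                          credential=AzureCliCredential())
    name = input("Input a name for your secret > ")
    # getpass keeps the value off the screen and out of terminal scrollback.
    value = getpass.getpass("Input a value for your secret > ")
    print(round_trip(client, name, value))


if __name__ == "__main__":
    main()
```

On a vault with soft-delete enabled, the deleted secret stays recoverable until it is purged or its retention period ends.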

Conclusion 

In this article, we have learned about the implementation of the key vault using the Python library, and I hope you enjoyed reading this article.

Happy Learning!!!