Skill

azure-keyvault-py

Manages Azure Key Vault secrets, keys, and certificates in Python apps with SDK examples for setup, CRUD operations, versioning, deletion, and recovery.

Python

Azure

security

backend

npx claudepluginhub microsoft/skills --plugin azure-sdk-python

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Secure storage and management for secrets, cryptographic keys, and certificates.

SKILL.md

Similar Skills

azure-keyvault-py

36.7k

Manages Azure Key Vault secrets, keys, and certificates using Python SDK. Handles CRUD operations, listing, deletion/recovery, and cryptographic functions for secure storage.

antigravity-awesome-skills

azure-keyvault-secrets-ts

2.0k

Manages Azure Key Vault secrets and keys using @azure/keyvault-secrets SDK in TypeScript. Handles create, get, list, delete, and recovery for secure app secret storage.

azure-sdk-typescript

azure-security-keyvault-keys-dotnet

2.0k

Manages cryptographic keys in Azure Key Vault using .NET SDK: create/rotate RSA/EC keys, encrypt/decrypt, sign/verify via KeyClient and CryptographyClient.

azure-sdk-dotnet

Stats

Parent Repo Stars1964

Parent Repo Forks219

Last CommitApr 2, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Azure Key Vault SDK for Python

Secure storage and management for secrets, cryptographic keys, and certificates.

Installation

# Secrets
pip install azure-keyvault-secrets azure-identity

# Keys (cryptographic operations)
pip install azure-keyvault-keys azure-identity

# Certificates
pip install azure-keyvault-certificates azure-identity

# All
pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity

Environment Variables

AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/

Secrets

SecretClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = SecretClient(vault_url=vault_url, credential=credential)

Secret Operations

# Set secret
secret = client.set_secret("database-password", "super-secret-value")
print(f"Created: {secret.name}, version: {secret.properties.version}")

# Get secret
secret = client.get_secret("database-password")
print(f"Value: {secret.value}")

# Get specific version
secret = client.get_secret("database-password", version="abc123")

# List secrets (names only, not values)
for secret_properties in client.list_properties_of_secrets():
    print(f"Secret: {secret_properties.name}")

# List versions
for version in client.list_properties_of_secret_versions("database-password"):
    print(f"Version: {version.version}, Created: {version.created_on}")

# Delete secret (soft delete)
poller = client.begin_delete_secret("database-password")
deleted_secret = poller.result()

# Purge (permanent delete, if soft-delete enabled)
client.purge_deleted_secret("database-password")

# Recover deleted secret
client.begin_recover_deleted_secret("database-password").result()

Keys

KeyClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = KeyClient(vault_url=vault_url, credential=credential)

Key Operations

from azure.keyvault.keys import KeyType

# Create RSA key
rsa_key = client.create_rsa_key("rsa-key", size=2048)

# Create EC key
ec_key = client.create_ec_key("ec-key", curve="P-256")

# Get key
key = client.get_key("rsa-key")
print(f"Key type: {key.key_type}")

# List keys
for key_properties in client.list_properties_of_keys():
    print(f"Key: {key_properties.name}")

# Delete key
poller = client.begin_delete_key("rsa-key")
deleted_key = poller.result()

Cryptographic Operations

from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

# Get crypto client for a specific key
crypto_client = CryptographyClient(key, credential=credential)
# Or from key ID
crypto_client = CryptographyClient(
    "https://<vault>.vault.azure.net/keys/<key-name>/<version>",
    credential=credential
)

# Encrypt
plaintext = b"Hello, Key Vault!"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
ciphertext = result.ciphertext

# Decrypt
result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
decrypted = result.plaintext

# Sign
from azure.keyvault.keys.crypto import SignatureAlgorithm
import hashlib

digest = hashlib.sha256(b"data to sign").digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature

# Verify
result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
print(f"Valid: {result.is_valid}")

Certificates

CertificateClient Setup

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = CertificateClient(vault_url=vault_url, credential=credential)

Certificate Operations

# Create self-signed certificate
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate("my-cert", policy=policy)
certificate = poller.result()

# Get certificate
certificate = client.get_certificate("my-cert")
print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")

# Get certificate with private key (as secret)
from azure.keyvault.secrets import SecretClient
secret_client = SecretClient(vault_url=vault_url, credential=credential)
cert_secret = secret_client.get_secret("my-cert")
# cert_secret.value contains PEM or PKCS12

# List certificates
for cert in client.list_properties_of_certificates():
    print(f"Certificate: {cert.name}")

# Delete certificate
poller = client.begin_delete_certificate("my-cert")
deleted = poller.result()

Client Types Table

Client	Package	Purpose
`SecretClient`	`azure-keyvault-secrets`	Store/retrieve secrets
`KeyClient`	`azure-keyvault-keys`	Manage cryptographic keys
`CryptographyClient`	`azure-keyvault-keys`	Encrypt/decrypt/sign/verify
`CertificateClient`	`azure-keyvault-certificates`	Manage certificates

Async Clients

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

async def get_secret():
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)
    
    async with client:
        secret = await client.get_secret("my-secret")
        print(secret.value)

import asyncio
asyncio.run(get_secret())

Error Handling

from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try:
    secret = client.get_secret("nonexistent")
except ResourceNotFoundError:
    print("Secret not found")
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - check RBAC permissions")
    raise

Best Practices

Use DefaultAzureCredential for authentication
Use managed identity in Azure-hosted applications
Enable soft-delete for recovery (enabled by default)
Use RBAC over access policies for fine-grained control
Rotate secrets regularly using versioning
Use Key Vault references in App Service/Functions config
Cache secrets appropriately to reduce API calls
Use async clients for high-throughput scenarios