azure-keyvault-py

Azure Key Vault SDK for Python

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "azure-keyvault-py" with this command: npx skills add claudedjale/skillset/claudedjale-skillset-azure-keyvault-py

Azure Key Vault SDK for Python

Secure storage and management for secrets, cryptographic keys, and certificates.

Installation

Secrets

pip install azure-keyvault-secrets azure-identity

Keys (cryptographic operations)

pip install azure-keyvault-keys azure-identity

Certificates

pip install azure-keyvault-certificates azure-identity

All

pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity

Environment Variables

AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/

Secrets

SecretClient Setup

from azure.identity import DefaultAzureCredential from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential() vault_url = "https://<vault-name>.vault.azure.net/"

client = SecretClient(vault_url=vault_url, credential=credential)

Secret Operations

Set secret

secret = client.set_secret("database-password", "super-secret-value") print(f"Created: {secret.name}, version: {secret.properties.version}")

Get secret

secret = client.get_secret("database-password") print(f"Value: {secret.value}")

Get specific version

secret = client.get_secret("database-password", version="abc123")

List secrets (names only, not values)

for secret_properties in client.list_properties_of_secrets(): print(f"Secret: {secret_properties.name}")

List versions

for version in client.list_properties_of_secret_versions("database-password"): print(f"Version: {version.version}, Created: {version.created_on}")

Delete secret (soft delete)

poller = client.begin_delete_secret("database-password") deleted_secret = poller.result()

Purge (permanent delete, if soft-delete enabled)

client.purge_deleted_secret("database-password")

Recover deleted secret

client.begin_recover_deleted_secret("database-password").result()

Keys

KeyClient Setup

from azure.identity import DefaultAzureCredential from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential() vault_url = "https://<vault-name>.vault.azure.net/"

client = KeyClient(vault_url=vault_url, credential=credential)

Key Operations

from azure.keyvault.keys import KeyType

Create RSA key

rsa_key = client.create_rsa_key("rsa-key", size=2048)

Create EC key

ec_key = client.create_ec_key("ec-key", curve="P-256")

Get key

key = client.get_key("rsa-key") print(f"Key type: {key.key_type}")

List keys

for key_properties in client.list_properties_of_keys(): print(f"Key: {key_properties.name}")

Delete key

poller = client.begin_delete_key("rsa-key") deleted_key = poller.result()

Cryptographic Operations

from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

Get crypto client for a specific key

crypto_client = CryptographyClient(key, credential=credential)

Or from key ID

crypto_client = CryptographyClient( "https://<vault>.vault.azure.net/keys/<key-name>/<version>", credential=credential )

Encrypt

plaintext = b"Hello, Key Vault!" result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext) ciphertext = result.ciphertext

Decrypt

result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext) decrypted = result.plaintext

Sign

from azure.keyvault.keys.crypto import SignatureAlgorithm import hashlib

digest = hashlib.sha256(b"data to sign").digest() result = crypto_client.sign(SignatureAlgorithm.rs256, digest) signature = result.signature

Verify

result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature) print(f"Valid: {result.is_valid}")

Certificates

CertificateClient Setup

from azure.identity import DefaultAzureCredential from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential() vault_url = "https://<vault-name>.vault.azure.net/"

client = CertificateClient(vault_url=vault_url, credential=credential)

Certificate Operations

Create self-signed certificate

policy = CertificatePolicy.get_default() poller = client.begin_create_certificate("my-cert", policy=policy) certificate = poller.result()

Get certificate

certificate = client.get_certificate("my-cert") print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")

Get certificate with private key (as secret)

from azure.keyvault.secrets import SecretClient secret_client = SecretClient(vault_url=vault_url, credential=credential) cert_secret = secret_client.get_secret("my-cert")

cert_secret.value contains PEM or PKCS12

List certificates

for cert in client.list_properties_of_certificates(): print(f"Certificate: {cert.name}")

Delete certificate

poller = client.begin_delete_certificate("my-cert") deleted = poller.result()

Client Types Table

Client Package Purpose

SecretClient

azure-keyvault-secrets

Store/retrieve secrets

KeyClient

azure-keyvault-keys

Manage cryptographic keys

CryptographyClient

azure-keyvault-keys

Encrypt/decrypt/sign/verify

CertificateClient

azure-keyvault-certificates

Manage certificates

Async Clients

from azure.identity.aio import DefaultAzureCredential from azure.keyvault.secrets.aio import SecretClient

async def get_secret(): credential = DefaultAzureCredential() client = SecretClient(vault_url=vault_url, credential=credential)

async with client:
    secret = await client.get_secret("my-secret")
    print(secret.value)

import asyncio asyncio.run(get_secret())

Error Handling

from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try: secret = client.get_secret("nonexistent") except ResourceNotFoundError: print("Secret not found") except HttpResponseError as e: if e.status_code == 403: print("Access denied - check RBAC permissions") raise

Best Practices

  • Use DefaultAzureCredential for authentication

  • Use managed identity in Azure-hosted applications

  • Enable soft-delete for recovery (enabled by default)

  • Use RBAC over access policies for fine-grained control

  • Rotate secrets regularly using versioning

  • Use Key Vault references in App Service/Functions config

  • Cache secrets appropriately to reduce API calls

  • Use async clients for high-throughput scenarios

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

github-issue-creator

No summary provided by upstream source.

Repository SourceNeeds Review
5-claudedjale
General

azure-observability

No summary provided by upstream source.

Repository SourceNeeds Review
6-claudedjale
General

azure-appconfiguration-java

No summary provided by upstream source.

Repository SourceNeeds Review
5-claudedjale
General

wiki-architect

No summary provided by upstream source.

Repository SourceNeeds Review
5-claudedjale