
Access an Azure Key Vault Secret from Python

Digital security is very important. It has long been understood that we should not store secret data in code or in any other insecure location. Such data should live in a secure key management system, be retrieved only when needed, and never be persisted. In Azure, that system is Azure Key Vault.

This requirement is no different for our Python scripts or applications. But how can we access Azure Key Vault secrets from our Python code? This blog post will show you how to do that!

Key Vault setup

Before we can read secrets from Azure Key Vault, we need to set it up. First we create the Key Vault:

$ az keyvault create \
    --resource-group rg1 \
    --name keyvault1 \
    --enable-rbac-authorization

By specifying --enable-rbac-authorization we use Azure RBAC, rather than vault access policies, to control access to this Key Vault.

Now let’s create a test secret:

$ az keyvault secret set \
    --vault-name keyvault1 \
    --name secret1 \
    --value 'MyTestSecret'

Installing Python dependencies

Before we can access this secret from our Python code, we have to install a couple of dependencies. I like to keep all of my dependencies contained in a virtual environment:

$ python3 -m venv venv
$ . venv/bin/activate

Then I need to install two different dependencies:

  • azure-identity for the auth component
  • azure-keyvault-secrets for Key Vault secret access
$ pip install \
    azure-identity \
    azure-keyvault-secrets

Access a Key Vault secret from Python

Now that everything is set up, let's look at the code that reads this Key Vault secret.

First we need to create a DefaultAzureCredential. I covered this in a blog post on authenticating to Azure from Python; in short, it is a helper class that tries several authentication methods in turn. That lets the same code work on a development machine that is logged in to the Azure CLI and, in production, with a managed identity, which is a great way to access Azure resources without storing credentials.

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

Now we need to create the SecretClient, which gives us access to the secrets in the Key Vault. Before we can do that, we need the Key Vault URI (here retrieved with the Azure CLI):

$ az keyvault show \
    --name keyvault1 \
    --query "properties.vaultUri" -o tsv

This will be in the format https://<key_vault_name>.vault.azure.net/.

Taking that Key Vault URI, we can create the client:

from azure.keyvault.secrets import SecretClient

client = SecretClient(
    vault_url="https://KEY_VAULT_NAME.vault.azure.net/",
    credential=credential
)

Then you can fetch the secret with a call to get_secret:

secret = client.get_secret("secret1")

The secret's value is available through the value attribute of the returned object:

print(f"Secret value is {secret.value}")

The full code for this example is below:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://KEY_VAULT_NAME.vault.azure.net/",
    credential=credential
)
secret = client.get_secret("secret1")
print(f"Secret value is {secret.value}")

The expected output is Secret value is MyTestSecret. Printing the value is fine for a demo, but in real code you should pass it straight to whatever needs it and avoid writing it to logs or disk.
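As an added example (not code from the original post), the snippet below wraps the same SecretClient flow in a small helper that first checks the vault URI against the https://<name>.vault.azure.net/ format described above, and takes the client as an injectable factory so the lookup logic can be exercised offline with a constructed fake client. The vault-name rule (3-24 letters, digits or hyphens, starting with a letter) and the fake client are assumptions for the example; the real SecretClient is only built when build_client is called.

```python
import re
from typing import Callable, Dict, Protocol

# Vault URIs look like https://<key_vault_name>.vault.azure.net/ ; the name
# rule (3-24 alphanumerics/hyphens, starting with a letter) is an assumption.
VAULT_URI_RE = re.compile(
    r"^https://([a-zA-Z][a-zA-Z0-9-]{1,22}[a-zA-Z0-9])\.vault\.azure\.net/?$"
)


class SecretReader(Protocol):
    """The one method we rely on from azure.keyvault.secrets.SecretClient."""
    def get_secret(self, name: str): ...


def validate_vault_url(vault_url: str) -> str:
    """Reject anything that is not an HTTPS Key Vault URI; return the vault name."""
    match = VAULT_URI_RE.match(vault_url)
    if not match:
        raise ValueError("vault_url must look like https://<name>.vault.azure.net/")
    return match.group(1)


def build_client(vault_url: str) -> SecretReader:
    """Build the real client (imports kept here so the rest runs offline)."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    validate_vault_url(vault_url)
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


def read_secret(vault_url: str, name: str,
                client_factory: Callable[[str], SecretReader] = build_client) -> str:
    """Fetch one secret value; callers should use it directly, never log it."""
    validate_vault_url(vault_url)
    client = client_factory(vault_url)
    return client.get_secret(name).value


class _Bundle:
    def __init__(self, value: str) -> None:
        self.value = value


class FakeSecretClient:
    """Constructed stand-in for SecretClient holding in-memory test secrets."""
    def __init__(self, secrets: Dict[str, str]) -> None:
        self._secrets = secrets

    def get_secret(self, name: str) -> _Bundle:
        if name not in self._secrets:
            raise KeyError(f"secret {name!r} not found")  # mirrors a 404 from the vault
        return _Bundle(self._secrets[name])
```

With a real vault, call read_secret("https://keyvault1.vault.azure.net/", "secret1") and the default factory builds the SecretClient with DefaultAzureCredential, exactly as in the post.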

Summary

Hopefully this blog post has shown how easy it is to store your secrets securely in Azure Key Vault and access them from your Python code!

This post is licensed under CC BY 4.0 by the author.