azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.
Best use case
azure-keyvault-py is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.
Teams using azure-keyvault-py should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/azure-keyvault-py/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How azure-keyvault-py Compares
| Feature / Agent | azure-keyvault-py | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Azure Key Vault SDK for Python
Secure storage and management for secrets, cryptographic keys, and certificates.
## Installation
```bash
# Secrets
pip install azure-keyvault-secrets azure-identity
# Keys (cryptographic operations)
pip install azure-keyvault-keys azure-identity
# Certificates
pip install azure-keyvault-certificates azure-identity
# All
pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity
```
## Environment Variables
```bash
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```
## Secrets
### SecretClient Setup
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"
client = SecretClient(vault_url=vault_url, credential=credential)
```
### Secret Operations
```python
# Set secret
secret = client.set_secret("database-password", "super-secret-value")
print(f"Created: {secret.name}, version: {secret.properties.version}")
# Get secret
secret = client.get_secret("database-password")
print(f"Value: {secret.value}")
# Get specific version
secret = client.get_secret("database-password", version="abc123")
# List secrets (names only, not values)
for secret_properties in client.list_properties_of_secrets():
print(f"Secret: {secret_properties.name}")
# List versions
for version in client.list_properties_of_secret_versions("database-password"):
print(f"Version: {version.version}, Created: {version.created_on}")
# Delete secret (soft delete)
poller = client.begin_delete_secret("database-password")
deleted_secret = poller.result()
# Purge (permanent delete, if soft-delete enabled)
client.purge_deleted_secret("database-password")
# Recover deleted secret
client.begin_recover_deleted_secret("database-password").result()
```
## Keys
### KeyClient Setup
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"
client = KeyClient(vault_url=vault_url, credential=credential)
```
### Key Operations
```python
from azure.keyvault.keys import KeyType
# Create RSA key
rsa_key = client.create_rsa_key("rsa-key", size=2048)
# Create EC key
ec_key = client.create_ec_key("ec-key", curve="P-256")
# Get key
key = client.get_key("rsa-key")
print(f"Key type: {key.key_type}")
# List keys
for key_properties in client.list_properties_of_keys():
print(f"Key: {key_properties.name}")
# Delete key
poller = client.begin_delete_key("rsa-key")
deleted_key = poller.result()
```
### Cryptographic Operations
```python
from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm
# Get crypto client for a specific key
crypto_client = CryptographyClient(key, credential=credential)
# Or from key ID
crypto_client = CryptographyClient(
"https://<vault>.vault.azure.net/keys/<key-name>/<version>",
credential=credential
)
# Encrypt
plaintext = b"Hello, Key Vault!"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
ciphertext = result.ciphertext
# Decrypt
result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
decrypted = result.plaintext
# Sign
from azure.keyvault.keys.crypto import SignatureAlgorithm
import hashlib
digest = hashlib.sha256(b"data to sign").digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature
# Verify
result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
print(f"Valid: {result.is_valid}")
```
## Certificates
### CertificateClient Setup
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy
credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"
client = CertificateClient(vault_url=vault_url, credential=credential)
```
### Certificate Operations
```python
# Create self-signed certificate
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate("my-cert", policy=policy)
certificate = poller.result()
# Get certificate
certificate = client.get_certificate("my-cert")
print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")
# Get certificate with private key (as secret)
from azure.keyvault.secrets import SecretClient
secret_client = SecretClient(vault_url=vault_url, credential=credential)
cert_secret = secret_client.get_secret("my-cert")
# cert_secret.value contains PEM or PKCS12
# List certificates
for cert in client.list_properties_of_certificates():
print(f"Certificate: {cert.name}")
# Delete certificate
poller = client.begin_delete_certificate("my-cert")
deleted = poller.result()
```
## Client Types Table
| Client | Package | Purpose |
|--------|---------|---------|
| `SecretClient` | `azure-keyvault-secrets` | Store/retrieve secrets |
| `KeyClient` | `azure-keyvault-keys` | Manage cryptographic keys |
| `CryptographyClient` | `azure-keyvault-keys` | Encrypt/decrypt/sign/verify |
| `CertificateClient` | `azure-keyvault-certificates` | Manage certificates |
## Async Clients
```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient
async def get_secret():
credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=credential)
async with client:
secret = await client.get_secret("my-secret")
print(secret.value)
import asyncio
asyncio.run(get_secret())
```
## Error Handling
```python
from azure.core.exceptions import ResourceNotFoundError, HttpResponseError
try:
secret = client.get_secret("nonexistent")
except ResourceNotFoundError:
print("Secret not found")
except HttpResponseError as e:
if e.status_code == 403:
print("Access denied - check RBAC permissions")
raise
```
## Best Practices
1. **Use DefaultAzureCredential** for authentication
2. **Use managed identity** in Azure-hosted applications
3. **Enable soft-delete** for recovery (enabled by default)
4. **Use RBAC** over access policies for fine-grained control
5. **Rotate secrets** regularly using versioning
6. **Use Key Vault references** in App Service/Functions config
7. **Cache secrets** appropriately to reduce API calls
8. **Use async clients** for high-throughput scenarios
## When to Use
This skill is applicable to execute the workflow or actions described in the overview.Related Skills
deploying-on-azure
Design and implement Azure cloud architectures using best practices for compute, storage, databases, AI services, networking, and governance. Use when building applications on Microsoft Azure or migrating workloads to Azure cloud platform.
azure-storage-file-share-py
Azure Storage File Share SDK for Python. Use for SMB file shares, directories, and file operations in the cloud.
azure-storage-blob-rust
Azure Blob Storage SDK for Rust. Use for uploading, downloading, and managing blobs and containers.
azure-servicebus-py
Azure Service Bus SDK for Python messaging. Use for queues, topics, subscriptions, and enterprise messaging patterns.
azure-servicebus-dotnet
Azure Service Bus SDK for .NET. Enterprise messaging with queues, topics, subscriptions, and sessions.
azure-search-documents-py
Azure AI Search SDK for Python. Use for vector search, hybrid search, semantic ranking, indexing, and skillsets.
azure-search-documents-dotnet
Azure AI Search SDK for .NET (Azure.Search.Documents). Use for building search applications with full-text, vector, semantic, and hybrid search.
azure-resource-manager-durabletask-dotnet
Azure Resource Manager SDK for Durable Task Scheduler in .NET.
azure-prepare
Default entry point for Azure application development EXCEPT cross-cloud migration — use azure-cloud-migrate instead. Analyzes your project and prepares it for Azure deployment by generating infrastructure code (Bicep/Terraform), azure.yaml, and Dockerfiles. WHEN: "create an app", "build a web app", "create API", "create frontend", "create backend", "add a feature", "build a service", "develop a project", "modernize my code", "update my application", "add database", "add authentication", "add caching", "deploy to Azure", "host on Azure", "Azure with terraform", "Azure with azd", "generate azure.yaml", "generate Bicep", "generate Terraform", "create Azure Functions app", "create serverless HTTP API", "create function app", "create event-driven function", "create and deploy to Azure", "create Azure Functions and deploy", "create function app and deploy".
azure-pipelines
Use when validating Azure DevOps pipeline changes for the VS Code build. Covers queueing builds, checking build status, viewing logs, and iterating on pipeline YAML changes without waiting for full CI runs.
azure-pipelines-validator
Comprehensive toolkit for validating, linting, and securing Azure DevOps Pipeline configurations.
azure-pipelines-generator
Comprehensive toolkit for generating best practice Azure DevOps Pipelines following current standards and conventions. Use this skill when creating new Azure Pipelines, implementing CI/CD workflows, or building deployment pipelines.