Quickstart: Azure Key Vault certificate client library for Python
Get started with the Azure Key Vault certificate client library for Python. Follow the steps below to install the package and try out example code for basic tasks. By using Key Vault to store certificates, you avoid storing certificates in your code, which increases the security of your app.
API reference documentation | Library source code | Package (Python Package Index)
Prerequisites
- An Azure subscription - create one for free.
- Python 2.7+ or 3.5.3+
- Azure CLI
This quickstart assumes you are running Azure CLI in a Linux terminal window.
Set up your local environment
This quickstart uses the Azure Identity library together with Azure CLI to authenticate the user to Azure services. Developers can also use Visual Studio or Visual Studio Code to authenticate their calls; for more information, see Authenticate the client with Azure Identity client library.
Sign in to Azure
Run the az login command:
az login
If the CLI can open your default browser, it will do so and load an Azure sign-in page.
Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.
Install the packages
In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on Use Python virtual environments.
Install the Azure Active Directory identity library:
pip install azure-identity
Install the Key Vault certificate client library:
pip install azure-keyvault-certificates
Create a resource group and key vault
Use the az group create command to create a resource group:
az group create --name KeyVault-PythonQS-rg --location eastus
You can change "eastus" to a location nearer to you, if you prefer.
Use az keyvault create to create the key vault:
az keyvault create --name <your-unique-keyvault-name> --resource-group KeyVault-PythonQS-rg
Replace <your-unique-keyvault-name> with a name that's unique across all of Azure. You typically use your personal or company name along with other numbers and identifiers.
Grant access to your key vault
Create an access policy for your key vault that grants certificate permissions to your user account:
az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --certificate-permissions delete get list create
Set environment variables
This application reads the key vault name from an environment variable called KEY_VAULT_NAME.
Windows
set KEY_VAULT_NAME=<your-key-vault-name>
Windows PowerShell
$Env:KEY_VAULT_NAME="<your-key-vault-name>"
macOS or Linux
export KEY_VAULT_NAME=<your-key-vault-name>
Create the sample code
The Azure Key Vault certificate client library for Python allows you to manage certificates. The following code sample demonstrates how to create a client, set a certificate, retrieve a certificate, and delete a certificate.
Create a file named kv_certificates.py that contains this code.
import os
from azure.keyvault.certificates import CertificateClient, CertificatePolicy, CertificateContentType, WellKnownIssuerNames
from azure.identity import DefaultAzureCredential

# The vault name comes from the environment, never from the source file
keyVaultName = os.environ["KEY_VAULT_NAME"]
KVUri = "https://" + keyVaultName + ".vault.azure.net"

# DefaultAzureCredential picks up the Azure CLI login locally and a managed identity when deployed
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=KVUri, credential=credential)

certificateName = input("Input a name for your certificate > ")

print(f"Creating a certificate in {keyVaultName} called '{certificateName}' ...")
policy = CertificatePolicy.get_default()
# Certificate creation is a long-running operation; the poller blocks until it completes
poller = client.begin_create_certificate(certificate_name=certificateName, policy=policy)
certificate = poller.result()
print(" done.")

print(f"Retrieving your certificate from {keyVaultName}.")
retrieved_certificate = client.get_certificate(certificateName)
print(f"Certificate with name '{retrieved_certificate.name}' was found.")

print(f"Deleting your certificate from {keyVaultName} ...")
# Deletion is also long-running; the certificate enters a soft-deleted state afterwards
poller = client.begin_delete_certificate(certificateName)
deleted_certificate = poller.result()
print(" done.")
Run the code
Make sure the code in the previous section is in a file named kv_certificates.py. Then run the code with the following command:
python kv_certificates.py
- If you encounter permissions errors, make sure you ran the az keyvault set-policy command.
- Re-running the code with the same certificate name may produce the error, "(Conflict) Certificate is currently in a deleted but recoverable state." Use a different certificate name.
Code details
Authenticate and create a client
In this quickstart, the logged-in user is used to authenticate to the key vault, which is the preferred method for local development. For applications deployed to Azure, a managed identity should be assigned to the App Service or Virtual Machine; for more information, see Managed Identity Overview.
In the example below, the name of your key vault is expanded to the key vault URI, in the format "https://<your-key-vault-name>.vault.azure.net". This example uses the DefaultAzureCredential class, which allows the same code to run across different environments with different options for providing an identity. For more information, see Default Azure Credential Authentication.
credential = DefaultAzureCredential()
client = CertificateClient(vault_url=KVUri, credential=credential)
Save a certificate
Once you've obtained the client object for the key vault, you can create a certificate using the begin_create_certificate method:
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate(certificate_name=certificateName, policy=policy)
certificate = poller.result()
Here, the certificate requires a policy obtained with the CertificatePolicy.get_default method.
Calling the begin_create_certificate method generates an asynchronous call to the Azure REST API for the key vault. The asynchronous call returns a poller object. To wait for the result of the operation, call the poller's result method.
When handling the request, Azure authenticates the caller's identity (the service principal) using the credential object you provided to the client.
Retrieve a certificate
To read a certificate from Key Vault, use the get_certificate method:
retrieved_certificate = client.get_certificate(certificateName)
You can also verify that the certificate has been set with the Azure CLI command az keyvault certificate show.
Delete a certificate
To delete a certificate, use the begin_delete_certificate method:
poller = client.begin_delete_certificate(certificateName)
deleted_certificate = poller.result()
The begin_delete_certificate method is asynchronous and returns a poller object. Calling the poller's result method waits for its completion.
You can verify that the certificate is deleted with the Azure CLI command az keyvault certificate show.
Once deleted, a certificate remains in a deleted but recoverable state for a time. If you run the code again, use a different certificate name.
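The following is an added example, not part of the quickstart, that covers two points made above: expanding the vault name into the vault URI (validating the name against Key Vault's naming rules first, so a typo cannot point the client, and its access token, at an unintended host), and reusing a certificate name whose previous version is still soft-deleted by recovering or purging it instead of picking a new name. It assumes a CertificateClient like the one in the sample; recovering needs the "recover" certificate permission and purging needs "purge", neither of which the set-policy command above grants, and purging is refused on vaults with purge protection enabled.

```python
import re

# Key Vault naming rules: 3-24 characters, letters, digits and hyphens only,
# starts with a letter, ends with a letter or digit, no consecutive hyphens.
_VAULT_NAME = re.compile(r"^[A-Za-z](?!.*--)[A-Za-z0-9-]{1,22}[A-Za-z0-9]$")


def vault_url(vault_name: str) -> str:
    """Build the vault URI the SDK expects, rejecting names Azure would never accept."""
    if not _VAULT_NAME.match(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net"


def ensure_certificate(client, name, policy, *, purge=False):
    """Create certificate `name`, first resolving the soft-deleted state that makes a
    rerun of the sample fail with "(Conflict) ... deleted but recoverable state".

    `client` is an azure.keyvault.certificates.CertificateClient. The SDK import is
    deferred so this module can be loaded (and vault_url tested) without it installed.
    """
    from azure.core.exceptions import ResourceNotFoundError

    try:
        # Raises ResourceNotFoundError when no soft-deleted certificate has this name
        deleted = client.get_deleted_certificate(name)
    except ResourceNotFoundError:
        deleted = None

    if deleted is not None:
        if purge:
            # Irreversible: removes all versions; requires the "purge" permission
            client.purge_deleted_certificate(name)
        else:
            # Recovery restores the existing versions; no new key material is issued
            return client.begin_recover_deleted_certificate(name).result()

    return client.begin_create_certificate(certificate_name=name, policy=policy).result()
```

Call it in place of the create step in the sample: ensure_certificate(client, certificateName, CertificatePolicy.get_default()) recovers a soft-deleted certificate of that name or creates a fresh one.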
Clean up resources
If you want to also experiment with secrets and keys, you can reuse the Key Vault created in this article.
Otherwise, when you're finished with the resources created in this article, use the following command to delete the resource group and all its contained resources:
az group delete --resource-group KeyVault-PythonQS-rg