{"id":1350,"library":"azure-keyvault","title":"Azure Key Vault Client Libraries for Python","description":"The `azure-keyvault` library provides client access to Azure Key Vault, a cloud service for securely storing and accessing secrets, keys, and certificates. It offers distinct clients for managing each resource type within the unified `azure-keyvault` umbrella package. As part of the Azure SDK for Python (Track 2), it integrates with `azure-identity` for authentication. The current stable version is 4.2.0, with minor updates typically released on a bi-annual basis.","status":"active","version":"4.2.0","language":"en","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault","tags":["azure","cloud","security","keyvault","secrets","certificates","keys"],"install":[{"cmd":"pip install azure-keyvault","lang":"bash","label":"Install the meta-package"},{"cmd":"pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity","lang":"bash","label":"Install individual components (equivalent)"}],"dependencies":[{"reason":"Required for authenticating with Azure services, following the standard Azure SDK for Python authentication pattern.","package":"azure-identity"}],"imports":[{"note":"Clients are modularized into `secrets`, `keys`, and `certificates` sub-packages in Track 2 SDKs.","wrong":"from azure.keyvault import SecretClient","symbol":"SecretClient","correct":"from azure.keyvault.secrets import SecretClient"},{"note":"Clients are modularized into `secrets`, `keys`, and `certificates` sub-packages in Track 2 SDKs.","wrong":"from azure.keyvault import KeyClient","symbol":"KeyClient","correct":"from azure.keyvault.keys import KeyClient"},{"note":"Clients are modularized into `secrets`, `keys`, and `certificates` sub-packages in Track 2 SDKs.","wrong":"from azure.keyvault import CertificateClient","symbol":"CertificateClient","correct":"from azure.keyvault.certificates 
import CertificateClient"},{"symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"}],"quickstart":{"code":"import os\nfrom azure.keyvault.secrets import SecretClient\nfrom azure.identity import DefaultAzureCredential\n\n# For authentication, ensure you have set up environment variables or Azure CLI login.\n# DefaultAzureCredential tries a chain of credential sources until one succeeds.\n# The exact order and membership of the chain depend on the installed azure-identity version.\n# Sources include:\n# - Environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET)\n# - Managed Identity\n# - Azure CLI (e.g., `az login`)\n# - Azure Developer CLI\n# - Visual Studio Code\n\n# Get your Key Vault URL from environment variable or replace with your actual URL\nkey_vault_url = os.environ.get(\"AZURE_KEYVAULT_URL\", \"https://your-key-vault-name.vault.azure.net/\")\nif not key_vault_url:\n    raise ValueError(\"AZURE_KEYVAULT_URL environment variable or explicit URL is required.\")\n\n# Authenticate using DefaultAzureCredential\ncredential = DefaultAzureCredential()\n\n# Create a SecretClient\nsecret_client = SecretClient(vault_url=key_vault_url, credential=credential)\n\nsecret_name = \"MyTestSecret\"\nsecret_value = \"HelloFromPythonSDK\"\n\ntry:\n    # The value is printed here only because it is a throwaway test secret.\n    print(f\"Setting secret '{secret_name}'...\")\n    set_secret = secret_client.set_secret(secret_name, secret_value)\n    print(f\"Secret set: Name={set_secret.name}, Value={set_secret.value}\")\n\n    print(f\"Getting secret '{secret_name}'...\")\n    retrieved_secret = secret_client.get_secret(secret_name)\n    print(f\"Secret retrieved: Name={retrieved_secret.name}, Value={retrieved_secret.value}\")\n\n    print(f\"Deleting secret '{secret_name}'...\")\n    # Poller for long-running operation, often involved in deletion\n    poller = secret_client.begin_delete_secret(secret_name)\n    deleted_secret = poller.result() # Wait for deletion to complete\n    print(f\"Secret deleted: Name={deleted_secret.name}\")\n\nexcept Exception as e:\n    print(f\"An error occurred: {e}\")\n    print(\"Ensure you 
have set AZURE_KEYVAULT_URL and authenticated (e.g., via `az login`).\")\n    print(\"Also ensure the authenticated principal has 'Get', 'Set', and 'Delete' secret permissions on the Key Vault.\")\n","lang":"python","description":"This quickstart demonstrates how to authenticate with Azure Key Vault using `DefaultAzureCredential` and perform basic secret operations: setting, getting, and deleting a secret. Ensure your environment is configured for Azure authentication and you have sufficient permissions on the Key Vault."},"warnings":[{"fix":"Refer to the official Azure SDK documentation for migration guides. Update import statements, client instantiation, and method calls to the new Track 2 patterns. For example, `VaultClient` is replaced by `SecretClient`, `KeyClient`, `CertificateClient`.","message":"The `azure-keyvault` library (version 4.x) is part of the 'Track 2' Azure SDK for Python. This introduced a complete redesign of the API surface compared to older 'Track 1' libraries (e.g., `azure-keyvault-secrets` < 4.0). Client constructors, method names, and return types are fundamentally different.","severity":"breaking","affected_versions":"<4.0.0"},{"fix":"Always import clients from their specific sub-modules: `from azure.keyvault.secrets import SecretClient` etc. Do not attempt to import them directly from `azure.keyvault`.","message":"Azure Key Vault clients are modular. While `azure-keyvault` is a meta-package, you instantiate `SecretClient`, `KeyClient`, and `CertificateClient` from their respective sub-packages (`azure.keyvault.secrets`, `azure.keyvault.keys`, `azure.keyvault.certificates`).","severity":"gotcha","affected_versions":">=4.0.0"},{"fix":"Ensure `azure-identity` is installed and correctly configured. For local development, `DefaultAzureCredential` relies on environment variables (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) or an active `az login` session.","message":"Authentication is handled by the `azure-identity` library. 
Misconfiguration of credentials (e.g., missing environment variables, unauthenticated Azure CLI session) is a common initial hurdle, leading to `ClientAuthenticationError`.","severity":"gotcha","affected_versions":">=4.0.0"},{"fix":"Always provide the correct and complete `vault_url` when instantiating any Key Vault client. It's often sourced from an environment variable or Azure resource properties.","message":"All Key Vault client constructors (e.g., `SecretClient`, `KeyClient`) require the `vault_url` parameter, which specifies the URI of your Azure Key Vault instance. This URL typically follows the pattern `https://<your-key-vault-name>.vault.azure.net/`.","severity":"gotcha","affected_versions":">=4.0.0"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}