{"id":1154,"library":"azure-keyvault-keys","title":"Azure Key Vault Keys Client Library for Python","description":"The `azure-keyvault-keys` library is the Microsoft Azure Key Vault client library for Python, enabling developers to manage cryptographic keys within Azure Key Vault. It facilitates operations such as creating, retrieving, updating, deleting, and listing RSA and Elliptic Curve (EC) keys, including those backed by Hardware Security Modules (HSMs). The library is part of the broader Azure SDK for Python, currently at version 4.11.0, and typically sees a few stable releases per year while being actively maintained.","status":"active","version":"4.11.0","language":"en","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys","tags":["azure","keyvault","keys","cryptography","security","cloud","sdk"],"install":[{"cmd":"pip install azure-keyvault-keys azure-identity","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Required for Azure Active Directory authentication, including the recommended `DefaultAzureCredential` for most scenarios.","package":"azure-identity","optional":false},{"reason":"Fundamental underlying library for all new Azure SDKs for Python, providing shared primitives and HTTP pipeline functionality.","package":"azure-core","optional":false},{"reason":"Minimum Python version required.","package":"python","optional":false}],"imports":[{"symbol":"KeyClient","correct":"from azure.keyvault.keys import KeyClient"},{"symbol":"KeyVaultKey","correct":"from azure.keyvault.keys import KeyVaultKey"},{"symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"}],"quickstart":{"code":"import os\nfrom azure.keyvault.keys import KeyClient\nfrom azure.identity import DefaultAzureCredential\nfrom azure.core.exceptions import ResourceNotFoundError\n\n# Retrieve the Key Vault URI from environment variable\n# Ensure 'KEY_VAULT_NAME' 
environment variable is set\n# e.g., export KEY_VAULT_NAME=\"your-unique-keyvault-name\"\nkey_vault_name = os.environ.get(\"KEY_VAULT_NAME\", None)\nif not key_vault_name:\n    raise ValueError(\"Please set the KEY_VAULT_NAME environment variable.\")\n\nKV_URI = f\"https://{key_vault_name}.vault.azure.net/\"\n\n# Authenticate with DefaultAzureCredential\n# This credential type is suitable for most scenarios, including local development and production.\n# It attempts to authenticate via environment variables (e.g., AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID),\n# managed identity, Azure CLI, etc.\ncredential = DefaultAzureCredential()\n\n# Create a KeyClient\nkey_client = KeyClient(vault_url=KV_URI, credential=credential)\n\nkey_name = \"MyTestKeyPython\"\n\ntry:\n    print(f\"Creating an RSA key named '{key_name}'...\")\n    # Create an RSA key with a specified size\n    key = key_client.create_rsa_key(key_name, size=2048)\n    print(f\"Key created: {key.name}, Version: {key.properties.version}\")\n\n    print(f\"Retrieving the key named '{key_name}'...\")\n    retrieved_key = key_client.get_key(key_name)\n    print(f\"Key retrieved: {retrieved_key.name}, Type: {retrieved_key.key_type}\")\n\n    print(f\"Deleting the key named '{key_name}'...\")\n    # begin_delete_key returns a poller; .result() returns the DeletedKey (.wait() returns None)\n    deleted_key = key_client.begin_delete_key(key_name).result()\n    print(f\"Key deletion initiated: {deleted_key.name} (Recovery ID: {deleted_key.recovery_id})\")\n\nexcept ResourceNotFoundError:\n    print(f\"Key '{key_name}' not found. 
It might have been deleted or never existed.\")\nexcept Exception as e:\n    print(f\"An error occurred: {e}\")\nfinally:\n    # Always close the credential and client when no longer needed\n    credential.close()\n    key_client.close()  # Closes the client's underlying HTTP transport\n    print(\"Credential closed.\")","lang":"python","description":"This quickstart demonstrates how to authenticate to Azure Key Vault using `DefaultAzureCredential`, create an RSA key, retrieve it, and then initiate its deletion. Ensure your environment variables for Azure authentication (e.g., `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`) are set or that you are logged in via Azure CLI, and `KEY_VAULT_NAME` is configured to point to your Key Vault instance."},"warnings":[{"fix":"Upgrade your Python environment to 3.9 or later.","message":"Python 2.7 and Python 3.6 are no longer supported. Version 4.x.x of `azure-keyvault-keys` requires Python 3.9 or later.","severity":"breaking","affected_versions":"<4.7.0, <4.8.0, all 4.x.x for Py3.9+"},{"fix":"Replace `pip install azure-keyvault` with `pip install azure-keyvault-keys azure-keyvault-secrets azure-keyvault-certificates` (or only the ones you need).","message":"The `azure-keyvault` package is a metapackage and no longer contains actual code. Users should install specific client libraries like `azure-keyvault-keys` directly.","severity":"gotcha","affected_versions":"4.2.0+"},{"fix":"Review and adjust Azure Key Vault access policies or Azure RBAC roles to grant the necessary 'Key' permissions. It may take a few minutes for changes to propagate.","message":"Incorrect permissions are a common issue. 
Ensure the authenticated identity (user, service principal, managed identity) has the specific 'List' and 'Get' Key permissions (e.g., 'Key Vault Crypto Officer' role in RBAC or 'Get', 'List' for Keys in access policies) configured for the Key Vault.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Avoid relying on the exact internal structure or serialization format of model objects returned by `as_dict()` for private properties. Access public properties directly.","message":"Reliance on the exact output format of model methods like `as_dict()` (or similar internal representations) can break across minor/patch versions. The SDK team considers changes to private properties or their serialization not a public breaking change.","severity":"gotcha","affected_versions":"4.9.0b3 to 4.11.0b1 (example from issue) and potentially other versions."}],"env_vars":null,"last_verified":"2026-04-07T00:50:08.188Z","next_check":"2026-07-04T00:00:00.000Z"}