{"id":748,"library":"azure-keyvault-secrets","title":"Azure Key Vault Secrets Client Library","description":"The Azure Key Vault Secrets client library for Python (version 4.10.0) provides secure storage and management for sensitive information like tokens, passwords, API keys, and certificates. As part of the actively developed Azure SDK for Python, it maintains a regular release cadence with updates typically occurring every few months to introduce new features and improvements.","status":"active","version":"4.10.0","language":"python","source_language":"en","source_url":"https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets","tags":["azure","key vault","secrets","cloud","security","identity"],"install":[{"cmd":"pip install azure-keyvault-secrets azure-identity","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Required for Azure Active Directory authentication, which is the recommended method for interacting with Azure Key Vault.","package":"azure-identity","optional":false},{"reason":"Core dependency for all Azure SDKs, providing shared primitives.","package":"azure-core","optional":false},{"reason":"Likely used for parsing and formatting ISO 8601 date/time strings for Key Vault metadata.","package":"isodate","optional":false},{"reason":"Provides backported and experimental type hints.","package":"typing-extensions","optional":false}],"imports":[{"note":"The primary client for interacting with Azure Key Vault secrets.","symbol":"SecretClient","correct":"from azure.keyvault.secrets import SecretClient"},{"note":"Authentication credentials are provided by the `azure-identity` library, not `azure-keyvault-secrets` directly. 
`DefaultAzureCredential` is recommended for most scenarios as it handles various authentication flows.","wrong":"from azure.keyvault.secrets import DefaultAzureCredential","symbol":"DefaultAzureCredential","correct":"from azure.identity import DefaultAzureCredential"},{"note":"Represents a secret retrieved from Azure Key Vault, including its value and attributes.","symbol":"KeyVaultSecret","correct":"from azure.keyvault.secrets import KeyVaultSecret"},{"note":"Represents the attributes of a secret, such as its expiration date, content type, and tags.","symbol":"SecretProperties","correct":"from azure.keyvault.secrets import SecretProperties"}],"quickstart":{"code":"import os\nfrom azure.keyvault.secrets import SecretClient\nfrom azure.identity import DefaultAzureCredential\n\n# Retrieve the Key Vault URL from an environment variable\nkey_vault_url = os.environ.get(\"KEY_VAULT_URL\", \"\")\nif not key_vault_url:\n    raise ValueError(\"KEY_VAULT_URL environment variable not set.\")\n\n# Authenticate using DefaultAzureCredential, which handles various authentication flows\ncredential = DefaultAzureCredential()\n\n# Create a SecretClient\nsecret_client = SecretClient(vault_url=key_vault_url, credential=credential)\n\nsecret_name = \"MyTestSecret\"\nsecret_value = \"mysecretvalue123\"\n\nprint(f\"Setting a secret named '{secret_name}'...\")\n# Set a secret\nset_secret = secret_client.set_secret(secret_name, secret_value)\nprint(f\"Secret set: {set_secret.name}, version: {set_secret.id}\")\n\nprint(f\"Retrieving the secret named '{secret_name}'...\")\n# Get a secret\nretrieved_secret = secret_client.get_secret(secret_name)\nprint(f\"Secret retrieved: {retrieved_secret.name}, value: {retrieved_secret.value}\")\n\nprint(f\"Deleting the secret named '{secret_name}'...\")\n# Delete a secret (soft-delete, if enabled on the vault)\ndeleted_secret = secret_client.begin_delete_secret(secret_name).result()\nprint(f\"Secret deleted: {deleted_secret.name}, recovery ID: {deleted_secret.recovery_id}\")\n\nprint(\"Done.\")\n","lang":"python","description":"This quickstart demonstrates how to authenticate with Azure Key Vault using `DefaultAzureCredential` and perform basic secret operations: setting a secret, retrieving it, and initiating its deletion. Ensure you have the `KEY_VAULT_URL` environment variable set to your Key Vault's URI (e.g., `https://<your-keyvault-name>.vault.azure.net`). Your identity must have appropriate permissions (e.g., 'Key Vault Secrets User' RBAC role or 'Get', 'Set', 'Delete' permissions via access policies) to perform these operations."},"warnings":[{"fix":"Migrate your code to use the new scoped packages and their specific client classes (e.g., `from azure.keyvault.secrets import SecretClient`).","message":"The legacy `azure-keyvault` package has been split into specific client libraries: `azure-keyvault-keys`, `azure-keyvault-secrets`, and `azure-keyvault-certificates`. The `azure-keyvault` package no longer contains code and only installs these sub-packages. Direct imports from `azure.keyvault` will fail.","severity":"breaking","affected_versions":"<4.0.0"},{"fix":"Verify that the identity used for authentication has the necessary RBAC role assignments (recommended) or access policy entries configured on the Azure Key Vault. Ensure network firewall rules are not blocking access if the Key Vault has network restrictions.","message":"Common errors (HTTP 403 Forbidden) are typically due to incorrect permissions. Azure Key Vault uses either Role-Based Access Control (RBAC) or legacy access policies. The authenticated identity (user, service principal, managed identity) must have explicit permissions (e.g., 'Key Vault Secrets User' role or 'Get', 'Set', 'Delete' access policy permissions) for the desired operations.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Implement caching mechanisms for secrets within your application. 
Use a singleton pattern for `SecretClient` instances and the credential object to reduce connection overhead and token refresh frequency.","message":"Frequent requests can lead to Key Vault throttling (HTTP 429 Too Many Requests). Key Vault is designed for secure storage, not as a high-throughput runtime database. Avoid fetching secrets on every application request.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Explicitly define the access control model (`enableRbacAuthorization`) when creating new vaults through infrastructure-as-code. Ensure that appropriate RBAC roles (e.g., 'Key Vault Secrets User') are assigned to identities that need to interact with new vaults. The deadline to migrate deployment scripts is February 27, 2027.","message":"Starting with Azure Key Vault REST API version 2026-02-01 (and corresponding SDKs), Azure RBAC becomes the *default* access control model for *newly created vaults*. While existing vaults retain their current model, deployment scripts creating new vaults might implicitly get RBAC as default, potentially causing `403 Forbidden` errors if RBAC roles are not assigned.","severity":"breaking","affected_versions":"Deployment scripts using API versions >= 2026-02-01 or future SDKs"},{"fix":"Upgrade your Python environment to 3.9 or newer.","message":"Support for Python 2.7 has officially ended. This library requires Python 3.9 or later.","severity":"breaking","affected_versions":"<4.3.0"},{"fix":"Ensure the environment variable `KEY_VAULT_URL` (or the equivalent configuration parameter) is set with the URL of your Azure Key Vault, typically in the format `https://<your-key-vault-name>.vault.azure.net/`.","message":"The Key Vault client requires the URL of the Azure Key Vault. 
This is typically provided via an environment variable (e.g., `KEY_VAULT_URL`) or passed directly to the client constructor, and is essential for initializing the client.","severity":"breaking","affected_versions":"All versions"},{"fix":"Set the `KEY_VAULT_URL` environment variable to the appropriate Azure Key Vault URL before running the script. Example: `export KEY_VAULT_URL=\"https://YOUR_KEY_VAULT_NAME.vault.azure.net/\"` or define it in your deployment environment.","message":"The script requires the `KEY_VAULT_URL` environment variable to be set, typically to the URL of your Azure Key Vault instance. This variable is crucial for the `SecretClient` to know which Key Vault to connect to.","severity":"breaking","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-05-12T18:33:16.433Z","next_check":"2026-06-27T00:00:00.000Z","problems":[{"fix":"Ensure the package is correctly installed using `pip install azure-keyvault-secrets`. If the error persists, check your project directory for files or folders named `azure` or `keyvault` that might be causing an import conflict.","cause":"The `azure-keyvault-secrets` package is not installed, or there is a naming conflict (e.g., a local file named `azure.py` or `keyvault.py` shadowing the actual library).","error":"ModuleNotFoundError: No module named 'azure.keyvault.secrets'"},{"fix":"Configure appropriate Azure authentication for your environment. For local development, set `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` environment variables. For Azure services (like App Service or Functions), enable and assign a system-assigned or user-assigned managed identity to the resource.","cause":"The `DefaultAzureCredential` class, which attempts various authentication methods, was unable to obtain an access token. 
This often happens because necessary environment variables are not set, a managed identity is not correctly configured or assigned, or local developer tools are not authenticated to Azure.","error":"DefaultAzureCredential failed to retrieve a token from the included credentials."},{"fix":"Grant the required permissions to the identity. If using Azure RBAC (recommended), assign the 'Key Vault Secrets User' role (or 'Key Vault Secrets Officer' for write operations) to the identity at the Key Vault scope. If using Vault Access Policies, ensure an access policy granting 'Get' and 'List' secret permissions is configured for the identity. Verify that the Key Vault's 'Access configuration' setting aligns with your chosen permission model.","cause":"The identity (user, service principal, or managed identity) attempting to access the Key Vault lacks the necessary data plane permissions (e.g., 'Get', 'List' for secrets) or there's a mismatch in the Key Vault's access model (Azure RBAC vs. Vault Access Policies).","error":"AccessDenied / Forbidden (403) or User is not authorized to read secrets from '/subscriptions/{resource guid}/resourceGroups/{resourcegroup}/providers/Microsoft.KeyVault/vaults/{keyvaultname}/secrets/{secretname}' resource."},{"fix":"After retrieving a secret with `client.get_secret('secretName')`, the actual string value of the secret is accessed via the `.value` attribute of the returned `KeyVaultSecret` object, like `secret_object = client.get_secret('mySecretName'); secret_value = secret_object.value`.","cause":"This error occurs when attempting to access the secret value from the `KeyVaultSecret` object using dictionary-like indexing (e.g., `secret['value']`) instead of the correct attribute access (`.value`).","error":"TypeError: string indices must be integers (when trying to get secret 
value)"}],"ecosystem":"pypi","meta_description":null,"install_score":100,"install_tag":"verified","quickstart_score":0,"quickstart_tag":"stale","pypi_latest":"4.11.0","cli_name":null,"install_checks":{"last_tested":"2026-05-12","tag":"verified","tag_description":"installs cleanly on critical runtimes, fast import, recently tested","results":[{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.42,"mem_mb":12.1,"disk_size":"43.1M"},{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.41,"mem_mb":12.1,"disk_size":"42.2M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":3.9,"import_time_s":0.29,"mem_mb":12.1,"disk_size":"44M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.29,"mem_mb":12.1,"disk_size":"43M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.51,"mem_mb":12.8,"disk_size":"46.6M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.54,"mem_mb":12.8,"disk_size":"45.7M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 
","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":3.7,"import_time_s":0.44,"mem_mb":12.8,"disk_size":"47M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.41,"mem_mb":12.8,"disk_size":"46M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.47,"mem_mb":12.8,"disk_size":"38.1M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.49,"mem_mb":12.8,"disk_size":"37.2M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":3.3,"import_time_s":0.46,"mem_mb":12.8,"disk_size":"38M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.46,"mem_mb":12.8,"disk_size":"38M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.45,"mem_mb":12.9,"disk_size":"37.8M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.48,"mem_mb":12.9,"disk_size":"36.8M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 
","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":3.5,"import_time_s":0.46,"mem_mb":12.9,"disk_size":"38M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.45,"mem_mb":12.9,"disk_size":"37M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.46,"mem_mb":11.8,"disk_size":"43.1M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.41,"mem_mb":11.8,"disk_size":"42.3M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":4.4,"import_time_s":0.41,"mem_mb":11.8,"disk_size":"44M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.35,"mem_mb":11.8,"disk_size":"43M"}]},"quickstart_checks":{"last_tested":"2026-04-24","tag":"stale","tag_description":"widespread failures or data too old to trust","results":[{"runtime":"python:3.10-alpine","exit_code":1},{"runtime":"python:3.10-slim","exit_code":1},{"runtime":"python:3.11-alpine","exit_code":1},{"runtime":"python:3.11-slim","exit_code":1},{"runtime":"python:3.12-alpine","exit_code":1},{"runtime":"python:3.12-slim","exit_code":1},{"runtime":"python:3.13-alpine","exit_code":1},{"runtime":"python:3.13-slim","exit_code":1},{"runtime":"python:3.9-alpine","exit_code":1},{"runtime":"python:3.9-slim","exit_code":1}]}}