Azure Key Vault Secrets Client Library

4.10.0 · active · verified Sun Mar 29

The Azure Key Vault Secrets client library for Python (version 4.10.0) provides secure storage and management for sensitive information like tokens, passwords, API keys, and certificates. As part of the actively developed Azure SDK for Python, it maintains a regular release cadence with updates typically occurring every few months to introduce new features and improvements.

Warnings

breaking The legacy `azure-keyvault` package has been split into specific client libraries: `azure-keyvault-keys`, `azure-keyvault-secrets`, and `azure-keyvault-certificates`. The `azure-keyvault` package no longer contains code and only installs these sub-packages. Direct imports from `azure.keyvault` will fail.
Fix: Migrate your code to use the new scoped packages and their specific client classes (e.g., `from azure.keyvault.secrets import SecretClient`).
gotcha Common errors (HTTP 403 Forbidden) are typically due to incorrect permissions. Azure Key Vault uses either Role-Based Access Control (RBAC) or legacy access policies. The authenticated identity (user, service principal, managed identity) must have explicit permissions (e.g., 'Key Vault Secrets User' role or 'Get', 'Set', 'Delete' access policy permissions) for the desired operations.
Fix: Verify that the identity used for authentication has the necessary RBAC role assignments (recommended) or access policy entries configured on the Azure Key Vault. Ensure network firewall rules are not blocking access if the Key Vault has network restrictions.
gotcha Frequent requests can lead to Key Vault throttling (HTTP 429 Too Many Requests). Key Vault is designed for secure storage, not as a high-throughput runtime database. Avoid fetching secrets on every application request.
Fix: Implement caching mechanisms for secrets within your application. Use a singleton pattern for `SecretClient` instances and the credential object to reduce connection overhead and token refresh frequency.
breaking Starting with Azure Key Vault REST API version 2026-02-01 (and corresponding SDKs), Azure RBAC becomes the *default* access control model for *newly created vaults*. While existing vaults retain their current model, deployment scripts creating new vaults might implicitly get RBAC as default, potentially causing `403 Forbidden` errors if RBAC roles are not assigned.
Fix: Explicitly define the access control model (`enableRbacAuthorization`) when creating new vaults through infrastructure-as-code. Ensure that appropriate RBAC roles (e.g., 'Key Vault Secrets User') are assigned to identities that need to interact with new vaults. The deadline to migrate deployment scripts is February 27, 2027.
breaking Support for Python 2.7 has officially ended. This library requires Python 3.9 or later.
Fix: Upgrade your Python environment to 3.9 or newer.

Install

pip install azure-keyvault-secrets azure-identity Install stable version

Imports

SecretClient
```
from azure.keyvault.secrets import SecretClient
```
The primary client for interacting with Azure Key Vault secrets.
DefaultAzureCredential
```
from azure.identity import DefaultAzureCredential
```
Authentication credentials are provided by the `azure-identity` library, not `azure-keyvault-secrets` directly. `DefaultAzureCredential` is recommended for most scenarios as it handles various authentication flows.
KeyVaultSecret
```
from azure.keyvault.secrets import KeyVaultSecret
```
Represents a secret retrieved from Azure Key Vault, including its value and attributes.
SecretProperties
```
from azure.keyvault.secrets import SecretProperties
```
Represents the attributes of a secret, such as its expiration date, content type, and tags.

Quickstart

This quickstart demonstrates how to authenticate with Azure Key Vault using `DefaultAzureCredential` and perform basic secret operations: setting a secret, retrieving it, and initiating its deletion. Ensure you have the `KEY_VAULT_URL` environment variable set to your Key Vault's URI (e.g., `https://<your-keyvault-name>.vault.azure.net`). Your identity must have appropriate permissions (e.g., 'Key Vault Secrets User' RBAC role or 'Get', 'Set', 'Delete' permissions via access policies) to perform these operations.

import os
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

# Retrieve the Key Vault URL from an environment variable
key_vault_url = os.environ.get("KEY_VAULT_URL", "")
if not key_vault_url:
    raise ValueError("KEY_VAULT_URL environment variable not set.")

# Authenticate using DefaultAzureCredential, which handles various authentication flows
credential = DefaultAzureCredential()

# Create a SecretClient
secret_client = SecretClient(vault_url=key_vault_url, credential=credential)

secret_name = "MyTestSecret"
secret_value = "mysecretvalue123"

print(f"Setting a secret named '{secret_name}'...")
# Set a secret
set_secret = secret_client.set_secret(secret_name, secret_value)
print(f"Secret set: {{set_secret.name}}, version: {{set_secret.id}}")

print(f"Retrieving the secret named '{secret_name}'...")
# Get a secret
retrieved_secret = secret_client.get_secret(secret_name)
print(f"Secret retrieved: {{retrieved_secret.name}}, value: {{retrieved_secret.value}}")

print(f"Deleting the secret named '{secret_name}'...")
# Delete a secret (soft-delete, if enabled on the vault)
deleted_secret = secret_client.begin_delete_secret(secret_name).result()
print(f"Secret deleted: {{deleted_secret.name}}, recovery ID: {{deleted_secret.recovery_id}}")

print("Done.")

view raw JSON →