Azure Key Vault Management Client
Microsoft Azure Key Vault Management Client Library for Python. It provides an interface for managing Azure Key Vault resources: creating, deleting, and updating vaults, and configuring access policies. The current version is 14.0.1. Releases follow the Azure SDK for Python's frequent cadence, often coinciding with new API versions or bug fixes.
Warnings
- breaking: Version 14.0.0 introduced breaking changes, specifically regarding how `api_version` is handled and changes to the default models namespace. `VaultsOperations` methods no longer accept keyword arguments for `api_version`.
- gotcha: This library (`azure-mgmt-keyvault`) is for *managing* Key Vault resources (create, delete, update policies). It is NOT for interacting with secrets, keys, or certificates *inside* a vault. For data plane operations, use `azure-keyvault-secrets`, `azure-keyvault-keys`, or `azure-keyvault-certificates`.
- gotcha: Authentication with `DefaultAzureCredential` relies on a chain of authentication methods. Misconfigured environment variables or lack of `az login` can lead to authentication failures.
Install
- pip install azure-mgmt-keyvault azure-identity
Imports
- KeyVaultManagementClient: `from azure.mgmt.keyvault import KeyVaultManagementClient`
- DefaultAzureCredential: `from azure.identity import DefaultAzureCredential`
Quickstart
import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.keyvault import KeyVaultManagementClient

# --- Authentication ---
# The DefaultAzureCredential attempts to authenticate via several methods,
# including environment variables, managed identity, Azure CLI, and more.
# For local development, set these environment variables or ensure 'az login' is active:
# - AZURE_SUBSCRIPTION_ID (required by this script; the credential itself does not read it)
# - AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID for service principal
# - AZURE_USERNAME, AZURE_PASSWORD for developer accounts
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
if not subscription_id:
    raise ValueError("AZURE_SUBSCRIPTION_ID environment variable must be set.")

credential = DefaultAzureCredential()

# --- Client Initialization ---
client = KeyVaultManagementClient(credential, subscription_id)

# --- Example: List all Key Vaults in the subscription ---
print(f"Listing all Key Vaults in subscription: {subscription_id}")
try:
    vaults_iterator = client.vaults.list()
    found_vaults = False
    for vault in vaults_iterator:
        print(f"  - Vault Name: {vault.name}, Location: {vault.location}")
        found_vaults = True
    if not found_vaults:
        print("  No Key Vaults found.")
except Exception as e:
    # Authentication and authorization failures both surface here.
    print(f"Error listing vaults: {e}")
    print("Ensure your credential has the 'Microsoft.KeyVault/vaults/read' permission at the subscription scope.")
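Because this library works on the control plane, it can also review how each vault is configured. The following is an added example, not code from the original page or the SDK: `audit_vault`, `audit_subscription`, the `BROAD` permission set and the finding strings are hypothetical names and choices made for this example, and the sample vault is constructed so the checks run without an Azure connection.

```python
from types import SimpleNamespace as NS

BROAD = {"all", "purge"}  # assumption: permissions this example treats as broad

def _s(v):
    # SDK models may carry enum members or plain strings; normalise both.
    return str(getattr(v, "value", v)).lower()

def audit_vault(vault):
    """Return control-plane findings for one Vault-shaped object."""
    p, findings = vault.properties, []
    if not getattr(p, "enable_purge_protection", None):
        findings.append("purge protection disabled")
    if getattr(p, "enable_soft_delete", None) is False:
        findings.append("soft delete disabled")
    acls = getattr(p, "network_acls", None)
    if acls is None or _s(acls.default_action) != "deny":
        findings.append("network default action is not Deny")
    if getattr(p, "enable_rbac_authorization", None):
        return findings  # access policies are not evaluated under RBAC
    for entry in getattr(p, "access_policies", None) or []:
        for kind in ("keys", "secrets", "certificates"):
            granted = {_s(x) for x in getattr(entry.permissions, kind, None) or []}
            hit = sorted(granted & BROAD)
            if hit:
                findings.append(f"policy {entry.object_id}: {kind} grants {', '.join(hit)}")
    return findings

def audit_subscription(subscription_id):
    """Audit every vault in a subscription; needs credentials and network."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient
    client = KeyVaultManagementClient(DefaultAzureCredential(), subscription_id)
    return {v.name: audit_vault(v) for v in client.vaults.list_by_subscription()}

# Constructed sample shaped like the SDK's Vault model (not real data).
SAMPLE = NS(name="kv-constructed", properties=NS(
    enable_purge_protection=None, enable_soft_delete=True,
    enable_rbac_authorization=False,
    network_acls=NS(default_action="Allow"),
    access_policies=[NS(object_id="00000000-0000-0000-0000-000000000000",
                        permissions=NS(keys=["get"], secrets=["all"],
                                       certificates=None))]))

if __name__ == "__main__":
    for finding in audit_vault(SAMPLE):
        print(finding)
```

`audit_subscription` uses `vaults.list_by_subscription()` rather than the quickstart's `vaults.list()` because the audit needs each vault's `properties`.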