How to create Azure Key Vault using Python

This post describes how to create an Azure Key Vault using Python. The Azure Key Vault client libraries for Python offer a convenient interface for making calls to Azure Key Vault.

Prerequisites

1. Azure CLI. Refer to the articles below to install it.
   • Windows: Install Azure CLI on Windows
   • Ubuntu: Install Azure CLI on Ubuntu
2. Python 3.6 or later

Create Azure Key Vault using Python

  • Log in with Azure CLI

    az login
    
  • Install the required Python libraries

    pip install azure-identity
    pip install azure-mgmt-keyvault
    
  • Import the required modules

    from azure.identity import AzureCliCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient
    from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
    from azure.mgmt.keyvault.models import VaultProperties
    from azure.mgmt.keyvault.models import Sku
    from azure.mgmt.keyvault.models import Permissions
    from azure.mgmt.keyvault.models import AccessPolicyEntry
    
  • Define the tenant ID and object ID

    # Define tenant ID and object ID
    # The object ID of a user, service principal or security group
    # in the Azure Active Directory tenant for the vault
    tenant_id = "Tenant_ID"  # Replace with Tenant ID
    object_id = "Object_ID"  # Replace with Object ID of user, service principal, etc.
    
  • Define the subscription ID, resource group name, Key Vault name and Key Vault location

    # Define subscription_id, resource_group_name, keyvault_name and keyvault_location
    subscription_id = "subscription_id"  # Replace with Subscription ID
    resource_group_name = "resource_group_name"  # Replace with Resource Group Name
    keyvault_name = "keyvault_name"  # Replace with Key Vault Name to be created
    keyvault_location = "keyvault_location"  # Replace with KeyVault Location
    
  • Get credentials and obtain the management object for Key Vault

    # Acquire a credential object using CLI-based authentication
    credential = AzureCliCredential()

    # Obtain management object for Key Vault, using the credentials from the CLI login
    keyvault_client = KeyVaultManagementClient(credential, subscription_id)
    
  • Create the Azure Key Vault

    # Create a key vault
    response = keyvault_client.vaults.begin_create_or_update(
        resource_group_name,
        keyvault_name,
        VaultCreateOrUpdateParameters(
            location=keyvault_location,
            properties=VaultProperties(
                tenant_id=tenant_id,
                sku=Sku(name="standard", family="A"),
                access_policies=[
                    AccessPolicyEntry(
                        tenant_id=tenant_id,
                        object_id=object_id,
                        permissions=Permissions(keys=["all"], secrets=["all"]),
                    )
                ],
            ),
        ),
    )
    
    # Block until the long-running create operation completes
    key_vault = response.result()

    print(f"Created key vault {key_vault.name} in {key_vault.location} region")
    
  • Complete code snippet to create an Azure Key Vault with Python

    from azure.identity import AzureCliCredential
    from azure.mgmt.keyvault import KeyVaultManagementClient
    from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
    from azure.mgmt.keyvault.models import VaultProperties
    from azure.mgmt.keyvault.models import Sku
    from azure.mgmt.keyvault.models import Permissions
    from azure.mgmt.keyvault.models import AccessPolicyEntry
    
    # Define tenant ID and object ID
    # The object ID of a user, service principal or security group
    # in the Azure Active Directory tenant for the vault
    tenant_id = "Tenant_ID"  # Replace with Tenant ID
    object_id = "Object_ID"  # Replace with Object ID of user, service principal, etc.
    
    # Define subscription_id, resource_group_name, keyvault_name and keyvault_location
    subscription_id = "subscription_id"  # Replace with Subscription ID
    resource_group_name = "resource_group_name"  # Replace with Resource Group Name
    keyvault_name = "keyvault_name"  # Replace with Key Vault Name to be created
    keyvault_location = "keyvault_location"  # Replace with KeyVault Location
    
    
    # Acquire a credential object using CLI-based authentication
    credential = AzureCliCredential()
    
    # Obtain management object for Key Vault, using the credentials from the CLI login
    keyvault_client = KeyVaultManagementClient(credential, subscription_id)
    
    # Create a key vault
    response = keyvault_client.vaults.begin_create_or_update(
        resource_group_name,
        keyvault_name,
        VaultCreateOrUpdateParameters(
            location=keyvault_location,
            properties=VaultProperties(
                tenant_id=tenant_id,
                sku=Sku(name="standard", family="A"),
                access_policies=[
                    AccessPolicyEntry(
                        tenant_id=tenant_id,
                        object_id=object_id,
                        permissions=Permissions(keys=["all"], secrets=["all"]),
                    )
                ],
            ),
        ),
    )
    
    # Block until the long-running create operation completes
    key_vault = response.result()

    print(f"Created key vault {key_vault.name} in {key_vault.location} region")
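
The access policy above grants `all` key and secret permissions to a single object ID. The following added example (not code from the original post) audits a permission set for `all`, `delete` and `purge`, then builds the same create parameters with a scoped access policy and purge protection. The role names and their permission lists are assumptions made for illustration.

```python
# Added example: least-privilege variant of the vault parameters from this post.
# Role names and the role-to-permission mapping are constructed assumptions.

ROLE_PERMISSIONS = {
    "app-reader": {"keys": ["get", "unwrapKey"], "secrets": ["get"]},
    "deployer": {"keys": ["get", "list", "create"], "secrets": ["get", "list", "set"]},
}

# Permissions that allow wiping or irreversibly removing vault contents.
RISKY = {"all", "delete", "purge"}


def audit_permissions(permissions):
    """Return one finding per risky permission in a {'keys': [...], 'secrets': [...]} dict."""
    findings = []
    for kind in sorted(permissions):
        for perm in permissions[kind]:
            if perm.lower() in RISKY:
                findings.append(f"{kind}: '{perm}' is broader than most workloads need")
    return findings


def build_parameters(location, tenant_id, object_id, role):
    """Build create parameters with a scoped access policy and purge protection."""
    # Imported here so the audit helper above works without the Azure SDK installed.
    from azure.mgmt.keyvault.models import (
        AccessPolicyEntry, Permissions, Sku,
        VaultCreateOrUpdateParameters, VaultProperties,
    )
    perms = ROLE_PERMISSIONS[role]
    if audit_permissions(perms):
        raise ValueError(f"role {role!r} carries risky permissions")
    return VaultCreateOrUpdateParameters(
        location=location,
        properties=VaultProperties(
            tenant_id=tenant_id,
            sku=Sku(name="standard", family="A"),
            enable_purge_protection=True,      # soft-deleted vault cannot be purged early
            soft_delete_retention_in_days=90,  # recovery window for deleted items
            access_policies=[AccessPolicyEntry(
                tenant_id=tenant_id,
                object_id=object_id,
                permissions=Permissions(**perms),
            )],
        ),
    )
```

Pass the return value of `build_parameters(...)` to `keyvault_client.vaults.begin_create_or_update(resource_group_name, keyvault_name, ...)` in place of the inline parameters.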
      
    
    

Category: Azure