azure-keyvault-py

Azure Key Vault SDK for Python

Secure storage and management for secrets, cryptographic keys, and certificates.

Installation

```bash
# Secrets
pip install azure-keyvault-secrets azure-identity

# Keys (cryptographic operations)
pip install azure-keyvault-keys azure-identity

# Certificates
pip install azure-keyvault-certificates azure-identity

# All
pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity
```

Environment Variables

```bash
AZURE_KEYVAULT_URL=https://<vault-name>.vault.azure.net/
```

Secrets

SecretClient Setup

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = SecretClient(vault_url=vault_url, credential=credential)
```

Secret Operations

```python
# client: the SecretClient created in the setup above

# Set secret (creates a new version if the secret already exists)
secret = client.set_secret("database-password", "super-secret-value")
print(f"Created: {secret.name}, version: {secret.properties.version}")

# Get secret (latest version)
secret = client.get_secret("database-password")
print(f"Value: {secret.value}")

# Get specific version
secret = client.get_secret("database-password", version="abc123")

# List secrets (names only, not values)
for secret_properties in client.list_properties_of_secrets():
    print(f"Secret: {secret_properties.name}")

# List versions
for version in client.list_properties_of_secret_versions("database-password"):
    print(f"Version: {version.version}, Created: {version.created_on}")

# Delete secret (soft delete)
poller = client.begin_delete_secret("database-password")
deleted_secret = poller.result()

# Purge (permanent delete of a soft-deleted secret; needs purge permission)
client.purge_deleted_secret("database-password")

# Recover deleted secret (only while it is still in the soft-deleted state)
client.begin_recover_deleted_secret("database-password").result()
```

Keys

KeyClient Setup

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = KeyClient(vault_url=vault_url, credential=credential)
```

Key Operations

```python
from azure.keyvault.keys import KeyType

# client: the KeyClient created in the setup above

# Create RSA key
rsa_key = client.create_rsa_key("rsa-key", size=2048)

# Create EC key
ec_key = client.create_ec_key("ec-key", curve="P-256")

# Get key
key = client.get_key("rsa-key")
print(f"Key type: {key.key_type}")  # compares equal to KeyType.rsa

# List keys
for key_properties in client.list_properties_of_keys():
    print(f"Key: {key_properties.name}")

# Delete key (soft delete)
poller = client.begin_delete_key("rsa-key")
deleted_key = poller.result()
```

Cryptographic Operations

```python
import hashlib

from azure.keyvault.keys.crypto import (
    CryptographyClient,
    EncryptionAlgorithm,
    SignatureAlgorithm,
)

# Get crypto client for a specific key (key: the KeyVaultKey returned by get_key above)
crypto_client = CryptographyClient(key, credential=credential)

# Or from key ID
crypto_client = CryptographyClient(
    "https://<vault>.vault.azure.net/keys/<key-name>/<version>",
    credential=credential,
)

# Encrypt
plaintext = b"Hello, Key Vault!"
result = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, plaintext)
ciphertext = result.ciphertext

# Decrypt (the private key never leaves the vault)
result = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
decrypted = result.plaintext

# Sign: sign() takes a precomputed digest, and RS256 expects a SHA-256 digest
digest = hashlib.sha256(b"data to sign").digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature

# Verify
result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature)
print(f"Valid: {result.is_valid}")
```

Certificates

CertificateClient Setup

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()
vault_url = "https://<vault-name>.vault.azure.net/"

client = CertificateClient(vault_url=vault_url, credential=credential)
```

Certificate Operations

```python
# client: the CertificateClient created in the setup above

# Create self-signed certificate
policy = CertificatePolicy.get_default()
poller = client.begin_create_certificate("my-cert", policy=policy)
certificate = poller.result()

# Get certificate (public certificate and metadata only)
certificate = client.get_certificate("my-cert")
print(f"Thumbprint: {certificate.properties.x509_thumbprint.hex()}")

# Get certificate with private key (as secret)
from azure.keyvault.secrets import SecretClient

secret_client = SecretClient(vault_url=vault_url, credential=credential)
cert_secret = secret_client.get_secret("my-cert")
# cert_secret.value contains PEM or PKCS12 (see cert_secret.content_type)

# List certificates
for cert in client.list_properties_of_certificates():
    print(f"Certificate: {cert.name}")

# Delete certificate (soft delete)
poller = client.begin_delete_certificate("my-cert")
deleted = poller.result()
```

Client Types Table

| Client | Package | Purpose |
| --- | --- | --- |
| SecretClient | azure-keyvault-secrets | Store/retrieve secrets |
| KeyClient | azure-keyvault-keys | Manage cryptographic keys |
| CryptographyClient | azure-keyvault-keys | Encrypt/decrypt/sign/verify |
| CertificateClient | azure-keyvault-certificates | Manage certificates |

Async Clients

```python
import asyncio

from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

vault_url = "https://<vault-name>.vault.azure.net/"


async def get_secret():
    credential = DefaultAzureCredential()
    client = SecretClient(vault_url=vault_url, credential=credential)

    # Both objects support "async with"; closing the credential releases its session too
    async with credential, client:
        secret = await client.get_secret("my-secret")
        print(secret.value)


asyncio.run(get_secret())
```

Error Handling

```python
from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try:
    secret = client.get_secret("nonexistent")
except ResourceNotFoundError:
    print("Secret not found")
except HttpResponseError as e:
    if e.status_code == 403:
        print("Access denied - check RBAC permissions")
    raise
```

Best Practices


  1. Use DefaultAzureCredential for authentication
  2. Use managed identity in Azure-hosted applications
  3. Enable soft-delete for recovery (enabled by default)
  4. Use RBAC over access policies for fine-grained control
  5. Rotate secrets regularly using versioning
  6. Use Key Vault references in App Service/Functions config
  7. Cache secrets appropriately to reduce API calls
  8. Use async clients for high-throughput scenarios
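Practices 5 and 7 interact: a cached secret goes stale the moment it is rotated to a new version. The block below is an added example, not code from this page or from the Azure SDK; it assumes only the interface the page shows (get_secret returning an object with .value and .properties.version) and uses a constructed FakeSecretClient so it runs offline.

```python
import time
from types import SimpleNamespace

class FakeSecretClient:
    """Constructed offline stand-in for SecretClient: get_secret(name) returns an
    object with .value and .properties.version; set_secret() adds a new version."""
    def __init__(self):
        self._versions, self.get_calls = {}, 0  # get_calls counts vault round trips

    def set_secret(self, name, value):
        versions = self._versions.setdefault(name, [])
        props = SimpleNamespace(version=f"v{len(versions) + 1}")
        versions.append(SimpleNamespace(name=name, value=value, properties=props))
        return versions[-1]

    def get_secret(self, name):
        self.get_calls += 1
        return self._versions[name][-1]  # latest version, as the real client does

class SecretCache:
    """Caches each secret's latest value for ttl seconds (best practice 7)."""
    def __init__(self, client, ttl=300.0, clock=time.monotonic):
        self._client, self._ttl, self._clock, self._entries = client, ttl, clock, {}

    def get(self, name):
        """Return (value, version); hit the vault only when missing or expired."""
        entry = self._entries.get(name)
        if entry and entry["expires"] > self._clock():
            return entry["value"], entry["version"]
        secret = self._client.get_secret(name)  # real client: ResourceNotFoundError if absent
        self._entries[name] = {"expires": self._clock() + self._ttl,
                               "value": secret.value, "version": secret.properties.version}
        return secret.value, secret.properties.version

    def invalidate(self, name):
        self._entries.pop(name, None)

class RejectedCredential(Exception):
    """Raised by the consumer when the downstream system refuses the secret."""

def use_secret(cache, name, consumer):
    """Run consumer(value); if rejected, assume rotation: refresh once, retry (practice 5)."""
    value, version = cache.get(name)
    try:
        return consumer(value), version
    except RejectedCredential:
        cache.invalidate(name)  # drop the stale version and fetch the rotated one
        value, version = cache.get(name)
        return consumer(value), version
```

With the real SDK, pass a SecretClient in place of FakeSecretClient; the consumer is whatever uses the secret (a database login, an API call) and raises RejectedCredential when the old value is refused.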