Using a private RSA key stored in key vault to ssh within python code
ZZ (20 Reputation points)
I am confused about how to use my keys stored in key vault.
My scenario:
- I have an Azure function, which needs to ssh into a virtual machine
- I use Python's paramiko library to manage ssh access to this VM
- Basically, I need to mimic the operation in my python code: ssh -i my_key.pem user@azure.vm.address
In order to do this safely, I thought that I could just upload my private key my_key.pem to the key vault and then use it in my code. But this does not work.
Below is my Python code:
```python
import io
import logging

import azure.functions as func
import paramiko
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

vault_url = ...   # https://<vault-name>.vault.azure.net
key_name = ...    # name of the key object in Key Vault


def main(request: func.HttpRequest) -> func.HttpResponse:
    if request.method == 'GET':
        # for checking job status only
        key = get_private_key_pem(
            vault_url,
            key_name
        )
        ip_address = ...
        user = ...
        # load the retrieved material as an RSA private key for paramiko
        private_key = paramiko.RSAKey(file_obj=io.BytesIO(key))
        ssh_client = paramiko.SSHClient()
        ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh_client.connect(ip_address, username=user, pkey=private_key)
        stdin, stdout, stderr = ssh_client.exec_command('pwd')
        stdout = stdout.read().decode()
        stderr = stderr.read().decode()
        msg = "stdout={}; stderr={}".format(stdout, stderr)
        logging.info(msg)
        return func.HttpResponse(msg, status_code=200)
    else:
        return func.HttpResponse("Method not allowed", status_code=405)


def get_private_key_pem(vault_url, key_name):
    """
    Retrieve a secret from Azure Key Vault.
    """
    credential = DefaultAzureCredential()
    client = KeyClient(vault_url=vault_url, credential=credential)
    # Get the key object and take the "n" field of its JSON Web Key
    key = client.get_key(key_name)
    private_key_pem = key.key.n
    return private_key_pem
```
I tried many ways, but it seems that the object returned by `client.get_key(key_name)` is not quite what `paramiko.RSAKey` is expecting.
I can confirm that the key retrieved is an RSA key, and it works if I just do 'ssh -i ...' in a shell.
Have I misunderstood how Key Vault works? Should I use secrets instead, but isn't that less safe?
Thanks