Azure Key Vault libraries for Python
Azure Key Vault is Azure's storage and management system for cryptographic keys, secrets, and certificates. The Python SDK API for Key Vault is split between client libraries and management libraries.
Use the client library to:
- Access, update, or delete items stored in an Azure Key Vault
- Get metadata for stored certificates
- Verify signatures against symmetric keys in Key Vault
Use the management library to:
- Create, update, or delete Key Vault stores
- Control vault access policies
- List vaults by subscription or resource group
- Check for vault name availability
Install the libraries
Client library
```shell
pip install azure-keyvault
```
Examples
The following examples use service principal authentication, which is the recommended sign-in method for applications that connect to Azure. To learn about service principal authentication, see Authenticate with the Azure SDK for Python.
Retrieve the public portion of an asymmetric key from a vault:
```python
from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id='...',
    secret='...',
    tenant='...'
)
client = KeyVaultClient(credentials)

# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
VAULT_URL = 'https://<vaultname>.vault.azure.net'
KEY_NAME = '...'
# KEY_VERSION is required, and can be obtained with the
# KeyVaultClient.get_key_versions(vault_url, key_name) API
KEY_VERSION = '...'

key_bundle = client.get_key(VAULT_URL, KEY_NAME, KEY_VERSION)
key = key_bundle.key  # the public portion of the key, as a JSON Web Key
```
Retrieve a secret from a vault:
```python
from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id='...',
    secret='...',
    tenant='...'
)
client = KeyVaultClient(credentials)

# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
VAULT_URL = 'https://<vaultname>.vault.azure.net'
SECRET_ID = '...'  # the secret's name within the vault
# SECRET_VERSION is required, and can be obtained with the
# KeyVaultClient.get_secret_versions(vault_url, secret_name) API
SECRET_VERSION = '...'

secret_bundle = client.get_secret(VAULT_URL, SECRET_ID, SECRET_VERSION)
secret = secret_bundle.value  # the plaintext secret; keep it out of logs
```
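Both snippets above require an explicit version, which the comments say comes from `get_key_versions` / `get_secret_versions`. The following is an added example, not code from the Azure documentation or SDK, showing how to pick the newest version that is still enabled from such a listing, so that a rotated-out or disabled version is never selected. It assumes each listed item exposes an identifier URL (`kid` on key items, `id` on secret items, of the form `https://<vault>.vault.azure.net/<keys|secrets>/<name>/<version>`) and an `attributes` object with `enabled` and `created` fields, which is how the `azure-keyvault` 1.x models are shaped; the vault name `contoso` and the version strings are constructed sample data.

```python
# Added example (not from the Azure docs page or the SDK): select the newest enabled
# version of a key or secret from the items returned by get_key_versions /
# get_secret_versions. Assumes azure-keyvault 1.x-style items: an identifier URL in
# `kid` (keys) or `id` (secrets) and `attributes.enabled` / `attributes.created`.
from datetime import datetime, timezone
from types import SimpleNamespace
from urllib.parse import urlsplit


def version_from_id(identifier):
    """Extract the trailing version segment from a Key Vault object identifier URL."""
    path = urlsplit(identifier).path.rstrip('/')
    parts = path.split('/')
    # Expected path: /keys/<name>/<version> or /secrets/<name>/<version>
    if len(parts) != 4 or parts[1] not in ('keys', 'secrets'):
        raise ValueError(f'unexpected Key Vault identifier: {identifier}')
    return parts[3]


def latest_enabled_version(items):
    """Return the version string of the newest enabled item, or None if none is usable.

    Disabled versions are skipped so a key or secret that has been rotated out is
    never handed to get_key / get_secret.
    """
    usable = [
        item for item in items
        if item.attributes.enabled and item.attributes.created is not None
    ]
    if not usable:
        return None
    newest = max(usable, key=lambda item: item.attributes.created)
    # Key items carry `kid`, secret items carry `id`.
    identifier = getattr(newest, 'kid', None) or getattr(newest, 'id')
    return version_from_id(identifier)


def _item(identifier, enabled, created):
    """Constructed stand-in for a KeyItem/SecretItem (sample data, not an SDK object)."""
    return SimpleNamespace(
        kid=identifier,
        attributes=SimpleNamespace(enabled=enabled, created=created),
    )


# Constructed sample listing: three versions of one key; the newest one is disabled.
SAMPLE_VERSIONS = [
    _item('https://contoso.vault.azure.net/keys/signing/aaa111', True,
          datetime(2023, 1, 10, tzinfo=timezone.utc)),
    _item('https://contoso.vault.azure.net/keys/signing/bbb222', True,
          datetime(2023, 6, 1, tzinfo=timezone.utc)),
    _item('https://contoso.vault.azure.net/keys/signing/ccc333', False,
          datetime(2023, 9, 15, tzinfo=timezone.utc)),
]


if __name__ == '__main__':
    # Hypothetical use with the real client (VAULT_URL and KEY_NAME are placeholders):
    #   versions = client.get_key_versions(VAULT_URL, KEY_NAME)
    #   key_bundle = client.get_key(VAULT_URL, KEY_NAME, latest_enabled_version(versions))
    print(latest_enabled_version(SAMPLE_VERSIONS))  # bbb222
```

With the sample data the disabled `ccc333` version is skipped even though it is the most recent, and `bbb222` is returned; an empty or all-disabled listing yields `None` so the caller can fail closed rather than fall back to an arbitrary version.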
Management library
```shell
pip install azure-mgmt-keyvault
```
Example
The following example shows how to create an Azure Key Vault.
```python
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id='...',
    secret='...',
    tenant='...'
)

# Even when using service principal credentials, a subscription ID is required. For service principals,
# this should be the subscription used to create the service principal. Storing a token like a valid
# subscription ID in code is not recommended and only shown here for example purposes.
SUBSCRIPTION_ID = '...'
client = KeyVaultManagementClient(credentials, SUBSCRIPTION_ID)

# The Azure AD tenant that owns the subscription; the new vault is bound to this tenant.
TENANT_ID = '...'
# The object ID and organization ID (tenant) of the user, application, or service principal for access policies.
# These values can be found through the Azure CLI or the Portal.
ALLOW_OBJECT_ID = '...'
ALLOW_TENANT_ID = '...'
RESOURCE_GROUP = '...'
VAULT_NAME = '...'

# Vault properties may also be created by using the azure.mgmt.keyvault.models.VaultCreateOrUpdateParameters
# class, rather than a map.
operation = client.vaults.create_or_update(
    RESOURCE_GROUP,
    VAULT_NAME,
    {
        'location': 'eastus',
        'properties': {
            'sku': {
                'name': 'standard'
            },
            'tenant_id': TENANT_ID,
            'access_policies': [{
                'object_id': ALLOW_OBJECT_ID,
                'tenant_id': ALLOW_TENANT_ID,
                # 'all' grants this principal every key and secret permission;
                # narrow these lists to the operations the principal actually needs.
                'permissions': {
                    'keys': ['all'],
                    'secrets': ['all']
                }
            }]
        }
    }
)
vault = operation.result()
print(f'New vault URI: {vault.properties.vault_uri}')
```
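The access policy in the example grants `all` on keys and secrets. As an added example (not from the Azure documentation or the SDK), the code below reviews the parameters map before it is passed to `create_or_update`, flagging policies that grant wildcard or privileged permissions, and builds a read-only policy entry as an alternative. Permission names (`all`, `get`, `list`, `create`, `import`, `delete`, `purge`, `sign`, `decrypt`, `set`) are the Key Vault access-policy vocabulary; the set of permissions treated as privileged and the object IDs `app-1` / `app-2` are assumptions and constructed sample data.

```python
# Added example (not from the Azure docs page or the SDK): review the access policies in
# a create_or_update parameters map and build a least-privilege alternative.
# PRIVILEGED is an assumed classification, not a list published by Azure.

READ_ONLY_PERMISSIONS = {
    'keys': ['get', 'list'],
    'secrets': ['get', 'list'],
}

# Permissions that create, destroy or use key material; grant these deliberately.
PRIVILEGED = {
    'keys': {'all', 'create', 'import', 'delete', 'purge', 'sign', 'decrypt'},
    'secrets': {'all', 'set', 'delete', 'purge'},
}


def read_only_policy(object_id, tenant_id):
    """Build an access policy entry granting only get/list on keys and secrets."""
    return {
        'object_id': object_id,
        'tenant_id': tenant_id,
        'permissions': {scope: list(perms) for scope, perms in READ_ONLY_PERMISSIONS.items()},
    }


def review_access_policies(vault_params):
    """Return human-readable findings for every policy that grants a privileged permission.

    The list is empty when every policy stays within non-privileged permissions.
    """
    findings = []
    policies = vault_params.get('properties', {}).get('access_policies', [])
    for policy in policies:
        who = policy.get('object_id', '<unknown>')
        for scope, granted in policy.get('permissions', {}).items():
            risky = sorted(set(granted) & PRIVILEGED.get(scope, set()))
            if risky:
                findings.append(f'{who}: {scope} grants {", ".join(risky)}')
    return findings


# Constructed sample parameters in the same shape as the create_or_update call above.
SAMPLE_PARAMS = {
    'location': 'eastus',
    'properties': {
        'sku': {'name': 'standard'},
        'tenant_id': '<tenant-id placeholder>',
        'access_policies': [
            {
                'object_id': 'app-1',  # constructed sample principal
                'tenant_id': '<tenant-id placeholder>',
                'permissions': {'keys': ['all'], 'secrets': ['all']},
            },
            read_only_policy('app-2', '<tenant-id placeholder>'),
        ],
    },
}


if __name__ == '__main__':
    for finding in review_access_policies(SAMPLE_PARAMS):
        print(finding)
```

Run against the sample map this reports `app-1: keys grants all` and `app-1: secrets grants all`, while the `app-2` read-only entry produces no finding; wiring such a check into the deployment path makes a broad grant a deliberate decision rather than a copied default.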
Samples
View the complete list of Azure Key Vault samples.