Azure Key Vault SDK for Python

安全存储和管理机密、加密密钥和证书。

安装

bash

机密

pip install azure-keyvault-secrets azure-identity

密钥（加密操作）

pip install azure-keyvault-keys azure-identity

证书

pip install azure-keyvault-certificates azure-identity

全部

pip install azure-keyvault-secrets azure-keyvault-keys azure-keyvault-certificates azure-identity

环境变量

bash
AZUREKEYVAULTURL=https://<保管库名称>.vault.azure.net/

机密

SecretClient 设置

python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()
vault_url = https://<保管库名称>.vault.azure.net/

client = SecretClient(vaulturl=vaulturl, credential=credential)

机密操作

python

设置机密

secret = client.set_secret(database-password, 超级机密值)
print(f已创建: {secret.name}, 版本: {secret.properties.version})

获取机密

secret = client.get_secret(database-password) print(f值: {secret.value})

获取特定版本

secret = client.get_secret(database-password, version=abc123)

列出机密（仅名称，不包含值）

for secretproperties in client.listpropertiesofsecrets(): print(f机密: {secret_properties.name})

列出版本

for version in client.listpropertiesofsecretversions(database-password): print(f版本: {version.version}, 创建时间: {version.created_on})

删除机密（软删除）

poller = client.begindeletesecret(database-password) deleted_secret = poller.result()

永久删除（如果启用了软删除）

client.purgedeletedsecret(database-password)

恢复已删除的机密

client.beginrecoverdeleted_secret(database-password).result()

密钥

KeyClient 设置

python
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

credential = DefaultAzureCredential()
vault_url = https://<保管库名称>.vault.azure.net/

client = KeyClient(vaulturl=vaulturl, credential=credential)

密钥操作

python
from azure.keyvault.keys import KeyType

创建 RSA 密钥

rsakey = client.creatersa_key(rsa-key, size=2048)

创建 EC 密钥

eckey = client.createec_key(ec-key, curve=P-256)

获取密钥

key = client.get_key(rsa-key) print(f密钥类型: {key.key_type})

列出密钥

for keyproperties in client.listpropertiesofkeys(): print(f密钥: {key_properties.name})

删除密钥

poller = client.begindeletekey(rsa-key) deleted_key = poller.result()

加密操作

python
from azure.keyvault.keys.crypto import CryptographyClient, EncryptionAlgorithm

获取特定密钥的加密客户端

crypto_client = CryptographyClient(key, credential=credential)

或通过密钥 ID

crypto_client = CryptographyClient( https://<保管库>.vault.azure.net/keys/<密钥名称>/<版本>, credential=credential )

加密

plaintext = b你好，Key Vault！ result = cryptoclient.encrypt(EncryptionAlgorithm.rsaoaep, plaintext) ciphertext = result.ciphertext

解密

result = cryptoclient.decrypt(EncryptionAlgorithm.rsaoaep, ciphertext) decrypted = result.plaintext

签名

from azure.keyvault.keys.crypto import SignatureAlgorithm import hashlib

digest = hashlib.sha256(b要签名的数据).digest()
result = crypto_client.sign(SignatureAlgorithm.rs256, digest)
signature = result.signature

验证

result = crypto_client.verify(SignatureAlgorithm.rs256, digest, signature) print(f有效: {result.is_valid})

证书

CertificateClient 设置

python
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient, CertificatePolicy

credential = DefaultAzureCredential()
vault_url = https://<保管库名称>.vault.azure.net/

client = CertificateClient(vaulturl=vaulturl, credential=credential)

证书操作

python

创建自签名证书

policy = CertificatePolicy.get_default()
poller = client.begincreatecertificate(my-cert, policy=policy)
certificate = poller.result()

获取证书

certificate = client.get_certificate(my-cert) print(f指纹: {certificate.properties.x509_thumbprint.hex()})

获取包含私钥的证书（作为机密）

from azure.keyvault.secrets import SecretClient secretclient = SecretClient(vaulturl=vault_url, credential=credential) certsecret = secretclient.get_secret(my-cert)

cert_secret.value 包含 PEM 或 PKCS12 格式

列出证书

for cert in client.listpropertiesof_certificates(): print(f证书: {cert.name})

删除证书

poller = client.begindeletecertificate(my-cert) deleted = poller.result()

客户端类型表

客户端	包	用途
SecretClient	azure-keyvault-secrets	存储/检索机密
KeyClient

azure-keyvault-keys | 管理加密密钥 | | CryptographyClient | azure-keyvault-keys | 加密/解密/签名/验证 | | CertificateClient | azure-keyvault-certificates | 管理证书 |

异步客户端

python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

async def get_secret():
credential = DefaultAzureCredential()
client = SecretClient(vaulturl=vaulturl, credential=credential)

async with client:
secret = await client.get_secret(my-secret)
print(secret.value)

import asyncio
asyncio.run(get_secret())

错误处理

python
from azure.core.exceptions import ResourceNotFoundError, HttpResponseError

try:
secret = client.get_secret(不存在的机密)
except ResourceNotFoundError:
print(未找到机密)
except HttpResponseError as e:
if e.status_code == 403:
print(访问被拒绝 - 请检查 RBAC 权限)
raise

最佳实践

1. 1. 使用 DefaultAzureCredential 进行身份验证
2. 在 Azure 托管的应用程序中使用托管标识
3. 启用软删除 以便恢复（默认启用）
4. 使用 RBAC 替代访问策略以实现细粒度控制
5. 定期轮换机密 并使用版本管理
6. 在 App Service/Functions 配置中使用 Key Vault 引用
7. 适当缓存机密 以减少 API 调用
8. 对高吞吐量场景使用异步客户端