Skip to content

helper class for storing secrets in Azure Key Vault

License

Notifications You must be signed in to change notification settings

dmahugh/azure-key-vault

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 

Repository files navigation

helper class for Azure Key Vault secrets

The KeyVaultSettings class provides a simple way to initialize an object that contains all of the secrets from an Azure Key Vault as properties. That object can then be passed around to methods and functions within your code that need access to those secrets.

The key vault secrets are read when a class instance is created. You can add new settings to the key vault at any time (through the Azure Portal, Azure CLI, or programmatically), and they'll automatically show up as properties of KeyVaultSettings the next time it is instantiated.

Installation

  • Install Python (version 3.6 or higher)
  • Clone this repo
  • In the root folder of the cloned repo, install dependencies: python -m pip install -r requirements.txt

Usage

Four settings are needed to initialize a KeyVaultSettings instance:

  • Client ID (App ID), App Secret (Password), and Tenant ID for an identity that has Get and List permissions for the key vault (typically a service principal identity)
  • Key Vault URI for the key vault (which you can find under DNS Name in the Azure Portal)

Those settings can be read from a JSON file, or can be passed to the constructor as keyword arguments. Here's a simple example of how to use AzureKeyVault:

from akvheler import KeyVaultSettings

settings = KeyVaultSettings(client_id="YOUR_CLIENT_ID",
                            app_secret="YOUR_APP_SECRET",
                            tenant_id="YOUR_TENANT_ID",
                            key_vault_uri="https://YOUR_VAULT_NAME.vault.azure.net/")

print(f"The MY_SECRET setting is {settings.MY_SECRET}")

The str/repr representation of a KeyVaultSettings instance shows the vault name and a list of the secret names (but not their values):

<class 'akvhelper.KeyVaultSettings'>
  <vault: https://MY_VAULT_NAME.azure.net/>
    <settings: gh_token, gh_username, vsts_org_url, vsts_token>

For a detailed walk-through of how to set up a key vault, store secrets, and configure programmatic access to those secrets, see the blog post Storing secrets in Azure Key Vault.

getting a SecretBundle object

The KeyVaultSettings class provides a simple approach for working with secrets, and only gives you access to the values of the secrets. If you need access to content types, activation/deactivation dates, or other metadata, use the get_secret() method of KeyVaultSettings, which returns a SecretBundle object that contains all of the secret's metadata.

Contributing

This project is a work in progress, and pull requests, feature requests and issues are welcome. I've implemented the functionality I needed for various projects, but I'm interested in knowing what may be useful to others, so please log an issue if you have a suggestion. Thanks!

License

This project is licensed under the MIT License.

About

helper class for storing secrets in Azure Key Vault

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages