For general information on resource management, see Resource Management.

Create the client

The following code creates an instance of the client.

See Resource Management Authentication for details on handling Azure Active Directory authentication with the Python SDK, and creating a Credentials instance.


You must specify resource=”” while authenticating to get a valid token

from azure.keyvault import KeyVaultClient
from azure.common.credentials import UserPassCredentials

# See above for details on creating different types of AAD credentials
credentials = UserPassCredentials(
    '',  # Your user
    'my_password',      # Your password

client = KeyVaultClient(

Access policies

Some operations require the correct access policies for your credentials.

If you get an “Unauthorized” error, please add the correct access policies to this credentials using the Azure Portal, the Azure CLI or the Key Vault Management SDK itself


KEY_VAULT_URI is the base url of your keyvault. Eg.

# Create a key
key_bundle = client.create_key(KEY_VAULT_URI, 'FirstKey', 'RSA')
key_id = key_vault_id.parse_key_id(key_bundle.key.kid)

# Update a key without version
client.update_key(key_id.base_id, key_attributes={'enabled': False})

# Update a key with version
client.update_key(, key_attributes={'enabled': False})

# Print a list of versions for a key
versions = client.get_key_versions(KEY_VAULT_URI, 'FirstKey')
for version in versions:
    print(version.kid)  #

# Read a key without version

# Read a key with version

# Delete a key
client.delete_key(KEY_VAULT_URI, 'FirstKey')

# Create a secret
secret_bundle = client.set_secret(KEY_VAULT_URI, 'FirstSecret', 'Hush, that is secret!!')
secret_id = key_vault_id.parse_secret_id(

# Update a secret without version
client.update_key(secret_id.base_id, secret_attributes={'enabled': False})

# Update a secret with version
client.update_key(, secret_attributes={'enabled': False})

# Print a list of versions for a secret
versions = client.get_secret_versions(KEY_VAULT_URI, 'FirstSecret')
for version in versions:
    print(  #

# Read a secret without version

# Read a secret with version

# Delete a secret
client.delete_secret(KEY_VAULT_URI, 'FirstSecret')