Azure Key Vault SDK for Python

Safe

Manage Azure secrets, keys, and certificates with Python SDK

Securely store and access sensitive data using Azure Key Vault. This skill enables developers to implement enterprise-grade secret management with minimal setup.

Supports: Claude Codex Code(CC)
📊 70 Adequate
1. Download the skill ZIP
2. Upload in Claude. Go to Settings → Capabilities → Skills → Upload skill
3. Toggle on and start using

Test it

Using "Azure Key Vault SDK for Python". Retrieve a secret named 'api-key' from Key Vault

Expected outcome:

Successfully retrieved secret 'api-key'. Value is masked for security. Version: v1, Created: 2024-01-15, Expires: 2025-01-15. Use secret.value property to access the actual value in your code.

Using "Azure Key Vault SDK for Python". Create an RSA key with 2048-bit size named 'signing-key'

Expected outcome:

Key 'signing-key' created successfully. Key type: RSA, Size: 2048 bits, Key ID: https://myvault.vault.azure.net/keys/signing-key/abc123. Use CryptographyClient with this key for sign/verify operations.

Security Audit

Safe
v1 • 2/25/2026

This skill contains documentation-only content for Azure Key Vault SDK for Python. Static analysis scanned 0 files with 0 lines of executable code, resulting in a risk score of 0/100. The SKILL.md file contains standard code examples for Azure SDK usage with no security concerns. Safe for publication.

Files scanned: 0
Lines analyzed: 0
Findings: 0
Total audits: 1
No security issues found
Audited by: claude

Quality Score

Architecture: 38
Maintainability: 100
Content: 87
Community: 31
Security: 100
Spec Compliance: 83

What You Can Build

Database Credential Management

Store and rotate database passwords securely without hardcoding in application code. Applications retrieve credentials at runtime using managed identity.

API Key and Token Storage

Centralize storage for third-party API keys, tokens, and connection strings with automatic rotation and audit logging.

Document Encryption at Rest

Use Key Vault cryptographic keys to encrypt sensitive documents and data before storage, ensuring only authorized services can decrypt.

Try These Prompts

Basic Secret Retrieval
Help me retrieve a secret named 'database-connection-string' from my Azure Key Vault using Python. My vault URL is https://myvault.vault.azure.net/

Create and Version a Secret
Show me how to create a new secret with a value and then retrieve a specific previous version using the Azure Key Vault Python SDK.

Encrypt and Decrypt Data
I need to encrypt a file using RSA encryption with a key stored in Azure Key Vault. Write Python code using CryptographyClient to encrypt the file and then decrypt it later.

Async Secret Management with Error Handling
Create an async Python function that retrieves multiple secrets from Key Vault, handles ResourceNotFoundError and HttpResponseError appropriately, and returns a dictionary of secret names to values.

Best Practices

  • Use DefaultAzureCredential for authentication which supports multiple credential types including managed identity, environment credentials, and Azure CLI
  • Enable soft-delete on Key Vault to recover accidentally deleted secrets, keys, and certificates within the retention period
  • Implement secret rotation by creating new versions instead of overwriting, and update application references to use the latest version

Avoid

  • Never hardcode Key Vault URLs or secrets directly in application code - use environment variables or configuration
  • Avoid storing large amounts of data in secrets - Key Vault is designed for small sensitive values like passwords and connection strings
  • Do not skip error handling for 403 Forbidden responses - this usually indicates missing RBAC permissions that need to be addressed
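The points above (vault URL taken from configuration, DefaultAzureCredential, and 403 responses surfaced rather than swallowed) combined in one sketch. This is an added example, not code from the skill or from the Azure SDK; the environment variable name `KEY_VAULT_URL` and the `FakeClient` / `FakeHttpError` stand-ins are constructed assumptions so the handling logic runs offline.

```python
import os
from types import SimpleNamespace

def make_client():
    """Build a real SecretClient; the vault URL is read from the environment."""
    # Lazy imports: the handling logic below can then be exercised offline.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    url = os.environ["KEY_VAULT_URL"]  # assumed variable name, not from the page
    return SecretClient(vault_url=url, credential=DefaultAzureCredential())

def fetch_secrets(client, names):
    """Return (found, missing). A 403 is raised as PermissionError, never skipped."""
    found, missing = {}, []
    for name in names:
        try:
            found[name] = client.get_secret(name).value
        except Exception as exc:
            # HttpResponseError and its subclass ResourceNotFoundError
            # (azure.core.exceptions) both carry the HTTP status in .status_code.
            status = getattr(exc, "status_code", None)
            if status == 404:
                missing.append(name)      # secret does not exist: report it
            elif status == 403:
                raise PermissionError(
                    f"403 reading {name!r}: check the identity's RBAC role") from exc
            else:
                raise                     # anything else is not ours to hide
    return found, missing

class FakeHttpError(Exception):
    """Constructed stand-in for an azure.core HTTP error (offline demo only)."""
    def __init__(self, status_code):
        super().__init__(f"HTTP {status_code}")
        self.status_code = status_code

class FakeClient:
    """Constructed stand-in for SecretClient: known names, plus forbidden ones."""
    def __init__(self, store, forbidden=()):
        self.store, self.forbidden = store, set(forbidden)
    def get_secret(self, name):
        if name in self.forbidden:
            raise FakeHttpError(403)
        if name not in self.store:
            raise FakeHttpError(404)
        return SimpleNamespace(name=name, value=self.store[name])

if __name__ == "__main__":
    demo = FakeClient({"api-key": "constructed-value"})
    print(fetch_secrets(demo, ["api-key", "db-password"])[1])  # missing names only
```

Against a real vault, pass `make_client()` instead of `FakeClient`; log the names in `missing`, never the values in `found`.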

Frequently Asked Questions

What authentication methods does DefaultAzureCredential support?
DefaultAzureCredential automatically tries multiple methods: managed identity (in Azure), environment credentials (AZURE_CLIENT_ID, etc.), Azure CLI login, Visual Studio credentials, and more. It uses the first successful method.

How do I enable soft-delete on my Key Vault?
Soft-delete is enabled by default on all new Key Vaults. For existing vaults, check the Azure portal under Access Policies. Once enabled, deleted items are retained for 7-90 days and can be recovered.

What is the difference between access policies and RBAC for Key Vault?
RBAC (Role-Based Access Control) provides more granular permissions and is recommended for new implementations. Access policies are simpler but less flexible. You can use either model, but not both simultaneously on the same vault.

Can I use Azure Key Vault from on-premises applications?
Yes, on-premises applications can access Key Vault over HTTPS. You need to authenticate using Azure AD credentials, service principals, or managed identity if using Azure Arc-enabled servers.

How do I rotate secrets automatically in Key Vault?
Key Vault supports automatic rotation for secrets with configured policies. You can set rotation triggers based on time intervals. Alternatively, implement manual rotation by creating new versions using set_secret() before the old version expires.

What happens to my secrets if I delete the Key Vault?
If soft-delete is enabled (default), deleted vaults and their contents are retained for 7-90 days and can be recovered. After the retention period expires or if purged, recovery is not possible. Always enable soft-delete in production.

Developer Details

File structure

📄 SKILL.md