Develop a Python App to Access Key Vault Using a Service Principal

1 hour
  • 4 Learning Objectives

About this Hands-on Lab

Azure Active Directory (AD) can play a crucial role in not only user management, but also with application security for Azure-based solutions. When an application is registered in Azure AD and provided a service principal, it can be used to securely access other Azure resources that support Azure AD authentication. In this hands-on lab, we’ll use an existing service principal and client secret to demonstrate how a registered application can use Azure AD authentication to access Key Vault.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Key Vault

In the Azure portal, create a key vault.

Ensure the service principal is granted full access to the key vault via an access policy (using the service principal ID provided for you on the lab details page).

Set Up the Python Application

Either on your own local development environment or within the Azure portal Cloud Shell (Bash), set up the Python application provided for you.

You will need to download the Python application, and use pip to install the required Azure packages.

Configure the Python Application

Either on your own local development environment or within the Azure portal Cloud Shell (Bash), add the required Azure AD and key vault details for the Python application.

Run the Python Application and Access Secrets in the Key Vault

Either on your own local development environment or within the Azure portal Cloud Shell (Bash), run the Python application.

You can test the creation and retrieval of secrets from the key vault.

Additional Resources


To help you walk through the lab, consider the following scenario:

You work as a cloud developer, and you currently have a legacy Python application running on-premises, which stores a variety of confidential information in plaintext within code.

Management has asked you to perform a proof of concept to determine whether your application can use a key vault to securely store secret information by leveraging the Azure Python SDK.

The security team has registered an application for you for testing purposes and provided you with a service principal and client secret.

You need to complete the following tasks as part of your proof of concept:

  • Create a key vault to store secret information.
  • Configure an access policy to allow data access.
  • Update your Python test application with the key vault and Azure AD credential information.
  • Perform test reads and writes to the key vault.

Lab Setup

To log in to the Azure portal, right-click Open Azure Portal, and select the option to open it in a new private browser window. (This option will read differently depending on your browser — for example, in Chrome, it reads Open Link in Incognito Window.) Then, sign in using the credentials provided on the lab page.

The objectives for this hands-on lab can be completed using the Azure portal. The Cloud Shell can also be used for testing the Python app also.

Note: You should use West US as the location for all resources created within this hands-on lab.

A limited Python application has been provided to you for completing this hands-on lab, as follows:

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?