Key Vault Usage Update

mrm9084 · mrm9084 · commit fa980b98dc46 · 2026-03-16T13:57:37.000-07:00
diff --git a/articles/azure-app-configuration/TOC.yml b/articles/azure-app-configuration/TOC.yml
@@ -152,6 +152,8 @@
         href: use-key-vault-references-dotnet-core.md
       - name: Spring Boot
         href: use-key-vault-references-spring-boot.md
+      - name: Python
+        href: use-key-vault-references-python-provider.md
     - name: Reload secrets and certificates automatically
       items:
       - name: .NET
diff --git a/articles/azure-app-configuration/use-key-vault-references-python-provider.md b/articles/azure-app-configuration/use-key-vault-references-python-provider.md
@@ -0,0 +1,173 @@
+---
+title: Tutorial for using Azure App Configuration Key Vault references in a Python app | Microsoft Docs
+description: In this tutorial, you learn how to use Azure App Configuration's Key Vault references from a Python app
+services: azure-app-configuration
+author: mrm9084
+ms.service: azure-app-configuration
+ms.devlang: python
+ms.topic: tutorial
+ms.date: 03/16/2026
+ms.author: mametcal
+ms.custom: devx-track-python, devx-track-azurecli
+#Customer intent: I want to update my Python application to reference values stored in Key Vault through App Configuration.
+---
+
+# Tutorial: Use Key Vault references in a Python app
+
+In this tutorial, you learn how to implement Key Vault references in a Python application using App Configuration. It builds on the web app introduced in the quickstart. Before you continue, complete [Create a Python app with App Configuration](./quickstart-python-provider.md) first.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> * Create an App Configuration key that references a value stored in Key Vault.
+> * Access the value of this key from a Python application.
+
+## Prerequisites
+
+* Azure subscription - [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn)
+* Python 3.8 or later - for information on setting up Python on Windows, see the [Python on Windows documentation](/windows/python/)
+* Finish the [Create a Python app with App Configuration](./quickstart-python-provider.md) quickstart.
+
+## Create a key vault
+
+1. Sign in to the [Azure portal](https://portal.azure.com), and then select **Create a resource**.
+
+1. In the search box, enter **Key Vault**. In the result list, select **Key Vault**.
+
+1. On the **Key Vault** page, select **Create**.
+
+1. On the **Create a key vault** page, enter the following information:
+   - For **Subscription**: Select a subscription.
+   - For **Resource group**: Enter the name of an existing resource group or select **Create new** and enter a resource group name.
+   - For **Key vault name**: Enter a unique name.
+   - For **Region**: Select a location.
+
+1. For the other options, use the default values.
+
+1. Select **Review + create**.
+
+1. After the system validates and displays your inputs, select **Create**.
+
+At this point, your Azure account is the only one authorized to access this new vault.
+
+## Add a secret to Key Vault
+
+Add a secret to the vault to test Key Vault retrieval. The secret is called **Message**, and its value is "Hello from Key Vault."
+
+1. On the Key Vault resource menu, select **Objects** > **Secrets**.
+
+1. Select **Generate/Import**.
+
+1. In the **Create a secret** dialog, enter the following values:
+   - For **Upload options**: Enter **Manual**.
+   - For **Name**: Enter **Message**.
+   - For **Secret value**: Enter **Hello from Key Vault**.
+
+1. For the other options, use the default values.
+
+1. Select **Create**.
+
+## Add a Key Vault reference to App Configuration
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and then select your App Configuration store.
+
+1. Select **Configuration Explorer**.
+
+1. Select **+ Create** > **Key vault reference**, and then specify the following values:
+    * **Key**: Enter **TestApp:Settings:KeyVaultMessage**.
+    * **Label**: Leave this value blank.
+    * **Subscription**, **Resource group**, and **Key vault**: Enter the values corresponding to the key vault you created in the previous section.
+    * **Secret**: Select the secret named **Message** that you created in the previous section.
+
+## Grant your app access to Key Vault
+
+Your application uses `DefaultAzureCredential` to authenticate to both App Configuration and Key Vault. This credential automatically works with managed identities in Azure, and with your developer credentials locally.
+
+1. Grant your identity access to Key Vault. Assign the **Key Vault Secrets User** role to your user account or managed identity:
+
+    ```azurecli
+    az role assignment create --role "Key Vault Secrets User" --scope /subscriptions/<subscriptionId>/resourceGroups/<group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name> --assignee <your-azure-ad-user-or-managed-identity>
+    ```
+
+1. Grant your identity access to App Configuration. Assign the **App Configuration Data Reader** role:
+
+    ```azurecli
+    az role assignment create --role "App Configuration Data Reader" --scope /subscriptions/<subscriptionId>/resourceGroups/<group-name>/providers/Microsoft.AppConfiguration/configurationStores/<your-app-configuration-store> --assignee <your-azure-ad-user-or-managed-identity>
+    ```
+
+## Update your code to use a Key Vault reference
+
+1. Install the required packages by running the following command:
+
+    ```console
+    pip install azure-appconfiguration-provider azure-identity
+    ```
+
+1. Create an environment variable called **AZURE_APPCONFIG_ENDPOINT**. Set its value to the endpoint of your App Configuration store. You can find the endpoint on the **Overview** blade in the Azure portal.
+
+    ### [Windows command prompt](#tab/cmd)
+
+    ```cmd
+    setx AZURE_APPCONFIG_ENDPOINT "endpoint-of-your-app-configuration-store"
+    ```
+
+    Restart the command prompt to allow the change to take effect.
+
+    ### [PowerShell](#tab/powershell)
+
+    ```powershell
+    $Env:AZURE_APPCONFIG_ENDPOINT = "endpoint-of-your-app-configuration-store"
+    ```
+
+    ### [macOS or Linux](#tab/bash)
+
+    ```bash
+    export AZURE_APPCONFIG_ENDPOINT='endpoint-of-your-app-configuration-store'
+    ```
+
+    ---
+
+1. Update your Python application file to load Key Vault references. Create or update a file called *app.py*:
+
+    ```python
+    from azure.appconfiguration.provider import load
+    from azure.identity import DefaultAzureCredential
+    import os
+
+    endpoint = os.environ.get("AZURE_APPCONFIG_ENDPOINT")
+    credential = DefaultAzureCredential()
+
+    # Connect to Azure App Configuration and resolve Key Vault references.
+    config = load(
+        endpoint=endpoint,
+        credential=credential,
+        keyvault_credential=credential,
+    )
+
+    # Access configuration values, including resolved Key Vault references.
+    print(config["TestApp:Settings:KeyVaultMessage"])
+    ```
+
+    The `keyvault_credential` parameter tells the provider to use the given credential when resolving Key Vault references. The same `DefaultAzureCredential` instance is used for both App Configuration and Key Vault authentication.
+
+    > [!NOTE]
+    > If your Key Vault references point to multiple key vaults that require different credentials, you can use the `keyvault_client_configs` parameter instead to provide per-vault credentials. For more information, see the [Python provider reference](./reference-python-provider.md).
+
+1. Run the application:
+
+    ```console
+    python app.py
+    ```
+
+    You see the message that you entered in App Configuration. You also see the message that you entered in Key Vault, resolved through the Key Vault reference.
+
+## Clean up resources
+
+[!INCLUDE [azure-app-configuration-cleanup](../../includes/azure-app-configuration-cleanup.md)]
+
+## Next steps
+
+In this tutorial, you created an App Configuration key that references a value stored in Key Vault. To learn more about the Python provider for Azure App Configuration, see the [Python provider reference documentation](./reference-python-provider.md).
+
+> [!div class="nextstepaction"]
+> [Python provider reference](./reference-python-provider.md)
diff --git a/articles/azure-app-configuration/use-key-vault-references-spring-boot.md b/articles/azure-app-configuration/use-key-vault-references-spring-boot.md
@@ -6,7 +6,7 @@ author: mrm9084
 ms.service: azure-app-configuration
 ms.devlang: java
 ms.topic: tutorial
-ms.date: 02/10/2026
+ms.date: 03/16/2026
 ms.author: mametcal
 ms.custom: mvc, devx-track-java, devx-track-azurecli, devx-track-extended-java
 #Customer intent: I want to update my Spring Boot application to reference values stored in Key Vault through App Configuration.
@@ -36,116 +36,75 @@ In this tutorial, you learn how to:
 * Azure subscription - [create one for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn)
 * A supported [Java Development Kit (JDK)](/java/azure/jdk) with version 17.
 * [Apache Maven](https://maven.apache.org/download.cgi) version 3.0 or above.
+* Finish the [Create a Java Spring app with App Configuration](./quickstart-java-spring-app.md) quickstart.
 
-## Create a vault
+## Create a key vault
 
-1. Select the **Create a resource** option in the upper-left corner of the Azure portal:
+1. Sign in to the [Azure portal](https://portal.azure.com), and then select **Create a resource**.
 
-    ![Screenshot shows the Create a resource option in the Azure portal.](./media/quickstarts/search-services.png)
-1. In the search box, enter **Key Vault**.
-1. From the results list, select **Key vaults**.
-1. In **Key vaults**, select **Add**.
-1. On the right in **Create key vault**, provide the following information:
-    * Select **Subscription** to choose a subscription.
-    * In **Resource Group**, select **Create new** and enter a resource group name.
-    * In **Key vault name**, a unique name is required. For this tutorial, enter **Contoso-vault2**.
-    * In the **Region** drop-down list, choose a location.
-1. Leave the other **Create key vault** options with their default values.
-1. Select **Create**.
+1. In the search box, enter **Key Vault**. In the result list, select **Key Vault**.
 
-At this point, your Azure account is the only one authorized to access this new vault.
+1. On the **Key Vault** page, select **Create**.
+
+1. On the **Create a key vault** page, enter the following information:
+   - For **Subscription**: Select a subscription.
+   - For **Resource group**: Enter the name of an existing resource group or select **Create new** and enter a resource group name.
+   - For **Key vault name**: Enter a unique name.
+   - For **Region**: Select a location.
+
+1. For the other options, use the default values.
 
-![Screenshot shows your key vault.](./media/quickstarts/vault-properties.png)
+1. Select **Review + create**.
+
+1. After the system validates and displays your inputs, select **Create**.
+
+At this point, your Azure account is the only one authorized to access this new vault.
 
 ## Add a secret to Key Vault
 
-To add a secret to the vault, you need to take just a few more steps. In this case, add a message that you can use to test Key Vault retrieval. The message is called **Message**, and you store the value "Hello from Key Vault" in it.
+Add a secret to the vault to test Key Vault retrieval. The secret is called **Message**, and its value is "Hello from Key Vault."
+
+1. On the Key Vault resource menu, select **Objects** > **Secrets**.
 
-1. From the Key Vault properties pages, select **Secrets**.
 1. Select **Generate/Import**.
-1. In the **Create a secret** pane, enter the following values:
-    * **Upload options**: Enter **Manual**.
-    * **Name**: Enter **Message**.
-    * **Value**: Enter **Hello from Key Vault**.
-1. Leave the other **Create a secret** properties with their default values.
+
+1. In the **Create a secret** dialog, enter the following values:
+   - For **Upload options**: Enter **Manual**.
+   - For **Name**: Enter **Message**.
+   - For **Secret value**: Enter **Hello from Key Vault**.
+
+1. For the other options, use the default values.
+
 1. Select **Create**.
 
 ## Add a Key Vault reference to App Configuration
 
-1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and then select the App Configuration store instance that you created in the quickstart.
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and then select your App Configuration store.
 
 1. Select **Configuration Explorer**.
 
 1. Select **+ Create** > **Key vault reference**, and then specify the following values:
-    * **Key**: Select **/application/config.keyvaultmessage**
+    * **Key**: Enter **/application/config.keyVaultMessage**.
     * **Label**: Leave this value blank.
-    * **Subscription**, **Resource group**, and **Key vault**: Enter the values corresponding to the values in the key vault you created in the previous section.
+    * **Subscription**, **Resource group**, and **Key vault**: Enter the values corresponding to the key vault you created in the previous section.
     * **Secret**: Select the secret named **Message** that you created in the previous section.
 
-## Connect to Key Vault
-
-1. In this tutorial, you use a service principal for authentication to Key Vault. To create this service principal, use the Azure CLI [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command:
-
-    ```azurecli
-    az ad sp create-for-rbac -n "http://mySP" --role Contributor --scopes /subscriptions/{subscription-id} --sdk-auth
-    ```
+## Grant your app access to Key Vault
 
-    This operation returns a series of key/value pairs:
-
-    ```json
-    {
-    "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
-    "clientSecret": "aaaaaaaa-0b0b-1c1c-2d2d-333333333333",
-    "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",
-    "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
-    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
-    "resourceManagerEndpointUrl": "https://management.azure.com/",
-    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
-    "galleryEndpointUrl": "https://gallery.azure.com/",
-    "managementEndpointUrl": "https://management.core.windows.net/"
-    }
-    ```
+Your application uses `DefaultAzureCredential` to authenticate to both App Configuration and Key Vault. This credential automatically works with managed identities in Azure, and with your developer credentials locally.
 
-1. Run the following command to let the service principal access your key vault:
+1. Grant your identity access to Key Vault. Assign the **Key Vault Secrets User** role to your user account or managed identity:
 
     ```azurecli
-    az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get
+    az role assignment create --role "Key Vault Secrets User" --scope /subscriptions/<subscriptionId>/resourceGroups/<group-name>/providers/Microsoft.KeyVault/vaults/<your-unique-keyvault-name> --assignee <your-azure-ad-user-or-managed-identity>
     ```
 
-1. Run the following command to get your object-id, then add it to App Configuration.
+1. Grant your identity access to App Configuration. Assign the **App Configuration Data Reader** role:
 
     ```azurecli
-    az ad sp show --id <clientId-of-your-service-principal>
-    az role assignment create --role "App Configuration Data Reader" --scope /subscriptions/<subscriptionId>/resourceGroups/<group-name> --assignee-principal-type --assignee-object-id <objectId-of-your-service-principal> --resource-group <your-resource-group>
-    ```
-
-1. Create the environment variables **AZURE_CLIENT_ID**, **AZURE_CLIENT_SECRET**, and **AZURE_TENANT_ID**. Use the values for the service principal that were displayed in the previous steps. At the command line, run the following commands and restart the command prompt to allow the change to take effect:
-
-    ```cmd
-    setx AZURE_CLIENT_ID "clientId"
-    setx AZURE_CLIENT_SECRET "clientSecret"
-    setx AZURE_TENANT_ID "tenantId"
-    ```
-
-    If you use Windows PowerShell, run the following command:
-
-    ```azurepowershell
-    $Env:AZURE_CLIENT_ID = "clientId"
-    $Env:AZURE_CLIENT_SECRET = "clientSecret"
-    $Env:AZURE_TENANT_ID = "tenantId"
+    az role assignment create --role "App Configuration Data Reader" --scope /subscriptions/<subscriptionId>/resourceGroups/<group-name>/providers/Microsoft.AppConfiguration/configurationStores/<your-app-configuration-store> --assignee <your-azure-ad-user-or-managed-identity>
     ```
 
-    If you use macOS or Linux, run the following command:
-
-    ```cmd
-    export AZURE_CLIENT_ID ='clientId'
-    export AZURE_CLIENT_SECRET ='clientSecret'
-    export AZURE_TENANT_ID ='tenantId'
-    ```
-
-> [!NOTE]
-> These Key Vault credentials are only used within your application.  Your application authenticates directly with Key Vault using these credentials without involving the App Configuration service.  The Key Vault provides authentication for both your application and your App Configuration service without sharing or exposing keys.
-
 ## Update your code to use a Key Vault reference
 
 1. Create an environment variable called **APP_CONFIGURATION_ENDPOINT**. Set its value to the endpoint of your App Configuration store. You can find the endpoint on the **Access Keys** blade in the Azure portal. Restart the command prompt to allow the change to take effect.
@@ -169,15 +128,15 @@ spring:
 
 ```properties
 spring.config.import=azureAppConfiguration
-spring.cloud.azure.appconfiguration.stores[0].endpoint= ${APP_CONFIGURATION_ENDPOINT}
+spring.cloud.azure.appconfiguration.stores[0].endpoint=${APP_CONFIGURATION_ENDPOINT}
 ```
 
 ---
 
 > [!NOTE]
 > You can also use the [Spring Cloud Azure global configurations](/azure/developer/java/spring-framework/authentication) to connect to Key Vault.
 
-1. Open *MessageProperties.java*. Add a new variable called *keyVaultMessage*:
+1. Open *MyProperties.java*. Add a new variable called *keyVaultMessage*:
 
     ```java
     private String keyVaultMessage;
