Lowkey Vault - Example Python

This is an example for Lowkey Vault. It demonstrates a basic scenario where a key is used for encrypt/decrypt operations and database connection specific credentials as well as getting a PKCS12 store with a certificate and matching private key inside.

Points of interest

• Key "repository"
• Secret "repository"
• Certificate "repository"
• Empty credentials for connecting to Lowkey Vault (not needed if Assumed Identity is used)
• Tests
  • TestRepository is using NoopCredential for authentication to demonstrate integration with
    • Secrets
    • Keys
    • Certificates
  • TestRepositoryWithManagedIdentity is performing exactly the same but, it is using the DefaultAzureCredential with Assumed Identity

Usage

1. Start Lowkey Vault and Assumed Identity
   1. Either by following the steps here and here.
   2. Or running docker-compose up -d
2. Set REQUESTS_CA_BUNDLE environment variable to reference lowkeyvault.pem
3. If you are not using the default 169.254.169.254:80 address for Assumed Identity (because for example you are running it in the cloud)
   1. Set AZURE_POD_IDENTITY_AUTHORITY_HOST environment variable to point to the Assumed Identity base URL e.g., http://localhost:8080
   2. Set IMDS_ENDPOINT environment variable to point to the Assumed Identity base URL e.g., http://localhost:8080
   3. Set IDENTITY_ENDPOINT environment variable to point to the /metadata/identity/oauth2/token path of Assumed Identity e.g., http://localhost:8080/metadata/identity/oauth2/token
4. Run the tests

Note

In order to better understand what is needed in general to make similar examples work, please find a generic overview here.

Tip

Since v2.4.2, Lowkey Vault is providing the same token endpoint on the 8080 port by default. Therefore, you don't need to start another container.