msticpy.auth.secret_settings module

Settings provider for secrets.

class msticpy.auth.secret_settings.SecretsClient(tenant_id: str | None = None, use_keyring: bool = False, auth_methods: List[str] | None = None, credential: Any | None = None, **kwargs)

Bases: object

Secrets client - manages Key Vault and keyring secrets.

Initialize SecretsClient instance.

  • tenant_id (str, optional) – TenantID, by default None

  • use_keyring (bool, optional) – If True use keyring to cache secrets, by default False

  • auth_methods (List[str]) – The authentication methods to use for Key Vault auth Possible values are: - “env” - to get authentication details from environment variables - “cli” - to use Azure CLI authentication details - “msi” - to user Managed Service Identity details - “interactive” - to prompt for interactive login - “vscode” - to use VSCode credentials - “powershell” - to use PowerShell credentials - “interactive” - to prompt for interactive login - “cache” - to use shared token cache credentials - “devicecode” - to use device code with web login - “clientsecret” - to use client id/secret login.

  • credential (Optional[AzureCredential]) – Azure credential

  • client_id (Optional[str]) – Required if auth_methods is [“clientsecret”]

  • client_secret (Optional[str]) – Required if auth_methods is [“clientsecret”]


MsticpyKeyVaultConfigError – Missing or invalid configuration settings or failure to authenticate to Key Vault with the chosen credential type.


Requires KeyVault settings to be defined in msticpyconfig.yaml


Clear any cached secrets from keyring.

static format_kv_name(setting_path)

Return normalized name for use as a KeyVault secret name.

get_secret_accessor(setting_path: str) Callable[[], Any]

Return accessor function for a secret.


setting_path (str) – The msticpy configuration path (dot-separated)


Accessor function for the secret value.

Return type:

Callable[[None], Any]

static read_secret(secret_object: Any) Any

Return the secret value.


secret_object (Any) – If it is a func, call and return the return value of that func. Otherwise just return the object.


The secret value

Return type:



Reload keyring values from Key Vault.