我已经能够通过我的外部网络应用程序使用oauth rest api访问azure密钥保险库,但由于某种原因,我无法从密钥中检索秘密。经过长时间的研究,我发现有可能用PowerShell和c#做到这一点,但仍然没有找到任何python解决方案。 任何人都知道它是否可能与python,或者有没有办法模仿powershell正在做什么? 这是检索秘密的代码:
def getSecret(vault_name, secret_name, secret_version = ''):
#Get acess token to azure account
data = { "grant_type" : "client_credentials",
"client_id" : 'appidxx',
"client_secret" : 'appsecretxx',
"resource" : "https://vault.azure.net"
}
headers = { "Content-Type" : "application/x-www-form-urlencoded" }
r = requests.post("https://login.windows.net/{}/oauth2/token".format('my tenant id'), data=data, headers=headers)
access_token = r.json()['access_token']
#Get secret from KeyVault
headers = {"Authorization":"Bearer {}".format(access_token) }
r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
result = r.json()
if 'value' in result.keys():
return result["value"]
else:
return 'Secret Not Found'
def searchSecret(secret_name, secret_version = ''):
subscription_id = 'subscription id'
credentials = ServicePrincipalCredentials(
client_id= 'appidxx',
secret= 'appsecretxx',
tenant= 'tenantidxx'
)
kvm_client = KeyVaultManagementClient(credentials, subscription_id )
for vault in kvm_client.vaults.list():
#return when secret found in vault
secret = getSecret(vault.name, secret_name, secret_version = '')
if (secret != 'Secret Not Found'):
return secret
return 'Secret Not Found'
此外,我已在azure portal中注册了我的应用程序,并授予了我的密钥和机密的权限,但是我注意到,当通过访问策略授予对我的应用程序的访问权限时,"授权应用程序"选项被锁定,我无法添加我的应用程序,这可能是我的问题的根本原因?? screenshot
答案 0 :(得分:1)
如果您想使用 Azure SDK 更轻松地访问机密,可以使用 Python 中使用 Key Vault 的新包替换 azure-keyvault:
azure-identity 也是应该与这些一起用于身份验证的包。
可以在 azure-sdk-for-python GitHub repository 上找到有关使用机密库的文档,这里有一个像您一样检索机密的示例:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.mgmt.keyvault import KeyVaultManagementClient
credential = DefaultAzureCredential()
subscription_id = "subscription id"
def getSecret(vault_url, secret_name, secret_version=None):
client = SecretClient(vault_url, credential)
# list the secrets in the vault
secret_properties = client.list_properties_of_secrets()
for secret_property in secret_properties:
if secret_property.name == secret_name:
# get secret from Key Vault
return client.get_secret(secret_name, secret_version)
return "Secret Not Found"
def searchSecret(secret_name, secret_version=None):
kvm_client = KeyVaultManagementClient(credential, subscription_id)
for vault in kvm_client.vaults.list():
# return when secret found in vault
secret = getSecret(vault.properties.vault_uri, secret_name, secret_version)
if secret != "Secret Not Found":
return secret
return "Secret Not Found"
您可以通过设置与 ServicePrincipalCredentials、client_id 和 secret 对应的环境变量来提供用于 tenant 的相同凭据:
export AZURE_CLIENT_ID="appidxx"
export AZURE_CLIENT_SECRET="appsecretxx"
export AZURE_TENANT_ID="tenantidxx"
(我使用 Python 开发 Azure SDK)
答案 1 :(得分:0)
首先,您应该让您的服务主体访问您的密钥保管库权限。像这样https://imgur.com/a/mrth1。
我使用getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b')测试您的代码,它适用于我。
import requests
def getSecret(vault_name, secret_name, secret_version = ''):
#Get acess token to azure account
data = { "grant_type" : "client_credentials",
"client_id" : '*******',
"client_secret" : '*******',
"resource" : "https://vault.azure.net"
}
headers = { "Content-Type" : "application/x-www-form-urlencoded" }
r = requests.post("https://login.windows.net/{}/oauth2/token".format('*******'), data=data, headers=headers)
access_token = r.json()['access_token']
#Get secret from KeyVault
headers = {"Authorization":"Bearer {}".format(access_token) }
r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
print r
result = r.json()
if 'value' in result.keys():
return result["value"]
else:
return 'Secret Not Found'
getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b')