Python SDK未经授权访问Key Vault

时间:2019-02-26 12:52:08

标签: python python-3.x azure azure-keyvault

def auth_callback(server, resource, scope):
    credentials = ServicePrincipalCredentials(
        client_id = os.getenv('ARM_CLIENT_ID'),
        secret = os.getenv('ARM_CLIENT_SECRET'),
        tenant = os.getenv('ARM_TENANT_ID'),
        resource = "https://vault.azure.net/"
    )
    token = credentials.token
    return token['token_type'], token['access_token']  

kv_client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
secret = kv_client.get_secret("https://xxx.vault.azure.net/", "CLIENT-SECRET", KeyVaultId.version_none).value.encode()

完全相同的代码可在2个不同的租户中使用(在第三个租户中不可用)。为应用程序服务主体授予了订阅的所有者权限(请确保),赋予特定的秘密权限,尝试了所有权限,还尝试启用了高级权限(只是提示,我按下了save按钮),使用门户和Powershell进行访问(最终结果相同)。

我看到了这些:
How do I fix an "Operation 'set' not allowed" error when creating an Azure KeyVault secret programmatically?
Azure key vault: access denied

确切错误:

secret = kv_client.get_secret("https://xxx.vault.azure.net/", "CLIENT-SECRET", KeyVaultId.version_none).value.
File "/usr/local/lib/python3.6/site-packages/azure/keyvault/v7_0/key_vault_client.py", line 1846, in get_secret
raise models.KeyVaultErrorException(self._deserialize, response)
azure.keyvault.v7_0.models.key_vault_error_py3.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'

1 个答案:

答案 0 :(得分:0)

它看起来像这样:

resource = "https://vault.azure.net/"

需要这样:

resource = "https://vault.azure.net"

否则没有任何作用。