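    def _initialize_session(self):
        """
        Create an Azure session using the first available authentication type.

        Auth priority (resolved by ``self._authenticate``):
        1. Token Auth
        2. Tenant Auth
        3. Azure CLI Auth

        Authentication parameters are read from ``self.authorization_file``
        (a JSON document) when it is set, otherwise from the environment.
        ``self.subscription_id_override`` wins over both sources. The process
        exits with status 1 when no credentials could be obtained.
        """

        # Only run once
        if self.credentials is not None:
            return

        if self.authorization_file:
            self.log.info("Using file for authentication parameters")
            # NOTE(review): the file carries client secrets in clear text;
            # its permissions are the caller's responsibility.
            with open(self.authorization_file) as json_file:
                self._auth_params = json.load(json_file)
        else:
            self.log.info(
                "Using environment variables for authentication parameters")
            # Only explicit truthy strings switch MSI on. A plain bool() of
            # the raw value made USE_MSI=false (any non-empty text) enable MSI.
            use_msi_raw = os.environ.get(constants.ENV_USE_MSI) or ''
            use_msi = use_msi_raw.strip().lower() in ('1', 'true', 'yes', 'on')
            self._auth_params = {
                'client_id':
                os.environ.get(constants.ENV_CLIENT_ID),
                'client_secret':
                os.environ.get(constants.ENV_CLIENT_SECRET),
                'access_token':
                os.environ.get(constants.ENV_ACCESS_TOKEN),
                'tenant_id':
                os.environ.get(constants.ENV_TENANT_ID),
                'use_msi':
                use_msi,
                'subscription_id':
                os.environ.get(constants.ENV_SUB_ID),
                'keyvault_client_id':
                os.environ.get(constants.ENV_KEYVAULT_CLIENT_ID),
                'keyvault_secret_id':
                os.environ.get(constants.ENV_KEYVAULT_SECRET_ID),
                'enable_cli_auth':
                True
            }

        # Let provided id parameter override everything else
        if self.subscription_id_override is not None:
            self._auth_params[
                'subscription_id'] = self.subscription_id_override

        self._authenticate()

        if self.credentials is None:
            self.log.error('Unable to authenticate with Azure.')
            sys.exit(1)

        # TODO: cleanup this workaround when issue resolved.
        # https://github.com/Azure/azure-sdk-for-python/issues/5096
        # The Key Vault credential wraps ONE bearer token fetched right now;
        # the callback ignores (server, resource, scope) and always returns
        # it, so nothing here refreshes the token once it expires.
        if self.resource_namespace == constants.RESOURCE_VAULT:
            access_token = AccessToken(token=self.get_bearer_token())
            self.credentials = KeyVaultAuthentication(
                lambda _1, _2, _3: access_token)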
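    def _initialize_session(self):
        """
        Create an Azure session using the first available authentication type.

        Parameters come from ``self.authorization_file`` (JSON) when it is
        set, otherwise from the environment; ``self.subscription_id_override``
        takes precedence over both sources. Exits the process with status 1
        when ``self._authenticate`` raises or leaves ``self.credentials``
        unset.
        """

        # Only run once
        if self.credentials is not None:
            return

        if self.authorization_file:
            # NOTE(review): the file carries client secrets in clear text;
            # its permissions are the caller's responsibility.
            with open(self.authorization_file) as json_file:
                self._auth_params = json.load(json_file)
            if self.subscription_id_override is not None:
                self._auth_params[
                    'subscription_id'] = self.subscription_id_override
        else:
            # Only explicit truthy strings switch MSI on. A plain bool() of
            # the raw value made USE_MSI=false (any non-empty text) enable MSI.
            use_msi_raw = os.environ.get(constants.ENV_USE_MSI) or ''
            use_msi = use_msi_raw.strip().lower() in ('1', 'true', 'yes', 'on')
            self._auth_params = {
                'client_id':
                os.environ.get(constants.ENV_CLIENT_ID),
                'client_secret':
                os.environ.get(constants.ENV_CLIENT_SECRET),
                'access_token':
                os.environ.get(constants.ENV_ACCESS_TOKEN),
                'tenant_id':
                os.environ.get(constants.ENV_TENANT_ID),
                'region':
                os.environ.get(constants.ENV_REGION),
                'use_msi':
                use_msi,
                'subscription_id':
                self.subscription_id_override
                or os.environ.get(constants.ENV_SUB_ID),
                'keyvault_client_id':
                os.environ.get(constants.ENV_KEYVAULT_CLIENT_ID),
                'keyvault_secret_id':
                os.environ.get(constants.ENV_KEYVAULT_SECRET_ID),
                'enable_cli_auth':
                True
            }

        try:
            self._authenticate()
        except Exception as e:
            # ``message`` is the legacy Python 2 exception attribute; when it
            # is absent the full traceback is logged instead. Either way the
            # error text may echo parameters, so keep secrets out of it.
            if hasattr(e, 'message'):
                log.error(e.message)
            else:
                log.exception("Failed to authenticate.")
            sys.exit(1)

        if self.credentials is None:
            log.error('Failed to authenticate.')
            sys.exit(1)

        # Override credential type for KV auth
        # https://github.com/Azure/azure-sdk-for-python/issues/5096
        # The Key Vault credential wraps ONE bearer token fetched right now;
        # the callback ignores (server, resource, scope) and always returns
        # it, so nothing here refreshes the token once it expires.
        if self.resource_namespace == constants.RESOURCE_VAULT:
            access_token = AccessToken(token=self.get_bearer_token())
            self.credentials = KeyVaultAuthentication(
                lambda _1, _2, _3: access_token)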
def get_keyvault_secret(user_identity_id, keyvault_secret_id):
    """
    Fetch a secret value from Key Vault with a managed-identity token.

    :param user_identity_id: client id of a user-assigned identity; when
        falsy the system-assigned identity of the host is used instead.
    :param keyvault_secret_id: full secret identifier, parsed by
        ``KeyVaultId.parse_secret_id`` into vault, name and version.
    :return: the secret's ``value`` in clear text -- never log it.
    """
    parsed = KeyVaultId.parse_secret_id(keyvault_secret_id)

    # Prefer the user-assigned identity whenever a client id was supplied.
    msi_kwargs = {'resource': RESOURCE_VAULT}
    if user_identity_id:
        msi_kwargs['client_id'] = user_identity_id
    msi = MSIAuthentication(**msi_kwargs)

    # KeyVaultAuthentication wants a callback; it gets the MSI token back
    # unchanged whatever (server, resource, scope) it asks for, so the
    # token is not refreshed for the lifetime of the client.
    bearer = AccessToken(token=msi.token['access_token'])
    credentials = KeyVaultAuthentication(
        lambda _server, _resource, _scope: bearer)

    client = KeyVaultClient(credentials)
    bundle = client.get_secret(parsed.vault, parsed.name, parsed.version)
    return bundle.value
def get_keyvault_secret(user_identity_id,
                        keyvault_secret_id,
                        cloud_endpoints=AZURE_PUBLIC_CLOUD):
    """
    Fetch a secret value from Key Vault with a managed-identity token.

    :param user_identity_id: client id of a user-assigned identity; when
        falsy the system-assigned identity of the host is used instead.
    :param keyvault_secret_id: full secret identifier, parsed by
        ``KeyVaultId.parse_secret_id`` into vault, name and version.
    :param cloud_endpoints: cloud definition used to derive the Key Vault
        token audience via ``get_keyvault_auth_endpoint``; defaults to the
        public cloud.
    :return: the secret's ``value`` in clear text -- never log it.
    """
    parsed = KeyVaultId.parse_secret_id(keyvault_secret_id)

    # The token audience depends on the target cloud (public, government, ...).
    audience = get_keyvault_auth_endpoint(cloud_endpoints)

    # Prefer the user-assigned identity whenever a client id was supplied.
    msi_kwargs = {'resource': audience}
    if user_identity_id:
        msi_kwargs['client_id'] = user_identity_id
    msi = MSIAuthentication(**msi_kwargs)

    # KeyVaultAuthentication wants a callback; it gets the MSI token back
    # unchanged whatever (server, resource, scope) it asks for, so the
    # token is not refreshed for the lifetime of the client.
    bearer = AccessToken(token=msi.token['access_token'])
    credentials = KeyVaultAuthentication(
        lambda _server, _resource, _scope: bearer)

    client = KeyVaultClient(credentials)
    bundle = client.get_secret(parsed.vault, parsed.name, parsed.version)
    return bundle.value
 def _auth_callback(server, resource, scope):
     """
     Test stand-in for a ``KeyVaultAuthentication`` callback.

     Ignores ``server``, ``resource`` and ``scope`` and always hands back
     the same placeholder bearer token; it must never reach real code.
     """
     return AccessToken(scheme='Bearer', token='fake-token')
 def authenticate_user(server, resource, scope, scheme):
     """
     Authentication callback that obtains a user token for ``resource``.

     ``server``, ``scope`` and the requested ``scheme`` are not consulted:
     the returned ``AccessToken`` carries the scheme reported by the token
     itself (``tokenType``). ``self`` is taken from the enclosing scope --
     this appears to be a closure inside a method.
     """
     issued = self.get_user_token(resource=resource)
     token_scheme = issued['tokenType']
     token_value = issued['accessToken']
     return AccessToken(scheme=token_scheme, token=token_value, key=None)
    def _initialize_session(self):
        """
        Creates a session using available authentication type.

        Auth priority:
        1. Token Auth
        2. Tenant Auth
        3. Azure CLI Auth

        An authorization file, when set, beats every environment-based
        method; MSI sits between Tenant and CLI auth below. Each branch sets
        ``self.credentials`` and ``self.subscription_id`` (Tenant and CLI
        auth also set ``self.tenant_id``).
        """

        # Only run once
        if self.credentials is not None:
            return

        # A method is chosen only when ALL of its variables are present.
        tenant_auth_variables = [
            constants.ENV_TENANT_ID, constants.ENV_SUB_ID,
            constants.ENV_CLIENT_ID, constants.ENV_CLIENT_SECRET
        ]

        token_auth_variables = [
            constants.ENV_ACCESS_TOKEN, constants.ENV_SUB_ID
        ]

        msi_auth_variables = [
            constants.ENV_USE_MSI, constants.ENV_SUB_ID
        ]

        if self.authorization_file:
            self.credentials, self.subscription_id = self.load_auth_file(self.authorization_file)
            self.log.info("Creating session with authorization file")

        elif all(k in os.environ for k in token_auth_variables):
            # Token authentication
            # NOTE(review): this wraps a single pre-issued access token;
            # nothing in this method refreshes it, so a long run will
            # presumably start failing once it expires -- confirm upstream.
            self.credentials = BasicTokenAuthentication(
                token={
                    'access_token': os.environ[constants.ENV_ACCESS_TOKEN]
                })
            self.subscription_id = os.environ[constants.ENV_SUB_ID]
            self.log.info("Creating session with Token Authentication")
            self._is_token_auth = True

        elif all(k in os.environ for k in tenant_auth_variables):
            # Tenant (service principal) authentication
            self.credentials = ServicePrincipalCredentials(
                client_id=os.environ[constants.ENV_CLIENT_ID],
                secret=os.environ[constants.ENV_CLIENT_SECRET],
                tenant=os.environ[constants.ENV_TENANT_ID],
                resource=self.resource_namespace)
            self.subscription_id = os.environ[constants.ENV_SUB_ID]
            self.tenant_id = os.environ[constants.ENV_TENANT_ID]
            self.log.info("Creating session with Service Principal Authentication")

        elif all(k in os.environ for k in msi_auth_variables):
            # MSI authentication
            # Presence of USE_MSI is what matters here, not its value.
            # A client id selects a user-assigned identity; otherwise the
            # system-assigned identity is used.
            if constants.ENV_CLIENT_ID in os.environ:
                self.credentials = MSIAuthentication(
                    client_id=os.environ[constants.ENV_CLIENT_ID],
                    resource=self.resource_namespace)
            else:
                self.credentials = MSIAuthentication(
                    resource=self.resource_namespace)

            self.subscription_id = os.environ[constants.ENV_SUB_ID]
            self.log.info("Creating session with MSI Authentication")
        else:
            # Azure CLI authentication
            # Fallback: reuse whatever account `az login` left in the CLI
            # profile on this host.
            self._is_cli_auth = True
            (self.credentials,
             self.subscription_id,
             self.tenant_id) = Profile().get_login_credentials(
                resource=self.resource_namespace)

            self.log.info("Creating session with Azure CLI Authentication")

        # TODO: cleanup this workaround when issue resolved.
        # https://github.com/Azure/azure-sdk-for-python/issues/5096
        # The Key Vault credential wraps ONE bearer token fetched right now;
        # the callback ignores (server, resource, scope) and always returns
        # it, so it is not refreshed here once it expires.
        if self.resource_namespace == constants.RESOURCE_VAULT:
            access_token = AccessToken(token=self.get_bearer_token())
            self.credentials = KeyVaultAuthentication(lambda _1, _2, _3: access_token)

        # Let provided id parameter override everything else
        if self.subscription_id_override is not None:
            self.subscription_id = self.subscription_id_override

        self.log.info("Session using Subscription ID: %s" % self.subscription_id)

        # NOTE(review): this check runs after the Key Vault override above,
        # which already called get_bearer_token() on the credentials.
        if self.credentials is None:
            self.log.error('Unable to locate credentials for Azure session.')