def _add_vault(self):
name = input('\nenter vault name:')
all_perms = Permissions()
all_perms.keys = [KeyPermissions.all]
all_perms.secrets = [SecretPermissions.all]
all_perms.certificates = [CertificatePermissions.all]
user_policy = AccessPolicyEntry(self._config.tenant_id,
self._config.user_oid, all_perms)
app_policy = AccessPolicyEntry(CLIENT_TENANT_ID, CLIENT_OID, all_perms)
access_policies = [user_policy, app_policy]
properties = VaultProperties(self._config.tenant_id,
Sku(name='standard'), access_policies)
properties.enabled_for_deployment = True
properties.enabled_for_disk_encryption = True
properties.enabled_for_template_deployment = True
vault = VaultCreateOrUpdateParameters(self._config.location,
properties)
self._mgmt_client.vaults.create_or_update(self._config.resource_group,
name, vault)
print('vault %s created\n' % name)
def update_key_vault_access_policy(
self,
keyvault_client,
resource_group_name,
key_vault_name,
tenant_id,
app_object_id,
stg_object_id,
):
"""Updates Key Vault Access Policy
:param keyvault_client: Instance of the Azure KeyVaultManagementClient.
:param resource_group_name: The name of the resource group.
:param key_vault_name: Name of the Key Vault.
:param region: The location in which the Key Vault exists.
:param tenant_id: Azure tenant Id
:param app_object_id: Object Id of the application
:param stg_principal_id: Principal Id of the Storage Account
:type keyvault_client: object
:type resource_group_name: str
:type key_vault_name: str
:type region: str
:type tenant_id: str
:type app_object_id: str
:type stg_principal_id: str
:returns: None
:rtype: None
"""
access_policy_storage = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=stg_object_id,
permissions=Permissions(
keys=[
KeyPermissions.GET,
KeyPermissions.UNWRAP_KEY,
KeyPermissions.WRAP_KEY,
],
),
)
access_policy_app = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=app_object_id,
permissions=Permissions(keys=[KeyPermissions.GET, KeyPermissions.CREATE]),
)
access_policy = [access_policy_app, access_policy_storage]
logging.info("Updating Key Vault Access Policy")
logging.info("executing keyvault_client.vaults.update_access_policy")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" vault_name={key_vault_name}")
keyvault_client.vaults.update_access_policy(
resource_group_name=resource_group_name,
vault_name=key_vault_name,
operation_kind=AccessPolicyUpdateKind.ADD,
parameters=VaultAccessPolicyParameters(
properties=VaultAccessPolicyProperties(access_policies=access_policy),
),
)
def create(self):
secret_permissions = ['all']
permissions = Permissions(secrets=secret_permissions)
access_policy = AccessPolicyEntry(
tenant_id=self.config.tenant_id,
object_id=self.config.client_object_id,
permissions=permissions)
sku = Sku(name="standard")
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=sku,
access_policies=[access_policy])
vault_paramerters = VaultCreateOrUpdateParameters(
location="eastus", properties=properties)
client = self._get_kv_client()
result = client.vaults.create_or_update(
resource_group_name=self.config.resource_group_name,
vault_name=self.config.key_vault_name,
parameters=vault_paramerters)
_poll_for_complete(result)
def create_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
vault_name = KeyVaultSampleBase.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_namne, vault_name, parameters)
return vault
def set_policy(client, resource_group_name, vault_name,
object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None,
certificate_permissions=None):
""" Update security policy settings for a Key Vault. """
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies
if object_id.lower() == p.object_id.lower() and
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(AccessPolicyEntry(
tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(keys=key_permissions,
secrets=secret_permissions,
certificates=certificate_permissions)))
else:
# Modify existing policy.
# If key_permissions is not set, use prev. value (similarly with secret_permissions).
keys = policy.permissions.keys if key_permissions is None else key_permissions
secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions
certs = policy.permissions.certificates \
if certificate_permissions is None else certificate_permissions
policy.permissions = Permissions(keys=keys, secrets=secrets, certificates=certs)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location, properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = self.keyvault_mgmt_client.vaults.create_or_update(self.config.group_name, vault_name, parameters)
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('created vault {} {}'.format(vault_name, vault.properties.vault_uri))
return vault
def create_keyvault(client,
resource_group_name,
vault_name,
location=None,
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
from azure.cli.core._profile import Profile, CLOUD
from azure.graphrbac.models import GraphErrorException
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=CLOUD.endpoints.active_directory_graph_resource_id)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=CLOUD.endpoints.active_directory_graph_resource_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[
KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete,
KeyPermissions.list, KeyPermissions.update,
KeyPermissions.import_enum, KeyPermissions.backup,
KeyPermissions.restore
],
secrets=[SecretPermissions.all],
certificates=[CertificatePermissions.all])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError(
'Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def create_resource(self, name, **kwargs):
if self.is_live:
# create a vault with the management client
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.test_class_instance.settings.CLIENT_OID,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties)
self.management_client = self.create_mgmt_client(KeyVaultManagementClient)
vault = self.management_client.vaults.create_or_update(group, name, parameters).result()
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
vault_credentials = self.test_class_instance.settings.get_credentials(resource="https://vault.azure.net")
client = VaultClient(vault_uri, vault_credentials)
return {self.parameter_name: client}
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
'CLIENT_OID', CLIENT_OID)
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.client_oid,
permissions=self.permissions)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None)
if self.is_live:
self.client = self.create_mgmt_client(KeyVaultManagementClient)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.resource = self.client.vaults.create_or_update(
group, name, parameters).result()
else:
properties.vault_uri = 'https://{}.vault.azure.net/'.format(name)
self.resource = FakeVault(name=name,
location=self.location,
properties=properties)
return {self.parameter_name: self.resource}
def _get_params(self):
"""Build the vault parameters block."""
oid = _user_oid(self.auth_client.legacy.token)
sec_perms_all = [perm.value for perm in SecretPermissions]
key_perms_all = [perm.value for perm in KeyPermissions]
cert_perms_all = [perm.value for perm in CertificatePermissions]
permissions = Permissions()
permissions.keys = key_perms_all
permissions.secrets = sec_perms_all
permissions.certificates = cert_perms_all
policy = AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=oid,
permissions=permissions)
properties = VaultProperties(
tenant_id=self.tenant_id,
sku=Sku(name="standard", family="A"),
access_policies=[policy],
)
parameters = VaultCreateOrUpdateParameters(location=self.azure_region,
properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
return parameters
def create_vault(self):
self.keyvault_mgmt_client.vaults.create_or_update()
vault_name = KeyVaultSample.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_namne, vault_name, parameters)
return vault
def create_keyvault(
client,
resource_group_name,
vault_name,
location, #pylint:disable=too-many-arguments
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=False,
tags=None):
from azure.cli.core._profile import Profile
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID])
graph_client = GraphRbacManagementClient(cred, tenant_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[
KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete,
KeyPermissions.list, KeyPermissions.update,
KeyPermissions.import_enum, KeyPermissions.backup,
KeyPermissions.restore
],
secrets=[SecretPermissions.all],
certificates=[CertificatePermissions.all])
object_id = _get_current_user_object_id(graph_client)
if not object_id:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\n'
'Unable to query active directory for information '\
'about the current user.\n'
'You may try the --no-self-perms flag to create a vault'\
' without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def create_keyvault(
client,
resource_group_name,
vault_name,
location, #pylint:disable=too-many-arguments
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=False,
tags=None):
from azure.cli.core._profile import Profile
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True)
graph_client = GraphRbacManagementClient(cred, tenant_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
# TODO Use the enums instead of strings when new keyvault SDK is released
# https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/
# azure/mgmt/keyvault/models/key_vault_management_client_enums.py
permissions = Permissions(keys=[
'get', 'create', 'delete', 'list', 'update', 'import', 'backup',
'restore'
],
secrets=['all'])
object_id = _get_current_user_object_id(graph_client)
if not object_id:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\n'
'Unable to query active directory for information '\
'about the current user.\n'
'You may try the --no-self-perms flag to create a vault'\
' without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
"CLIENT_OID", CLIENT_OID)
if self.is_live:
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.get_settings_value(
"TENANT_ID"),
object_id=self.client_oid,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.get_settings_value(
"TENANT_ID"),
sku=Sku(name=self.sku, family=SkuFamily.A)
if SkuFamily else Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.client = self.create_mgmt_client(KeyVaultManagementClient)
# ARM may return not found at first even though the resource group has been created
retries = 4
for i in range(retries):
try:
vault = self.client.vaults.begin_create_or_update(
group, name, parameters).result()
break
except Exception as ex:
if "VaultAlreadyExists" in str(ex):
raise NameInUseError(name)
if "ReservedResourceName" in str(ex):
raise ReservedResourceNameError(name)
if "ResourceGroupNotFound" not in str(
ex) or i == retries - 1:
raise
time.sleep(3)
self.test_class_instance.scrubber.register_name_pair(
name, self.resource_moniker)
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
return {self.parameter_name: vault_uri}
def create_vault_with_network(self):
"""
Creates a key vault with network access limited by a NetworkRuleSet
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
# Network ACL definitions
# The only action supported for virtual network and IP rules is "allow".
# To deny an address, set the default action to 'deny' and do not explicitly allow the address.
network_acls = NetworkRuleSet(
# allow bypass of network ACL rules by other azure services. Valid values are azure_services or none
bypass=NetworkRuleBypassOptions.azure_services,
# the action to take if access attempt doesn't match any rule. Valid values are allow or deny
default_action=NetworkRuleAction.deny,
# IP rules (allowed IPv4 addresses / ranges)
ip_rules=[IPRule(value='0.0.0.0/0')
], # Allow access from a IP address range
# Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID)
virtual_network_rules=[
# To specifically allow access to a vnet, uncomment the line below and replace the id with the correct
# resource id for your vnet
# VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1')
])
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy],
network_acls=network_acls)
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
self.vault = self.mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
def create_resource(self, name, **kwargs):
self.client_oid = self.test_class_instance.set_value_to_scrub(
'CLIENT_OID', CLIENT_OID)
if self.is_live:
# create a vault with the management client
group = self._get_resource_group(**kwargs).name
access_policies = [
AccessPolicyEntry(
tenant_id=self.test_class_instance.settings.TENANT_ID,
object_id=self.client_oid,
permissions=self.permissions,
)
]
properties = VaultProperties(
tenant_id=self.test_class_instance.settings.TENANT_ID,
sku=Sku(name=self.sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=self.enabled_for_deployment,
enabled_for_disk_encryption=self.enabled_for_disk_encryption,
enabled_for_template_deployment=self.
enabled_for_template_deployment,
enable_soft_delete=self.enable_soft_delete,
enable_purge_protection=None,
)
parameters = VaultCreateOrUpdateParameters(location=self.location,
properties=properties)
self.management_client = self.create_mgmt_client(
KeyVaultManagementClient)
# ARM may return not found at first even though the resource group has been created
retries = 4
for i in range(retries):
try:
vault = self.management_client.vaults.create_or_update(
group, name, parameters).result()
except Exception as ex:
if "ResourceGroupNotFound" not in str(
ex) or i == retries - 1:
raise
time.sleep(3)
vault_uri = vault.properties.vault_uri
else:
# playback => we need only the uri used in the recording
vault_uri = "https://{}.vault.azure.net/".format(name)
client = self.create_vault_client(vault_uri)
return {self.parameter_name: client}
def get_sample_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
if not self.config.vault:
keyvault_mgmt_client = KeyVaultManagementClient(
self.mgmt_client_creds, self.config.subscription_id)
if self.config.vault_name:
vault = keyvault_mgmt_client.vaults.get(
resource_group_name=self.config.group_name,
vault_name=self.config.vault_name)
else:
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(
keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = keyvault_mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
self.config.vault = vault
return self.config.vault
def create_soft_delete_enabled_vault(self):
"""
creates a key vault which has soft delete enabled so that the vault as well as all of its keys,
certificates and secrets are recoverable
"""
vault_name = get_name('vault')
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
# NOTE: This value should only None or True, setting the value to false will cause a service validation error
# once soft delete has been enabled on the vault it cannot be disabled
parameters.properties.enable_soft_delete = True
print('creating soft delete enabled vault: {}'.format(vault_name))
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('vault {} created enable_soft_delete={}'.format(
vault.name, vault.properties.enable_soft_delete))
def grant_access_to_sample_vault(self, vault, oid):
keyvault_mgmt_client = KeyVaultManagementClient(
credentials=self.mgmt_client_creds,
subscription_id=self.config.subscription_id)
# setup vault permissions for the access policy for the oid
permissions = Permissions(keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=oid,
permissions=permissions)
vault.properties.access_policies.append(policy)
return keyvault_mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault.name,
parameters=vault).result()
def create_recoverable_vault_sample(self):
"""
Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys,
certificates and secrets are recoverable
:return: a key vault which has been created with recovery enabled
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
self.setup_sample()
vault_name = KeyVaultSampleBase.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
parameters.properties.enable_soft_delete = True
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
print(vault)
return vault
def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True,
enabled_for_template_deployment=True, enable_soft_delete=None, sku=None):
creds = self.settings.get_credentials()
access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID,
object_id=self.settings.CLIENT_OID,
permissions=permissions or self.default_permissions)]
properties = VaultProperties(tenant_id=self.settings.TENANT_ID,
sku=Sku(sku or SkuName.premium.value),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location='westus',
properties=properties)
vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters)
if not self.is_playback():
self.sleep(10)
return vault
def set_policy(
client,
resource_group_name,
vault_name, #pylint:disable=too-many-arguments
object_id=None,
spn=None,
upn=None,
perms_to_keys=None,
perms_to_secrets=None):
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies \
if object_id.lower() == p.object_id.lower() and \
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(
AccessPolicyEntry(
tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(keys=perms_to_keys,
secrets=perms_to_secrets)))
else:
# Modify existing policy.
# If perms_to_keys is not set, use prev. value (similarly with perms_to_secrets).
keys = policy.permissions.keys if perms_to_keys is None else perms_to_keys
secrets = policy.permissions.secrets if perms_to_secrets is None else perms_to_secrets
policy.permissions = Permissions(keys=keys, secrets=secrets)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_key_vault(
self,
keyvault_client,
resource_group_name,
key_vault_name,
region,
tenant_id,
app_object_id,
stg_principal_id,
):
"""Creates a Key Vault
:param keyvault_client: Instance of the Azure KeyVaultManagementClient.
:param resource_group_name: The name of the resource group.
:param key_vault_name: Name of the Key Vault.
:param region: location of the Key Vault.
:param tenant_id: Azure tenant Id
:param app_object_id: Object Id of the application
:param stg_principal_id: Principal Id of the Storage Account
:type keyvault_client: object
:type resource_group_name: str
:type key_vault_name: str
:type region: str
:type tenant_id: str
:type app_object_id: str
:type stg_principal_id: str
:returns: Vault object
:rtype: object
"""
access_policy_storage_account = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=stg_principal_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.UNWRAP_KEY,
KeyPermissions.WRAP_KEY,
], ),
)
access_policy_app = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=app_object_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.LIST,
KeyPermissions.CREATE,
KeyPermissions.UPDATE,
KeyPermissions.DELETE,
KeyPermissions.BACKUP,
KeyPermissions.RESTORE,
KeyPermissions.RECOVER,
], ),
)
key_vault_properties = VaultCreateOrUpdateParameters(
location=region,
tags={"Created By": "CHSS"},
properties=VaultProperties(
tenant_id=tenant_id,
sku=Sku(
family="A",
name="standard",
),
access_policies=[
access_policy_storage_account, access_policy_app
],
soft_delete_retention_in_days=90,
enabled_for_disk_encryption=False,
enabled_for_deployment=False,
enabled_for_template_deployment=False,
enable_soft_delete=True,
enable_purge_protection=True,
),
)
logging.info("creating a key vault")
logging.info("executing keyvault_client.vaults.begin_create_or_update")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" vault_name={key_vault_name}")
vault = keyvault_client.vaults.begin_create_or_update(
resource_group_name=resource_group_name,
vault_name=key_vault_name,
parameters=key_vault_properties,
).result()
return vault
def create_keyvault(
cmd,
client, # pylint: disable=too-many-locals
resource_group_name,
vault_name,
location=None,
sku=None,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
enable_soft_delete=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, Permissions, KeyPermissions,
SecretPermissions, CertificatePermissions, StoragePermissions,
AccessPolicyEntry, Sku, VaultProperties)
from azure.cli.core._profile import Profile
from azure.graphrbac.models import GraphErrorException
from azure.graphrbac import GraphRbacManagementClient
profile = Profile(cli_ctx=cmd.cli_ctx)
cred, _, tenant_id = profile.get_login_credentials(
resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(
keys=[
KeyPermissions.get, KeyPermissions.create,
KeyPermissions.delete, KeyPermissions.list,
KeyPermissions.update, KeyPermissions.import_enum,
KeyPermissions.backup, KeyPermissions.restore,
KeyPermissions.recover
],
secrets=[
SecretPermissions.get, SecretPermissions.list,
SecretPermissions.set, SecretPermissions.delete,
SecretPermissions.backup, SecretPermissions.restore,
SecretPermissions.recover
],
certificates=[
CertificatePermissions.get, CertificatePermissions.list,
CertificatePermissions.delete, CertificatePermissions.create,
CertificatePermissions.import_enum,
CertificatePermissions.update,
CertificatePermissions.managecontacts,
CertificatePermissions.getissuers,
CertificatePermissions.listissuers,
CertificatePermissions.setissuers,
CertificatePermissions.deleteissuers,
CertificatePermissions.manageissuers,
CertificatePermissions.recover
],
storage=[
StoragePermissions.get, StoragePermissions.list,
StoragePermissions.delete, StoragePermissions.set,
StoragePermissions.update, StoragePermissions.regeneratekey,
StoragePermissions.setsas, StoragePermissions.listsas,
StoragePermissions.getsas, StoragePermissions.deletesas
])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError(
'Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def test_create_kafka_cluster_with_disk_encryption(self, resource_group, location, storage_account,
storage_account_key, vault):
# create managed identities for Azure resources.
msi_name = self.get_resource_name('hdipyuai')
msi_principal_id = "00000000-0000-0000-0000-000000000000"
msi_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{}/providers/microsoft.managedidentity/userassignedidentities/{}".format(
resource_group.name, msi_name)
if self.is_live:
msi = self.msi_client.user_assigned_identities.create_or_update(resource_group.name, msi_name, location)
msi_id = msi.id
msi_principal_id = msi.principal_id
# add managed identity to vault
required_permissions = Permissions(
keys=[KeyPermissions.get, KeyPermissions.wrap_key, KeyPermissions.unwrap_key],
secrets=[SecretPermissions.get, SecretPermissions.set, SecretPermissions.delete])
vault.properties.access_policies.append(
AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=msi_principal_id,
permissions=required_permissions)
)
update_params = VaultCreateOrUpdateParameters(location=location,
properties=vault.properties)
vault = self.vault_mgmt_client.vaults.begin_create_or_update(resource_group.name, vault.name,
update_params).result()
self.assertIsNotNone(vault)
# create keyclient
key_client_credential = self.settings.get_azure_core_credentials(scope="https://vault.azure.net/.default")
self.vault_client = KeyClient(vault_url=vault.properties.vault_uri, credential=key_client_credential)
# create key
key_name = self.get_resource_name('hdipykey1')
vault_key = self.vault_client.create_key(key_name, 'RSA')
# create a new key for test rotate
new_key_name = self.get_resource_name('hdipykey2')
new_vault_key = self.vault_client.create_key(new_key_name, 'RSA')
# create HDInsight cluster with Kafka disk encryption
rg_name = resource_group.name
cluster_name = self.get_resource_name('hdisdk-kafka-byok')
create_params = self.get_cluster_create_params(location, cluster_name, storage_account, storage_account_key)
create_params.properties.cluster_definition.kind = 'Kafka'
workernode = next(item for item in create_params.properties.compute_profile.roles if item.name == 'workernode')
workernode.data_disks_groups = [
DataDisksGroups(
disks_per_node=8
)
]
create_params.identity = ClusterIdentity(
type=ResourceIdentityType.user_assigned,
user_assigned_identities={msi_id: ClusterIdentityUserAssignedIdentitiesValue()}
)
create_params.properties.disk_encryption_properties = DiskEncryptionProperties(
vault_uri=vault_key.properties.vault_url,
key_name=vault_key.name,
key_version=vault_key.properties.version,
msi_resource_id=msi_id
)
cluster = self.hdinsight_client.clusters.begin_create(resource_group.name, cluster_name, create_params).result()
self.validate_cluster(cluster_name, create_params, cluster)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(create_params.properties.disk_encryption_properties.vault_uri,
cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(create_params.properties.disk_encryption_properties.key_name,
cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(create_params.properties.disk_encryption_properties.msi_resource_id.lower(),
cluster.properties.disk_encryption_properties.msi_resource_id.lower())
rotate_params = ClusterDiskEncryptionParameters(
vault_uri=new_vault_key.properties.vault_url,
key_name=new_vault_key.name,
key_version=new_vault_key.properties.version
)
# rotate cluster key
self.hdinsight_client.clusters.rotate_disk_encryption_key(rg_name, cluster_name, rotate_params).wait()
cluster = self.hdinsight_client.clusters.get(rg_name, cluster_name)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(rotate_params.vault_uri, cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(rotate_params.key_name, cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(msi_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())
