def main(): arg_parser = argparse.ArgumentParser() arg_parser.add_argument( '--name', '-n', action='store', help='secret name to add') arg_parser.add_argument( '--value', '-v', action='store', help='secret value to add') arg_parser.add_argument( '--delete', '-d', action='store', help='secret name to delete') arg_parser.add_argument( '--keyvault', '-k', action='store', help='key vault name') args = arg_parser.parse_args() if args.name is None and args.delete is None: sys.exit('Error: --name (-n) or --delete (-d) argument not provided.') # Load Azure app defaults try: with open('azurermconfig.json') as config_file: config_data = json.load(config_file) except FileNotFoundError: sys.exit("Error: Expecting azurermconfig.json in current folder") tenant_id = config_data['tenantId'] app_id = config_data['appId'] app_secret = config_data['appSecret'] if args.keyvault is None: kv_name = config_data['keyvault'] else: kv_name = args.keyvault key_vault_uri = f'https://{kv_name}.vault.azure.net/' # get credentials credentials = ServicePrincipalCredentials(client_id=app_id, secret=app_secret, tenant=tenant_id) # instantiate a key vault client client = KeyVaultClient(credentials) try: if args.value is not None: # add a secret secret_bundle = client.set_secret(key_vault_uri, args.name, args.value) print('Secret added:', secret_bundle.id) elif args.delete is not None: # delete a secret client.delete_secret(key_vault_uri, args.delete) print('Secret deleted:', args.delete) else: # get a secret secret = client.get_secret(key_vault_uri, args.name, '') print(secret.value) except Exception as ex: print(ex)
class AzureRMKeyVaultSecret(AzureRMModuleBase): ''' Module that creates or deletes secrets in Azure KeyVault ''' def __init__(self): self.module_arg_spec = dict(secret_name=dict(type='str', required=True), secret_value=dict(type='str', no_log=True), keyvault_uri=dict(type='str', required=True), state=dict(type='str', default='present', choices=['present', 'absent'])) required_if = [('state', 'present', ['secret_value'])] self.results = dict(changed=False, state=dict()) self.secret_name = None self.secret_value = None self.keyvault_uri = None self.state = None self.data_creds = None self.client = None self.tags = None super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec, supports_check_mode=True, required_if=required_if, supports_tags=True) def exec_module(self, **kwargs): for key in list(self.module_arg_spec.keys()) + ['tags']: setattr(self, key, kwargs[key]) # Create KeyVault Client using KeyVault auth class and auth_callback def auth_callback(server, resource, scope): if self.credentials['client_id'] is None or self.credentials[ 'secret'] is None: self.fail( 'Please specify client_id, secret and tenant to access azure Key Vault.' ) tenant = self.credentials.get('tenant') if not self.credentials['tenant']: tenant = "common" authcredential = ServicePrincipalCredentials( client_id=self.credentials['client_id'], secret=self.credentials['secret'], tenant=tenant, resource="https://vault.azure.net") token = authcredential.token return token['token_type'], token['access_token'] self.client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) results = dict() changed = False try: results['secret_id'] = self.get_secret(self.secret_name) # Secret exists and will be deleted if self.state == 'absent': changed = True except KeyVaultErrorException: # Secret doesn't exist if self.state == 'present': changed = True self.results['changed'] = changed self.results['state'] = results if not self.check_mode: # Create secret if self.state == 'present' and changed: results['secret_id'] = self.create_secret( self.secret_name, self.secret_value, self.tags) self.results['state'] = results self.results['state']['status'] = 'Created' # Delete secret elif self.state == 'absent' and changed: results['secret_id'] = self.delete_secret(self.secret_name) self.results['state'] = results self.results['state']['status'] = 'Deleted' else: if self.state == 'present' and changed: self.results['state']['status'] = 'Created' elif self.state == 'absent' and changed: self.results['state']['status'] = 'Deleted' return self.results def get_secret(self, name, version=''): ''' Gets an existing secret ''' secret_bundle = self.client.get_secret(self.keyvault_uri, name, version) if secret_bundle: secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def create_secret(self, name, secret, tags): ''' Creates a secret ''' secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags) secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def delete_secret(self, name): ''' Deletes a secret ''' deleted_secret = self.client.delete_secret(self.keyvault_uri, name) secret_id = KeyVaultId.parse_secret_id(deleted_secret.id) return secret_id.id
vault_url = os.getenv("AZURE_KEYVAULT_URL") # Initialize KV client credentials = ServicePrincipalCredentials( client_id=os.getenv("AZURE_KEYVAULT_CLIENT_ID"), secret=os.getenv("AZURE_KEYVAULT_CLIENT_SECRET"), tenant=os.getenv("AZURE_TENANT_ID")) kvclient = KeyVaultClient(credentials) #Create list of secrets secrets = ["root-ca", "intermediate-ca"] # Load host names hosts = json.loads(open("hostnames.json", "rt").read())["hosts"] # Remove all secrets for secret in secrets: try: kvclient.delete_secret(vault_url, secret) except: logging.critical("Failed to remove: {}".format(secret)) # Remove all hosts for host in hosts: try: kvclient.delete_certificate(vault_url, host) except: logging.critical("Failed to remove: {}".format(secret))
class AzureRMKeyVaultSecret(AzureRMModuleBase): ''' Module that creates or deletes secrets in Azure KeyVault ''' def __init__(self): self.module_arg_spec = dict(secret_name=dict(type='str', required=True), secret_value=dict(type='str', aliases=['secret'], no_log=True), keyvault_uri=dict(type='str', required=True), state=dict(type='str', default='present', choices=['present', 'absent'])) required_if = [('state', 'present', ['secret_value'])] self.results = dict(changed=False, state=dict()) self.secret_name = None self.secret_value = None self.keyvault_uri = None self.state = None self.data_creds = None self.client = None self.tags = None super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec, supports_check_mode=True, required_if=required_if, supports_tags=True) def exec_module(self, **kwargs): for key in list(self.module_arg_spec.keys()) + ['tags']: setattr(self, key, kwargs[key]) # Create KeyVault Client using KeyVault auth class and auth_callback self.client = KeyVaultClient(self.azure_credentials) results = dict() changed = False try: results['secret_id'] = self.get_secret(self.secret_name) # Secret exists and will be deleted if self.state == 'absent': changed = True except KeyVaultErrorException: # Secret doesn't exist if self.state == 'present': changed = True self.results['changed'] = changed self.results['state'] = results if not self.check_mode: # Create secret if self.state == 'present' and changed: results['secret_id'] = self.create_secret( self.secret_name, self.secret_value, self.tags) self.results['state'] = results self.results['state']['status'] = 'Created' # Delete secret elif self.state == 'absent' and changed: results['secret_id'] = self.delete_secret(self.secret_name) self.results['state'] = results self.results['state']['status'] = 'Deleted' else: if self.state == 'present' and changed: self.results['state']['status'] = 'Created' elif self.state == 'absent' and changed: self.results['state']['status'] = 'Deleted' return self.results def get_secret(self, name, version=''): ''' Gets an existing secret ''' secret_bundle = self.client.get_secret(self.keyvault_uri, name, version) if secret_bundle: secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def create_secret(self, name, secret, tags): ''' Creates a secret ''' secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags) secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def delete_secret(self, name): ''' Deletes a secret ''' deleted_secret = self.client.delete_secret(self.keyvault_uri, name) secret_id = KeyVaultId.parse_secret_id(deleted_secret.id) return secret_id.id
class AzureRMKeyVaultSecret(AzureRMModuleBase): ''' Module that creates or deletes secrets in Azure KeyVault ''' def __init__(self): self.module_arg_spec = dict( secret_name=dict(type='str', required=True), secret_value=dict(type='str', aliases=['secret'], no_log=True), keyvault_uri=dict(type='str', required=True), state=dict(type='str', default='present', choices=['present', 'absent']) ) required_if = [ ('state', 'present', ['secret_value']) ] self.results = dict( changed=False, state=dict() ) self.secret_name = None self.secret_value = None self.keyvault_uri = None self.state = None self.data_creds = None self.client = None self.tags = None super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec, supports_check_mode=True, required_if=required_if, supports_tags=True) def exec_module(self, **kwargs): for key in list(self.module_arg_spec.keys()) + ['tags']: setattr(self, key, kwargs[key]) # Create KeyVault Client using KeyVault auth class and auth_callback self.client = KeyVaultClient(self.azure_credentials) results = dict() changed = False try: results['secret_id'] = self.get_secret(self.secret_name) # Secret exists and will be deleted if self.state == 'absent': changed = True except KeyVaultErrorException: # Secret doesn't exist if self.state == 'present': changed = True self.results['changed'] = changed self.results['state'] = results if not self.check_mode: # Create secret if self.state == 'present' and changed: results['secret_id'] = self.create_secret(self.secret_name, self.secret_value, self.tags) self.results['state'] = results self.results['state']['status'] = 'Created' # Delete secret elif self.state == 'absent' and changed: results['secret_id'] = self.delete_secret(self.secret_name) self.results['state'] = results self.results['state']['status'] = 'Deleted' else: if self.state == 'present' and changed: self.results['state']['status'] = 'Created' elif self.state == 'absent' and changed: self.results['state']['status'] = 'Deleted' return self.results def get_secret(self, name, version=''): ''' Gets an existing secret ''' secret_bundle = self.client.get_secret(self.keyvault_uri, name, version) if secret_bundle: secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def create_secret(self, name, secret, tags): ''' Creates a secret ''' secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags) secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def delete_secret(self, name): ''' Deletes a secret ''' deleted_secret = self.client.delete_secret(self.keyvault_uri, name) secret_id = KeyVaultId.parse_secret_id(deleted_secret.id) return secret_id.id