def _authenticate(self):
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id,
keyvault_secret_id)))
client_id = self._auth_params.get('client_id')
client_secret = self._auth_params.get('client_secret')
access_token = self._auth_params.get('access_token')
tenant_id = self._auth_params.get('tenant_id')
use_msi = self._auth_params.get('use_msi')
subscription_id = self._auth_params.get('subscription_id')
if access_token and subscription_id:
self.log.info("Creating session with Token Authentication")
self.subscription_id = subscription_id
self.credentials = BasicTokenAuthentication(
token={'access_token': access_token})
self._is_token_auth = True
elif client_id and client_secret and tenant_id and subscription_id:
self.log.info(
"Creating session with Service Principal Authentication")
self.subscription_id = subscription_id
self.credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource=self.resource_namespace)
self.tenant_id = tenant_id
elif use_msi and subscription_id:
self.log.info("Creating session with MSI Authentication")
self.subscription_id = subscription_id
if client_id:
self.credentials = MSIAuthentication(
client_id=client_id, resource=self.resource_namespace)
else:
self.credentials = MSIAuthentication(
resource=self.resource_namespace)
elif self._auth_params.get('enable_cli_auth'):
self.log.info("Creating session with Azure CLI Authentication")
self._is_cli_auth = True
try:
(self.credentials, self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=self.resource_namespace)
except Exception:
self.log.error('Unable to authenticate with Azure')
self.log.info("Session using Subscription ID: %s" %
self.subscription_id)
def test_get_keyvault_secret(self, _1):
mock = Mock()
mock.value = '{"client_id": "client", "client_secret": "secret"}'
with patch('azure.common.credentials.ServicePrincipalCredentials.__init__',
return_value=None), \
patch('azure.keyvault.v7_0.KeyVaultClient.get_secret', return_value=mock):
reload(sys.modules['c7n_azure.utils'])
result = get_keyvault_secret(None, 'https://testkv.vault.net/secrets/testsecret/123412')
self.assertEqual(result, mock.value)
def test_get_keyvault_secret_with_parameter(self, _1):
mock = Mock()
mock.value = '{"client_id": "client", "client_secret": "secret"}'
with patch('azure.common.credentials.ServicePrincipalCredentials.__init__',
return_value=None), \
patch('azure.keyvault.v7_0.KeyVaultClient.get_secret', return_value=mock):
reload(sys.modules['c7n_azure.utils'])
result = get_keyvault_secret(None, 'https://testkv.vault.net/secrets/testsecret/123412',
cloud_endpoints=AZURE_CHINA_CLOUD)
self.assertEqual(mock.value, result)
resource_auth = _1.call_args.kwargs.get('resource')
self.assertEqual('https://vault.azure.cn', resource_auth)
def _authenticate(self):
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
try:
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id, keyvault_secret_id)))
except HTTPError as e:
e.message = 'Failed to retrieve SP credential ' \
'from Key Vault with client id: {0}'.format(keyvault_client_id)
raise
token_providers = [
AccessTokenProvider,
ServicePrincipalProvider,
MSIProvider,
CLIProvider
]
for provider in token_providers:
instance = provider(self._auth_params, self.resource_namespace)
if instance.is_available():
result = instance.authenticate()
self.subscription_id = result.subscription_id
self.tenant_id = result.tenant_id
self.credentials = result.credential
self.token_provider = provider
break
# Let provided id parameter override everything else
if self.subscription_id_override is not None:
self.subscription_id = self.subscription_id_override
log.info('Authenticated [%s | %s%s]',
instance.name, self.subscription_id,
' | Authorization File' if self.authorization_file else '')
def __init__(self,
cloud_endpoints,
authorization_file=None,
subscription_id_override=None):
# type: (*str, *str) -> None
if authorization_file:
with open(authorization_file) as json_file:
self._auth_params = json.load(json_file)
else:
self._auth_params = {
'client_id':
os.environ.get(constants.ENV_CLIENT_ID),
'client_secret':
os.environ.get(constants.ENV_CLIENT_SECRET),
'access_token':
os.environ.get(constants.ENV_ACCESS_TOKEN),
'tenant_id':
os.environ.get(constants.ENV_TENANT_ID),
'use_msi':
bool(os.environ.get(constants.ENV_USE_MSI)),
'subscription_id':
os.environ.get(constants.ENV_SUB_ID),
'keyvault_client_id':
os.environ.get(constants.ENV_KEYVAULT_CLIENT_ID),
'keyvault_secret_id':
os.environ.get(constants.ENV_KEYVAULT_SECRET_ID),
'enable_cli_auth':
True
}
self._auth_params[
'authority'] = cloud_endpoints.endpoints.active_directory
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
try:
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id,
keyvault_secret_id)))
except HTTPError as e:
e.message = 'Failed to retrieve SP credential ' \
'from Key Vault with client id: {0}'.format(keyvault_client_id)
raise
self._credential = None
if self._auth_params.get('access_token') is not None:
auth_name = 'Access Token'
pass
elif (self._auth_params.get('client_id')
and self._auth_params.get('client_secret')
and self._auth_params.get('tenant_id')):
auth_name = 'Principal'
self._credential = ClientSecretCredential(
client_id=self._auth_params['client_id'],
client_secret=self._auth_params['client_secret'],
tenant_id=self._auth_params['tenant_id'],
authority=self._auth_params['authority'])
elif self._auth_params.get('use_msi'):
auth_name = 'MSI'
self._credential = ManagedIdentityCredential(
client_id=self._auth_params.get('client_id'))
elif self._auth_params.get('enable_cli_auth'):
auth_name = 'Azure CLI'
self._credential = AzureCliCredential()
account_info, error = _run_command('az account show --output json')
account_json = json.loads(account_info)
self._auth_params['subscription_id'] = account_json['id']
self._auth_params['tenant_id'] = account_json['tenantId']
if error is not None:
raise Exception('Unable to query TenantId and SubscriptionId')
if subscription_id_override is not None:
self._auth_params['subscription_id'] = subscription_id_override
self._subscription_id = self._auth_params['subscription_id']
self._tenant_id = self._auth_params['tenant_id']
log.info('Authenticated [%s | %s%s]', auth_name, self.subscription_id,
' | Authorization File' if authorization_file else '')
def _authenticate(self):
try:
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id,
keyvault_secret_id)))
client_id = self._auth_params.get('client_id')
client_secret = self._auth_params.get('client_secret')
access_token = self._auth_params.get('access_token')
tenant_id = self._auth_params.get('tenant_id')
use_msi = self._auth_params.get('use_msi')
subscription_id = self._auth_params.get('subscription_id')
if access_token and subscription_id:
log.info("Creating session with Token Authentication")
self.subscription_id = subscription_id
self.credentials = BasicTokenAuthentication(
token={'access_token': access_token})
self._is_token_auth = True
elif client_id and client_secret and tenant_id and subscription_id:
log.info(
"Creating session with Service Principal Authentication")
self.subscription_id = subscription_id
self.credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource=self.resource_namespace)
self.tenant_id = tenant_id
elif use_msi and subscription_id:
log.info("Creating session with MSI Authentication")
self.subscription_id = subscription_id
if client_id:
self.credentials = MSIAuthentication(
client_id=client_id, resource=self.resource_namespace)
else:
self.credentials = MSIAuthentication(
resource=self.resource_namespace)
elif self._auth_params.get('enable_cli_auth'):
log.info("Creating session with Azure CLI Authentication")
self._is_cli_auth = True
(self.credentials, self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=self.resource_namespace)
log.info("Session using Subscription ID: %s" %
self.subscription_id)
except AuthenticationError as e:
log.error('Azure Authentication Failure\n'
'Error: {0}'.format(
json.dumps(e.inner_exception.error_response,
indent=2)))
sys.exit(1)
except HTTPError as e:
if keyvault_client_id and keyvault_secret_id:
log.error(
'Azure Authentication Failure\n'
'Error: Cannot retrieve SP credentials from the Key Vault '
'(KV uses MSI to access) with client id: {0}'.format(
keyvault_client_id))
elif use_msi:
log.error(
'Azure Authentication Failure\n'
'Error: Could not authenticate using managed service identity {0}'
.format(client_id if client_id else '(system identity)'))
else:
log.error('Azure Authentication Failure: %s' % e.response)
sys.exit(1)
except CLIError as e:
log.error(
'Azure Authentication Failure\n'
'Error: Could not authenticate with Azure CLI credentials: {0}'
.format(e))
sys.exit(1)
except Exception as e:
log.error('Azure Authentication Failure\n' 'Error: {0}'.format(e))
sys.exit(1)
