def create_arm_client_factory(config): if arm_client_factory: return arm_client_factory(config) else: return change_ssl_cert_verification(SubscriptionClient( config, base_url=CLOUD.endpoints.resource_manager))
# Load the Auth File. with open(file='config/credentials/azure_sigma_auth_sp.jsonc', mode='r') as auth_file: auth_dict = json.load(fp=auth_file) # Retrieve the IDs and secret to use with ServicePrincipalCredentials tenant_id = auth_dict['tenantId'] client_id = auth_dict['clientId'] client_secret = auth_dict['clientSecret'] # Grab our credentials. credential = DefaultAzureCredential() # Pass through the credential. subscription_client = SubscriptionClient(credentials=credential) # Grab the Subscriptions Tenants. for tenant_page in subscription_client.tenants.list(): # Redfine this for Type Hinting. tenant: TenantIdDescription = tenant_page print(tenant.id) print(tenant.tenant_id) print(tenant.domains) print(tenant.country) # If you want a "dictionary", you need to explicitly say that. pprint(tenant.as_dict())
def subscription_client(self): return SubscriptionClient(self.credentials)
# ------------------------------------------------------------ # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License (MIT). See License.txt in the repo root for # license information. # ------------------------------------------------------------ from msrestazure.azure_active_directory import MSIAuthentication from azure.mgmt.resource import SubscriptionClient import azure.mgmt.cosmosdb as cosmosdbmgmt __credentials__ = MSIAuthentication() __subscription_client__ = SubscriptionClient(__credentials__) __subscription__ = next(__subscription_client__.subscriptions.list()) __subscription_id__ = __subscription__.subscription_id def get_client_using_msi_profile(): """Return a SDK client initialized with MSI credentials using default subscription """ return cosmosdbmgmt.CosmosDB(__credentials__, __subscription_id__)
def sql_vm_discovery(credentials, confluence): #Create output variables output_name = "" output_application = "" output_environment = "" output_application = "" output_owner_login = "" output_owner = "" output_project = "" output_subscription_name = "" output_resource_group = "" output_location = "" # Build Confluene body today = date.today() post_body = '' # Create a Subscription Client subscription_client = SubscriptionClient(credentials) for subscriptions in subscription_client.subscriptions.list(): vm_count = 0 print(subscriptions.display_name) subscription_name = subscriptions.display_name subscription_id = subscriptions.subscription_id output_subscription_name = subscription_name body = '' body += '<h2>Subscription: ' + subscription_name + '</h2>' body += '<table><colgroup><col /><col /></colgroup><tbody>' body += '<tr>' body += '<th>SQL Server Name</th>' body += '<th>Version</th>' body += '<th>Edition</th>' body += '<th>License</th>' body += '<th>SQL Management</th>' body += '<th>Location</th>' body += '</tr>' sql_client = SqlVirtualMachineManagementClient(credentials, subscription_id) for sql in sql_client.sql_virtual_machines.list(): vm_count += 1 output_name = sql.name output_location = sql.location output_image = sql.sql_image_offer output_sku = sql.sql_image_sku output_management = sql.sql_management output_license = sql.sql_server_license_type tags = sql.tags if tags != None: if "Application" in tags: output_application = tags["Application"] else: output_application = "" if "OwnerLogin" in tags: output_owner_login = tags["OwnerLogin"] else: output_owner_login = "" if "Owner" in tags: output_owner = tags["Owner"] else: output_owner = "" if "Environment" in tags: output_environment = tags["Environment"] else: output_environment = "" if "Project" in tags: output_project = tags["Project"] else: output_project = "" body += '<tr>' body += '<td>' + output_name + '</td>' body += '<td>' + output_image + '</td>' body += '<td>' + output_sku + '</td>' body += '<td>' + output_license + '</td>' body += '<td>' + output_management + '</td>' body += '<td>' + output_location.capitalize() + '</td>' body += '</tr>' body += '</tbody></table>' body += '<p></p>' if vm_count == 0: print("No VMs in subscription:" + subscription_name) else: post_body += body post_body += '<p>Azure Automated Inventory - SQL Server Virtual Machines </p>' post_body += '<p>Last discovery execution date :' + str(today) + '</p>' # print (post_body) #status = confluence.create_page(space='DCS',parent_id=1463911167,title="Azure Virtual Machines",body=body) status = confluence.update_page(page_id=1465450878, title="Azure SQL Server Virtual Machines", body=post_body) print(status)
def _set_subscriptions(self): # Create the client subscription_client = SubscriptionClient( self.credentials.arm_credentials) # Get all the accessible subscriptions accessible_subscriptions_list = list( subscription_client.subscriptions.list()) if not accessible_subscriptions_list: print_exception( 'The provided credentials do not have access to any subscriptions' ) self.subscription_list = [] return # Final list, start empty subscriptions_list = [] # No subscription provided, infer if not (self.subscription_ids or self.all_subscriptions): try: # Tries to read the subscription list print_info('No subscription set, inferring ID') s = next(subscription_client.subscriptions.list()) except StopIteration: print_info('Unable to infer a subscription') # If the user cannot read subscription list, ask Subscription ID: if not self.programmatic_execution: s = input('Subscription ID: ') else: print_exception('Unable to infer a Subscription ID') raise finally: print_info('Running against the "{}" subscription'.format( s.subscription_id)) subscriptions_list.append(s) # A specific set of subscriptions elif self.subscription_ids: # Only include accessible subscriptions subscriptions_list = [ s for s in accessible_subscriptions_list if s.subscription_id in self.subscription_ids ] # Verbose skip for s in self.subscription_ids: if not any(subs.subscription_id == s for subs in accessible_subscriptions_list): print_info( 'Skipping subscription "{}": this subscription does not exist or ' 'is not accessible with the provided credentials'. format(s)) print_info('Running against {} subscription(s)'.format( len(subscriptions_list))) # All subscriptions elif self.all_subscriptions: subscriptions_list = accessible_subscriptions_list print_info('Running against {} subscription(s)'.format( len(subscriptions_list))) # Other == error else: print_exception('Unknown Azure subscription option') self.subscription_list = [] raise if subscriptions_list: self.subscription_list = subscriptions_list else: print_exception('No subscriptions to scan') self.subscription_list = [] raise
def _set_subscriptions(self): # Create the client subscription_client = SubscriptionClient( self.credentials.arm_credentials) subscription_client._client.config.add_user_agent(get_user_agent()) # Get all the accessible subscriptions accessible_subscriptions_list = list( subscription_client.subscriptions.list()) if not accessible_subscriptions_list: raise AuthenticationException( 'The provided credentials do not have access to any subscriptions' ) # Final list, start empty subscriptions_list = [] # No subscription provided, infer if not (self.subscription_ids or self.all_subscriptions): try: # Tries to read the subscription list print_info('No subscription set, inferring') s = next(subscription_client.subscriptions.list()) except StopIteration: print_info('Unable to infer a subscription') # If the user cannot read subscription list, ask Subscription ID: if not self.programmatic_execution: s = input('Subscription ID: ') else: print_exception('Unable to infer a Subscription ID') # raise finally: subscriptions_list.append(s) # All subscriptions elif self.all_subscriptions: subscriptions_list = accessible_subscriptions_list # A specific set of subscriptions elif self.subscription_ids: # Only include accessible subscriptions subscriptions_list = [ s for s in accessible_subscriptions_list if s.subscription_id in self.subscription_ids ] # Verbose skip for s in self.subscription_ids: if not any(subs.subscription_id == s for subs in accessible_subscriptions_list): raise AuthenticationException( 'Subscription {} does not exist or is not accessible ' 'with the provided credentials'.format(s)) # Other == error else: raise AuthenticationException('Unknown Azure subscription option') if subscriptions_list and len(subscriptions_list) > 0: self.subscription_list = subscriptions_list if len(subscriptions_list) == 1: print_info('Running against subscription {}'.format( subscriptions_list[0].subscription_id)) else: print_info('Running against {} subscriptions'.format( len(subscriptions_list))) else: raise AuthenticationException('No subscriptions to scan')
def _get_subscription(self, session_factory, config): session = local_session(session_factory) client = SubscriptionClient(session.get_credentials()) details = client.subscriptions.get( subscription_id=session.get_subscription_id()) return details.serialize(True)
def authenticate(self, cli=None, msi=None, service_principal=None, file_auth=None, user_account=None, tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None, password=None, **kargs): """ Implements authentication for the Azure provider """ try: if cli: cli_credentials, subscription_id = get_azure_cli_credentials() return AzureCredentials(cli_credentials, subscription_id) elif msi: msi_auth_credentials = MSIAuthentication() # Get the subscription ID subscription_client = SubscriptionClient(msi_auth_credentials) try: # Tries to read the subscription list subscription = next(subscription_client.subscriptions.list()) subscription_id = subscription.subscription_id except StopIteration: # If the VM cannot read subscription list, ask Subscription ID: subscription_id = input('Subscription ID: ') return AzureCredentials(msi_auth_credentials, subscription_id) elif file_auth: data = json.loads(file_auth.read()) subscription_id = data.get('subscriptionId') tenant_id = data.get('tenantId') client_id = data.get('clientId') client_secret = data.get('clientSecret') credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id ) return AzureCredentials(credentials, subscription_id) elif service_principal: subscription_id = subscription_id if subscription_id else input( "Subscription ID: ") tenant_id = tenant_id if tenant_id else input("Tenant ID: ") client_id = client_id if client_id else input("Client ID: ") client_secret = client_secret if client_secret else getpass( "Client secret: ") credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id ) return AzureCredentials(credentials, subscription_id, tenant_id) elif user_account: username = username if username else input("Username: "******"Password: ") credentials = UserPassCredentials(username, password) if not subscription_id: # Get the subscription ID subscription_client = SubscriptionClient(credentials) try: # Tries to read the subscription list subscription = next(subscription_client.subscriptions.list()) subscription_id = subscription.subscription_id except StopIteration: # If the user cannot read subscription list, ask Subscription ID: subscription_id = input('Subscription ID: ') return AzureCredentials(credentials, subscription_id) except Exception as e: raise AuthenticationException(e)
def read(self): """Return an Azure cloud infrastructure configuration record. Yields: dict: An Azure cloud infrastructure configuration record. """ # pylint: disable=R0914 subscription_client = SubscriptionClient(self._credentials) for i, sub in enumerate(subscription_client.subscriptions.list()): subscription_id = str(sub.subscription_id) _log.info('Found subscription #%d; subscription_id: %s; ' 'display_name: %s', i, subscription_id, sub.display_name) # Initialize Azure clients for the current subscription. creds = self._credentials compute_client = ComputeManagementClient(creds, subscription_id) network_client = NetworkManagementClient(creds, subscription_id) storage_client = StorageManagementClient(creds, subscription_id) resource_client = ResourceManagementClient(creds, subscription_id) # Get iterators for each type of data. vm_list = compute_client.virtual_machines.list_all() app_gw_list = network_client.application_gateways.list_all() lb_iter = network_client.load_balancers.list_all() nic_list = network_client.network_interfaces.list_all() nsg_list = network_client.network_security_groups.list_all() pubip_list = network_client.public_ip_addresses.list_all() storage_account_list = storage_client.storage_accounts.list() resource_group_list = resource_client.resource_groups.list() resource_list = resource_client.resources.list() # Retrieve data using each iterator. for record in itertools.chain( _get_record(vm_list, 'virtual_machine', subscription_id, self._max_recs), _get_record(app_gw_list, 'app_gateway', subscription_id, self._max_recs), _get_record(lb_iter, 'lb', subscription_id, self._max_recs), _get_record(nic_list, 'nic', subscription_id, self._max_recs), _get_record(nsg_list, 'nsg', subscription_id, self._max_recs), _get_record(pubip_list, 'public_ip', subscription_id, self._max_recs), _get_record(storage_account_list, 'storage_account', subscription_id, self._max_recs), _get_record(resource_group_list, 'resource_group', subscription_id, self._max_recs), _get_record(resource_list, 'resource', subscription_id, self._max_recs), ): yield record # Break after pulling data for self._max_subs number of # subscriptions. Note that if self._max_subs is 0 or less, # then the following condition never evaluates to True. if i + 1 == self._max_subs: _log.info('Ending subscriptions fetch due to ' '_max_subs: %d', self._max_subs) break
def main(req: func.HttpRequest) -> func.HttpResponse: logger = logging.getLogger(__name__) formatter = logging.Formatter( '%(asctime)s %(name)s %(levelname)s: %(message)s') func_context = os.environ['FUNCTION_CONTEXT'] logger.debug(f"Function context --> {func_context}") credentials = None subscription_id = None kv_credentials = None kv_subscription_id = None if func_context == 'local': filehandler = logging.FileHandler('func.log') filehandler.setFormatter(formatter) logger.addHandler(filehandler) logger.setLevel(logging.DEBUG) credentials, kv_credentials, subscription_id = get_local_credentials() else: console = logging.StreamHandler() console.setLevel(logging.INFO) console.setFormatter(formatter) credentials, kv_credentials, subscription_id = get_azure_credentials() logger.debug('Python HTTP trigger function processed a request.') logger.debug(f"method={req.method}, url={req.url}, params={req.params}") logger.debug(f"body={req.get_json()}") # Handle WebHook webhook = req.get_json() # Get resource information specifically tags if this is an alert resource_id = None if "azureMonitorCommonAlertSchema" in webhook["schemaId"]: if check_keys(webhook, 'data', 'essentials', 'alertTargetIDs'): resource_id = webhook["data"]["essentials"]["alertTargetIDs"] if resource_id: resource_client = ResourceManagementClient(credentials, subscription_id) try: resource = resource_client.resources.get_by_id( resource_id[0], api_version='2018-06-01') if resource.tags: # webhook['resource_tags'] = resource.tags logger.info(f"found resource tags {resource.tags}") else: logger.info(f"no tags found in resource {resource_id}") except: logger.error( f"received exception from ResourceManagementClient for {resource_id}" ) else: logger.info("no resource_id found in webhook") subscription_client = SubscriptionClient(credentials) subscription = next(subscription_client.subscriptions.list()) webhook['additionalData'] = {} if 'motsID' in subscription.tags.keys(): webhook['additionalData']['motsID'] = subscription.tags['motsID'] logger.info(f"added subscription tags={subscription.tags}") # Key Vault stuff kv_mgmt_client = KeyVaultManagementClient(credentials, subscription_id) # kv_client = KeyVaultClient(credentials) kv_client = SecretClient(vault_url=os.environ['KEY_VAULT_URI'], credential=kv_credentials) namespace = kv_client.get_secret('EventHubNamespace').value event_hub = kv_client.get_secret('EventHub').value user = kv_client.get_secret('EventHubKeyName').value key = kv_client.get_secret('EventHubKey').value # Check whether connection string exists in Key Vault kv_prop = kv_client.list_properties_of_secrets() if 'EventHubConnectionString' in [prop.name for prop in kv_prop]: conn_string = get_kv_secret(kv_client, 'EventHubConnectionString').value else: conn_string = f"Endpoint=sb://{namespace}.servicebus.windows.net/;SharedAccessKeyName={user};SharedAccessKey={key}" eh_prod_client = EventHubProducerClient.from_connection_string( conn_string, eventhub_name=event_hub) event_data_batch = eh_prod_client.create_batch() event_data_batch.add(EventData(json.dumps(webhook))) eh_prod_client.send_batch(event_data_batch) logger.info(f"sending event to {namespace}, {json.dumps(webhook)}") date = datetime.datetime.now().strftime("%Y-%m-%dT%H:%M:%S.%f") return func.HttpResponse(json.dumps({'date': date, 'status': 'SUCCESS'}))
def authenticate(self, cli=None, msi=None, service_principal=None, file_auth=None, user_account=None, tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None, password=None, **kargs): """ Implements authentication for the Azure provider using azure-cli. Refer to https://docs.microsoft.com/en-us/python/azure/python-sdk-azure-authenticate?view=azure-python. :return: """ try: if cli: cli_credentials, self.aws_account_id = get_azure_cli_credentials() # TODO: Remove aws_account_id self.credentials = AzureCredentials(cli_credentials, self.aws_account_id) return True elif msi: credentials = MSIAuthentication() # Get the subscription ID subscription_client = SubscriptionClient(credentials) try: # Tries to read the subscription list subscription = next(subscription_client.subscriptions.list()) self.aws_account_id = subscription.subscription_id except StopIteration: # If the VM cannot read subscription list, ask Subscription ID: self.aws_account_id = input('Subscription ID: ') self.credentials = AzureCredentials(credentials, self.aws_account_id) return True elif file_auth: data = json.loads(file_auth.read()) subscription_id = data.get('subscriptionId') tenant_id = data.get('tenantId') client_id = data.get('clientId') client_secret = data.get('clientSecret') self.aws_account_id = tenant_id # TODO this is for AWS credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id ) self.credentials = AzureCredentials(credentials, subscription_id) return True elif service_principal: subscription_id = subscription_id if subscription_id else input("Subscription ID: ") tenant_id = tenant_id if tenant_id else input("Tenant ID: ") client_id = client_id if client_id else input("Client ID: ") client_secret = client_secret if client_secret else getpass("Client secret: ") self.aws_account_id = tenant_id # TODO this is for AWS credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id ) self.credentials = AzureCredentials(credentials, subscription_id) return True elif user_account: username = username if username else input("Username: "******"Password: ") credentials = UserPassCredentials(username, password) if subscription_id: self.aws_account_id = subscription_id else: # Get the subscription ID subscription_client = SubscriptionClient(credentials) try: # Tries to read the subscription list subscription = next(subscription_client.subscriptions.list()) self.aws_account_id = subscription.subscription_id except StopIteration: # If the user cannot read subscription list, ask Subscription ID: self.aws_account_id = input('Subscription ID: ') self.credentials = AzureCredentials(credentials, self.aws_account_id) return True except Exception as e: printError('Failed to authenticate to Azure') printException(e) return False
def authenticate(self, cli=None, user_account=None, service_principal=None, file_auth=None, msi=None, tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None, password=None, programmatic_execution=False, **kargs): """ Implements authentication for the Azure provider """ try: # Set logging level to error for libraries as otherwise generates a lot of warnings logging.getLogger('adal-python').setLevel(logging.ERROR) logging.getLogger('msrest').setLevel(logging.ERROR) logging.getLogger('urllib3').setLevel(logging.ERROR) if cli: credentials, subscription_id, tenant_id = get_azure_cli_credentials( with_tenant=True) graphrbac_credentials, placeholder_1, placeholder_2 = \ get_azure_cli_credentials(with_tenant=True, resource='https://graph.windows.net') elif user_account: if not (username and password): if not programmatic_execution: username = username if username else input( "Username: "******"Password: "******"Tenant ID: ") else: raise AuthenticationException('No Tenant ID set') if not client_id: if not programmatic_execution: client_id = input("Client ID: ") else: raise AuthenticationException('No Client ID set') if not client_secret: if not programmatic_execution: client_secret = getpass("Client secret: ") else: raise AuthenticationException('No Client Secret set') credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id) graphrbac_credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource='https://graph.windows.net') elif file_auth: data = json.loads(file_auth.read()) subscription_id = data.get('subscriptionId') tenant_id = data.get('tenantId') client_id = data.get('clientId') client_secret = data.get('clientSecret') credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id) graphrbac_credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource='https://graph.windows.net') elif msi: credentials = MSIAuthentication() graphrbac_credentials = MSIAuthentication( resource='https://graph.windows.net') if not subscription_id: try: # Get the subscription ID subscription_client = SubscriptionClient(credentials) print_info('No subscription set, inferring ID') # Tries to read the subscription list subscription = next( subscription_client.subscriptions.list()) subscription_id = subscription.subscription_id tenant_id = subscription.tenant_id print_info( 'Running against the {} subscription'.format( subscription_id)) except StopIteration: # If the VM cannot read subscription list, ask Subscription ID: if not programmatic_execution: subscription_id = input('Subscription ID: ') else: raise AuthenticationException( 'Unable to infer a Subscription ID') return AzureCredentials(credentials, graphrbac_credentials, subscription_id, tenant_id) except Exception as e: raise AuthenticationException(e)
def authenticate(self, cli=None, msi=None, service_principal=None, file_auth=None, user_account=None, tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None, password=None, programmatic_execution=False, **kargs): """ Implements authentication for the Azure provider """ try: if cli: credentials, subscription_id = get_azure_cli_credentials() elif msi: credentials = MSIAuthentication() # Get the subscription ID subscription_client = SubscriptionClient(credentials) try: print_info('No subscription set, inferring ID') # Tries to read the subscription list subscription = next( subscription_client.subscriptions.list()) subscription_id = subscription.subscription_id print_info('Running against the {} subscription'.format( subscription_id)) except StopIteration: # If the VM cannot read subscription list, ask Subscription ID: if not programmatic_execution: subscription_id = input('Subscription ID: ') else: AuthenticationException( 'Unable to infer a Subscription ID') elif file_auth: data = json.loads(file_auth.read()) subscription_id = data.get('subscriptionId') tenant_id = data.get('tenantId') client_id = data.get('clientId') client_secret = data.get('clientSecret') credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id) elif service_principal: if not subscription_id: if not programmatic_execution: subscription_id = input('Subscription ID: ') else: AuthenticationException('No Subscription ID set') if not tenant_id: if not programmatic_execution: tenant_id = input("Tenant ID: ") else: AuthenticationException('No Tenant ID set') if not client_id: if not programmatic_execution: client_id = input("Client ID: ") else: AuthenticationException('No Client ID set') if not client_secret: if not programmatic_execution: client_secret = getpass("Client secret: ") else: AuthenticationException('No Client Secret set') credentials = ServicePrincipalCredentials(client_id=client_id, secret=client_secret, tenant=tenant_id) elif user_account: if not username and password: if not programmatic_execution: username = username if username else input( "Username: "******"Password: ") else: AuthenticationException( 'Username and/or password not set') credentials = UserPassCredentials(username, password) if not subscription_id: # Get the subscription ID subscription_client = SubscriptionClient(credentials) try: # Tries to read the subscription list print_info('No subscription set, inferring ID') subscription = next( subscription_client.subscriptions.list()) subscription_id = subscription.subscription_id print_info( 'Running against the {} subscription'.format( subscription_id)) except StopIteration: print_info('Unable to infer a subscription') # If the user cannot read subscription list, ask Subscription ID: if not programmatic_execution: subscription_id = input('Subscription ID: ') else: AuthenticationException( 'Unable to infer a Subscription ID') return AzureCredentials(credentials, subscription_id, tenant_id) except Exception as e: raise AuthenticationException(e)
from azure.mgmt.storage import StorageManagementClient from azure.mgmt.storage.models import StorageAccountCreateParameters from pprint import pprint from msrestazure.azure_active_directory import MSIAuthentication from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient credentials, sub_id = get_azure_cli_credentials() print(credentials) # exit(0) # subscriptionClient = get_client_from_cli_profile(SubscriptionClient) subscriptionClient = SubscriptionClient(credentials) for subscription in subscriptionClient.subscriptions.list(): subscription_id = subscription.subscription_id print("Subcription ID: {} Name: {} State: {} \n\tAuth: {}".format( subscription.subscription_id, subscription.display_name, subscription.state, subscription.authorization_source)) print("\tLocation: {} \n\tQuota: {} \n\tSpendLimit: {}".format( subscription.subscription_policies.location_placement_id, subscription.subscription_policies.quota_id, subscription.subscription_policies.spending_limit)) storageClient = StorageManagementClient(credentials, subscription_id) storage_accounts = storageClient.storage_accounts.list() for sa in storage_accounts: