def get_credentials(**kwargs):
# Put your credentials here in the "real" file
#return UserPassCredentials(
# '*****@*****.**',
# 'Password'
#)
# Needed to play recorded tests
return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def _authenticate(self):
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id,
keyvault_secret_id)))
client_id = self._auth_params.get('client_id')
client_secret = self._auth_params.get('client_secret')
access_token = self._auth_params.get('access_token')
tenant_id = self._auth_params.get('tenant_id')
use_msi = self._auth_params.get('use_msi')
subscription_id = self._auth_params.get('subscription_id')
if access_token and subscription_id:
self.log.info("Creating session with Token Authentication")
self.subscription_id = subscription_id
self.credentials = BasicTokenAuthentication(
token={'access_token': access_token})
self._is_token_auth = True
elif client_id and client_secret and tenant_id and subscription_id:
self.log.info(
"Creating session with Service Principal Authentication")
self.subscription_id = subscription_id
self.credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource=self.resource_namespace)
self.tenant_id = tenant_id
elif use_msi and subscription_id:
self.log.info("Creating session with MSI Authentication")
self.subscription_id = subscription_id
if client_id:
self.credentials = MSIAuthentication(
client_id=client_id, resource=self.resource_namespace)
else:
self.credentials = MSIAuthentication(
resource=self.resource_namespace)
elif self._auth_params.get('enable_cli_auth'):
self.log.info("Creating session with Azure CLI Authentication")
self._is_cli_auth = True
try:
(self.credentials, self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=self.resource_namespace)
except Exception:
self.log.error('Unable to authenticate with Azure')
self.log.info("Session using Subscription ID: %s" %
self.subscription_id)
def _initialize_session(self):
"""
Creates a session using available authentication type.
Auth priority:
1. Token Auth
2. Tenant Auth
3. Azure CLI Auth
"""
# Only run once
if self.credentials is not None:
return
tenant_auth_variables = [
'AZURE_TENANT_ID', 'AZURE_SUBSCRIPTION_ID',
'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET'
]
token_auth_variables = ['AZURE_ACCESS_TOKEN', 'AZURE_SUBSCRIPTION_ID']
if all(k in os.environ for k in token_auth_variables):
# Token authentication
self.credentials = BasicTokenAuthentication(
token={
'access_token': os.environ['AZURE_ACCESS_TOKEN']
})
self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID']
self.log.info("Creating session with Token Authentication")
elif all(k in os.environ for k in tenant_auth_variables):
# Tenant (service principal) authentication
self.credentials = ServicePrincipalCredentials(
client_id=os.environ['AZURE_CLIENT_ID'],
secret=os.environ['AZURE_CLIENT_SECRET'],
tenant=os.environ['AZURE_TENANT_ID']
)
self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID']
self.tenant_id = os.environ['AZURE_TENANT_ID']
self.log.info("Creating session with Service Principal Authentication")
else:
# Azure CLI authentication
(self.credentials,
self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id)
self.log.info("Creating session with Azure CLI Authentication")
# Let provided id parameter override everything else
if self.subscription_id_override is not None:
self.subscription_id = self.subscription_id_override
self.log.info("Session using Subscription ID: %s" % self.subscription_id)
if self.credentials is None:
self.log.error('Unable to locate credentials for Azure session.')
def authenticate(self):
# type: () -> TokenProvider.AuthenticationResult
credential = BasicTokenAuthentication(
token={'access_token': self.access_token})
decoded = jwt.decode(credential.token['access_token'], verify=False)
return TokenProvider.AuthenticationResult(
credential=credential,
subscription_id=self.subscription_id,
tenant_id=decoded['tid'])
def _create_azure_sdk_mgmt_client(
self,
client_class,
**kwargs):
if not self.is_live_mode:
credentials = BasicTokenAuthentication(
token = {
'access_token':'faked_token'
})
if 'subscription_id' in kwargs:
client = client_class(
credentials,
kwargs['subscription_id'])
else:
client = client_class(
credentials)
client.config.long_running_operation_timeout = 0
else:
if kwargs is not None and \
len(kwargs) > 0 and \
'client_id' in kwargs and \
kwargs['client_id'] is not None and \
'secret' in kwargs and \
kwargs['secret'] is not None:
# Secrets passed, let's authenticate the SDK using the values passed.
credentials = \
ServicePrincipalCredentials(
client_id=kwargs['client_id'],
secret=kwargs['secret'],
tenant=kwargs['tenant_id'])
if 'subscription_id' in kwargs:
client = client_class(
credentials,
kwargs['subscription_id'])
else:
client = client_class(credentials)
else:
from azure.common.client_factory import get_client_from_cli_profile
# No credentials passed, let's attempt to get the credentials from az login
if 'subscription_id' in kwargs:
client = get_client_from_cli_profile(
client_class,
subscription_id=kwargs['subscription_id'])
else:
client = get_client_from_cli_profile(
client_class)
return client
def getAccessKey(self) -> str:
self.tracer.info("getting access key for Storage Queue")
storageclient = StorageManagementClient(credentials = BasicTokenAuthentication(self.token),
subscription_id = self.subscriptionId)
# Retrieve keys from storage accounts
storageKeys = storageclient.storage_accounts.list_keys(resource_group_name = self.resourceGroup,
account_name = self.accountName)
if storageKeys is None or len(storageKeys.keys) == 0 :
self.log.error("could not retrieve storage keys of the storage account %s" % self.accountName)
return None
return storageKeys.keys[0].value
def __init__(self, args):
self._args = args
self._compute_client = None
self._resource_client = None
self._network_client = None
self.debug = False
if args.debug:
self.debug = True
self.credentials = self._get_credentials(args)
if not self.credentials:
self.fail("Failed to get credentials. Either pass as parameters, set environment variables, "
"or define a profile in ~/.azure/credentials.")
if self.credentials.get('subscription_id', None) is None:
self.fail("Credentials did not include a subscription_id value.")
self.log("setting subscription_id")
self.subscription_id = self.credentials['subscription_id']
if self.credentials.get('client_id') is not None and \
self.credentials.get('secret') is not None and \
self.credentials.get('tenant') is not None:
self.azure_credentials = ServicePrincipalCredentials(client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=self.credentials['tenant'])
elif self.credentials.get('ad_user') is not None and \
self.credentials.get('password') is not None and \
self.credentials.get('client_id') is not None and \
self.credentials.get('authority') is not None:
# ADAL support
# Default value for resource
resource = self.credentials['resource']
if resource is None:
resource = 'https://management.core.windows.net/'
# Get context
context = adal.AuthenticationContext(self.credentials['authority'])
# Get token
raw_token = context.acquire_token_with_username_password(resource,
self.credentials['ad_user'],
self.credentials['password'],
self.credentials['client_id'])
# From CamelCase to underscore
token = {}
for key, value in raw_token.items():
token[re.sub( '(?<!^)(?=[A-Z])', '_', key).lower()] = value
# Get azure credentials
self.azure_credentials = BasicTokenAuthentication(token)
elif self.credentials.get('ad_user') is not None and self.credentials.get('password') is not None:
self.azure_credentials = UserPassCredentials(self.credentials['ad_user'], self.credentials['password'])
else:
self.fail("Failed to authenticate with provided credentials. Some attributes were missing. "
"Credentials must include client_id, secret and tenant or ad_user and password.")
def get_credentials(**kwargs):
# Put your credentials here in the "real" file
#return UserPassCredentials(
# '*****@*****.**',
# 'Password'
#)
# note that UserCredential does not work any longer. Must use a ServicePrincipal.
# for deprecated APIs I believe will still work.
# return ServicePrincipalCredentials(
# client_id = '<AAD App client id>',
# secret = '<secret for the aad app>',
# tenant = '<microsoft aad tenant id>'
# )
# Needed to play recorded tests
return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def getAccessKey(self):
"""
Get the access key to the storage queue
"""
storageclient = StorageManagementClient(
credentials=BasicTokenAuthentication(self.token),
subscription_id=self.subscriptionId)
storageKeys = storageclient.storage_accounts.list_keys(
resource_group_name=self.resourceGroup,
account_name=self.accountName)
if storageKeys is None or len(storageKeys.keys) <= 0:
print("Could not retrive storage keys of the storage account{0}".
format(self.accountName))
return None
return storageKeys.keys[0].value
def __init__(self, subscription_id=None):
self.log = logging.getLogger('custodian.azure.session')
self._provider_cache = {}
self.subscription_id = subscription_id
tenant_auth_variables = [
'AZURE_TENANT_ID', 'AZURE_SUBSCRIPTION_ID', 'AZURE_CLIENT_ID',
'AZURE_CLIENT_SECRET'
]
token_auth_variables = ['AZURE_ACCESS_TOKEN', 'AZURE_SUBSCRIPTION_ID']
# If the user has specified they want to auth with Azure CLI
# then load up the cached CLI credentials
if 'AZURE_CLI_AUTH' in os.environ:
(self.credentials, subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=AZURE_PUBLIC_CLOUD.endpoints.
active_directory_resource_id)
if self.subscription_id is None:
self.subscription_id = subscription_id
return
# Try to do token auth which supports unit tests or other integrations
# which want to pass an existing token
if all(k in os.environ for k in token_auth_variables):
self.credentials = BasicTokenAuthentication(
token={'access_token': os.environ['AZURE_ACCESS_TOKEN']})
if self.subscription_id is None:
self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID']
return
# Set credentials with environment variables if all
# required variables are present
if all(k in os.environ for k in tenant_auth_variables):
self.credentials = ServicePrincipalCredentials(
client_id=os.environ['AZURE_CLIENT_ID'],
secret=os.environ['AZURE_CLIENT_SECRET'],
tenant=os.environ['AZURE_TENANT_ID'])
if self.subscription_id is None:
self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID']
self.tenant_id = os.environ['AZURE_TENANT_ID']
return
self.log.error('Unable to locate credentials for Azure session.')
def legacy_credentials(self, scope):
# Track 2 SDKs use tuple
token = self.get_token((scope + '.default'))
return BasicTokenAuthentication(token={'access_token': token.token})
def _initialize_session(self):
"""
Creates a session using available authentication type.
Auth priority:
1. Token Auth
2. Tenant Auth
3. Azure CLI Auth
"""
# Only run once
if self.credentials is not None:
return
tenant_auth_variables = [
constants.ENV_TENANT_ID, constants.ENV_SUB_ID,
constants.ENV_CLIENT_ID, constants.ENV_CLIENT_SECRET
]
token_auth_variables = [
constants.ENV_ACCESS_TOKEN, constants.ENV_SUB_ID
]
msi_auth_variables = [constants.ENV_USE_MSI, constants.ENV_SUB_ID]
if self.authorization_file:
self.credentials, self.subscription_id = self.load_auth_file(
self.authorization_file)
self.log.info("Creating session with authorization file")
elif all(k in os.environ for k in token_auth_variables):
# Token authentication
self.credentials = BasicTokenAuthentication(
token={'access_token': os.environ[constants.ENV_ACCESS_TOKEN]})
self.subscription_id = os.environ[constants.ENV_SUB_ID]
self.log.info("Creating session with Token Authentication")
self._is_token_auth = True
elif all(k in os.environ for k in tenant_auth_variables):
# Tenant (service principal) authentication
self.credentials = ServicePrincipalCredentials(
client_id=os.environ[constants.ENV_CLIENT_ID],
secret=os.environ[constants.ENV_CLIENT_SECRET],
tenant=os.environ[constants.ENV_TENANT_ID],
resource=self.resource_namespace)
self.subscription_id = os.environ[constants.ENV_SUB_ID]
self.tenant_id = os.environ[constants.ENV_TENANT_ID]
self.log.info(
"Creating session with Service Principal Authentication")
elif all(k in os.environ for k in msi_auth_variables):
# MSI authentication
if constants.ENV_CLIENT_ID in os.environ:
self.credentials = MSIAuthentication(
client_id=os.environ[constants.ENV_CLIENT_ID],
resource=self.resource_namespace)
else:
self.credentials = MSIAuthentication(
resource=self.resource_namespace)
self.subscription_id = os.environ[constants.ENV_SUB_ID]
self.log.info("Creating session with MSI Authentication")
else:
# Azure CLI authentication
self._is_cli_auth = True
(self.credentials, self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=self.resource_namespace)
self.log.info("Creating session with Azure CLI Authentication")
# Let provided id parameter override everything else
if self.subscription_id_override is not None:
self.subscription_id = self.subscription_id_override
self.log.info("Session using Subscription ID: %s" %
self.subscription_id)
if self.credentials is None:
self.log.error('Unable to locate credentials for Azure session.')
def main():
argument_spec = dict(azure_url=dict(default=AZURE_URL),
subscription_id=dict(required=False),
client_secret=dict(no_log=True),
client_id=dict(),
tenant_or_domain=dict(),
security_token=dict(aliases=['access_token'],
no_log=True),
resource_group_name=dict(required=True),
state=dict(default='present',
choices=['present', 'absent']),
template=dict(default=None, type='dict'),
parameters=dict(default=None, type='dict'),
template_link=dict(default=None),
parameters_link=dict(default=None),
location=dict(default="West US"))
module = AnsibleModule(
argument_spec=argument_spec,
mutually_exclusive=[['template_link', 'template'],
['parameters_link', 'parameters']],
)
if not HAS_DEPS:
module.fail_json(msg='requests and azure are required for this module')
conn_info = get_azure_connection_info(module)
if conn_info['security_token'] is None and \
(conn_info['client_id'] is None or conn_info['client_secret'] is None or conn_info[
'tenant_or_domain'] is None):
module.fail_json(
msg=
'security token or client_id, client_secret and tenant_or_domain is required'
)
if conn_info['security_token'] is None:
conn_info['security_token'] = get_token(conn_info['tenant_or_domain'],
conn_info['client_id'],
conn_info['client_secret'])
if conn_info['security_token'] is None:
module.fail_json(
msg=
'failed to retrieve a security token from Azure Active Directory')
credentials = BasicTokenAuthentication(
token={'access_token': conn_info['security_token']})
subscription_id = module.params.get('subscription_id')
resource_client = ResourceManagementClient(
ResourceManagementClientConfiguration(credentials, subscription_id))
network_client = NetworkManagementClient(
NetworkManagementClientConfiguration(credentials, subscription_id))
conn_info['deployment_name'] = 'ansible-arm'
if module.params.get('state') == 'present':
deployment = deploy_template(module, resource_client, conn_info)
data = dict(name=deployment.name,
group_name=conn_info['resource_group_name'],
id=deployment.id,
outputs=deployment.properties.outputs,
instances=get_instances(network_client,
conn_info['resource_group_name'],
deployment),
changed=True,
msg='deployment created')
dir(data)
module.exit_json(**data)
else:
destroy_resource_group(module, resource_client, conn_info)
module.exit_json(changed=True, msg='deployment deleted')
def get_arm_creds(self):
return BasicTokenAuthentication(
self.get_creds(AZURE_MANAGEMENT_RESOURCE2))
def _authenticate(self):
try:
keyvault_client_id = self._auth_params.get('keyvault_client_id')
keyvault_secret_id = self._auth_params.get('keyvault_secret_id')
# If user provided KeyVault secret, we will pull auth params information from it
if keyvault_secret_id:
self._auth_params.update(
json.loads(
get_keyvault_secret(keyvault_client_id,
keyvault_secret_id)))
client_id = self._auth_params.get('client_id')
client_secret = self._auth_params.get('client_secret')
access_token = self._auth_params.get('access_token')
tenant_id = self._auth_params.get('tenant_id')
use_msi = self._auth_params.get('use_msi')
subscription_id = self._auth_params.get('subscription_id')
if access_token and subscription_id:
log.info("Creating session with Token Authentication")
self.subscription_id = subscription_id
self.credentials = BasicTokenAuthentication(
token={'access_token': access_token})
self._is_token_auth = True
elif client_id and client_secret and tenant_id and subscription_id:
log.info(
"Creating session with Service Principal Authentication")
self.subscription_id = subscription_id
self.credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource=self.resource_namespace)
self.tenant_id = tenant_id
elif use_msi and subscription_id:
log.info("Creating session with MSI Authentication")
self.subscription_id = subscription_id
if client_id:
self.credentials = MSIAuthentication(
client_id=client_id, resource=self.resource_namespace)
else:
self.credentials = MSIAuthentication(
resource=self.resource_namespace)
elif self._auth_params.get('enable_cli_auth'):
log.info("Creating session with Azure CLI Authentication")
self._is_cli_auth = True
(self.credentials, self.subscription_id,
self.tenant_id) = Profile().get_login_credentials(
resource=self.resource_namespace)
log.info("Session using Subscription ID: %s" %
self.subscription_id)
except AuthenticationError as e:
log.error('Azure Authentication Failure\n'
'Error: {0}'.format(
json.dumps(e.inner_exception.error_response,
indent=2)))
sys.exit(1)
except HTTPError as e:
if keyvault_client_id and keyvault_secret_id:
log.error(
'Azure Authentication Failure\n'
'Error: Cannot retrieve SP credentials from the Key Vault '
'(KV uses MSI to access) with client id: {0}'.format(
keyvault_client_id))
elif use_msi:
log.error(
'Azure Authentication Failure\n'
'Error: Could not authenticate using managed service identity {0}'
.format(client_id if client_id else '(system identity)'))
else:
log.error('Azure Authentication Failure: %s' % e.response)
sys.exit(1)
except CLIError as e:
log.error(
'Azure Authentication Failure\n'
'Error: Could not authenticate with Azure CLI credentials: {0}'
.format(e))
sys.exit(1)
except Exception as e:
log.error('Azure Authentication Failure\n' 'Error: {0}'.format(e))
sys.exit(1)
def get_credentials():
return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def fake_credentials():
return (
BasicTokenAuthentication({'access_token': 'fake_token'}),
DUMMY_UUID
)
def __init__(self,
derived_arg_spec,
bypass_checks=False,
no_log=False,
check_invalid_arguments=True,
mutually_exclusive=None,
required_together=None,
required_one_of=None,
add_file_common_args=False,
supports_check_mode=False,
required_if=None,
supports_tags=True,
facts_module=False):
merged_arg_spec = dict()
merged_arg_spec.update(AZURE_COMMON_ARGS)
if supports_tags:
merged_arg_spec.update(AZURE_TAG_ARGS)
if derived_arg_spec:
merged_arg_spec.update(derived_arg_spec)
merged_required_if = list(AZURE_COMMON_REQUIRED_IF)
if required_if:
merged_required_if += required_if
self.module = AnsibleModule(
argument_spec=merged_arg_spec,
bypass_checks=bypass_checks,
no_log=no_log,
check_invalid_arguments=check_invalid_arguments,
mutually_exclusive=mutually_exclusive,
required_together=required_together,
required_one_of=required_one_of,
add_file_common_args=add_file_common_args,
supports_check_mode=supports_check_mode,
required_if=merged_required_if)
if not HAS_MSRESTAZURE:
self.fail(
"Do you have msrestazure installed? Try `pip install msrestazure`"
"- {0}".format(HAS_MSRESTAZURE_EXC))
if not HAS_AZURE:
self.fail(
"Do you have azure>={1} installed? Try `pip install 'azure>={1}' --upgrade`"
"- {0}".format(HAS_AZURE_EXC, AZURE_MIN_RELEASE))
self._network_client = None
self._storage_client = None
self._resource_client = None
self._compute_client = None
self._ignore_register = True
self.check_mode = self.module.check_mode
self.facts_module = facts_module
# self.debug = self.module.params.get('debug')
# authenticate
self.credentials = self._get_credentials(self.module.params)
if not self.credentials:
self.fail(
"Failed to get credentials. Either pass as parameters, set environment variables, "
"or define a profile in ~/.azure/credentials.")
if self.credentials.get('subscription_id', None) is None:
self.fail("Credentials did not include a subscription_id value.")
self.log("setting subscription_id")
self.subscription_id = self.credentials['subscription_id']
if self.credentials.get('client_id') is not None and \
self.credentials.get('secret') is not None and \
self.credentials.get('tenant') is not None:
self.azure_credentials = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=self.credentials['tenant'])
elif self.credentials.get('ad_user') is not None and \
self.credentials.get('password') is not None and \
self.credentials.get('client_id') is not None and \
self.credentials.get('authority') is not None:
# ADAL support
# Default value for resource
resource = self.credentials['resource']
if self.credentials['resource'] is None:
resource = 'https://management.core.windows.net/'
# Get context
context = adal.AuthenticationContext(self.credentials['authority'])
# Get token
raw_token = context.acquire_token_with_username_password(
resource, self.credentials['ad_user'],
self.credentials['password'], self.credentials['client_id'])
# From CamelCase to underscore
token = {}
for key, value in raw_token.items():
token[re.sub('(?<!^)(?=[A-Z])', '_', key).lower()] = value
# Get azure credentials
self.azure_credentials = BasicTokenAuthentication(token)
# In that case, we don't need to register
self._ignore_register = False
elif self.credentials.get(
'ad_user') is not None and self.credentials.get(
'password') is not None:
self.azure_credentials = UserPassCredentials(
self.credentials['ad_user'], self.credentials['password'])
else:
self.fail(
"Failed to authenticate with provided credentials. Some attributes were missing. "
"Credentials must include client_id, secret and tenant or ad_user and password."
)
# common parameter validation
if self.module.params.get('tags'):
self.validate_tags(self.module.params['tags'])
res = self.exec_module(**self.module.params)
self.module.exit_json(**res)