def get_credentials(**kwargs): # Put your credentials here in the "real" file #return UserPassCredentials( # '*****@*****.**', # 'Password' #) # Needed to play recorded tests return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def _authenticate(self): keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) client_id = self._auth_params.get('client_id') client_secret = self._auth_params.get('client_secret') access_token = self._auth_params.get('access_token') tenant_id = self._auth_params.get('tenant_id') use_msi = self._auth_params.get('use_msi') subscription_id = self._auth_params.get('subscription_id') if access_token and subscription_id: self.log.info("Creating session with Token Authentication") self.subscription_id = subscription_id self.credentials = BasicTokenAuthentication( token={'access_token': access_token}) self._is_token_auth = True elif client_id and client_secret and tenant_id and subscription_id: self.log.info( "Creating session with Service Principal Authentication") self.subscription_id = subscription_id self.credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource=self.resource_namespace) self.tenant_id = tenant_id elif use_msi and subscription_id: self.log.info("Creating session with MSI Authentication") self.subscription_id = subscription_id if client_id: self.credentials = MSIAuthentication( client_id=client_id, resource=self.resource_namespace) else: self.credentials = MSIAuthentication( resource=self.resource_namespace) elif self._auth_params.get('enable_cli_auth'): self.log.info("Creating session with Azure CLI Authentication") self._is_cli_auth = True try: (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=self.resource_namespace) except Exception: self.log.error('Unable to authenticate with Azure') self.log.info("Session using Subscription ID: %s" % self.subscription_id)
def _initialize_session(self): """ Creates a session using available authentication type. Auth priority: 1. Token Auth 2. Tenant Auth 3. Azure CLI Auth """ # Only run once if self.credentials is not None: return tenant_auth_variables = [ 'AZURE_TENANT_ID', 'AZURE_SUBSCRIPTION_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET' ] token_auth_variables = ['AZURE_ACCESS_TOKEN', 'AZURE_SUBSCRIPTION_ID'] if all(k in os.environ for k in token_auth_variables): # Token authentication self.credentials = BasicTokenAuthentication( token={ 'access_token': os.environ['AZURE_ACCESS_TOKEN'] }) self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID'] self.log.info("Creating session with Token Authentication") elif all(k in os.environ for k in tenant_auth_variables): # Tenant (service principal) authentication self.credentials = ServicePrincipalCredentials( client_id=os.environ['AZURE_CLIENT_ID'], secret=os.environ['AZURE_CLIENT_SECRET'], tenant=os.environ['AZURE_TENANT_ID'] ) self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID'] self.tenant_id = os.environ['AZURE_TENANT_ID'] self.log.info("Creating session with Service Principal Authentication") else: # Azure CLI authentication (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id) self.log.info("Creating session with Azure CLI Authentication") # Let provided id parameter override everything else if self.subscription_id_override is not None: self.subscription_id = self.subscription_id_override self.log.info("Session using Subscription ID: %s" % self.subscription_id) if self.credentials is None: self.log.error('Unable to locate credentials for Azure session.')
def authenticate(self): # type: () -> TokenProvider.AuthenticationResult credential = BasicTokenAuthentication( token={'access_token': self.access_token}) decoded = jwt.decode(credential.token['access_token'], verify=False) return TokenProvider.AuthenticationResult( credential=credential, subscription_id=self.subscription_id, tenant_id=decoded['tid'])
def _create_azure_sdk_mgmt_client( self, client_class, **kwargs): if not self.is_live_mode: credentials = BasicTokenAuthentication( token = { 'access_token':'faked_token' }) if 'subscription_id' in kwargs: client = client_class( credentials, kwargs['subscription_id']) else: client = client_class( credentials) client.config.long_running_operation_timeout = 0 else: if kwargs is not None and \ len(kwargs) > 0 and \ 'client_id' in kwargs and \ kwargs['client_id'] is not None and \ 'secret' in kwargs and \ kwargs['secret'] is not None: # Secrets passed, let's authenticate the SDK using the values passed. credentials = \ ServicePrincipalCredentials( client_id=kwargs['client_id'], secret=kwargs['secret'], tenant=kwargs['tenant_id']) if 'subscription_id' in kwargs: client = client_class( credentials, kwargs['subscription_id']) else: client = client_class(credentials) else: from azure.common.client_factory import get_client_from_cli_profile # No credentials passed, let's attempt to get the credentials from az login if 'subscription_id' in kwargs: client = get_client_from_cli_profile( client_class, subscription_id=kwargs['subscription_id']) else: client = get_client_from_cli_profile( client_class) return client
def getAccessKey(self) -> str: self.tracer.info("getting access key for Storage Queue") storageclient = StorageManagementClient(credentials = BasicTokenAuthentication(self.token), subscription_id = self.subscriptionId) # Retrieve keys from storage accounts storageKeys = storageclient.storage_accounts.list_keys(resource_group_name = self.resourceGroup, account_name = self.accountName) if storageKeys is None or len(storageKeys.keys) == 0 : self.log.error("could not retrieve storage keys of the storage account %s" % self.accountName) return None return storageKeys.keys[0].value
def __init__(self, args): self._args = args self._compute_client = None self._resource_client = None self._network_client = None self.debug = False if args.debug: self.debug = True self.credentials = self._get_credentials(args) if not self.credentials: self.fail("Failed to get credentials. Either pass as parameters, set environment variables, " "or define a profile in ~/.azure/credentials.") if self.credentials.get('subscription_id', None) is None: self.fail("Credentials did not include a subscription_id value.") self.log("setting subscription_id") self.subscription_id = self.credentials['subscription_id'] if self.credentials.get('client_id') is not None and \ self.credentials.get('secret') is not None and \ self.credentials.get('tenant') is not None: self.azure_credentials = ServicePrincipalCredentials(client_id=self.credentials['client_id'], secret=self.credentials['secret'], tenant=self.credentials['tenant']) elif self.credentials.get('ad_user') is not None and \ self.credentials.get('password') is not None and \ self.credentials.get('client_id') is not None and \ self.credentials.get('authority') is not None: # ADAL support # Default value for resource resource = self.credentials['resource'] if resource is None: resource = 'https://management.core.windows.net/' # Get context context = adal.AuthenticationContext(self.credentials['authority']) # Get token raw_token = context.acquire_token_with_username_password(resource, self.credentials['ad_user'], self.credentials['password'], self.credentials['client_id']) # From CamelCase to underscore token = {} for key, value in raw_token.items(): token[re.sub( '(?<!^)(?=[A-Z])', '_', key).lower()] = value # Get azure credentials self.azure_credentials = BasicTokenAuthentication(token) elif self.credentials.get('ad_user') is not None and self.credentials.get('password') is not None: self.azure_credentials = UserPassCredentials(self.credentials['ad_user'], self.credentials['password']) else: self.fail("Failed to authenticate with provided credentials. Some attributes were missing. " "Credentials must include client_id, secret and tenant or ad_user and password.")
def get_credentials(**kwargs): # Put your credentials here in the "real" file #return UserPassCredentials( # '*****@*****.**', # 'Password' #) # note that UserCredential does not work any longer. Must use a ServicePrincipal. # for deprecated APIs I believe will still work. # return ServicePrincipalCredentials( # client_id = '<AAD App client id>', # secret = '<secret for the aad app>', # tenant = '<microsoft aad tenant id>' # ) # Needed to play recorded tests return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def getAccessKey(self): """ Get the access key to the storage queue """ storageclient = StorageManagementClient( credentials=BasicTokenAuthentication(self.token), subscription_id=self.subscriptionId) storageKeys = storageclient.storage_accounts.list_keys( resource_group_name=self.resourceGroup, account_name=self.accountName) if storageKeys is None or len(storageKeys.keys) <= 0: print("Could not retrive storage keys of the storage account{0}". format(self.accountName)) return None return storageKeys.keys[0].value
def __init__(self, subscription_id=None): self.log = logging.getLogger('custodian.azure.session') self._provider_cache = {} self.subscription_id = subscription_id tenant_auth_variables = [ 'AZURE_TENANT_ID', 'AZURE_SUBSCRIPTION_ID', 'AZURE_CLIENT_ID', 'AZURE_CLIENT_SECRET' ] token_auth_variables = ['AZURE_ACCESS_TOKEN', 'AZURE_SUBSCRIPTION_ID'] # If the user has specified they want to auth with Azure CLI # then load up the cached CLI credentials if 'AZURE_CLI_AUTH' in os.environ: (self.credentials, subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=AZURE_PUBLIC_CLOUD.endpoints. active_directory_resource_id) if self.subscription_id is None: self.subscription_id = subscription_id return # Try to do token auth which supports unit tests or other integrations # which want to pass an existing token if all(k in os.environ for k in token_auth_variables): self.credentials = BasicTokenAuthentication( token={'access_token': os.environ['AZURE_ACCESS_TOKEN']}) if self.subscription_id is None: self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID'] return # Set credentials with environment variables if all # required variables are present if all(k in os.environ for k in tenant_auth_variables): self.credentials = ServicePrincipalCredentials( client_id=os.environ['AZURE_CLIENT_ID'], secret=os.environ['AZURE_CLIENT_SECRET'], tenant=os.environ['AZURE_TENANT_ID']) if self.subscription_id is None: self.subscription_id = os.environ['AZURE_SUBSCRIPTION_ID'] self.tenant_id = os.environ['AZURE_TENANT_ID'] return self.log.error('Unable to locate credentials for Azure session.')
def legacy_credentials(self, scope): # Track 2 SDKs use tuple token = self.get_token((scope + '.default')) return BasicTokenAuthentication(token={'access_token': token.token})
def _initialize_session(self): """ Creates a session using available authentication type. Auth priority: 1. Token Auth 2. Tenant Auth 3. Azure CLI Auth """ # Only run once if self.credentials is not None: return tenant_auth_variables = [ constants.ENV_TENANT_ID, constants.ENV_SUB_ID, constants.ENV_CLIENT_ID, constants.ENV_CLIENT_SECRET ] token_auth_variables = [ constants.ENV_ACCESS_TOKEN, constants.ENV_SUB_ID ] msi_auth_variables = [constants.ENV_USE_MSI, constants.ENV_SUB_ID] if self.authorization_file: self.credentials, self.subscription_id = self.load_auth_file( self.authorization_file) self.log.info("Creating session with authorization file") elif all(k in os.environ for k in token_auth_variables): # Token authentication self.credentials = BasicTokenAuthentication( token={'access_token': os.environ[constants.ENV_ACCESS_TOKEN]}) self.subscription_id = os.environ[constants.ENV_SUB_ID] self.log.info("Creating session with Token Authentication") self._is_token_auth = True elif all(k in os.environ for k in tenant_auth_variables): # Tenant (service principal) authentication self.credentials = ServicePrincipalCredentials( client_id=os.environ[constants.ENV_CLIENT_ID], secret=os.environ[constants.ENV_CLIENT_SECRET], tenant=os.environ[constants.ENV_TENANT_ID], resource=self.resource_namespace) self.subscription_id = os.environ[constants.ENV_SUB_ID] self.tenant_id = os.environ[constants.ENV_TENANT_ID] self.log.info( "Creating session with Service Principal Authentication") elif all(k in os.environ for k in msi_auth_variables): # MSI authentication if constants.ENV_CLIENT_ID in os.environ: self.credentials = MSIAuthentication( client_id=os.environ[constants.ENV_CLIENT_ID], resource=self.resource_namespace) else: self.credentials = MSIAuthentication( resource=self.resource_namespace) self.subscription_id = os.environ[constants.ENV_SUB_ID] self.log.info("Creating session with MSI Authentication") else: # Azure CLI authentication self._is_cli_auth = True (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=self.resource_namespace) self.log.info("Creating session with Azure CLI Authentication") # Let provided id parameter override everything else if self.subscription_id_override is not None: self.subscription_id = self.subscription_id_override self.log.info("Session using Subscription ID: %s" % self.subscription_id) if self.credentials is None: self.log.error('Unable to locate credentials for Azure session.')
def main(): argument_spec = dict(azure_url=dict(default=AZURE_URL), subscription_id=dict(required=False), client_secret=dict(no_log=True), client_id=dict(), tenant_or_domain=dict(), security_token=dict(aliases=['access_token'], no_log=True), resource_group_name=dict(required=True), state=dict(default='present', choices=['present', 'absent']), template=dict(default=None, type='dict'), parameters=dict(default=None, type='dict'), template_link=dict(default=None), parameters_link=dict(default=None), location=dict(default="West US")) module = AnsibleModule( argument_spec=argument_spec, mutually_exclusive=[['template_link', 'template'], ['parameters_link', 'parameters']], ) if not HAS_DEPS: module.fail_json(msg='requests and azure are required for this module') conn_info = get_azure_connection_info(module) if conn_info['security_token'] is None and \ (conn_info['client_id'] is None or conn_info['client_secret'] is None or conn_info[ 'tenant_or_domain'] is None): module.fail_json( msg= 'security token or client_id, client_secret and tenant_or_domain is required' ) if conn_info['security_token'] is None: conn_info['security_token'] = get_token(conn_info['tenant_or_domain'], conn_info['client_id'], conn_info['client_secret']) if conn_info['security_token'] is None: module.fail_json( msg= 'failed to retrieve a security token from Azure Active Directory') credentials = BasicTokenAuthentication( token={'access_token': conn_info['security_token']}) subscription_id = module.params.get('subscription_id') resource_client = ResourceManagementClient( ResourceManagementClientConfiguration(credentials, subscription_id)) network_client = NetworkManagementClient( NetworkManagementClientConfiguration(credentials, subscription_id)) conn_info['deployment_name'] = 'ansible-arm' if module.params.get('state') == 'present': deployment = deploy_template(module, resource_client, conn_info) data = dict(name=deployment.name, group_name=conn_info['resource_group_name'], id=deployment.id, outputs=deployment.properties.outputs, instances=get_instances(network_client, conn_info['resource_group_name'], deployment), changed=True, msg='deployment created') dir(data) module.exit_json(**data) else: destroy_resource_group(module, resource_client, conn_info) module.exit_json(changed=True, msg='deployment deleted')
def get_arm_creds(self): return BasicTokenAuthentication( self.get_creds(AZURE_MANAGEMENT_RESOURCE2))
def _authenticate(self): try: keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) client_id = self._auth_params.get('client_id') client_secret = self._auth_params.get('client_secret') access_token = self._auth_params.get('access_token') tenant_id = self._auth_params.get('tenant_id') use_msi = self._auth_params.get('use_msi') subscription_id = self._auth_params.get('subscription_id') if access_token and subscription_id: log.info("Creating session with Token Authentication") self.subscription_id = subscription_id self.credentials = BasicTokenAuthentication( token={'access_token': access_token}) self._is_token_auth = True elif client_id and client_secret and tenant_id and subscription_id: log.info( "Creating session with Service Principal Authentication") self.subscription_id = subscription_id self.credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource=self.resource_namespace) self.tenant_id = tenant_id elif use_msi and subscription_id: log.info("Creating session with MSI Authentication") self.subscription_id = subscription_id if client_id: self.credentials = MSIAuthentication( client_id=client_id, resource=self.resource_namespace) else: self.credentials = MSIAuthentication( resource=self.resource_namespace) elif self._auth_params.get('enable_cli_auth'): log.info("Creating session with Azure CLI Authentication") self._is_cli_auth = True (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=self.resource_namespace) log.info("Session using Subscription ID: %s" % self.subscription_id) except AuthenticationError as e: log.error('Azure Authentication Failure\n' 'Error: {0}'.format( json.dumps(e.inner_exception.error_response, indent=2))) sys.exit(1) except HTTPError as e: if keyvault_client_id and keyvault_secret_id: log.error( 'Azure Authentication Failure\n' 'Error: Cannot retrieve SP credentials from the Key Vault ' '(KV uses MSI to access) with client id: {0}'.format( keyvault_client_id)) elif use_msi: log.error( 'Azure Authentication Failure\n' 'Error: Could not authenticate using managed service identity {0}' .format(client_id if client_id else '(system identity)')) else: log.error('Azure Authentication Failure: %s' % e.response) sys.exit(1) except CLIError as e: log.error( 'Azure Authentication Failure\n' 'Error: Could not authenticate with Azure CLI credentials: {0}' .format(e)) sys.exit(1) except Exception as e: log.error('Azure Authentication Failure\n' 'Error: {0}'.format(e)) sys.exit(1)
def get_credentials(): return BasicTokenAuthentication(token={'access_token': 'faked_token'})
def fake_credentials(): return ( BasicTokenAuthentication({'access_token': 'fake_token'}), DUMMY_UUID )
def __init__(self, derived_arg_spec, bypass_checks=False, no_log=False, check_invalid_arguments=True, mutually_exclusive=None, required_together=None, required_one_of=None, add_file_common_args=False, supports_check_mode=False, required_if=None, supports_tags=True, facts_module=False): merged_arg_spec = dict() merged_arg_spec.update(AZURE_COMMON_ARGS) if supports_tags: merged_arg_spec.update(AZURE_TAG_ARGS) if derived_arg_spec: merged_arg_spec.update(derived_arg_spec) merged_required_if = list(AZURE_COMMON_REQUIRED_IF) if required_if: merged_required_if += required_if self.module = AnsibleModule( argument_spec=merged_arg_spec, bypass_checks=bypass_checks, no_log=no_log, check_invalid_arguments=check_invalid_arguments, mutually_exclusive=mutually_exclusive, required_together=required_together, required_one_of=required_one_of, add_file_common_args=add_file_common_args, supports_check_mode=supports_check_mode, required_if=merged_required_if) if not HAS_MSRESTAZURE: self.fail( "Do you have msrestazure installed? Try `pip install msrestazure`" "- {0}".format(HAS_MSRESTAZURE_EXC)) if not HAS_AZURE: self.fail( "Do you have azure>={1} installed? Try `pip install 'azure>={1}' --upgrade`" "- {0}".format(HAS_AZURE_EXC, AZURE_MIN_RELEASE)) self._network_client = None self._storage_client = None self._resource_client = None self._compute_client = None self._ignore_register = True self.check_mode = self.module.check_mode self.facts_module = facts_module # self.debug = self.module.params.get('debug') # authenticate self.credentials = self._get_credentials(self.module.params) if not self.credentials: self.fail( "Failed to get credentials. Either pass as parameters, set environment variables, " "or define a profile in ~/.azure/credentials.") if self.credentials.get('subscription_id', None) is None: self.fail("Credentials did not include a subscription_id value.") self.log("setting subscription_id") self.subscription_id = self.credentials['subscription_id'] if self.credentials.get('client_id') is not None and \ self.credentials.get('secret') is not None and \ self.credentials.get('tenant') is not None: self.azure_credentials = ServicePrincipalCredentials( client_id=self.credentials['client_id'], secret=self.credentials['secret'], tenant=self.credentials['tenant']) elif self.credentials.get('ad_user') is not None and \ self.credentials.get('password') is not None and \ self.credentials.get('client_id') is not None and \ self.credentials.get('authority') is not None: # ADAL support # Default value for resource resource = self.credentials['resource'] if self.credentials['resource'] is None: resource = 'https://management.core.windows.net/' # Get context context = adal.AuthenticationContext(self.credentials['authority']) # Get token raw_token = context.acquire_token_with_username_password( resource, self.credentials['ad_user'], self.credentials['password'], self.credentials['client_id']) # From CamelCase to underscore token = {} for key, value in raw_token.items(): token[re.sub('(?<!^)(?=[A-Z])', '_', key).lower()] = value # Get azure credentials self.azure_credentials = BasicTokenAuthentication(token) # In that case, we don't need to register self._ignore_register = False elif self.credentials.get( 'ad_user') is not None and self.credentials.get( 'password') is not None: self.azure_credentials = UserPassCredentials( self.credentials['ad_user'], self.credentials['password']) else: self.fail( "Failed to authenticate with provided credentials. Some attributes were missing. " "Credentials must include client_id, secret and tenant or ad_user and password." ) # common parameter validation if self.module.params.get('tags'): self.validate_tags(self.module.params['tags']) res = self.exec_module(**self.module.params) self.module.exit_json(**res)