def get_account_details(creds): subscription_client = SubscriptionClient(creds) model = AccountDetails() model.subscriptions = list(subscription_client.subscriptions.list()) model.tenants = list(subscription_client.tenants.list()) return model
def __init__(self, *args, **kwargs): super(Azure, self).__init__(*args, **kwargs) self._subscription_id = CONFIG.AZURE_SUBSCRIPTION_ID self._credentials = ServicePrincipalCredentials( client_id=CONFIG.AZURE_CLIENT_ID, secret=CONFIG.AZURE_SECRET, tenant=CONFIG.AZURE_TENANT) self._subscription_client = SubscriptionClient(self._credentials) self._compute_client = ComputeManagementClient(self._credentials, self._subscription_id) self._resource_client = ResourceManagementClient( self._credentials, self._subscription_id) self._network_client = NetworkManagementClient(self._credentials, self._subscription_id) self._monitor_client = MonitorClient(self._credentials, self._subscription_id) self._resource_groups = [] for resource_group in self._resource_client.resource_groups.list(): self._resource_groups.append(resource_group.name) for location in self._subscription_client.subscriptions.list_locations( self._subscription_id): self._regions.append(location.name) self._check_region()
def cae_test(self, credential): client = SubscriptionClient(credential, base_url=self.cae_settings["arm_url"]) # get an access token for ARM list(client.subscriptions.list()) first_token = credential.get_token(self.cae_settings["arm_scope"]) if self.is_live: validate_ssm_token(first_token.token) # revoking sessions revokes access and refresh tokens self.disable_recording = True graph_token = credential.get_token("User.ReadWrite") response = credential._client.post( self.cae_settings["graph_url"].rstrip("/") + "/v1.0/me/revokeSignInSessions", headers={"Authorization": "Bearer " + graph_token.token}, ) self.disable_recording = False assert 200 <= response.status_code < 300, "session revocation failed: " + response.text( ) # wait for the resource provider to observe the revocation event time.sleep(400) # The client should authorize this request with a revoked token, and receive a challenge. # Silent authentication will fail because the refresh token has been revoked. list(client.subscriptions.list()) # the credential should have reauthenticated the user and acquired a new access token second_token = credential.get_token(self.cae_settings["arm_scope"]) assert second_token.token != first_token.token
def create_arm_client_factory(config): if arm_client_factory: return arm_client_factory(config) else: return allow_debug_connection( SubscriptionClient( config, base_url=CLOUD.endpoints.resource_manager))
def __init__(self, auth_context_factory, adal_token_cache, arm_client_factory=None): from azure.mgmt.resource.subscriptions import SubscriptionClient self._adal_token_cache = adal_token_cache self._auth_context_factory = auth_context_factory self.user_id = None # will figure out after log user in self._arm_client_factory = arm_client_factory or \ (lambda config: SubscriptionClient(config, base_url=CLOUD.endpoints.resource_manager)) #pylint: disable=unnecessary-lambda
def get_subscriptions(credentials): subscriptions_client = SubscriptionClient(credentials) subscriptions = subscriptions_client.subscriptions.list() subscription_list = [] for subscription in subscriptions: subscription_list.append(subscription) return subscription_list
def get_sub_list(context, sub_list=None): sub_client = SubscriptionClient( context.auth.resource_cred, base_url=context.cloudContext.cloud.endpoints.resource_manager) tens = [ten for ten in sub_client.tenants.list()] ten_asset = { "tenantId": tens[0].tenant_id, "category": tens[0].tenant_category, "country": tens[0].country, "countryCode": tens[0].country_code, "name": tens[0].display_name, "domains": tens[0].domains, "subscriptions": [] } subs = [sub for sub in sub_client.subscriptions.list()] if sub_list: subs = filter(lambda s: s.subscription_id in sub_list_filter, subs) sub_ids = [sub.subscription_id for sub in subs] for sub in subs: client = ResourceManagementClient( context.auth.resource_cred, sub.subscription_id, base_url=context.cloudContext.cloud.endpoints.resource_manager) resource_groups = [rg for rg in client.resource_groups.list()] sub_asset = { "name": sub.display_name, "state": sub.state.value, "id": sub.id, "subscriptionId": sub.subscription_id, "managedBy": [tenant.tenant_id for tenant in sub.managed_by_tenants] or "", "tags": [[k, v] for k, v in sub.tags.items()] if isinstance( sub.tags, dict) else [], "resourceGroups": [{ "id": rg.id, "name": rg.name, "location": rg.location, "type": rg.type, "managedBy": rg.managed_by or "", "tags": [[k, v] for k, v in sub.tags.items()] if isinstance( sub.tags, dict) else None } for rg in resource_groups] } if sub.subscription_policies.spending_limit: sub_asset[ "spendingLimit"] = sub.subscription_policies.spending_limit.value ten_asset["subscriptions"].append(sub_asset) Recorder.writestr("subdata.json", json.dumps([ten_asset], sort_keys=True)) return sub_ids
def __init__(self, auth_context_factory, adal_token_cache, arm_client_factory=None): self._adal_token_cache = adal_token_cache self._auth_context_factory = auth_context_factory self.user_id = None # will figure out after log user in self._arm_client_factory = arm_client_factory or \ (lambda config: SubscriptionClient(config)) #pylint: disable=unnecessary-lambda
def _get_client(self): """ :return: Azure SubscriptionClient object """ if self._client is None: self._client = SubscriptionClient(self._config.service_principal) return self._client
def get_subscriptions(cls, credentials, email_client): """ Gets the list of subscriptions that app has access to. """ subscription_client = SubscriptionClient(credentials) subscriptions = subscription_client.subscriptions.list() return [ cls(credentials, sub["subscription_id"], email_client) for sub in [sub_itr.__dict__ for sub_itr in subscriptions] ]
def retrieve_accounts(self): if not self.__token_service.logged_in_user: raise UserNotLoggedInError() accounts = [] sub_client = SubscriptionClient(self.__token_service.credentials) for sub in sub_client.subscriptions.list(): dla_client = DataLakeAnalyticsAccountManagementClient(self.__token_service.credentials, sub.subscription_id) accounts.extend([AdlaAccount(account.name) for account in dla_client.accounts.list()]) return accounts
def _subscription_id(subscription_name: str = None) -> str: subscription_list = SubscriptionClient(_credential()).subscriptions.list() if subscription_name is None: return next(subscription_list).subscription_id for sub in subscription_list: if sub.display_name == subscription_name: return sub.subscription_id raise ValueError( f"Could not find a subscription with name {subscription_name}")
def _get_msi_credentials(self, subscription_id_param=None): credentials = MSIAuthentication() try: # try to get the subscription in MSI to test whether MSI is enabled subscription_client = SubscriptionClient(credentials) subscription = next(subscription_client.subscriptions.list()) subscription_id = str(subscription.subscription_id) return { 'credentials': credentials, 'subscription_id': subscription_id_param or subscription_id } except Exception as exc: return None
def _get_msi_credentials(self, subscription_id_param=None): credentials = MSIAuthentication() subscription_id_param = subscription_id_param or os.environ.get(AZURE_CREDENTIAL_ENV_MAPPING['subscription_id'], None) try: # try to get the subscription in MSI to test whether MSI is enabled subscription_client = SubscriptionClient(credentials) subscription = next(subscription_client.subscriptions.list()) subscription_id = str(subscription.subscription_id) return { 'credentials': credentials, 'subscription_id': subscription_id_param or subscription_id } except Exception as exc: return None
def make_azure_items(all_credentials): """Make simplestreams Items for existing Azure images. All versions of all images matching IMAGE_SPEC will be returned. all_credentials is a dict of credentials in the credentials.yaml structure, used to create Azure credentials. """ subscription_id, credentials = get_azure_credentials(all_credentials) sub_client = SubscriptionClient(credentials) client = ComputeManagementClient(credentials, subscription_id) locations = sub_client.subscriptions.list_locations(subscription_id) items = find_ubuntu_items(client, locations) items.extend(find_spec_items(client, locations)) return items
def _get_msi_credentials(self, subscription_id_param=None): credentials = MSIAuthentication() subscription_id = subscription_id_param or os.environ.get( AZURE_CREDENTIAL_ENV_MAPPING['subscription_id'], None) if not subscription_id: try: # use the first subscription of the MSI subscription_client = SubscriptionClient(credentials) subscription = next(subscription_client.subscriptions.list()) subscription_id = str(subscription.subscription_id) except Exception as exc: self.fail( "Failed to get MSI token: {0}. " "Please check whether your machine enabled MSI or grant access to any subscription." .format(str(exc))) return {'credentials': credentials, 'subscription_id': subscription_id}
def available_subscriptions(self): """Retrieve the currently available subscriptions to populate the subscription selection drop down. """ if not self.subscription_client: self.subscription_client = SubscriptionClient( self.mgmtCredentials, base_url=self.aad_environment_provider.getResourceManager( self.aad_environment_id)) all_subscriptions = self._call( self.subscription_client.subscriptions.list) self.subscriptions = [] for subscription in all_subscriptions: self.subscriptions.append(subscription) self.count = len(self.subscriptions) return self.subscriptions
def main(output): """ Generate a c7n-org subscriptions config file """ client = SubscriptionClient(Session().get_credentials()) subs = [sub.serialize(True) for sub in client.subscriptions.list()] results = [] for sub in subs: sub_info = { 'subscription_id': sub['subscriptionId'], 'name': sub['displayName'] } results.append(sub_info) print(yaml_dump({'subscriptions': results}), file=output)
def get_tenant_id(subscription_id): # Get the default ARM App Only Access Token tenant_id = 'common' credentials = get_app_credentials(g.resource_arm, tenant_id) subscriptions_client = SubscriptionClient(credentials) # Try to get information about the subscription, expect an error try: subscriptions_client.subscriptions.get(subscription_id) except Exception as e: # If Error says the token is from the wrong tenant, parse the correct tenant, and return it if 'InvalidAuthenticationTokenTenant' in str(e): tenant_id = re.findall( "Please use the authority \(URL\) 'https\:\/\/login\.windows\.net\/(.*)'", str(e))[0] return tenant_id
def test_cae(credential): print("testing CAE with " + credential.__class__.__name__) # Enable NetworkTraceLoggingPolicy by setting logging_enable client = SubscriptionClient(credential, base_url=ARM_URL, logging_enable=True) # verify the credential can get a valid access token list(client.subscriptions.list()) first_token = credential.get_token(ARM_SCOPE) print("acquired access token for ARM:") print(first_token.token) # verify it's a CAE token, i.e. that it can be revoked _, payload, _ = first_token.token.split(".") decoded_payload = base64.urlsafe_b64decode(payload + "==").decode() parsed_payload = json.loads(decoded_payload) assert ( # ssm == Smart Session Management parsed_payload.get("xms_ssm") == "1" ), "CAE isn't enabled for the tenant or user, or MSAL didn't claim client capability CP1" # revoking the user's sessions will revoke access and refresh tokens graph_token = credential.get_token("User.ReadWrite") response = requests.post( "https://graph.microsoft.com/v1.0/me/revokeSignInSessions", headers={"Authorization": "Bearer " + graph_token.token}, ) response.raise_for_status() print("revoked user's sessions") print("waiting for ARM to revoke tokens...") # usually takes <5 minutes retry_delay = 10 for i in range(600 // retry_delay): list(client.subscriptions.list()) current_token = credential.get_token(ARM_SCOPE) if current_token.token != first_token.token: print("silently completed a claims challenge") return time.sleep(retry_delay) print("...%i seconds" % ((i + 1) * retry_delay)) print("inconclusive test -- the first ARM token hasn't been revoked")
def retrieve_accounts(self, page_index, page_account_number): if (not self.__token_service.logged_in_user): raise UserNotLoggedInError() accounts = [] sub_client = SubscriptionClient(self.__token_service.credentials) for sub in sub_client.subscriptions.list(): dla_client = DataLakeAnalyticsAccountManagementClient( self.__token_service.credentials, sub.subscription_id) accounts.extend([ AdlaAccount(account.name) for account in dla_client.account.list() ]) accounts.sort(key=lambda account: getattr(account, "name")) skipped_account_number = page_index * page_account_number return accounts[skipped_account_number:skipped_account_number + page_account_number]
def _configure_post_auth(self): self.mgmtCredentials = AADTokenCredentials( self.mgmt_auth_token, cloud_environment=self.aad_environment_provider. getEnvironmentForId(self.aad_environment_id), tenant=self.aad_tenant_name) self.batchCredentials = AADTokenCredentials( self.batch_auth_token, cloud_environment=self.aad_environment_provider. getEnvironmentForId(self.aad_environment_id), tenant=self.aad_tenant_name) if self.can_init_from_config: self.init_from_config() self.ui.init_from_config() else: self.subscription_client = SubscriptionClient( self.mgmtCredentials, base_url=self.aad_environment_provider.getResourceManager( self.aad_environment_id)) self.ui.init_post_auth()
from azure.mgmt.resource.resources import ResourceManagementClient from azure_identity_credential_adapter import AzureIdentityCredentialAdapter credentials = AzureIdentityCredentialAdapter() LOCATION = 'westus' print('Retrieving AppMetadata') r = requests.get("http://localhost:5000/appmetadata") app_metadata = r.json() print('Retrieving Subscriptions') subscription_client = SubscriptionClient(credentials) subscriptions = subscription_client.subscriptions.list() for subscription in subscriptions: resource_client = ResourceManagementClient(credentials, subscription.subscription_id) resources_with_appid_tag = resource_client.resource_groups.list( filter="tagName eq 'appid'") for resource in resources_with_appid_tag: print(f'Syncing {resource.name}') app_metadatum = next( (x for x in app_metadata if x['id'] == resource.tags['appid']), None)
def __init__(self, config: AzureCredentialConfig): self._client = SubscriptionClient(config.credentials)
def subscription_client(self): if not self._subscription_client: self._subscription_client = SubscriptionClient(self._credentials) return self._subscription_client
# Credentials may be kept in a separate file outside of source control. from _deploy.deploy_credentials import CREDENTIALS, SUBSCRIPTION_ID except ImportError: pass if not CREDENTIALS: print("The provided credentials were invalid.", file=sys.stderr) print("Review deploy.py and update deployment settings as necessary.", file=sys.stderr) sys.exit(1) if not SUBSCRIPTION_ID: # Display a list of available subscriptions if SUBSCRIPTION_ID was not given from azure.mgmt.resource.subscriptions import SubscriptionClient sc = SubscriptionClient(CREDENTIALS) print( 'SUBSCRIPTION_ID was not provided. Select an id from the following list.' ) for sub in sc.subscriptions.list(): print(' {}: {}'.format(sub.subscription_id, sub.display_name)) sys.exit(1) #endregion ################################################# from azure.mgmt.resource.resources import ResourceManagementClient from azure.mgmt.resource.resources.models import ResourceGroup, DeploymentProperties, DeploymentMode from _deploy.deploy_helpers import get_package, print_operation_results, Site
def subscriptions() -> List[str]: """Returns list of all Azure subscriptions logged in user has read access to.""" return [ sub.display_name for sub in SubscriptionClient(_credential()).subscriptions.list() ]