def get_keyvault_client(self):
# Don't use MSI credentials if the auth_source isn't set to MSI. The below will Always result in credentials when running on an Azure VM.
if self.module.params['auth_source'] == 'msi':
try:
self.log("Get KeyVaultClient from MSI")
resource = self.azure_auth._cloud_environment.suffixes.keyvault_dns.split('.', 1).pop()
credentials = MSIAuthentication(resource="https://{0}".format(resource))
return KeyVaultClient(credentials)
except Exception:
self.log("Get KeyVaultClient from service principal")
# Create KeyVault Client using KeyVault auth class and auth_callback
def auth_callback(server, resource, scope):
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
return KeyVaultClient(KeyVaultAuthentication(auth_callback))
def __init__(self, config=None):
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken
from msrestazure.azure_active_directory import ServicePrincipalCredentials
super(StorageAccountSample, self).__init__(config=config)
self.keyvault_sp_client = KeyVaultClient(
ServicePrincipalCredentials(client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id))
# the key vault storage methods, storage_account_set and regenerate_storage_account_key
# must be called by an authenticated user (not a service principal) so we create a secondary
# client which authenticates a user using device code authentication
# create a KeyVaultClient that authenticates as the user
def authenticate_user(server, resource, scope, scheme):
token = self.get_user_token(resource=resource)
return AccessToken(scheme=token['tokenType'],
token=token['accessToken'],
key=None)
self.keyvault_user_client = KeyVaultClient(
KeyVaultAuthentication(authorization_callback=authenticate_user))
self._user_id = None
self._user_oid = None
def get_keyvault_client(self):
try:
self.log("Get KeyVaultClient from MSI")
credentials = MSIAuthentication(resource='https://vault.azure.net')
return KeyVaultClient(credentials)
except Exception:
self.log("Get KeyVaultClient from service principal")
# Create KeyVault Client using KeyVault auth class and auth_callback
def auth_callback(server, resource, scope):
if self.credentials['client_id'] is None or self.credentials[
'secret'] is None:
self.fail(
'Please specify client_id, secret and tenant to access azure Key Vault.'
)
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
return KeyVaultClient(KeyVaultAuthentication(auth_callback))
class ProductionConfig(Config):
CACHE_TYPE = "filesystem"
CACHE_DIR = os.environ.get("TRACKER_CACHE_DIR", "./.cache")
CACHE_DEFAULT_TIMEOUT = int(os.environ.get("TRACKER_CACHE_TIMEOUT", A_DAY))
if os.environ.get('TRACKER_ENV', None) == "production":
if os.environ.get("TRACKER_KEYVAULT_URI",
None) is None or os.environ.get(
"SECRET_NAME_RO", None) is None:
# Error and crash hard: Production should be configured as expected.
LOGGER.error(
"KeyVault uri or secret name missing from local environment.")
sys.exit(4)
kv_uri = os.environ.get("TRACKER_KEYVAULT_URI")
kv_secret = os.environ.get("SECRET_NAME_RO")
kv_creds = MSIAuthentication(resource='https://vault.azure.net')
kv_client = KeyVaultClient(kv_creds)
MONGO_URI = kv_client.get_secret(kv_uri, kv_secret, "").value
@staticmethod
def init_app(app):
Config.init_app(app)
import logging
from logging.handlers import SysLogHandler
handler = SysLogHandler(
address=os.environ.get("TRACKER_SYSLOG", "/dev/log"))
handler.setLevel(logging.ERROR)
app.logger.addHandler(handler)
def sign(key_hash):
p2sig = ''
response = None
try:
data = request.get_json(force=True)
if key_hash in config['keys']:
info('Found key_hash {} in config'.format(key_hash))
key = config['keys'][key_hash]
kvclient = KeyVaultClient(
MSIAuthentication(resource='https://vault.azure.net'))
info('Calling remote-signer method {}'.format(data))
p2sig = RemoteSigner(kvclient, key['kv_keyname'], config,
request.environ['REMOTE_ADDR'], data).sign()
response = jsonify({'signature': p2sig})
info('Response is {}'.format(response))
else:
warning("Couldn't find key {}".format(key_hash))
response = Response('Key not found', status=404)
except Exception as e:
data = {'error': str(e)}
error('Exception thrown during request: {}'.format(str(e)))
response = app.response_class(response=json.dumps(data),
status=500,
mimetype='application/json')
info('Returning flask response {}'.format(response))
return response
def auth_using_adal_callback(self):
"""
authenticates to the Azure Key Vault by providing a callback to authenticate using adal
"""
# create a vault to validate authentication with the KeyVaultClient
vault = self.create_vault()
import adal
# create an adal authentication context
auth_context = adal.AuthenticationContext('https://login.microsoftonline.com/%s' % self.config.tenant_id)
# create a callback to supply the token type and access token on request
def adal_callback(server, resource, scope):
token = auth_context.acquire_token_with_client_credentials(resource=resource,
client_id=self.config.client_id,
client_secret=self.config.client_secret)
return token['tokenType'], token['accessToken']
# create a KeyVaultAuthentication instance which will callback to the supplied adal_callback
auth = KeyVaultAuthentication(adal_callback)
# create the KeyVaultClient using the created KeyVaultAuthentication instance
client = KeyVaultClient(auth)
# set and get a secret from the vault to validate the client is authenticated
print('creating secret...')
print(client.set_secret(vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault'))
print('getting secret...')
print(client.get_secret(vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none))
def __init__(self,
vault_base_url: str = None,
client_id: str = None,
secret: str = None,
tenant: str = None):
self.vault_base_url = vault_base_url
self.client_id = client_id
self.secret = secret
self.tenant = tenant
try:
if self.vault_base_url is None:
self.vault_base_url = os.environ["AZURE_VAULT_BASE_URL"]
if self.client_id is None:
self.client_id = os.environ['AZURE_CLIENT_ID']
if self.secret is None:
self.secret = os.environ['AZURE_SECRET_KEY']
if self.tenant is None:
self.tenant = os.environ['AZURE_TENANT_ID']
except KeyError as e:
print("Did you forget to set the environment variable?", e)
sys.exit(1)
self.client = KeyVaultClient(KeyVaultAuthentication(_auth_callback))
def main(req: func.HttpRequest) -> func.HttpResponse:
req_body = req.get_json()
source_container = req_body.get("source_container")
source_blob_name = req_body.get("source_blob")
dest_folder = req_body.get("dest_folder")
dest_container = req_body.get("dest_container")
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
key = kvclient.get_secret("https://zhenzh-databricks-kv.vault.azure.net/",
"zhenzh-python-func-account-key", "").value
converter = Excel2Csv(
BlockBlobService(account_name='zhenzhadfblobsource', account_key=key))
if source_blob_name is None:
converter.convert_and_upload(source_container, dest_container, "raw",
"curated")
else:
converter.convert_and_upload_blob("apachelog-analysis",
"apachelog-analysis",
source_blob_name, dest_folder)
return json.dumps({"result": "Conversion Finished!"})
def auth_using_service_principle_credentials(self):
"""
authenticates to the Azure Key Vault service using AAD service principle credentials
"""
# create a vault to validate authentication with the KeyVaultClient
vault = self.create_vault()
# create the service principle credentials used to authenticate the client
credentials = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
# create the client using the created credentials
client = KeyVaultClient(credentials)
# set and get a secret from the vault to validate the client is authenticated
print('creating secret...')
secret_bundle = client.set_secret(
vault.properties.vault_uri, 'auth-sample-secret',
'client is authenticated to the vault')
print(secret_bundle)
print('getting secret...')
secret_bundle = client.get_secret(
vault.properties.vault_uri,
'auth-sample-secret',
secret_version=KeyVaultId.version_none)
print(secret_bundle)
def handleHello():
try:
# get credentials
sys.stdout.write(keyVaultURL + "\n")
credentials = MSIAuthentication(resource="https://vault.azure.net")
# create a KeyVault client
sys.stdout.write("before kv client\n")
key_vault_client = KeyVaultClient(credentials)
# get the secret
sys.stdout.write("before secret\n")
secret = key_vault_client.get_secret(
keyVaultURL, # Your KeyVault URL
"hellomessage", # Name of your secret. If you followed the README 'secret' should exists
"" # The version of the secret. Empty string for latest
)
sys.stdout.write("after secret\n")
message = secret.value
res = jsonify({"Message:": message})
except Exception as e:
template = "An exception of type {0} occurred. Arguments:\n{1!r}"
message = template.format(type(e).__name__, e.args)
res = jsonify({"Message:": message})
res.status_code = 500
sys.stdout.flush()
return res
def from_config(cls, client_id, client_secret, tenant_id, vault_uri, resource=None):
# type: (str, str, str, str) -> AzureAuthentication
"""
Class method that creates an instance of this class, using the passed arguments
:param client_id: id of the KeyVault client
:param client_secret: authentication key for the KeyVault client
:param tenant_id: directory ID of the Azure subscription where the KeyVault is defined
:param vault_uri: URL of the KeyVault account
:param resource: azure uri resource. default https://management.core.windows.net/
:return: an instance of this class
"""
try:
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource=resource or DEFAULT_AUTHENTICATION_RESOURCE
)
kv_client = KeyVaultClient(KeyVaultAuthentication(credentials=credentials))
except AuthenticationError:
raise AzureAuthenticationException("The credentials provided to access KeyVault are not correct.")
return cls(
kv_client=kv_client,
vault_uri=vault_uri,
credentials=credentials
)
def _get_database_uri():
if _is_app_service():
logger.info("Getting Production DB credentials from Keyvault")
credentials = MSIAuthentication()
key_vault_client = KeyVaultClient(credentials)
key_vault_uri = os.environ.get("KEY_VAULT_URI",
"PUT YOUR KV BASE URL HERE")
logger.info("Using KEY_VAULT_URI: {}".format(key_vault_uri))
result = key_vault_client.get_secret(
vault_base_url=key_vault_uri,
secret_name="database-url",
secret_version="" # empty string -> latest version
).value
logger.info("Secret info: {} {}".format(type(result),
len(result))) # XXX TEMP DEBUG
return result
else:
# TODO: this is just to allow the create_db script to be run locally on initial setup
# Really, the KV code above should be updated to work with other non-MSI credentials
if "DATABASE_URL" in os.environ:
logger.info("Using DATABASE_URL credentials")
return os.environ['DATABASE_URL']
else:
logger.info("Using local Testing Database")
return TestingConfig.SQLALCHEMY_DATABASE_URI
def _get_client(self):
if os.getenv("USE_MSI", "false").lower() == "true":
_logger.info('Using MSI')
if "MSI_CLIENT_ID" in os.environ:
msi_client_id = os.environ["MSI_CLIENT_ID"]
_logger.info('Using client_id: %s', msi_client_id)
credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, client_id=msi_client_id)
elif "MSI_OBJECT_ID" in os.environ:
msi_object_id = os.environ["MSI_OBJECT_ID"]
_logger.info('Using object_id: %s', msi_object_id)
credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, object_id=msi_object_id)
elif "MSI_RESOURCE_ID" in os.environ:
msi_resource_id = os.environ["MSI_RESOURCE_ID"]
_logger.info('Using resource_id: %s', msi_resource_id)
credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, msi_res_id=msi_resource_id)
else:
credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME)
else:
self._parse_sp_file()
authority = '/'.join([AZURE_AUTHORITY_SERVER.rstrip('/'), self.tenant_id])
_logger.info('Using authority: %s', authority)
context = AuthenticationContext(authority)
_logger.info('Using vault resource name: %s and client id: %s', VAULT_RESOURCE_NAME, self.client_id)
credentials = AdalAuthentication(context.acquire_token_with_client_credentials, VAULT_RESOURCE_NAME,
self.client_id, self.client_secret)
return KeyVaultClient(credentials)
def login(self, credentials=None):
if credentials is None:
credentials = ServicePrincipalCredentials(
client_id='***********************', #appId
secret='***********************', #password
tenant='***********************')
self.client = KeyVaultClient(credentials)
def main(argv):
if len(sys.argv) < 3:
raise ValueError(
'Expecting vault_url, client_id, clientSecretKey,tenant_id')
vault_url = sys.argv[1]
client_id = sys.argv[2]
secretKey = sys.argv[3]
tenant_id = sys.argv[4]
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=secretKey,
tenant=tenant_id,
resource=resource_uri)
client = KeyVaultClient(KeyVaultAuthentication(None, credentials))
token = credentials.token
token_type = token['token_type']
access_token = token['access_token']
secrets = client.get_secrets(vault_url)
secretsData = {}
for secret in secrets:
secretName = secret.id.rsplit('/', 1)[-1]
secretItem = client.get_secret(vault_url, secretName, '')
secretVersion = secretItem.id.rsplit('/', 1)[-1]
secretsData[secretName] = secretVersion
json_data = json.dumps(secretsData)
print(json_data)
def get_secret_value(secret):
managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID")
key_vault_url = os.environ.get("KEY_VAULT_URL")
credentials = MSIAuthentication(client_id = managed_identity_client_id)
key_vault_client = KeyVaultClient(credentials)
secret_value = key_vault_client.get_secret(key_vault_url,secret,"")
return secret_value.value
def main():
client_id = os.getenv('AZURE_CLIENT_ID')
service_principal_secret = os.getenv('AZURE_SECRET')
tenant = os.getenv('AZURE_TENANT')
secret_id = os.getenv('AZURE_SECRET_ID')
secret_version = os.getenv('AZURE_SECRET_VERSION')
vault_url = os.getenv('AZURE_VAULT_URL')
# Get Service Principal Credentials
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=service_principal_secret,
tenant=tenant)
# Auth with Service Principal
client = KeyVaultClient(credentials)
# Get Azure Secret from Azure Vault
# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
# SECRET_VERSION is required, and can be obtained with the KeyVaultClient.get_secret_versions(self, vault_url, secret_id) API
secret_bundle = client.get_secret(vault_url, secret_id, secret_version)
secret = secret_bundle.value
file_path = '/codefresh/volume/env_vars_to_export'
with open(file_path, 'a') as file:
file.write("{}={}\n".format(secret_id, secret))
def setup_sample(self):
"""
Provides common setup for Key Vault samples, such as creating rest clients, creating a sample resource group
if needed, and ensuring proper access for the service principal.
:return: None
"""
if not self._setup_complete:
self.mgmt_creds = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
self.data_creds = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
self.resource_mgmt_client = ResourceManagementClient(
self.mgmt_creds, self.config.subscription_id)
# ensure the service principle has key vault as a valid provider
self.resource_mgmt_client.providers.register('Microsoft.KeyVault')
# ensure the intended resource group exists
self.resource_mgmt_client.resource_groups.create_or_update(
self.config.group_name, {'location': self.config.location})
self.keyvault_mgmt_client = KeyVaultManagementClient(
self.mgmt_creds, self.config.subscription_id)
self.keyvault_data_client = KeyVaultClient(self.data_creds)
self._setup_complete = True
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
# set variables (todo: make environment variables of this)
server = "<<your logical sql sever name>>.database.windows.net"
database = "<<your sqldb name>>"
username = "******"
secretname = "<<your secretname in you key vault>>"
keyvaultname = "https://<<your key vault name>>.vault.azure.net/"
# get secrets from key vault
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
password = kvclient.get_secret(keyvaultname, secretname, "").value
# Make connection to database
connectionstring = 'DRIVER={ODBC Driver 17 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';UID=' + username + ';PWD=' + password
logging.info(connectionstring)
cnxn = pyodbc.connect(connectionstring)
cursor = cnxn.cursor()
# fire query
cursor.execute("SELECT @@version;")
row = cursor.fetchone()
logging.info((row[0]))
return func.HttpResponse(str(row[0]))
def get_secret_from_keyvault(resource_packet: str) -> str:
"""
Passes the information necessary to access the secret value as URI:ID:Version
Args:
resource_packet: Informnation packet with contents used for retrieving secret for KeyVault.
Returns: extracted secret value for the specified version of the secret
"""
# This method will raise an exception on failure. It has not been hardened in any way.
logger.info('INFO: Attempting to retrieve secret from KeyVault')
# Create MSI Authentication
credentials = MSIAuthentication()
# Obtain hooks into the KeyVault - establish a client
client = KeyVaultClient(credentials)
resource_uri, secret_id, secret_version = resource_packet.split("|")
# Retrieve the secret
secret_bundle = client.get_secret(resource_uri, secret_id, secret_version)
logger.info('INFO: Secret successfully retrieved from KeyVault')
# The secret is stored in a value field. Retrieve this and return to the caller
return secret_bundle.value
def keyvault_private_data_plane_factory_v7_2_preview(cli_ctx, _):
from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1 import (
KeyVaultAuthentication, KeyVaultClient)
from azure.cli.core.util import should_disable_connection_verify
version = str(get_api_version(cli_ctx, ResourceType.DATA_PRIVATE_KEYVAULT))
def get_token(server, resource, scope): # pylint: disable=unused-argument
return Profile(cli_ctx=cli_ctx).get_raw_token(
resource=resource,
subscription=cli_ctx.data.get('subscription_id'))[0]
client = KeyVaultClient(KeyVaultAuthentication(get_token),
api_version=version)
# HACK, work around the fact that KeyVault library does't take confiuration object on constructor
# which could be used to turn off the verifiaction. Remove this once we migrate to new data plane library
# pylint: disable=protected-access
if hasattr(client, '_client') and hasattr(client._client, 'config'):
verify = not should_disable_connection_verify()
client._client.config.connection.verify = verify
else:
logger.info(
'Could not find the configuration object to turn off the verification if needed'
)
return client
def main():
# Load Azure app defaults
try:
with open('azurermconfig.json') as config_file:
config_data = json.load(config_file)
except FileNotFoundError:
sys.exit("Error: Expecting azurermconfig.json in current folder")
tenant_id = config_data['tenantId']
app_id = config_data['appId']
app_secret = config_data['appSecret']
kv_name = config_data['keyvault']
key_vault_uri = f'https://{kv_name}.vault.azure.net/'
# get credentials
credentials = ServicePrincipalCredentials(client_id=app_id,
secret=app_secret,
tenant=tenant_id)
#token = credentials.token
#print('Token is: ' + token['access_token'])
# get a key vault client
client = KeyVaultClient(credentials)
# list the secrets
secrets = client.get_secrets(key_vault_uri)
print('Listing secrets')
for secret_item in secrets:
secret_name = secret_item.id.split('/secrets/', 1)[1]
secret_bundle = client.get_secret(key_vault_uri, secret_name, '')
print(f'{secret_name}: {secret_bundle.value}')
def get_secret_values(self, secret_names):
"""Reads a list of secrets from Key Vault. Returns a dictionary.
Disabled secrets return an empty string for their value.
Inactive secrets (outside their activation date range, if defined)
return their actual value. We're not currently supporting activation
and deactivation dates.
"""
credentials = ServicePrincipalCredentials(
client_id=self._config["client_id"],
secret=self._config["app_secret"],
tenant=self._config["tenant_id"],
)
client = KeyVaultClient(credentials)
secret_values = {}
for secret_name in secret_names:
try:
secret_bundle = client.get_secret(
self._config["key_vault_uri"], secret_name, ""
)
secret_values[secret_name] = secret_bundle.value
except KeyVaultErrorException:
secret_values[secret_name] = ""
return secret_values
def get_storage_account_key(accountname, client_id, secret_key, tenant_id,
keyvault_account):
"""
Uses the azure management package and the active directory
credentials to fetch the authentication key for a storage
account from azure key vault. The key must be stored in azure
keyvault for this to work.
:param str accountname: storage account name
"""
def auth_callback(server, resource, scope):
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=secret_key,
tenant=tenant_id,
resource="https://vault.azure.net")
token = credentials.token
return token['token_type'], token['access_token']
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
keyvault = "https://{}.vault.azure.net/".format(keyvault_account)
# passing in empty string for version returns latest key
try:
secret_bundle = client.get_secret(keyvault, accountname, "")
except KeyVaultErrorException:
err_str = "The pipeline is not setup to use the {} account. ".format(
accountname)
err_str += "please add the storage key for the account to {} ".format(
keyvault_account)
err_str += "as a secret. All input/output paths should start with accountname"
raise UnconfiguredStorageAccountError(err_str)
account_key = secret_bundle.value
return account_key
def __init__(self, client_id, secret, tenant, resource):
"""Initialize the connection to Key Vault"""
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=secret,
tenant=tenant,
resource=resource)
self.client = KeyVaultClient(credentials)
def secret(
self,
secretID=ID_ERR_MISSING_SID,
*args
): # secretID='__noSecret__' to catch if no secretID is provided
rc = {
'status': ID_STATUS_MISSING_SECRET,
'secretID': secretID
} # assume an error
if (
len(args) == 0 and not secretID == ID_ERR_MISSING_SID
): # if properly formatted args will be empty and secretID will be something other than ID_SEC_MISSING_SID
vaultClient = KeyVaultClient(
sbdVaultCreds
) # reauthenticate each time so if anything changed we will fail (is this a good idea?)
try:
sBundle = vaultClient.get_secret(
sbdVaultURL, secretID, ''
) # regarding the ''. . .should really use vC.get_secret_versions() but I fiddled with that all day and it seems broken (thanks Zach for the simple workaround!)
secretVal = sBundle.value
rc = {
'status': ID_STATUS_OK,
'secretID': secretID,
'secret': secretVal
}
except: # any exception just return error
rc = {
'status': ID_STATUS_SECRET_NOT_FOUND,
'secretID': secretID
}
return rc
def __init__(self, config):
self._auth = KeyVaultAuth(config, CLIENT_ID)
self._config = config
self._mgmt_client = KeyVaultManagementClient(
self._auth.get_arm_creds(), config.subscription_id)
self._data_client = KeyVaultClient(self._auth.get_keyvault_creds())
self._selected_vault = None
self._current_index = None
def _get_keyvault_client():
from azure.cli.core._profile import Profile
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
def _get_token(server, resource, scope): # pylint: disable=unused-argument
return Profile().get_login_credentials(resource)[0]._token_retriever() # pylint: disable=protected-access
return KeyVaultClient(KeyVaultAuthentication(_get_token))
def kv_get_secret(secret_id):
client = KeyVaultClient(get_kv_credentials())
value_id = client.get_secret(KEY_VAULT, secret_id, "")
if (value_id is None):
return ("")
else:
print('Geting Secret %s with value %s' % (secret_id, value_id.value))
return (value_id.value)
def test_vault():
credentials = get_key_vault_credentials()
kv_client = KeyVaultClient(credentials)
key_vault_uri = KEY_VAULT_URI
secret = kv_client.get_secret(key_vault_uri, "test", "")
return "secret value = {}".format(secret.value)
