def get_keyvault_client(self): # Don't use MSI credentials if the auth_source isn't set to MSI. The below will Always result in credentials when running on an Azure VM. if self.module.params['auth_source'] == 'msi': try: self.log("Get KeyVaultClient from MSI") resource = self.azure_auth._cloud_environment.suffixes.keyvault_dns.split('.', 1).pop() credentials = MSIAuthentication(resource="https://{0}".format(resource)) return KeyVaultClient(credentials) except Exception: self.log("Get KeyVaultClient from service principal") # Create KeyVault Client using KeyVault auth class and auth_callback def auth_callback(server, resource, scope): if self.credentials['client_id'] is None or self.credentials['secret'] is None: self.fail('Please specify client_id, secret and tenant to access azure Key Vault.') tenant = self.credentials.get('tenant') if not self.credentials['tenant']: tenant = "common" authcredential = ServicePrincipalCredentials( client_id=self.credentials['client_id'], secret=self.credentials['secret'], tenant=tenant, cloud_environment=self._cloud_environment, resource="https://vault.azure.net") token = authcredential.token return token['token_type'], token['access_token'] return KeyVaultClient(KeyVaultAuthentication(auth_callback))
def __init__(self, config=None): from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, AccessToken from msrestazure.azure_active_directory import ServicePrincipalCredentials super(StorageAccountSample, self).__init__(config=config) self.keyvault_sp_client = KeyVaultClient( ServicePrincipalCredentials(client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id)) # the key vault storage methods, storage_account_set and regenerate_storage_account_key # must be called by an authenticated user (not a service principal) so we create a secondary # client which authenticates a user using device code authentication # create a KeyVaultClient that authenticates as the user def authenticate_user(server, resource, scope, scheme): token = self.get_user_token(resource=resource) return AccessToken(scheme=token['tokenType'], token=token['accessToken'], key=None) self.keyvault_user_client = KeyVaultClient( KeyVaultAuthentication(authorization_callback=authenticate_user)) self._user_id = None self._user_oid = None
def get_keyvault_client(self): try: self.log("Get KeyVaultClient from MSI") credentials = MSIAuthentication(resource='https://vault.azure.net') return KeyVaultClient(credentials) except Exception: self.log("Get KeyVaultClient from service principal") # Create KeyVault Client using KeyVault auth class and auth_callback def auth_callback(server, resource, scope): if self.credentials['client_id'] is None or self.credentials[ 'secret'] is None: self.fail( 'Please specify client_id, secret and tenant to access azure Key Vault.' ) tenant = self.credentials.get('tenant') if not self.credentials['tenant']: tenant = "common" authcredential = ServicePrincipalCredentials( client_id=self.credentials['client_id'], secret=self.credentials['secret'], tenant=tenant, cloud_environment=self._cloud_environment, resource="https://vault.azure.net") token = authcredential.token return token['token_type'], token['access_token'] return KeyVaultClient(KeyVaultAuthentication(auth_callback))
class ProductionConfig(Config): CACHE_TYPE = "filesystem" CACHE_DIR = os.environ.get("TRACKER_CACHE_DIR", "./.cache") CACHE_DEFAULT_TIMEOUT = int(os.environ.get("TRACKER_CACHE_TIMEOUT", A_DAY)) if os.environ.get('TRACKER_ENV', None) == "production": if os.environ.get("TRACKER_KEYVAULT_URI", None) is None or os.environ.get( "SECRET_NAME_RO", None) is None: # Error and crash hard: Production should be configured as expected. LOGGER.error( "KeyVault uri or secret name missing from local environment.") sys.exit(4) kv_uri = os.environ.get("TRACKER_KEYVAULT_URI") kv_secret = os.environ.get("SECRET_NAME_RO") kv_creds = MSIAuthentication(resource='https://vault.azure.net') kv_client = KeyVaultClient(kv_creds) MONGO_URI = kv_client.get_secret(kv_uri, kv_secret, "").value @staticmethod def init_app(app): Config.init_app(app) import logging from logging.handlers import SysLogHandler handler = SysLogHandler( address=os.environ.get("TRACKER_SYSLOG", "/dev/log")) handler.setLevel(logging.ERROR) app.logger.addHandler(handler)
def sign(key_hash): p2sig = '' response = None try: data = request.get_json(force=True) if key_hash in config['keys']: info('Found key_hash {} in config'.format(key_hash)) key = config['keys'][key_hash] kvclient = KeyVaultClient( MSIAuthentication(resource='https://vault.azure.net')) info('Calling remote-signer method {}'.format(data)) p2sig = RemoteSigner(kvclient, key['kv_keyname'], config, request.environ['REMOTE_ADDR'], data).sign() response = jsonify({'signature': p2sig}) info('Response is {}'.format(response)) else: warning("Couldn't find key {}".format(key_hash)) response = Response('Key not found', status=404) except Exception as e: data = {'error': str(e)} error('Exception thrown during request: {}'.format(str(e))) response = app.response_class(response=json.dumps(data), status=500, mimetype='application/json') info('Returning flask response {}'.format(response)) return response
def auth_using_adal_callback(self): """ authenticates to the Azure Key Vault by providing a callback to authenticate using adal """ # create a vault to validate authentication with the KeyVaultClient vault = self.create_vault() import adal # create an adal authentication context auth_context = adal.AuthenticationContext('https://login.microsoftonline.com/%s' % self.config.tenant_id) # create a callback to supply the token type and access token on request def adal_callback(server, resource, scope): token = auth_context.acquire_token_with_client_credentials(resource=resource, client_id=self.config.client_id, client_secret=self.config.client_secret) return token['tokenType'], token['accessToken'] # create a KeyVaultAuthentication instance which will callback to the supplied adal_callback auth = KeyVaultAuthentication(adal_callback) # create the KeyVaultClient using the created KeyVaultAuthentication instance client = KeyVaultClient(auth) # set and get a secret from the vault to validate the client is authenticated print('creating secret...') print(client.set_secret(vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault')) print('getting secret...') print(client.get_secret(vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none))
def __init__(self, vault_base_url: str = None, client_id: str = None, secret: str = None, tenant: str = None): self.vault_base_url = vault_base_url self.client_id = client_id self.secret = secret self.tenant = tenant try: if self.vault_base_url is None: self.vault_base_url = os.environ["AZURE_VAULT_BASE_URL"] if self.client_id is None: self.client_id = os.environ['AZURE_CLIENT_ID'] if self.secret is None: self.secret = os.environ['AZURE_SECRET_KEY'] if self.tenant is None: self.tenant = os.environ['AZURE_TENANT_ID'] except KeyError as e: print("Did you forget to set the environment variable?", e) sys.exit(1) self.client = KeyVaultClient(KeyVaultAuthentication(_auth_callback))
def main(req: func.HttpRequest) -> func.HttpResponse: req_body = req.get_json() source_container = req_body.get("source_container") source_blob_name = req_body.get("source_blob") dest_folder = req_body.get("dest_folder") dest_container = req_body.get("dest_container") credentials = MSIAuthentication(resource='https://vault.azure.net') kvclient = KeyVaultClient(credentials) key = kvclient.get_secret("https://zhenzh-databricks-kv.vault.azure.net/", "zhenzh-python-func-account-key", "").value converter = Excel2Csv( BlockBlobService(account_name='zhenzhadfblobsource', account_key=key)) if source_blob_name is None: converter.convert_and_upload(source_container, dest_container, "raw", "curated") else: converter.convert_and_upload_blob("apachelog-analysis", "apachelog-analysis", source_blob_name, dest_folder) return json.dumps({"result": "Conversion Finished!"})
def auth_using_service_principle_credentials(self): """ authenticates to the Azure Key Vault service using AAD service principle credentials """ # create a vault to validate authentication with the KeyVaultClient vault = self.create_vault() # create the service principle credentials used to authenticate the client credentials = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) # create the client using the created credentials client = KeyVaultClient(credentials) # set and get a secret from the vault to validate the client is authenticated print('creating secret...') secret_bundle = client.set_secret( vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault') print(secret_bundle) print('getting secret...') secret_bundle = client.get_secret( vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none) print(secret_bundle)
def handleHello(): try: # get credentials sys.stdout.write(keyVaultURL + "\n") credentials = MSIAuthentication(resource="https://vault.azure.net") # create a KeyVault client sys.stdout.write("before kv client\n") key_vault_client = KeyVaultClient(credentials) # get the secret sys.stdout.write("before secret\n") secret = key_vault_client.get_secret( keyVaultURL, # Your KeyVault URL "hellomessage", # Name of your secret. If you followed the README 'secret' should exists "" # The version of the secret. Empty string for latest ) sys.stdout.write("after secret\n") message = secret.value res = jsonify({"Message:": message}) except Exception as e: template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(e).__name__, e.args) res = jsonify({"Message:": message}) res.status_code = 500 sys.stdout.flush() return res
def from_config(cls, client_id, client_secret, tenant_id, vault_uri, resource=None): # type: (str, str, str, str) -> AzureAuthentication """ Class method that creates an instance of this class, using the passed arguments :param client_id: id of the KeyVault client :param client_secret: authentication key for the KeyVault client :param tenant_id: directory ID of the Azure subscription where the KeyVault is defined :param vault_uri: URL of the KeyVault account :param resource: azure uri resource. default https://management.core.windows.net/ :return: an instance of this class """ try: credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource=resource or DEFAULT_AUTHENTICATION_RESOURCE ) kv_client = KeyVaultClient(KeyVaultAuthentication(credentials=credentials)) except AuthenticationError: raise AzureAuthenticationException("The credentials provided to access KeyVault are not correct.") return cls( kv_client=kv_client, vault_uri=vault_uri, credentials=credentials )
def _get_database_uri(): if _is_app_service(): logger.info("Getting Production DB credentials from Keyvault") credentials = MSIAuthentication() key_vault_client = KeyVaultClient(credentials) key_vault_uri = os.environ.get("KEY_VAULT_URI", "PUT YOUR KV BASE URL HERE") logger.info("Using KEY_VAULT_URI: {}".format(key_vault_uri)) result = key_vault_client.get_secret( vault_base_url=key_vault_uri, secret_name="database-url", secret_version="" # empty string -> latest version ).value logger.info("Secret info: {} {}".format(type(result), len(result))) # XXX TEMP DEBUG return result else: # TODO: this is just to allow the create_db script to be run locally on initial setup # Really, the KV code above should be updated to work with other non-MSI credentials if "DATABASE_URL" in os.environ: logger.info("Using DATABASE_URL credentials") return os.environ['DATABASE_URL'] else: logger.info("Using local Testing Database") return TestingConfig.SQLALCHEMY_DATABASE_URI
def _get_client(self): if os.getenv("USE_MSI", "false").lower() == "true": _logger.info('Using MSI') if "MSI_CLIENT_ID" in os.environ: msi_client_id = os.environ["MSI_CLIENT_ID"] _logger.info('Using client_id: %s', msi_client_id) credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, client_id=msi_client_id) elif "MSI_OBJECT_ID" in os.environ: msi_object_id = os.environ["MSI_OBJECT_ID"] _logger.info('Using object_id: %s', msi_object_id) credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, object_id=msi_object_id) elif "MSI_RESOURCE_ID" in os.environ: msi_resource_id = os.environ["MSI_RESOURCE_ID"] _logger.info('Using resource_id: %s', msi_resource_id) credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME, msi_res_id=msi_resource_id) else: credentials = MSIAuthentication(resource=VAULT_RESOURCE_NAME) else: self._parse_sp_file() authority = '/'.join([AZURE_AUTHORITY_SERVER.rstrip('/'), self.tenant_id]) _logger.info('Using authority: %s', authority) context = AuthenticationContext(authority) _logger.info('Using vault resource name: %s and client id: %s', VAULT_RESOURCE_NAME, self.client_id) credentials = AdalAuthentication(context.acquire_token_with_client_credentials, VAULT_RESOURCE_NAME, self.client_id, self.client_secret) return KeyVaultClient(credentials)
def login(self, credentials=None): if credentials is None: credentials = ServicePrincipalCredentials( client_id='***********************', #appId secret='***********************', #password tenant='***********************') self.client = KeyVaultClient(credentials)
def main(argv): if len(sys.argv) < 3: raise ValueError( 'Expecting vault_url, client_id, clientSecretKey,tenant_id') vault_url = sys.argv[1] client_id = sys.argv[2] secretKey = sys.argv[3] tenant_id = sys.argv[4] credentials = ServicePrincipalCredentials(client_id=client_id, secret=secretKey, tenant=tenant_id, resource=resource_uri) client = KeyVaultClient(KeyVaultAuthentication(None, credentials)) token = credentials.token token_type = token['token_type'] access_token = token['access_token'] secrets = client.get_secrets(vault_url) secretsData = {} for secret in secrets: secretName = secret.id.rsplit('/', 1)[-1] secretItem = client.get_secret(vault_url, secretName, '') secretVersion = secretItem.id.rsplit('/', 1)[-1] secretsData[secretName] = secretVersion json_data = json.dumps(secretsData) print(json_data)
def get_secret_value(secret): managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID") key_vault_url = os.environ.get("KEY_VAULT_URL") credentials = MSIAuthentication(client_id = managed_identity_client_id) key_vault_client = KeyVaultClient(credentials) secret_value = key_vault_client.get_secret(key_vault_url,secret,"") return secret_value.value
def main(): client_id = os.getenv('AZURE_CLIENT_ID') service_principal_secret = os.getenv('AZURE_SECRET') tenant = os.getenv('AZURE_TENANT') secret_id = os.getenv('AZURE_SECRET_ID') secret_version = os.getenv('AZURE_SECRET_VERSION') vault_url = os.getenv('AZURE_VAULT_URL') # Get Service Principal Credentials credentials = ServicePrincipalCredentials(client_id=client_id, secret=service_principal_secret, tenant=tenant) # Auth with Service Principal client = KeyVaultClient(credentials) # Get Azure Secret from Azure Vault # VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net' # SECRET_VERSION is required, and can be obtained with the KeyVaultClient.get_secret_versions(self, vault_url, secret_id) API secret_bundle = client.get_secret(vault_url, secret_id, secret_version) secret = secret_bundle.value file_path = '/codefresh/volume/env_vars_to_export' with open(file_path, 'a') as file: file.write("{}={}\n".format(secret_id, secret))
def setup_sample(self): """ Provides common setup for Key Vault samples, such as creating rest clients, creating a sample resource group if needed, and ensuring proper access for the service principal. :return: None """ if not self._setup_complete: self.mgmt_creds = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) self.data_creds = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) self.resource_mgmt_client = ResourceManagementClient( self.mgmt_creds, self.config.subscription_id) # ensure the service principle has key vault as a valid provider self.resource_mgmt_client.providers.register('Microsoft.KeyVault') # ensure the intended resource group exists self.resource_mgmt_client.resource_groups.create_or_update( self.config.group_name, {'location': self.config.location}) self.keyvault_mgmt_client = KeyVaultManagementClient( self.mgmt_creds, self.config.subscription_id) self.keyvault_data_client = KeyVaultClient(self.data_creds) self._setup_complete = True
def main(req: func.HttpRequest) -> func.HttpResponse: logging.info('Python HTTP trigger function processed a request.') # set variables (todo: make environment variables of this) server = "<<your logical sql sever name>>.database.windows.net" database = "<<your sqldb name>>" username = "******" secretname = "<<your secretname in you key vault>>" keyvaultname = "https://<<your key vault name>>.vault.azure.net/" # get secrets from key vault credentials = MSIAuthentication(resource='https://vault.azure.net') kvclient = KeyVaultClient(credentials) password = kvclient.get_secret(keyvaultname, secretname, "").value # Make connection to database connectionstring = 'DRIVER={ODBC Driver 17 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';UID=' + username + ';PWD=' + password logging.info(connectionstring) cnxn = pyodbc.connect(connectionstring) cursor = cnxn.cursor() # fire query cursor.execute("SELECT @@version;") row = cursor.fetchone() logging.info((row[0])) return func.HttpResponse(str(row[0]))
def get_secret_from_keyvault(resource_packet: str) -> str: """ Passes the information necessary to access the secret value as URI:ID:Version Args: resource_packet: Informnation packet with contents used for retrieving secret for KeyVault. Returns: extracted secret value for the specified version of the secret """ # This method will raise an exception on failure. It has not been hardened in any way. logger.info('INFO: Attempting to retrieve secret from KeyVault') # Create MSI Authentication credentials = MSIAuthentication() # Obtain hooks into the KeyVault - establish a client client = KeyVaultClient(credentials) resource_uri, secret_id, secret_version = resource_packet.split("|") # Retrieve the secret secret_bundle = client.get_secret(resource_uri, secret_id, secret_version) logger.info('INFO: Secret successfully retrieved from KeyVault') # The secret is stored in a value field. Retrieve this and return to the caller return secret_bundle.value
def keyvault_private_data_plane_factory_v7_2_preview(cli_ctx, _): from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1 import ( KeyVaultAuthentication, KeyVaultClient) from azure.cli.core.util import should_disable_connection_verify version = str(get_api_version(cli_ctx, ResourceType.DATA_PRIVATE_KEYVAULT)) def get_token(server, resource, scope): # pylint: disable=unused-argument return Profile(cli_ctx=cli_ctx).get_raw_token( resource=resource, subscription=cli_ctx.data.get('subscription_id'))[0] client = KeyVaultClient(KeyVaultAuthentication(get_token), api_version=version) # HACK, work around the fact that KeyVault library does't take confiuration object on constructor # which could be used to turn off the verifiaction. Remove this once we migrate to new data plane library # pylint: disable=protected-access if hasattr(client, '_client') and hasattr(client._client, 'config'): verify = not should_disable_connection_verify() client._client.config.connection.verify = verify else: logger.info( 'Could not find the configuration object to turn off the verification if needed' ) return client
def main(): # Load Azure app defaults try: with open('azurermconfig.json') as config_file: config_data = json.load(config_file) except FileNotFoundError: sys.exit("Error: Expecting azurermconfig.json in current folder") tenant_id = config_data['tenantId'] app_id = config_data['appId'] app_secret = config_data['appSecret'] kv_name = config_data['keyvault'] key_vault_uri = f'https://{kv_name}.vault.azure.net/' # get credentials credentials = ServicePrincipalCredentials(client_id=app_id, secret=app_secret, tenant=tenant_id) #token = credentials.token #print('Token is: ' + token['access_token']) # get a key vault client client = KeyVaultClient(credentials) # list the secrets secrets = client.get_secrets(key_vault_uri) print('Listing secrets') for secret_item in secrets: secret_name = secret_item.id.split('/secrets/', 1)[1] secret_bundle = client.get_secret(key_vault_uri, secret_name, '') print(f'{secret_name}: {secret_bundle.value}')
def get_secret_values(self, secret_names): """Reads a list of secrets from Key Vault. Returns a dictionary. Disabled secrets return an empty string for their value. Inactive secrets (outside their activation date range, if defined) return their actual value. We're not currently supporting activation and deactivation dates. """ credentials = ServicePrincipalCredentials( client_id=self._config["client_id"], secret=self._config["app_secret"], tenant=self._config["tenant_id"], ) client = KeyVaultClient(credentials) secret_values = {} for secret_name in secret_names: try: secret_bundle = client.get_secret( self._config["key_vault_uri"], secret_name, "" ) secret_values[secret_name] = secret_bundle.value except KeyVaultErrorException: secret_values[secret_name] = "" return secret_values
def get_storage_account_key(accountname, client_id, secret_key, tenant_id, keyvault_account): """ Uses the azure management package and the active directory credentials to fetch the authentication key for a storage account from azure key vault. The key must be stored in azure keyvault for this to work. :param str accountname: storage account name """ def auth_callback(server, resource, scope): credentials = ServicePrincipalCredentials( client_id=client_id, secret=secret_key, tenant=tenant_id, resource="https://vault.azure.net") token = credentials.token return token['token_type'], token['access_token'] client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) keyvault = "https://{}.vault.azure.net/".format(keyvault_account) # passing in empty string for version returns latest key try: secret_bundle = client.get_secret(keyvault, accountname, "") except KeyVaultErrorException: err_str = "The pipeline is not setup to use the {} account. ".format( accountname) err_str += "please add the storage key for the account to {} ".format( keyvault_account) err_str += "as a secret. All input/output paths should start with accountname" raise UnconfiguredStorageAccountError(err_str) account_key = secret_bundle.value return account_key
def __init__(self, client_id, secret, tenant, resource): """Initialize the connection to Key Vault""" credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant, resource=resource) self.client = KeyVaultClient(credentials)
def secret( self, secretID=ID_ERR_MISSING_SID, *args ): # secretID='__noSecret__' to catch if no secretID is provided rc = { 'status': ID_STATUS_MISSING_SECRET, 'secretID': secretID } # assume an error if ( len(args) == 0 and not secretID == ID_ERR_MISSING_SID ): # if properly formatted args will be empty and secretID will be something other than ID_SEC_MISSING_SID vaultClient = KeyVaultClient( sbdVaultCreds ) # reauthenticate each time so if anything changed we will fail (is this a good idea?) try: sBundle = vaultClient.get_secret( sbdVaultURL, secretID, '' ) # regarding the ''. . .should really use vC.get_secret_versions() but I fiddled with that all day and it seems broken (thanks Zach for the simple workaround!) secretVal = sBundle.value rc = { 'status': ID_STATUS_OK, 'secretID': secretID, 'secret': secretVal } except: # any exception just return error rc = { 'status': ID_STATUS_SECRET_NOT_FOUND, 'secretID': secretID } return rc
def __init__(self, config): self._auth = KeyVaultAuth(config, CLIENT_ID) self._config = config self._mgmt_client = KeyVaultManagementClient( self._auth.get_arm_creds(), config.subscription_id) self._data_client = KeyVaultClient(self._auth.get_keyvault_creds()) self._selected_vault = None self._current_index = None
def _get_keyvault_client(): from azure.cli.core._profile import Profile from azure.keyvault import KeyVaultClient, KeyVaultAuthentication def _get_token(server, resource, scope): # pylint: disable=unused-argument return Profile().get_login_credentials(resource)[0]._token_retriever() # pylint: disable=protected-access return KeyVaultClient(KeyVaultAuthentication(_get_token))
def kv_get_secret(secret_id): client = KeyVaultClient(get_kv_credentials()) value_id = client.get_secret(KEY_VAULT, secret_id, "") if (value_id is None): return ("") else: print('Geting Secret %s with value %s' % (secret_id, value_id.value)) return (value_id.value)
def test_vault(): credentials = get_key_vault_credentials() kv_client = KeyVaultClient(credentials) key_vault_uri = KEY_VAULT_URI secret = kv_client.get_secret(key_vault_uri, "test", "") return "secret value = {}".format(secret.value)