def azurekeyvault(): credentials = ServicePrincipalCredentials(client_id=options.clientid, secret=options.clientsecret, tenant=options.tenantid) client = KeyVaultClient(credentials) vault_url = options.vaulturl sourcesecret = options.secretnameforsourceconnectionstring sinksecret = options.secretnameforsinkconnectionstring source_bundle = client.get_secret(vault_url, sourcesecret, "") sink_bundle = client.get_secret(vault_url, sinksecret, "") sourceconnectionstring = source_bundle.value sinkconnectionstring = sink_bundle.value return sourceconnectionstring, sinkconnectionstring
def init(): client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) SPLUNK_HOST = client.get_secret(VAULT_URL, 'splunk-host',secret_version=KeyVaultId.version_none).value SPLUNK_TOKEN = client.get_secret(VAULT_URL, 'splunk-token',secret_version=KeyVaultId.version_none).value EH_CONNECTION_STR = client.get_secret(VAULT_URL, 'eh-conn-str',secret_version=KeyVaultId.version_none).value splunk = SplunkHandler( host= SPLUNK_HOST, port='8088', token= SPLUNK_TOKEN, index='main', verify=False ) init.ehclient = EventHubClient.from_connection_string(EH_CONNECTION_STR, receive_timeout=RECEIVE_TIMEOUT, retry_total=RETRY_TOTAL) logging.getLogger('').addHandler(splunk)
def _get_database_uri(): if _is_app_service(): logger.info("Getting Production DB credentials from Keyvault") credentials = MSIAuthentication() key_vault_client = KeyVaultClient(credentials) key_vault_uri = os.environ.get("KEY_VAULT_URI", "PUT YOUR KV BASE URL HERE") logger.info("Using KEY_VAULT_URI: {}".format(key_vault_uri)) result = key_vault_client.get_secret( vault_base_url=key_vault_uri, secret_name="database-url", secret_version="" # empty string -> latest version ).value logger.info("Secret info: {} {}".format(type(result), len(result))) # XXX TEMP DEBUG return result else: # TODO: this is just to allow the create_db script to be run locally on initial setup # Really, the KV code above should be updated to work with other non-MSI credentials if "DATABASE_URL" in os.environ: logger.info("Using DATABASE_URL credentials") return os.environ['DATABASE_URL'] else: logger.info("Using local Testing Database") return TestingConfig.SQLALCHEMY_DATABASE_URI
class KeyVault: client = None def login(self, credentials=None): if credentials is None: credentials = ServicePrincipalCredentials( client_id='***********************', #appId secret='***********************', #password tenant='***********************') self.client = KeyVaultClient(credentials) def getSecret(self, secret_info=None): vault_url = None secret_id = None secret_version = None if secret_info is None: vault_url = 'https://*****.vault.azure.net/' secret_id = '**********' secret_version = '*************' else: vault_url = secret_info.vault_uri secret_id = secret_info.secret_id secret_version = secret_info.secret_version secret_bundle = self.client.get_secret(vault_url, secret_id, secret_version) secret = secret_bundle.value return secret
def main(req: func.HttpRequest) -> func.HttpResponse: req_body = req.get_json() source_container = req_body.get("source_container") source_blob_name = req_body.get("source_blob") dest_folder = req_body.get("dest_folder") dest_container = req_body.get("dest_container") credentials = MSIAuthentication(resource='https://vault.azure.net') kvclient = KeyVaultClient(credentials) key = kvclient.get_secret("https://zhenzh-databricks-kv.vault.azure.net/", "zhenzh-python-func-account-key", "").value converter = Excel2Csv( BlockBlobService(account_name='zhenzhadfblobsource', account_key=key)) if source_blob_name is None: converter.convert_and_upload(source_container, dest_container, "raw", "curated") else: converter.convert_and_upload_blob("apachelog-analysis", "apachelog-analysis", source_blob_name, dest_folder) return json.dumps({"result": "Conversion Finished!"})
def get_secret_from_keyvault(resource_packet: str) -> str: """ Passes the information necessary to access the secret value as URI:ID:Version Args: resource_packet: Informnation packet with contents used for retrieving secret for KeyVault. Returns: extracted secret value for the specified version of the secret """ # This method will raise an exception on failure. It has not been hardened in any way. logger.info('INFO: Attempting to retrieve secret from KeyVault') # Create MSI Authentication credentials = MSIAuthentication() # Obtain hooks into the KeyVault - establish a client client = KeyVaultClient(credentials) resource_uri, secret_id, secret_version = resource_packet.split("|") # Retrieve the secret secret_bundle = client.get_secret(resource_uri, secret_id, secret_version) logger.info('INFO: Secret successfully retrieved from KeyVault') # The secret is stored in a value field. Retrieve this and return to the caller return secret_bundle.value
def main(req: func.HttpRequest) -> func.HttpResponse: logging.info('Python HTTP trigger function processed a request.') # set variables (todo: make environment variables of this) server = "<<your logical sql sever name>>.database.windows.net" database = "<<your sqldb name>>" username = "******" secretname = "<<your secretname in you key vault>>" keyvaultname = "https://<<your key vault name>>.vault.azure.net/" # get secrets from key vault credentials = MSIAuthentication(resource='https://vault.azure.net') kvclient = KeyVaultClient(credentials) password = kvclient.get_secret(keyvaultname, secretname, "").value # Make connection to database connectionstring = 'DRIVER={ODBC Driver 17 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';UID=' + username + ';PWD=' + password logging.info(connectionstring) cnxn = pyodbc.connect(connectionstring) cursor = cnxn.cursor() # fire query cursor.execute("SELECT @@version;") row = cursor.fetchone() logging.info((row[0])) return func.HttpResponse(str(row[0]))
def secret( self, secretID=ID_ERR_MISSING_SID, *args ): # secretID='__noSecret__' to catch if no secretID is provided rc = { 'status': ID_STATUS_MISSING_SECRET, 'secretID': secretID } # assume an error if ( len(args) == 0 and not secretID == ID_ERR_MISSING_SID ): # if properly formatted args will be empty and secretID will be something other than ID_SEC_MISSING_SID vaultClient = KeyVaultClient( sbdVaultCreds ) # reauthenticate each time so if anything changed we will fail (is this a good idea?) try: sBundle = vaultClient.get_secret( sbdVaultURL, secretID, '' ) # regarding the ''. . .should really use vC.get_secret_versions() but I fiddled with that all day and it seems broken (thanks Zach for the simple workaround!) secretVal = sBundle.value rc = { 'status': ID_STATUS_OK, 'secretID': secretID, 'secret': secretVal } except: # any exception just return error rc = { 'status': ID_STATUS_SECRET_NOT_FOUND, 'secretID': secretID } return rc
def get_secret_value(secret): managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID") key_vault_url = os.environ.get("KEY_VAULT_URL") credentials = MSIAuthentication(client_id = managed_identity_client_id) key_vault_client = KeyVaultClient(credentials) secret_value = key_vault_client.get_secret(key_vault_url,secret,"") return secret_value.value
def main(): client_id = os.getenv('AZURE_CLIENT_ID') service_principal_secret = os.getenv('AZURE_SECRET') tenant = os.getenv('AZURE_TENANT') secret_id = os.getenv('AZURE_SECRET_ID') secret_version = os.getenv('AZURE_SECRET_VERSION') vault_url = os.getenv('AZURE_VAULT_URL') # Get Service Principal Credentials credentials = ServicePrincipalCredentials(client_id=client_id, secret=service_principal_secret, tenant=tenant) # Auth with Service Principal client = KeyVaultClient(credentials) # Get Azure Secret from Azure Vault # VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net' # SECRET_VERSION is required, and can be obtained with the KeyVaultClient.get_secret_versions(self, vault_url, secret_id) API secret_bundle = client.get_secret(vault_url, secret_id, secret_version) secret = secret_bundle.value file_path = '/codefresh/volume/env_vars_to_export' with open(file_path, 'a') as file: file.write("{}={}\n".format(secret_id, secret))
def main(): # Load Azure app defaults try: with open('azurermconfig.json') as config_file: config_data = json.load(config_file) except FileNotFoundError: sys.exit("Error: Expecting azurermconfig.json in current folder") tenant_id = config_data['tenantId'] app_id = config_data['appId'] app_secret = config_data['appSecret'] kv_name = config_data['keyvault'] key_vault_uri = f'https://{kv_name}.vault.azure.net/' # get credentials credentials = ServicePrincipalCredentials(client_id=app_id, secret=app_secret, tenant=tenant_id) #token = credentials.token #print('Token is: ' + token['access_token']) # get a key vault client client = KeyVaultClient(credentials) # list the secrets secrets = client.get_secrets(key_vault_uri) print('Listing secrets') for secret_item in secrets: secret_name = secret_item.id.split('/secrets/', 1)[1] secret_bundle = client.get_secret(key_vault_uri, secret_name, '') print(f'{secret_name}: {secret_bundle.value}')
class KeyVaultWrapper(object): def __init__(self): credentials = MSIAuthentication(resource='https://vault.azure.net') self.kvclient = KeyVaultClient(credentials) def get_secret(self, vault_uri, secret_name, secret_version): return self.kvclient.get_secret(vault_uri, secret_name, secret_version).value def get_secret_to_file(self, vault_uri, secret_name, secret_version, filename): with open(filename, 'wt+') as file: file.write(self.get_secret(vault_uri, secret_name, secret_version)) def get_certificate_and_key(self, vault_uri, cert_name, cert_version): secret = self.get_secret(vault_uri, cert_name, cert_version) p12 = crypto.load_pkcs12(base64.b64decode(secret), "") return [p12.get_certificate(), p12.get_privatekey()] def get_certificate_and_key_to_file(self, vault_uri, cert_name, cert_version, key_filename, cert_filename): [cert, key] = self.get_certificate_and_key(vault_uri, cert_name, cert_version) with open(cert_filename, 'wb+') as pem_file: pem_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert)) with open(key_filename, 'wb+') as key_file: key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def auth_using_adal_callback(self): """ authenticates to the Azure Key Vault by providing a callback to authenticate using adal """ # create a vault to validate authentication with the KeyVaultClient vault = self.create_vault() import adal # create an adal authentication context auth_context = adal.AuthenticationContext('https://login.microsoftonline.com/%s' % self.config.tenant_id) # create a callback to supply the token type and access token on request def adal_callback(server, resource, scope): token = auth_context.acquire_token_with_client_credentials(resource=resource, client_id=self.config.client_id, client_secret=self.config.client_secret) return token['tokenType'], token['accessToken'] # create a KeyVaultAuthentication instance which will callback to the supplied adal_callback auth = KeyVaultAuthentication(adal_callback) # create the KeyVaultClient using the created KeyVaultAuthentication instance client = KeyVaultClient(auth) # set and get a secret from the vault to validate the client is authenticated print('creating secret...') print(client.set_secret(vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault')) print('getting secret...') print(client.get_secret(vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none))
def get_storage_account_key(accountname, client_id, secret_key, tenant_id, keyvault_account): """ Uses the azure management package and the active directory credentials to fetch the authentication key for a storage account from azure key vault. The key must be stored in azure keyvault for this to work. :param str accountname: storage account name """ def auth_callback(server, resource, scope): credentials = ServicePrincipalCredentials( client_id=client_id, secret=secret_key, tenant=tenant_id, resource="https://vault.azure.net") token = credentials.token return token['token_type'], token['access_token'] client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) keyvault = "https://{}.vault.azure.net/".format(keyvault_account) # passing in empty string for version returns latest key try: secret_bundle = client.get_secret(keyvault, accountname, "") except KeyVaultErrorException: err_str = "The pipeline is not setup to use the {} account. ".format( accountname) err_str += "please add the storage key for the account to {} ".format( keyvault_account) err_str += "as a secret. All input/output paths should start with accountname" raise UnconfiguredStorageAccountError(err_str) account_key = secret_bundle.value return account_key
def main(argv): if len(sys.argv) < 3: raise ValueError( 'Expecting vault_url, client_id, clientSecretKey,tenant_id') vault_url = sys.argv[1] client_id = sys.argv[2] secretKey = sys.argv[3] tenant_id = sys.argv[4] credentials = ServicePrincipalCredentials(client_id=client_id, secret=secretKey, tenant=tenant_id, resource=resource_uri) client = KeyVaultClient(KeyVaultAuthentication(None, credentials)) token = credentials.token token_type = token['token_type'] access_token = token['access_token'] secrets = client.get_secrets(vault_url) secretsData = {} for secret in secrets: secretName = secret.id.rsplit('/', 1)[-1] secretItem = client.get_secret(vault_url, secretName, '') secretVersion = secretItem.id.rsplit('/', 1)[-1] secretsData[secretName] = secretVersion json_data = json.dumps(secretsData) print(json_data)
def auth_using_service_principle_credentials(self): """ authenticates to the Azure Key Vault service using AAD service principle credentials """ # create a vault to validate authentication with the KeyVaultClient vault = self.create_vault() # create the service principle credentials used to authenticate the client credentials = ServicePrincipalCredentials( client_id=self.config.client_id, secret=self.config.client_secret, tenant=self.config.tenant_id) # create the client using the created credentials client = KeyVaultClient(credentials) # set and get a secret from the vault to validate the client is authenticated print('creating secret...') secret_bundle = client.set_secret( vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault') print(secret_bundle) print('getting secret...') secret_bundle = client.get_secret( vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none) print(secret_bundle)
def get_secret_values(self, secret_names): """Reads a list of secrets from Key Vault. Returns a dictionary. Disabled secrets return an empty string for their value. Inactive secrets (outside their activation date range, if defined) return their actual value. We're not currently supporting activation and deactivation dates. """ credentials = ServicePrincipalCredentials( client_id=self._config["client_id"], secret=self._config["app_secret"], tenant=self._config["tenant_id"], ) client = KeyVaultClient(credentials) secret_values = {} for secret_name in secret_names: try: secret_bundle = client.get_secret( self._config["key_vault_uri"], secret_name, "" ) secret_values[secret_name] = secret_bundle.value except KeyVaultErrorException: secret_values[secret_name] = "" return secret_values
def handleHello(): try: # get credentials sys.stdout.write(keyVaultURL + "\n") credentials = MSIAuthentication(resource="https://vault.azure.net") # create a KeyVault client sys.stdout.write("before kv client\n") key_vault_client = KeyVaultClient(credentials) # get the secret sys.stdout.write("before secret\n") secret = key_vault_client.get_secret( keyVaultURL, # Your KeyVault URL "hellomessage", # Name of your secret. If you followed the README 'secret' should exists "" # The version of the secret. Empty string for latest ) sys.stdout.write("after secret\n") message = secret.value res = jsonify({"Message:": message}) except Exception as e: template = "An exception of type {0} occurred. Arguments:\n{1!r}" message = template.format(type(e).__name__, e.args) res = jsonify({"Message:": message}) res.status_code = 500 sys.stdout.flush() return res
def kv_get_secret(secret_id): client = KeyVaultClient(get_kv_credentials()) value_id = client.get_secret(KEY_VAULT, secret_id, "") if (value_id is None): return ("") else: print('Geting Secret %s with value %s' % (secret_id, value_id.value)) return (value_id.value)
def test_vault(): credentials = get_key_vault_credentials() kv_client = KeyVaultClient(credentials) key_vault_uri = KEY_VAULT_URI secret = kv_client.get_secret(key_vault_uri, "test", "") return "secret value = {}".format(secret.value)
def get_app_secret(vault_url, secret_name, secret_version=''): """ Return (client_id, client_secret). """ client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) resp = client.get_secret(vault_url, secret_name, secret_version) secret = json.loads(resp.value) return secret['client_id'], secret['client_secret']
def main(): # Twitter application key client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) _appkey = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appkey", "19bd289d86f449cbb98fd6a51cc63156") _appsecret= client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appsecret", "510ceec80ef14af28dd961382be78e66") _appaccesstoken = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appaccesstoken", "e24ad1dfef6b4392bd6277e9ac51e4b8") _appaccesstokensecret = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appaccesstokensecret", "e46bb6b253584ea59d1941bd7f9f1905") _tweetTag= sys.argv[1] # like Azure _tweetReadSince= sys.argv[2] #date from when you want to read tweets like '2018/07/28' _PipelineRunId= sys.argv[3] #Azure Data Factory Pipeline ID 'testrun' # Azure Storage Credential _accountname=client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Storage-accountname", "0f9adaf2abb545b38757b37a0d63fc68") _accountkey=client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Storage-accountkey", "141200d435694c949a7c011bbf55d40a") _InputContainerName='tweetcontainer' # CosmosDB Credential _cdbhost = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "cosmosdbURI", "7c885660bce64bd6ae7b44f1c925486c") _cdbmasterkey = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "cosmosdbPK", "f220ab6df8d240759435953af5d01e43") #hashtag, tweetreadsince, filename includes pipeline id, auth = tweepy.OAuthHandler(_appkey.value, _appsecret.value) auth.set_access_token(_appaccesstoken.value, _appaccesstokensecret.value) tweetapi = tweepy.API(auth,wait_on_rate_limit=True) #local_path=os.path.expanduser("~/Documents") local_file_name ="Tweets_" + _tweetTag + _PipelineRunId + ".csv" full_path_to_file =os.path.join(os.getcwd(), local_file_name) outFile = open(local_file_name,'a') fieldnames = ['Tweet_Time', 'Tweet_Desc'] filewriter = csv.writer(outFile) filewriter.writerow(fieldnames) for tweet in tweepy.Cursor(tweetapi.search,q=_tweetTag,lang="en", since=_tweetReadSince).items(15): try: if tweet.text.encode('utf-8') != '' : filewriter.writerow([tweet.created_at,tweet.text.encode('utf-8')]) insertintoCosmosDB (_cdbhost.value, _cdbmasterkey.value, tweet.created_at,tweet.text.encode('utf-8')) except errors.DocumentDBError as e: if e.status_code == 409: pass else: raise errors.HTTPFailure(e.status_code) print("Error while fetching and storing tweets!!!") outFile.close() break try: print full_path_to_file print local_file_name _blob_service = BlockBlobService(account_name=_accountname.value, account_key=_accountkey.value) _blob_service.create_blob_from_path(_InputContainerName, local_file_name, full_path_to_file) #print(local_file_name) except: print("Error while uploading file to Azure Blob Storage !!!")
def main(req: func.HttpRequest) -> func.HttpResponse: logging.info('Python HTTP trigger function processed a request.') credentials = MSIAuthentication(resource='https://vault.azure.net') kvclient = KeyVaultClient(credentials) key = kvclient.get_secret("https://mnanalyticssandbox-vault.vault.azure.net/", "sakey", "").value converter = Excel2Csv(BlockBlobService(account_name='xlsxupload', account_key=key)) converter.convert_and_upload() return json.dumps({"result": "Conversion Finished!"})
def fetch_google_creds_azure_kv(): credentials = MSIAuthentication() key_vault_client = KeyVaultClient(credentials) key_vault_uri = config.key_vault_uri() key_vault_secret = config.key_vault_google_creds_key() secret = key_vault_client.get_secret( key_vault_uri, # Your KeyVault URL key_vault_secret, "") return secret.value
def _retrieve_secrets(self, client: AzureKeyVaultClient, vault: str, prefix: Optional[str]) -> List[Secret]: secrets = list(client.get_secrets(vault)) secrets_ids = self._extract_keyvault_ids_from(secrets) secrets_filtered = self._filter_keyvault_ids(secrets_ids, prefix) app_secrets = [ Secret(_.databricks_secret_key, client.get_secret(vault, _.keyvault_id, "").value) for _ in secrets_filtered ] return app_secrets
def main(): arg_parser = argparse.ArgumentParser() arg_parser.add_argument( '--name', '-n', action='store', help='secret name to add') arg_parser.add_argument( '--value', '-v', action='store', help='secret value to add') arg_parser.add_argument( '--delete', '-d', action='store', help='secret name to delete') arg_parser.add_argument( '--keyvault', '-k', action='store', help='key vault name') args = arg_parser.parse_args() if args.name is None and args.delete is None: sys.exit('Error: --name (-n) or --delete (-d) argument not provided.') # Load Azure app defaults try: with open('azurermconfig.json') as config_file: config_data = json.load(config_file) except FileNotFoundError: sys.exit("Error: Expecting azurermconfig.json in current folder") tenant_id = config_data['tenantId'] app_id = config_data['appId'] app_secret = config_data['appSecret'] if args.keyvault is None: kv_name = config_data['keyvault'] else: kv_name = args.keyvault key_vault_uri = f'https://{kv_name}.vault.azure.net/' # get credentials credentials = ServicePrincipalCredentials(client_id=app_id, secret=app_secret, tenant=tenant_id) # instantiate a key vault client client = KeyVaultClient(credentials) try: if args.value is not None: # add a secret secret_bundle = client.set_secret(key_vault_uri, args.name, args.value) print('Secret added:', secret_bundle.id) elif args.delete is not None: # delete a secret client.delete_secret(key_vault_uri, args.delete) print('Secret deleted:', args.delete) else: # get a secret secret = client.get_secret(key_vault_uri, args.name, '') print(secret.value) except Exception as ex: print(ex)
class SecretHelper(): """helper class to retrieve credentials from Azure Key Valut""" def __init__(self, client_id, secret, tenant, resource): """Initialize the connection to Key Vault""" credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant, resource=resource) self.client = KeyVaultClient(credentials) def get_secret(self, vault_base_url, secret_name, secret_version=""): """get a secret from Azure Key Vault""" secret_bundle = self.client.get_secret(vault_base_url=vault_base_url, secret_name=secret_name, secret_version=secret_version) return secret_bundle def get_secret_json(self, vault_base_url, secret_name, secret_version=""): """get a secret from Azure Key Vault and return it as parsed json""" secret_bundle = self.client.get_secret(vault_base_url=vault_base_url, secret_name=secret_name, secret_version=secret_version) return json.loads(secret_bundle.value)
class KeyVaultHandler(): def __init__(self, vault_url): credentials = ServicePrincipalCredentials( client_id = service_principals["redditmends-app"]["clientID"], secret = service_principals["redditmends-app"]["secret"], tenant = service_principals["redditmends-app"]["tenantID"] ) self.client = KeyVaultClient(credentials) self.vault_url = vault_url def get_keyvault_secret(self, secret_id): secret_bundle = self.client.get_secret(self.vault_url, secret_id, secret_version = "") return secret_bundle.value
def getSecret(vaultUri: str, name: str) -> str: """ Gets a secret from Key Vault when using a Volume to mount /etc/kubernetes/azure.json """ def auth_callback(server, resource, scope): credentials = getServicePrincipal() token = credentials.token return token['token_type'], token['access_token'] client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) # Don't specify version (the 3rd param) so we get the latest secret_bundle = client.get_secret(vaultUri, name, "") return secret_bundle.value
def auth_user_with_device_code(self): """ authenticates to the Azure Key Vault by providing a callback to authenticate using adal """ # create a vault to validate authentication with the KeyVaultClient vault = self.create_vault() import adal # create an adal authentication context auth_context = adal.AuthenticationContext( 'https://login.microsoftonline.com/%s' % self.config.tenant_id) # using the XPlat command line client id as it is available across all tenants and subscriptions # this would be replaced by your app id xplat_client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46' # create a callback to supply the token type and access token on request def adal_callback(server, resource, scope): user_code_info = auth_context.acquire_user_code( resource, xplat_client_id) print(user_code_info['message']) token = auth_context.acquire_token_with_device_code( resource=resource, client_id=xplat_client_id, user_code_info=user_code_info) return token['tokenType'], token['accessToken'] # create a KeyVaultAuthentication instance which will callback to the supplied adal_callback auth = KeyVaultAuthentication(adal_callback) # create the KeyVaultClient using the created KeyVaultAuthentication instance client = KeyVaultClient(auth) # set and get a secret from the vault to validate the client is authenticated print('creating secret...') secret_bundle = client.set_secret( vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault') print(secret_bundle) print('getting secret...') secret_bundle = client.get_secret( vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none) print(secret_bundle)
class AzureRMKeyVaultSecret(AzureRMModuleBase): ''' Module that creates or deletes secrets in Azure KeyVault ''' def __init__(self): self.module_arg_spec = dict( secret_name=dict(type='str', required=True), secret_value=dict(type='str', aliases=['secret'], no_log=True), keyvault_uri=dict(type='str', required=True), state=dict(type='str', default='present', choices=['present', 'absent']) ) required_if = [ ('state', 'present', ['secret_value']) ] self.results = dict( changed=False, state=dict() ) self.secret_name = None self.secret_value = None self.keyvault_uri = None self.state = None self.data_creds = None self.client = None self.tags = None super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec, supports_check_mode=True, required_if=required_if, supports_tags=True) def exec_module(self, **kwargs): for key in list(self.module_arg_spec.keys()) + ['tags']: setattr(self, key, kwargs[key]) # Create KeyVault Client using KeyVault auth class and auth_callback self.client = KeyVaultClient(self.azure_credentials) results = dict() changed = False try: results['secret_id'] = self.get_secret(self.secret_name) # Secret exists and will be deleted if self.state == 'absent': changed = True except KeyVaultErrorException: # Secret doesn't exist if self.state == 'present': changed = True self.results['changed'] = changed self.results['state'] = results if not self.check_mode: # Create secret if self.state == 'present' and changed: results['secret_id'] = self.create_secret(self.secret_name, self.secret_value, self.tags) self.results['state'] = results self.results['state']['status'] = 'Created' # Delete secret elif self.state == 'absent' and changed: results['secret_id'] = self.delete_secret(self.secret_name) self.results['state'] = results self.results['state']['status'] = 'Deleted' else: if self.state == 'present' and changed: self.results['state']['status'] = 'Created' elif self.state == 'absent' and changed: self.results['state']['status'] = 'Deleted' return self.results def get_secret(self, name, version=''): ''' Gets an existing secret ''' secret_bundle = self.client.get_secret(self.keyvault_uri, name, version) if secret_bundle: secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def create_secret(self, name, secret, tags): ''' Creates a secret ''' secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags) secret_id = KeyVaultId.parse_secret_id(secret_bundle.id) return secret_id.id def delete_secret(self, name): ''' Deletes a secret ''' deleted_secret = self.client.delete_secret(self.keyvault_uri, name) secret_id = KeyVaultId.parse_secret_id(deleted_secret.id) return secret_id.id