def azurekeyvault():
credentials = ServicePrincipalCredentials(client_id=options.clientid, secret=options.clientsecret, tenant=options.tenantid)
client = KeyVaultClient(credentials)
vault_url = options.vaulturl
sourcesecret = options.secretnameforsourceconnectionstring
sinksecret = options.secretnameforsinkconnectionstring
source_bundle = client.get_secret(vault_url, sourcesecret, "")
sink_bundle = client.get_secret(vault_url, sinksecret, "")
sourceconnectionstring = source_bundle.value
sinkconnectionstring = sink_bundle.value
return sourceconnectionstring, sinkconnectionstring
def init():
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
SPLUNK_HOST = client.get_secret(VAULT_URL, 'splunk-host',secret_version=KeyVaultId.version_none).value
SPLUNK_TOKEN = client.get_secret(VAULT_URL, 'splunk-token',secret_version=KeyVaultId.version_none).value
EH_CONNECTION_STR = client.get_secret(VAULT_URL, 'eh-conn-str',secret_version=KeyVaultId.version_none).value
splunk = SplunkHandler(
host= SPLUNK_HOST,
port='8088',
token= SPLUNK_TOKEN,
index='main',
verify=False
)
init.ehclient = EventHubClient.from_connection_string(EH_CONNECTION_STR, receive_timeout=RECEIVE_TIMEOUT, retry_total=RETRY_TOTAL)
logging.getLogger('').addHandler(splunk)
def _get_database_uri():
if _is_app_service():
logger.info("Getting Production DB credentials from Keyvault")
credentials = MSIAuthentication()
key_vault_client = KeyVaultClient(credentials)
key_vault_uri = os.environ.get("KEY_VAULT_URI",
"PUT YOUR KV BASE URL HERE")
logger.info("Using KEY_VAULT_URI: {}".format(key_vault_uri))
result = key_vault_client.get_secret(
vault_base_url=key_vault_uri,
secret_name="database-url",
secret_version="" # empty string -> latest version
).value
logger.info("Secret info: {} {}".format(type(result),
len(result))) # XXX TEMP DEBUG
return result
else:
# TODO: this is just to allow the create_db script to be run locally on initial setup
# Really, the KV code above should be updated to work with other non-MSI credentials
if "DATABASE_URL" in os.environ:
logger.info("Using DATABASE_URL credentials")
return os.environ['DATABASE_URL']
else:
logger.info("Using local Testing Database")
return TestingConfig.SQLALCHEMY_DATABASE_URI
class KeyVault:
client = None
def login(self, credentials=None):
if credentials is None:
credentials = ServicePrincipalCredentials(
client_id='***********************', #appId
secret='***********************', #password
tenant='***********************')
self.client = KeyVaultClient(credentials)
def getSecret(self, secret_info=None):
vault_url = None
secret_id = None
secret_version = None
if secret_info is None:
vault_url = 'https://*****.vault.azure.net/'
secret_id = '**********'
secret_version = '*************'
else:
vault_url = secret_info.vault_uri
secret_id = secret_info.secret_id
secret_version = secret_info.secret_version
secret_bundle = self.client.get_secret(vault_url, secret_id,
secret_version)
secret = secret_bundle.value
return secret
def main(req: func.HttpRequest) -> func.HttpResponse:
req_body = req.get_json()
source_container = req_body.get("source_container")
source_blob_name = req_body.get("source_blob")
dest_folder = req_body.get("dest_folder")
dest_container = req_body.get("dest_container")
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
key = kvclient.get_secret("https://zhenzh-databricks-kv.vault.azure.net/",
"zhenzh-python-func-account-key", "").value
converter = Excel2Csv(
BlockBlobService(account_name='zhenzhadfblobsource', account_key=key))
if source_blob_name is None:
converter.convert_and_upload(source_container, dest_container, "raw",
"curated")
else:
converter.convert_and_upload_blob("apachelog-analysis",
"apachelog-analysis",
source_blob_name, dest_folder)
return json.dumps({"result": "Conversion Finished!"})
def get_secret_from_keyvault(resource_packet: str) -> str:
"""
Passes the information necessary to access the secret value as URI:ID:Version
Args:
resource_packet: Informnation packet with contents used for retrieving secret for KeyVault.
Returns: extracted secret value for the specified version of the secret
"""
# This method will raise an exception on failure. It has not been hardened in any way.
logger.info('INFO: Attempting to retrieve secret from KeyVault')
# Create MSI Authentication
credentials = MSIAuthentication()
# Obtain hooks into the KeyVault - establish a client
client = KeyVaultClient(credentials)
resource_uri, secret_id, secret_version = resource_packet.split("|")
# Retrieve the secret
secret_bundle = client.get_secret(resource_uri, secret_id, secret_version)
logger.info('INFO: Secret successfully retrieved from KeyVault')
# The secret is stored in a value field. Retrieve this and return to the caller
return secret_bundle.value
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
# set variables (todo: make environment variables of this)
server = "<<your logical sql sever name>>.database.windows.net"
database = "<<your sqldb name>>"
username = "******"
secretname = "<<your secretname in you key vault>>"
keyvaultname = "https://<<your key vault name>>.vault.azure.net/"
# get secrets from key vault
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
password = kvclient.get_secret(keyvaultname, secretname, "").value
# Make connection to database
connectionstring = 'DRIVER={ODBC Driver 17 for SQL Server};SERVER=' + server + ';DATABASE=' + database + ';UID=' + username + ';PWD=' + password
logging.info(connectionstring)
cnxn = pyodbc.connect(connectionstring)
cursor = cnxn.cursor()
# fire query
cursor.execute("SELECT @@version;")
row = cursor.fetchone()
logging.info((row[0]))
return func.HttpResponse(str(row[0]))
def secret(
self,
secretID=ID_ERR_MISSING_SID,
*args
): # secretID='__noSecret__' to catch if no secretID is provided
rc = {
'status': ID_STATUS_MISSING_SECRET,
'secretID': secretID
} # assume an error
if (
len(args) == 0 and not secretID == ID_ERR_MISSING_SID
): # if properly formatted args will be empty and secretID will be something other than ID_SEC_MISSING_SID
vaultClient = KeyVaultClient(
sbdVaultCreds
) # reauthenticate each time so if anything changed we will fail (is this a good idea?)
try:
sBundle = vaultClient.get_secret(
sbdVaultURL, secretID, ''
) # regarding the ''. . .should really use vC.get_secret_versions() but I fiddled with that all day and it seems broken (thanks Zach for the simple workaround!)
secretVal = sBundle.value
rc = {
'status': ID_STATUS_OK,
'secretID': secretID,
'secret': secretVal
}
except: # any exception just return error
rc = {
'status': ID_STATUS_SECRET_NOT_FOUND,
'secretID': secretID
}
return rc
def get_secret_value(secret):
managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID")
key_vault_url = os.environ.get("KEY_VAULT_URL")
credentials = MSIAuthentication(client_id = managed_identity_client_id)
key_vault_client = KeyVaultClient(credentials)
secret_value = key_vault_client.get_secret(key_vault_url,secret,"")
return secret_value.value
def main():
client_id = os.getenv('AZURE_CLIENT_ID')
service_principal_secret = os.getenv('AZURE_SECRET')
tenant = os.getenv('AZURE_TENANT')
secret_id = os.getenv('AZURE_SECRET_ID')
secret_version = os.getenv('AZURE_SECRET_VERSION')
vault_url = os.getenv('AZURE_VAULT_URL')
# Get Service Principal Credentials
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=service_principal_secret,
tenant=tenant)
# Auth with Service Principal
client = KeyVaultClient(credentials)
# Get Azure Secret from Azure Vault
# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
# SECRET_VERSION is required, and can be obtained with the KeyVaultClient.get_secret_versions(self, vault_url, secret_id) API
secret_bundle = client.get_secret(vault_url, secret_id, secret_version)
secret = secret_bundle.value
file_path = '/codefresh/volume/env_vars_to_export'
with open(file_path, 'a') as file:
file.write("{}={}\n".format(secret_id, secret))
def main():
# Load Azure app defaults
try:
with open('azurermconfig.json') as config_file:
config_data = json.load(config_file)
except FileNotFoundError:
sys.exit("Error: Expecting azurermconfig.json in current folder")
tenant_id = config_data['tenantId']
app_id = config_data['appId']
app_secret = config_data['appSecret']
kv_name = config_data['keyvault']
key_vault_uri = f'https://{kv_name}.vault.azure.net/'
# get credentials
credentials = ServicePrincipalCredentials(client_id=app_id,
secret=app_secret,
tenant=tenant_id)
#token = credentials.token
#print('Token is: ' + token['access_token'])
# get a key vault client
client = KeyVaultClient(credentials)
# list the secrets
secrets = client.get_secrets(key_vault_uri)
print('Listing secrets')
for secret_item in secrets:
secret_name = secret_item.id.split('/secrets/', 1)[1]
secret_bundle = client.get_secret(key_vault_uri, secret_name, '')
print(f'{secret_name}: {secret_bundle.value}')
class KeyVaultWrapper(object):
def __init__(self):
credentials = MSIAuthentication(resource='https://vault.azure.net')
self.kvclient = KeyVaultClient(credentials)
def get_secret(self, vault_uri, secret_name, secret_version):
return self.kvclient.get_secret(vault_uri, secret_name,
secret_version).value
def get_secret_to_file(self, vault_uri, secret_name, secret_version,
filename):
with open(filename, 'wt+') as file:
file.write(self.get_secret(vault_uri, secret_name, secret_version))
def get_certificate_and_key(self, vault_uri, cert_name, cert_version):
secret = self.get_secret(vault_uri, cert_name, cert_version)
p12 = crypto.load_pkcs12(base64.b64decode(secret), "")
return [p12.get_certificate(), p12.get_privatekey()]
def get_certificate_and_key_to_file(self, vault_uri, cert_name,
cert_version, key_filename,
cert_filename):
[cert, key] = self.get_certificate_and_key(vault_uri, cert_name,
cert_version)
with open(cert_filename, 'wb+') as pem_file:
pem_file.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
with open(key_filename, 'wb+') as key_file:
key_file.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, key))
def auth_using_adal_callback(self):
"""
authenticates to the Azure Key Vault by providing a callback to authenticate using adal
"""
# create a vault to validate authentication with the KeyVaultClient
vault = self.create_vault()
import adal
# create an adal authentication context
auth_context = adal.AuthenticationContext('https://login.microsoftonline.com/%s' % self.config.tenant_id)
# create a callback to supply the token type and access token on request
def adal_callback(server, resource, scope):
token = auth_context.acquire_token_with_client_credentials(resource=resource,
client_id=self.config.client_id,
client_secret=self.config.client_secret)
return token['tokenType'], token['accessToken']
# create a KeyVaultAuthentication instance which will callback to the supplied adal_callback
auth = KeyVaultAuthentication(adal_callback)
# create the KeyVaultClient using the created KeyVaultAuthentication instance
client = KeyVaultClient(auth)
# set and get a secret from the vault to validate the client is authenticated
print('creating secret...')
print(client.set_secret(vault.properties.vault_uri, 'auth-sample-secret', 'client is authenticated to the vault'))
print('getting secret...')
print(client.get_secret(vault.properties.vault_uri, 'auth-sample-secret', secret_version=KeyVaultId.version_none))
def get_storage_account_key(accountname, client_id, secret_key, tenant_id,
keyvault_account):
"""
Uses the azure management package and the active directory
credentials to fetch the authentication key for a storage
account from azure key vault. The key must be stored in azure
keyvault for this to work.
:param str accountname: storage account name
"""
def auth_callback(server, resource, scope):
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=secret_key,
tenant=tenant_id,
resource="https://vault.azure.net")
token = credentials.token
return token['token_type'], token['access_token']
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
keyvault = "https://{}.vault.azure.net/".format(keyvault_account)
# passing in empty string for version returns latest key
try:
secret_bundle = client.get_secret(keyvault, accountname, "")
except KeyVaultErrorException:
err_str = "The pipeline is not setup to use the {} account. ".format(
accountname)
err_str += "please add the storage key for the account to {} ".format(
keyvault_account)
err_str += "as a secret. All input/output paths should start with accountname"
raise UnconfiguredStorageAccountError(err_str)
account_key = secret_bundle.value
return account_key
def main(argv):
if len(sys.argv) < 3:
raise ValueError(
'Expecting vault_url, client_id, clientSecretKey,tenant_id')
vault_url = sys.argv[1]
client_id = sys.argv[2]
secretKey = sys.argv[3]
tenant_id = sys.argv[4]
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=secretKey,
tenant=tenant_id,
resource=resource_uri)
client = KeyVaultClient(KeyVaultAuthentication(None, credentials))
token = credentials.token
token_type = token['token_type']
access_token = token['access_token']
secrets = client.get_secrets(vault_url)
secretsData = {}
for secret in secrets:
secretName = secret.id.rsplit('/', 1)[-1]
secretItem = client.get_secret(vault_url, secretName, '')
secretVersion = secretItem.id.rsplit('/', 1)[-1]
secretsData[secretName] = secretVersion
json_data = json.dumps(secretsData)
print(json_data)
def auth_using_service_principle_credentials(self):
"""
authenticates to the Azure Key Vault service using AAD service principle credentials
"""
# create a vault to validate authentication with the KeyVaultClient
vault = self.create_vault()
# create the service principle credentials used to authenticate the client
credentials = ServicePrincipalCredentials(
client_id=self.config.client_id,
secret=self.config.client_secret,
tenant=self.config.tenant_id)
# create the client using the created credentials
client = KeyVaultClient(credentials)
# set and get a secret from the vault to validate the client is authenticated
print('creating secret...')
secret_bundle = client.set_secret(
vault.properties.vault_uri, 'auth-sample-secret',
'client is authenticated to the vault')
print(secret_bundle)
print('getting secret...')
secret_bundle = client.get_secret(
vault.properties.vault_uri,
'auth-sample-secret',
secret_version=KeyVaultId.version_none)
print(secret_bundle)
def get_secret_values(self, secret_names):
"""Reads a list of secrets from Key Vault. Returns a dictionary.
Disabled secrets return an empty string for their value.
Inactive secrets (outside their activation date range, if defined)
return their actual value. We're not currently supporting activation
and deactivation dates.
"""
credentials = ServicePrincipalCredentials(
client_id=self._config["client_id"],
secret=self._config["app_secret"],
tenant=self._config["tenant_id"],
)
client = KeyVaultClient(credentials)
secret_values = {}
for secret_name in secret_names:
try:
secret_bundle = client.get_secret(
self._config["key_vault_uri"], secret_name, ""
)
secret_values[secret_name] = secret_bundle.value
except KeyVaultErrorException:
secret_values[secret_name] = ""
return secret_values
def handleHello():
try:
# get credentials
sys.stdout.write(keyVaultURL + "\n")
credentials = MSIAuthentication(resource="https://vault.azure.net")
# create a KeyVault client
sys.stdout.write("before kv client\n")
key_vault_client = KeyVaultClient(credentials)
# get the secret
sys.stdout.write("before secret\n")
secret = key_vault_client.get_secret(
keyVaultURL, # Your KeyVault URL
"hellomessage", # Name of your secret. If you followed the README 'secret' should exists
"" # The version of the secret. Empty string for latest
)
sys.stdout.write("after secret\n")
message = secret.value
res = jsonify({"Message:": message})
except Exception as e:
template = "An exception of type {0} occurred. Arguments:\n{1!r}"
message = template.format(type(e).__name__, e.args)
res = jsonify({"Message:": message})
res.status_code = 500
sys.stdout.flush()
return res
def kv_get_secret(secret_id):
client = KeyVaultClient(get_kv_credentials())
value_id = client.get_secret(KEY_VAULT, secret_id, "")
if (value_id is None):
return ("")
else:
print('Geting Secret %s with value %s' % (secret_id, value_id.value))
return (value_id.value)
def test_vault():
credentials = get_key_vault_credentials()
kv_client = KeyVaultClient(credentials)
key_vault_uri = KEY_VAULT_URI
secret = kv_client.get_secret(key_vault_uri, "test", "")
return "secret value = {}".format(secret.value)
def get_app_secret(vault_url, secret_name, secret_version=''):
""" Return (client_id, client_secret).
"""
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
resp = client.get_secret(vault_url, secret_name, secret_version)
secret = json.loads(resp.value)
return secret['client_id'], secret['client_secret']
def main():
# Twitter application key
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
_appkey = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appkey", "19bd289d86f449cbb98fd6a51cc63156")
_appsecret= client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appsecret", "510ceec80ef14af28dd961382be78e66")
_appaccesstoken = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appaccesstoken", "e24ad1dfef6b4392bd6277e9ac51e4b8")
_appaccesstokensecret = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Twitter-appaccesstokensecret", "e46bb6b253584ea59d1941bd7f9f1905")
_tweetTag= sys.argv[1] # like Azure
_tweetReadSince= sys.argv[2] #date from when you want to read tweets like '2018/07/28'
_PipelineRunId= sys.argv[3] #Azure Data Factory Pipeline ID 'testrun'
# Azure Storage Credential
_accountname=client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Storage-accountname", "0f9adaf2abb545b38757b37a0d63fc68")
_accountkey=client.get_secret("https://adfbookkeyvault.vault.azure.net/", "Storage-accountkey", "141200d435694c949a7c011bbf55d40a")
_InputContainerName='tweetcontainer'
# CosmosDB Credential
_cdbhost = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "cosmosdbURI", "7c885660bce64bd6ae7b44f1c925486c")
_cdbmasterkey = client.get_secret("https://adfbookkeyvault.vault.azure.net/", "cosmosdbPK", "f220ab6df8d240759435953af5d01e43")
#hashtag, tweetreadsince, filename includes pipeline id,
auth = tweepy.OAuthHandler(_appkey.value, _appsecret.value)
auth.set_access_token(_appaccesstoken.value, _appaccesstokensecret.value)
tweetapi = tweepy.API(auth,wait_on_rate_limit=True)
#local_path=os.path.expanduser("~/Documents")
local_file_name ="Tweets_" + _tweetTag + _PipelineRunId + ".csv"
full_path_to_file =os.path.join(os.getcwd(), local_file_name)
outFile = open(local_file_name,'a')
fieldnames = ['Tweet_Time', 'Tweet_Desc']
filewriter = csv.writer(outFile)
filewriter.writerow(fieldnames)
for tweet in tweepy.Cursor(tweetapi.search,q=_tweetTag,lang="en", since=_tweetReadSince).items(15):
try:
if tweet.text.encode('utf-8') != '' :
filewriter.writerow([tweet.created_at,tweet.text.encode('utf-8')])
insertintoCosmosDB (_cdbhost.value, _cdbmasterkey.value, tweet.created_at,tweet.text.encode('utf-8'))
except errors.DocumentDBError as e:
if e.status_code == 409:
pass
else:
raise errors.HTTPFailure(e.status_code)
print("Error while fetching and storing tweets!!!")
outFile.close()
break
try:
print full_path_to_file
print local_file_name
_blob_service = BlockBlobService(account_name=_accountname.value, account_key=_accountkey.value)
_blob_service.create_blob_from_path(_InputContainerName, local_file_name, full_path_to_file)
#print(local_file_name)
except:
print("Error while uploading file to Azure Blob Storage !!!")
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
key = kvclient.get_secret("https://mnanalyticssandbox-vault.vault.azure.net/", "sakey", "").value
converter = Excel2Csv(BlockBlobService(account_name='xlsxupload', account_key=key))
converter.convert_and_upload()
return json.dumps({"result": "Conversion Finished!"})
def fetch_google_creds_azure_kv():
credentials = MSIAuthentication()
key_vault_client = KeyVaultClient(credentials)
key_vault_uri = config.key_vault_uri()
key_vault_secret = config.key_vault_google_creds_key()
secret = key_vault_client.get_secret(
key_vault_uri, # Your KeyVault URL
key_vault_secret,
"")
return secret.value
def _retrieve_secrets(self, client: AzureKeyVaultClient, vault: str,
prefix: Optional[str]) -> List[Secret]:
secrets = list(client.get_secrets(vault))
secrets_ids = self._extract_keyvault_ids_from(secrets)
secrets_filtered = self._filter_keyvault_ids(secrets_ids, prefix)
app_secrets = [
Secret(_.databricks_secret_key,
client.get_secret(vault, _.keyvault_id, "").value)
for _ in secrets_filtered
]
return app_secrets
def main():
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument(
'--name', '-n', action='store', help='secret name to add')
arg_parser.add_argument(
'--value', '-v', action='store', help='secret value to add')
arg_parser.add_argument(
'--delete', '-d', action='store', help='secret name to delete')
arg_parser.add_argument(
'--keyvault', '-k', action='store', help='key vault name')
args = arg_parser.parse_args()
if args.name is None and args.delete is None:
sys.exit('Error: --name (-n) or --delete (-d) argument not provided.')
# Load Azure app defaults
try:
with open('azurermconfig.json') as config_file:
config_data = json.load(config_file)
except FileNotFoundError:
sys.exit("Error: Expecting azurermconfig.json in current folder")
tenant_id = config_data['tenantId']
app_id = config_data['appId']
app_secret = config_data['appSecret']
if args.keyvault is None:
kv_name = config_data['keyvault']
else:
kv_name = args.keyvault
key_vault_uri = f'https://{kv_name}.vault.azure.net/'
# get credentials
credentials = ServicePrincipalCredentials(client_id=app_id,
secret=app_secret,
tenant=tenant_id)
# instantiate a key vault client
client = KeyVaultClient(credentials)
try:
if args.value is not None: # add a secret
secret_bundle = client.set_secret(key_vault_uri, args.name, args.value)
print('Secret added:', secret_bundle.id)
elif args.delete is not None: # delete a secret
client.delete_secret(key_vault_uri, args.delete)
print('Secret deleted:', args.delete)
else: # get a secret
secret = client.get_secret(key_vault_uri, args.name, '')
print(secret.value)
except Exception as ex:
print(ex)
class SecretHelper():
"""helper class to retrieve credentials from Azure Key Valut"""
def __init__(self, client_id, secret, tenant, resource):
"""Initialize the connection to Key Vault"""
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=secret,
tenant=tenant,
resource=resource)
self.client = KeyVaultClient(credentials)
def get_secret(self, vault_base_url, secret_name, secret_version=""):
"""get a secret from Azure Key Vault"""
secret_bundle = self.client.get_secret(vault_base_url=vault_base_url,
secret_name=secret_name,
secret_version=secret_version)
return secret_bundle
def get_secret_json(self, vault_base_url, secret_name, secret_version=""):
"""get a secret from Azure Key Vault and return it as parsed json"""
secret_bundle = self.client.get_secret(vault_base_url=vault_base_url,
secret_name=secret_name,
secret_version=secret_version)
return json.loads(secret_bundle.value)
class KeyVaultHandler(): def __init__(self, vault_url): credentials = ServicePrincipalCredentials( client_id = service_principals["redditmends-app"]["clientID"], secret = service_principals["redditmends-app"]["secret"], tenant = service_principals["redditmends-app"]["tenantID"] ) self.client = KeyVaultClient(credentials) self.vault_url = vault_url def get_keyvault_secret(self, secret_id): secret_bundle = self.client.get_secret(self.vault_url, secret_id, secret_version = "") return secret_bundle.value
def getSecret(vaultUri: str, name: str) -> str:
"""
Gets a secret from Key Vault when using a Volume to mount /etc/kubernetes/azure.json
"""
def auth_callback(server, resource, scope):
credentials = getServicePrincipal()
token = credentials.token
return token['token_type'], token['access_token']
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
# Don't specify version (the 3rd param) so we get the latest
secret_bundle = client.get_secret(vaultUri, name, "")
return secret_bundle.value
def auth_user_with_device_code(self):
"""
authenticates to the Azure Key Vault by providing a callback to authenticate using adal
"""
# create a vault to validate authentication with the KeyVaultClient
vault = self.create_vault()
import adal
# create an adal authentication context
auth_context = adal.AuthenticationContext(
'https://login.microsoftonline.com/%s' % self.config.tenant_id)
# using the XPlat command line client id as it is available across all tenants and subscriptions
# this would be replaced by your app id
xplat_client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
# create a callback to supply the token type and access token on request
def adal_callback(server, resource, scope):
user_code_info = auth_context.acquire_user_code(
resource, xplat_client_id)
print(user_code_info['message'])
token = auth_context.acquire_token_with_device_code(
resource=resource,
client_id=xplat_client_id,
user_code_info=user_code_info)
return token['tokenType'], token['accessToken']
# create a KeyVaultAuthentication instance which will callback to the supplied adal_callback
auth = KeyVaultAuthentication(adal_callback)
# create the KeyVaultClient using the created KeyVaultAuthentication instance
client = KeyVaultClient(auth)
# set and get a secret from the vault to validate the client is authenticated
print('creating secret...')
secret_bundle = client.set_secret(
vault.properties.vault_uri, 'auth-sample-secret',
'client is authenticated to the vault')
print(secret_bundle)
print('getting secret...')
secret_bundle = client.get_secret(
vault.properties.vault_uri,
'auth-sample-secret',
secret_version=KeyVaultId.version_none)
print(secret_bundle)
class AzureRMKeyVaultSecret(AzureRMModuleBase):
''' Module that creates or deletes secrets in Azure KeyVault '''
def __init__(self):
self.module_arg_spec = dict(
secret_name=dict(type='str', required=True),
secret_value=dict(type='str', aliases=['secret'], no_log=True),
keyvault_uri=dict(type='str', required=True),
state=dict(type='str', default='present', choices=['present', 'absent'])
)
required_if = [
('state', 'present', ['secret_value'])
]
self.results = dict(
changed=False,
state=dict()
)
self.secret_name = None
self.secret_value = None
self.keyvault_uri = None
self.state = None
self.data_creds = None
self.client = None
self.tags = None
super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec,
supports_check_mode=True,
required_if=required_if,
supports_tags=True)
def exec_module(self, **kwargs):
for key in list(self.module_arg_spec.keys()) + ['tags']:
setattr(self, key, kwargs[key])
# Create KeyVault Client using KeyVault auth class and auth_callback
self.client = KeyVaultClient(self.azure_credentials)
results = dict()
changed = False
try:
results['secret_id'] = self.get_secret(self.secret_name)
# Secret exists and will be deleted
if self.state == 'absent':
changed = True
except KeyVaultErrorException:
# Secret doesn't exist
if self.state == 'present':
changed = True
self.results['changed'] = changed
self.results['state'] = results
if not self.check_mode:
# Create secret
if self.state == 'present' and changed:
results['secret_id'] = self.create_secret(self.secret_name, self.secret_value, self.tags)
self.results['state'] = results
self.results['state']['status'] = 'Created'
# Delete secret
elif self.state == 'absent' and changed:
results['secret_id'] = self.delete_secret(self.secret_name)
self.results['state'] = results
self.results['state']['status'] = 'Deleted'
else:
if self.state == 'present' and changed:
self.results['state']['status'] = 'Created'
elif self.state == 'absent' and changed:
self.results['state']['status'] = 'Deleted'
return self.results
def get_secret(self, name, version=''):
''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)
if secret_bundle:
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def create_secret(self, name, secret, tags):
''' Creates a secret '''
secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags)
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def delete_secret(self, name):
''' Deletes a secret '''
deleted_secret = self.client.delete_secret(self.keyvault_uri, name)
secret_id = KeyVaultId.parse_secret_id(deleted_secret.id)
return secret_id.id
