def _add_vault(self): name = input('\nenter vault name:') all_perms = Permissions() all_perms.keys = [KeyPermissions.all] all_perms.secrets = [SecretPermissions.all] all_perms.certificates = [CertificatePermissions.all] user_policy = AccessPolicyEntry(self._config.tenant_id, self._config.user_oid, all_perms) app_policy = AccessPolicyEntry(CLIENT_TENANT_ID, CLIENT_OID, all_perms) access_policies = [user_policy, app_policy] properties = VaultProperties(self._config.tenant_id, Sku(name='standard'), access_policies) properties.enabled_for_deployment = True properties.enabled_for_disk_encryption = True properties.enabled_for_template_deployment = True vault = VaultCreateOrUpdateParameters(self._config.location, properties) self._mgmt_client.vaults.create_or_update(self._config.resource_group, name, vault) print('vault %s created\n' % name)
def update_key_vault_access_policy( self, keyvault_client, resource_group_name, key_vault_name, tenant_id, app_object_id, stg_object_id, ): """Updates Key Vault Access Policy :param keyvault_client: Instance of the Azure KeyVaultManagementClient. :param resource_group_name: The name of the resource group. :param key_vault_name: Name of the Key Vault. :param region: The location in which the Key Vault exists. :param tenant_id: Azure tenant Id :param app_object_id: Object Id of the application :param stg_principal_id: Principal Id of the Storage Account :type keyvault_client: object :type resource_group_name: str :type key_vault_name: str :type region: str :type tenant_id: str :type app_object_id: str :type stg_principal_id: str :returns: None :rtype: None """ access_policy_storage = AccessPolicyEntry( tenant_id=tenant_id, object_id=stg_object_id, permissions=Permissions( keys=[ KeyPermissions.GET, KeyPermissions.UNWRAP_KEY, KeyPermissions.WRAP_KEY, ], ), ) access_policy_app = AccessPolicyEntry( tenant_id=tenant_id, object_id=app_object_id, permissions=Permissions(keys=[KeyPermissions.GET, KeyPermissions.CREATE]), ) access_policy = [access_policy_app, access_policy_storage] logging.info("Updating Key Vault Access Policy") logging.info("executing keyvault_client.vaults.update_access_policy") logging.info(f" resource_group_name={resource_group_name}") logging.info(f" vault_name={key_vault_name}") keyvault_client.vaults.update_access_policy( resource_group_name=resource_group_name, vault_name=key_vault_name, operation_kind=AccessPolicyUpdateKind.ADD, parameters=VaultAccessPolicyParameters( properties=VaultAccessPolicyProperties(access_policies=access_policy), ), )
def create(self): secret_permissions = ['all'] permissions = Permissions(secrets=secret_permissions) access_policy = AccessPolicyEntry( tenant_id=self.config.tenant_id, object_id=self.config.client_object_id, permissions=permissions) sku = Sku(name="standard") properties = VaultProperties(tenant_id=self.config.tenant_id, sku=sku, access_policies=[access_policy]) vault_paramerters = VaultCreateOrUpdateParameters( location="eastus", properties=properties) client = self._get_kv_client() result = client.vaults.create_or_update( resource_group_name=self.config.resource_group_name, vault_name=self.config.key_vault_name, parameters=vault_paramerters) _poll_for_complete(result)
def create_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ vault_name = KeyVaultSampleBase.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_namne, vault_name, parameters) return vault
def set_policy(client, resource_group_name, vault_name, object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None, certificate_permissions=None): """ Update security policy settings for a Key Vault. """ from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters object_id = _object_id_args_helper(object_id, spn, upn) vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name) # Find the existing policy to set policy = next((p for p in vault.properties.access_policies if object_id.lower() == p.object_id.lower() and vault.properties.tenant_id.lower() == p.tenant_id.lower()), None) if not policy: # Add new policy as none found vault.properties.access_policies.append(AccessPolicyEntry( tenant_id=vault.properties.tenant_id, object_id=object_id, permissions=Permissions(keys=key_permissions, secrets=secret_permissions, certificates=certificate_permissions))) else: # Modify existing policy. # If key_permissions is not set, use prev. value (similarly with secret_permissions). keys = policy.permissions.keys if key_permissions is None else key_permissions secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions certs = policy.permissions.certificates \ if certificate_permissions is None else certificate_permissions policy.permissions = Permissions(keys=keys, secrets=secrets, certificates=certs) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=VaultCreateOrUpdateParameters( location=vault.location, tags=vault.tags, properties=vault.properties))
def create_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions() permissions.keys = KEY_PERMISSIONS_ALL permissions.secrets = SECRET_PERMISSIONS_ALL permissions.certificates = CERTIFICATE_PERMISSIONS_ALL policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = self.keyvault_mgmt_client.vaults.create_or_update(self.config.group_name, vault_name, parameters) # wait for vault DNS entry to be created # see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172 self._poll_for_vault_connection(vault.properties.vault_uri) print('created vault {} {}'.format(vault_name, vault.properties.vault_uri)) return vault
def create_keyvault(client, resource_group_name, vault_name, location=None, sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters from azure.cli.core._profile import Profile, CLOUD from azure.graphrbac.models import GraphErrorException profile = Profile() cred, _, tenant_id = profile.get_login_credentials( resource=CLOUD.endpoints.active_directory_graph_resource_id) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=CLOUD.endpoints.active_directory_graph_resource_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions(keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore ], secrets=[SecretPermissions.all], certificates=[CertificatePermissions.all]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError( 'Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_resource(self, name, **kwargs): if self.is_live: # create a vault with the management client group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.test_class_instance.settings.CLIENT_OID, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self.enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.management_client = self.create_mgmt_client(KeyVaultManagementClient) vault = self.management_client.vaults.create_or_update(group, name, parameters).result() vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) vault_credentials = self.test_class_instance.settings.get_credentials(resource="https://vault.azure.net") client = VaultClient(vault_uri, vault_credentials) return {self.parameter_name: client}
def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( 'CLIENT_OID', CLIENT_OID) group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.client_oid, permissions=self.permissions) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None) if self.is_live: self.client = self.create_mgmt_client(KeyVaultManagementClient) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.resource = self.client.vaults.create_or_update( group, name, parameters).result() else: properties.vault_uri = 'https://{}.vault.azure.net/'.format(name) self.resource = FakeVault(name=name, location=self.location, properties=properties) return {self.parameter_name: self.resource}
def _get_params(self): """Build the vault parameters block.""" oid = _user_oid(self.auth_client.legacy.token) sec_perms_all = [perm.value for perm in SecretPermissions] key_perms_all = [perm.value for perm in KeyPermissions] cert_perms_all = [perm.value for perm in CertificatePermissions] permissions = Permissions() permissions.keys = key_perms_all permissions.secrets = sec_perms_all permissions.certificates = cert_perms_all policy = AccessPolicyEntry(tenant_id=self.tenant_id, object_id=oid, permissions=permissions) properties = VaultProperties( tenant_id=self.tenant_id, sku=Sku(name="standard", family="A"), access_policies=[policy], ) parameters = VaultCreateOrUpdateParameters(location=self.azure_region, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True return parameters
def create_vault(self): self.keyvault_mgmt_client.vaults.create_or_update() vault_name = KeyVaultSample.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_namne, vault_name, parameters) return vault
def create_keyvault( client, resource_group_name, vault_name, location, #pylint:disable=too-many-arguments sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=False, tags=None): from azure.cli.core._profile import Profile profile = Profile() cred, _, tenant_id = profile.get_login_credentials( resource=get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]) graph_client = GraphRbacManagementClient(cred, tenant_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions(keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore ], secrets=[SecretPermissions.all], certificates=[CertificatePermissions.all]) object_id = _get_current_user_object_id(graph_client) if not object_id: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\n' 'Unable to query active directory for information '\ 'about the current user.\n' 'You may try the --no-self-perms flag to create a vault'\ ' without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_keyvault( client, resource_group_name, vault_name, location, #pylint:disable=too-many-arguments sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=False, tags=None): from azure.cli.core._profile import Profile profile = Profile() cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True) graph_client = GraphRbacManagementClient(cred, tenant_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: # TODO Use the enums instead of strings when new keyvault SDK is released # https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/ # azure/mgmt/keyvault/models/key_vault_management_client_enums.py permissions = Permissions(keys=[ 'get', 'create', 'delete', 'list', 'update', 'import', 'backup', 'restore' ], secrets=['all']) object_id = _get_current_user_object_id(graph_client) if not object_id: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\n' 'Unable to query active directory for information '\ 'about the current user.\n' 'You may try the --no-self-perms flag to create a vault'\ ' without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( "CLIENT_OID", CLIENT_OID) if self.is_live: group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.get_settings_value( "TENANT_ID"), object_id=self.client_oid, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.get_settings_value( "TENANT_ID"), sku=Sku(name=self.sku, family=SkuFamily.A) if SkuFamily else Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.client = self.create_mgmt_client(KeyVaultManagementClient) # ARM may return not found at first even though the resource group has been created retries = 4 for i in range(retries): try: vault = self.client.vaults.begin_create_or_update( group, name, parameters).result() break except Exception as ex: if "VaultAlreadyExists" in str(ex): raise NameInUseError(name) if "ReservedResourceName" in str(ex): raise ReservedResourceNameError(name) if "ResourceGroupNotFound" not in str( ex) or i == retries - 1: raise time.sleep(3) self.test_class_instance.scrubber.register_name_pair( name, self.resource_moniker) vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) return {self.parameter_name: vault_uri}
def create_vault_with_network(self): """ Creates a key vault with network access limited by a NetworkRuleSet """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions(keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) # Network ACL definitions # The only action supported for virtual network and IP rules is "allow". # To deny an address, set the default action to 'deny' and do not explicitly allow the address. network_acls = NetworkRuleSet( # allow bypass of network ACL rules by other azure services. Valid values are azure_services or none bypass=NetworkRuleBypassOptions.azure_services, # the action to take if access attempt doesn't match any rule. Valid values are allow or deny default_action=NetworkRuleAction.deny, # IP rules (allowed IPv4 addresses / ranges) ip_rules=[IPRule(value='0.0.0.0/0') ], # Allow access from a IP address range # Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID) virtual_network_rules=[ # To specifically allow access to a vnet, uncomment the line below and replace the id with the correct # resource id for your vnet # VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1') ]) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy], network_acls=network_acls) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) self.vault = self.mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result()
def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( 'CLIENT_OID', CLIENT_OID) if self.is_live: # create a vault with the management client group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.client_oid, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.management_client = self.create_mgmt_client( KeyVaultManagementClient) # ARM may return not found at first even though the resource group has been created retries = 4 for i in range(retries): try: vault = self.management_client.vaults.create_or_update( group, name, parameters).result() except Exception as ex: if "ResourceGroupNotFound" not in str( ex) or i == retries - 1: raise time.sleep(3) vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) client = self.create_vault_client(vault_uri) return {self.parameter_name: client}
def get_sample_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ if not self.config.vault: keyvault_mgmt_client = KeyVaultManagementClient( self.mgmt_client_creds, self.config.subscription_id) if self.config.vault_name: vault = keyvault_mgmt_client.vaults.get( resource_group_name=self.config.group_name, vault_name=self.config.vault_name) else: vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions( keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = keyvault_mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result() self.config.vault = vault return self.config.vault
def create_soft_delete_enabled_vault(self): """ creates a key vault which has soft delete enabled so that the vault as well as all of its keys, certificates and secrets are recoverable """ vault_name = get_name('vault') permissions = Permissions() permissions.keys = KEY_PERMISSIONS_ALL permissions.secrets = SECRET_PERMISSIONS_ALL permissions.certificates = CERTIFICATE_PERMISSIONS_ALL policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True # this vault property controls whether recovery functionality is available on the vault itself as well as # all keys, certificates and secrets in the vault as well # NOTE: This value should only None or True, setting the value to false will cause a service validation error # once soft delete has been enabled on the vault it cannot be disabled parameters.properties.enable_soft_delete = True print('creating soft delete enabled vault: {}'.format(vault_name)) # create the vault vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters) # wait for vault DNS entry to be created # see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172 self._poll_for_vault_connection(vault.properties.vault_uri) print('vault {} created enable_soft_delete={}'.format( vault.name, vault.properties.enable_soft_delete))
def grant_access_to_sample_vault(self, vault, oid): keyvault_mgmt_client = KeyVaultManagementClient( credentials=self.mgmt_client_creds, subscription_id=self.config.subscription_id) # setup vault permissions for the access policy for the oid permissions = Permissions(keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=oid, permissions=permissions) vault.properties.access_policies.append(policy) return keyvault_mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault.name, parameters=vault).result()
def create_recoverable_vault_sample(self): """ Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys, certificates and secrets are recoverable :return: a key vault which has been created with recovery enabled :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ self.setup_sample() vault_name = KeyVaultSampleBase.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True # this vault property controls whether recovery functionality is available on the vault itself as well as # all keys, certificates and secrets in the vault as well parameters.properties.enable_soft_delete = True # create the vault vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters) print(vault) return vault
def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True, enabled_for_template_deployment=True, enable_soft_delete=None, sku=None): creds = self.settings.get_credentials() access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID, object_id=self.settings.CLIENT_OID, permissions=permissions or self.default_permissions)] properties = VaultProperties(tenant_id=self.settings.TENANT_ID, sku=Sku(sku or SkuName.premium.value), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location='westus', properties=properties) vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters) if not self.is_playback(): self.sleep(10) return vault
def set_policy( client, resource_group_name, vault_name, #pylint:disable=too-many-arguments object_id=None, spn=None, upn=None, perms_to_keys=None, perms_to_secrets=None): object_id = _object_id_args_helper(object_id, spn, upn) vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name) # Find the existing policy to set policy = next((p for p in vault.properties.access_policies \ if object_id.lower() == p.object_id.lower() and \ vault.properties.tenant_id.lower() == p.tenant_id.lower()), None) if not policy: # Add new policy as none found vault.properties.access_policies.append( AccessPolicyEntry( tenant_id=vault.properties.tenant_id, object_id=object_id, permissions=Permissions(keys=perms_to_keys, secrets=perms_to_secrets))) else: # Modify existing policy. # If perms_to_keys is not set, use prev. value (similarly with perms_to_secrets). keys = policy.permissions.keys if perms_to_keys is None else perms_to_keys secrets = policy.permissions.secrets if perms_to_secrets is None else perms_to_secrets policy.permissions = Permissions(keys=keys, secrets=secrets) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=VaultCreateOrUpdateParameters( location=vault.location, tags=vault.tags, properties=vault.properties))
def create_key_vault( self, keyvault_client, resource_group_name, key_vault_name, region, tenant_id, app_object_id, stg_principal_id, ): """Creates a Key Vault :param keyvault_client: Instance of the Azure KeyVaultManagementClient. :param resource_group_name: The name of the resource group. :param key_vault_name: Name of the Key Vault. :param region: location of the Key Vault. :param tenant_id: Azure tenant Id :param app_object_id: Object Id of the application :param stg_principal_id: Principal Id of the Storage Account :type keyvault_client: object :type resource_group_name: str :type key_vault_name: str :type region: str :type tenant_id: str :type app_object_id: str :type stg_principal_id: str :returns: Vault object :rtype: object """ access_policy_storage_account = AccessPolicyEntry( tenant_id=tenant_id, object_id=stg_principal_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.UNWRAP_KEY, KeyPermissions.WRAP_KEY, ], ), ) access_policy_app = AccessPolicyEntry( tenant_id=tenant_id, object_id=app_object_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.LIST, KeyPermissions.CREATE, KeyPermissions.UPDATE, KeyPermissions.DELETE, KeyPermissions.BACKUP, KeyPermissions.RESTORE, KeyPermissions.RECOVER, ], ), ) key_vault_properties = VaultCreateOrUpdateParameters( location=region, tags={"Created By": "CHSS"}, properties=VaultProperties( tenant_id=tenant_id, sku=Sku( family="A", name="standard", ), access_policies=[ access_policy_storage_account, access_policy_app ], soft_delete_retention_in_days=90, enabled_for_disk_encryption=False, enabled_for_deployment=False, enabled_for_template_deployment=False, enable_soft_delete=True, enable_purge_protection=True, ), ) logging.info("creating a key vault") logging.info("executing keyvault_client.vaults.begin_create_or_update") logging.info(f" resource_group_name={resource_group_name}") logging.info(f" vault_name={key_vault_name}") vault = keyvault_client.vaults.begin_create_or_update( resource_group_name=resource_group_name, vault_name=key_vault_name, parameters=key_vault_properties, ).result() return vault
def create_keyvault( cmd, client, # pylint: disable=too-many-locals resource_group_name, vault_name, location=None, sku=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import ( VaultCreateOrUpdateParameters, Permissions, KeyPermissions, SecretPermissions, CertificatePermissions, StoragePermissions, AccessPolicyEntry, Sku, VaultProperties) from azure.cli.core._profile import Profile from azure.graphrbac.models import GraphErrorException from azure.graphrbac import GraphRbacManagementClient profile = Profile(cli_ctx=cmd.cli_ctx) cred, _, tenant_id = profile.get_login_credentials( resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions( keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore, KeyPermissions.recover ], secrets=[ SecretPermissions.get, SecretPermissions.list, SecretPermissions.set, SecretPermissions.delete, SecretPermissions.backup, SecretPermissions.restore, SecretPermissions.recover ], certificates=[ CertificatePermissions.get, CertificatePermissions.list, CertificatePermissions.delete, CertificatePermissions.create, CertificatePermissions.import_enum, CertificatePermissions.update, CertificatePermissions.managecontacts, CertificatePermissions.getissuers, CertificatePermissions.listissuers, CertificatePermissions.setissuers, CertificatePermissions.deleteissuers, CertificatePermissions.manageissuers, CertificatePermissions.recover ], storage=[ StoragePermissions.get, StoragePermissions.list, StoragePermissions.delete, StoragePermissions.set, StoragePermissions.update, StoragePermissions.regeneratekey, StoragePermissions.setsas, StoragePermissions.listsas, StoragePermissions.getsas, StoragePermissions.deletesas ]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError( 'Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def test_create_kafka_cluster_with_disk_encryption(self, resource_group, location, storage_account, storage_account_key, vault): # create managed identities for Azure resources. msi_name = self.get_resource_name('hdipyuai') msi_principal_id = "00000000-0000-0000-0000-000000000000" msi_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{}/providers/microsoft.managedidentity/userassignedidentities/{}".format( resource_group.name, msi_name) if self.is_live: msi = self.msi_client.user_assigned_identities.create_or_update(resource_group.name, msi_name, location) msi_id = msi.id msi_principal_id = msi.principal_id # add managed identity to vault required_permissions = Permissions( keys=[KeyPermissions.get, KeyPermissions.wrap_key, KeyPermissions.unwrap_key], secrets=[SecretPermissions.get, SecretPermissions.set, SecretPermissions.delete]) vault.properties.access_policies.append( AccessPolicyEntry(tenant_id=self.tenant_id, object_id=msi_principal_id, permissions=required_permissions) ) update_params = VaultCreateOrUpdateParameters(location=location, properties=vault.properties) vault = self.vault_mgmt_client.vaults.begin_create_or_update(resource_group.name, vault.name, update_params).result() self.assertIsNotNone(vault) # create keyclient key_client_credential = self.settings.get_azure_core_credentials(scope="https://vault.azure.net/.default") self.vault_client = KeyClient(vault_url=vault.properties.vault_uri, credential=key_client_credential) # create key key_name = self.get_resource_name('hdipykey1') vault_key = self.vault_client.create_key(key_name, 'RSA') # create a new key for test rotate new_key_name = self.get_resource_name('hdipykey2') new_vault_key = self.vault_client.create_key(new_key_name, 'RSA') # create HDInsight cluster with Kafka disk encryption rg_name = resource_group.name cluster_name = self.get_resource_name('hdisdk-kafka-byok') create_params = self.get_cluster_create_params(location, cluster_name, storage_account, storage_account_key) create_params.properties.cluster_definition.kind = 'Kafka' workernode = next(item for item in create_params.properties.compute_profile.roles if item.name == 'workernode') workernode.data_disks_groups = [ DataDisksGroups( disks_per_node=8 ) ] create_params.identity = ClusterIdentity( type=ResourceIdentityType.user_assigned, user_assigned_identities={msi_id: ClusterIdentityUserAssignedIdentitiesValue()} ) create_params.properties.disk_encryption_properties = DiskEncryptionProperties( vault_uri=vault_key.properties.vault_url, key_name=vault_key.name, key_version=vault_key.properties.version, msi_resource_id=msi_id ) cluster = self.hdinsight_client.clusters.begin_create(resource_group.name, cluster_name, create_params).result() self.validate_cluster(cluster_name, create_params, cluster) # check disk encryption properties self.assertIsNotNone(cluster.properties.disk_encryption_properties) self.assertEqual(create_params.properties.disk_encryption_properties.vault_uri, cluster.properties.disk_encryption_properties.vault_uri) self.assertEqual(create_params.properties.disk_encryption_properties.key_name, cluster.properties.disk_encryption_properties.key_name) self.assertEqual(create_params.properties.disk_encryption_properties.msi_resource_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower()) rotate_params = ClusterDiskEncryptionParameters( vault_uri=new_vault_key.properties.vault_url, key_name=new_vault_key.name, key_version=new_vault_key.properties.version ) # rotate cluster key self.hdinsight_client.clusters.rotate_disk_encryption_key(rg_name, cluster_name, rotate_params).wait() cluster = self.hdinsight_client.clusters.get(rg_name, cluster_name) # check disk encryption properties self.assertIsNotNone(cluster.properties.disk_encryption_properties) self.assertEqual(rotate_params.vault_uri, cluster.properties.disk_encryption_properties.vault_uri) self.assertEqual(rotate_params.key_name, cluster.properties.disk_encryption_properties.key_name) self.assertEqual(msi_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())