예제 #1
    def create(self, secrets: Secrets) -> AADTokenCredentials:
        """Build token-based credentials from an already issued access token.

        The ``azure_cloud``, ``access_token`` and ``client_id`` entries are
        read by subscript, so an absent entry raises instead of defaulting.

        :param secrets: mapping holding the three entries listed above
        :returns: credentials bound to the resolved cloud environment
        """
        # NOTE(review): the cloud name is read with [] here; whether a
        # missing ``azure_cloud`` should fall back to a default cloud
        # instead of raising is not visible from this method - confirm.
        environment = cloud.get_or_raise(secrets['azure_cloud'])

        # The access token is a bearer credential: keep it out of log lines
        # and exception messages built around this call.
        token_payload = {"accessToken": secrets['access_token']}

        return AADTokenCredentials(
            token_payload,
            secrets['client_id'],
            cloud_environment=environment)
예제 #2
 def create(self, secrets: Secrets) -> ServicePrincipalCredentials:
     """Build service-principal credentials from the given secrets.

     Every entry is read with ``.get``, so a missing ``client_id``,
     ``client_secret``, ``tenant_id`` or ``azure_cloud`` reaches the
     callee as ``None`` rather than raising here.

     :param secrets: mapping holding the service principal entries
     :returns: credentials bound to the resolved cloud environment
     """
     environment = cloud.get_or_raise(secrets.get('azure_cloud'))

     # NOTE(review): nothing in this method rejects an absent client id,
     # secret or tenant; presumably ServicePrincipalCredentials fails on
     # None values - confirm, so that a half-filled secrets section
     # cannot go unnoticed.
     principal = {
         'client_id': secrets.get('client_id'),
         'secret': secrets.get('client_secret'),
         'tenant': secrets.get('tenant_id'),
     }
     return ServicePrincipalCredentials(
         cloud_environment=environment, **principal)
예제 #3
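def test_get_env_by_name_bad():
    """The invalid-cloud fixture must make the cloud lookup abort.

    Expects ``InterruptExecution`` from resolving the ``azure_cloud`` value
    of the fixture and reading its resource manager endpoint.
    """
    # Build the fixture outside the raises-block: only the cloud lookup may
    # satisfy the expectation, so an InterruptExecution raised while
    # preparing the data cannot produce a false pass.
    data = secrets_provider.provide_secrets_invalid_cloud()

    with pytest.raises(InterruptExecution):
        cloud.get_or_raise(data.get("azure_cloud")) \
            .endpoints.resource_manager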
예제 #4
def test_get_env_by_name_usgov():
    """The US Gov fixture resolves to the US Gov resource manager endpoint."""
    us_gov_secrets = secrets_provider.provide_secrets_us_gov()
    environment = cloud.get_or_raise(us_gov_secrets.get("azure_cloud"))
    expected = AZURE_US_GOV_CLOUD.endpoints.resource_manager

    # Pinning the endpoint guards against a cloud name silently resolving
    # to a different environment than the one the secrets ask for.
    assert environment.endpoints.resource_manager == expected
예제 #5
def test_get_env_by_name_public():
    """The public fixture resolves to the public resource manager endpoint."""
    public_secrets = secrets_provider.provide_secrets_public()
    environment = cloud.get_or_raise(public_secrets.get("azure_cloud"))
    expected = AZURE_PUBLIC_CLOUD.endpoints.resource_manager

    assert environment.endpoints.resource_manager == expected
예제 #6
def test_resolve_cloud_env_by_name_default():
    """Service-principal fixture secrets resolve to the public cloud.

    NOTE(review): presumably this fixture carries no ``azure_cloud`` entry,
    which would make this the "no cloud given" default case - confirm
    against the fixture.
    """
    principal_secrets = (
        secrets_provider.provide_secrets_via_service_principal())
    environment = cloud.get_or_raise(principal_secrets.get("azure_cloud"))
    expected = AZURE_PUBLIC_CLOUD.endpoints.resource_manager

    assert environment.endpoints.resource_manager == expected
예제 #7
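def load_secrets(experiment_secrets: Secrets):
    """Load secrets from the experiment or from the azure credential file.

    :param experiment_secrets: Secrets provided in experiment file
    :returns: a dictionary of secrets, or an empty dictionary when neither
        source provides any

    Secrets can come from two sources that use different formats: the
    experiment secrets section or the azure credential file.
    The experiment secrets section takes precedence over the azure
    credential file.

    When a source is found, the function returns the following dictionary
    (entries that the source does not provide are set to ``None``):
    ```python
    {
        # available whenever a source was found
        "cloud": "variable contains msrest cloud object",

        # optional - available if user authenticate with service principal
        "client_id": "variable contains client id",
        "client_secret": "variable contains client secret",
        "tenant_id": "variable contains tenant id",

        # optional - available if user authenticate with existing token
        "access_token": "variable contains access token",
    }
    ```
    The dictionary carries live credentials (client secret or access
    token); callers should keep it out of logs and persisted output.

    :Loading secrets from experiment file:

    Function will try to load following secrets from the experiment file:
    ```json
    {
        "azure": {
            "client_id": "AZURE_CLIENT_ID",
            "client_secret": "AZURE_CLIENT_SECRET",
            "tenant_id": "AZURE_TENANT_ID",
            "access_token": "AZURE_ACCESS_TOKEN"
        }
    }
    ```

    :Loading secrets from azure credential file:

    If experiment file contains no secrets, function will try to load secrets
    from the azure credential file. Path to the file should be set under
    AZURE_AUTH_LOCATION environment variable.

    Function will try to load following secrets from azure credential file:
    ```json
    {
        "clientId": "AZURE_CLIENT_ID",
        "clientSecret": "AZURE_CLIENT_SECRET",
        "tenantId": "AZURE_TENANT_ID",
        "resourceManagerEndpointUrl": "AZURE_RESOURCE_MANAGER_ENDPOINT",
        ...
    }
    ```
    More info about azure credential file may be found:
    https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate

    """

    # 1: look for secrets in the experiment file
    # Any non-empty secrets section wins, even one that holds no usable
    # credential: the credential file is not consulted in that case.
    if experiment_secrets:
        return {
            'client_id': experiment_secrets.get('client_id'),
            'client_secret': experiment_secrets.get('client_secret'),
            'tenant_id': experiment_secrets.get('tenant_id'),
            # load cloud object
            'cloud': cloud.get_or_raise(experiment_secrets.get('azure_cloud')),
            'access_token': experiment_secrets.get('access_token'),
        }

    # 2: look for credentials in the azure auth file
    az_auth_file = _load_azure_auth_file()
    if az_auth_file:
        # NOTE(review): the endpoint is taken from the credential file as
        # is (None when the key is absent) and the cloud definition is
        # derived from it - presumably by querying that URL. Whoever can
        # write the file therefore decides which endpoints the
        # credentials are later used against; keep the file and
        # AZURE_AUTH_LOCATION under the operator's control.
        rm_endpoint = az_auth_file.get('resourceManagerEndpointUrl')
        return {
            'client_id': az_auth_file.get('clientId'),
            'client_secret': az_auth_file.get('clientSecret'),
            'tenant_id': az_auth_file.get('tenantId'),
            # load cloud object
            'cloud': azure_cloud.get_cloud_from_metadata_endpoint(rm_endpoint),
            # access token is not supported for credential files
            'access_token': None,
        }

    # no secrets
    # logger.warning replaces the deprecated logger.warn alias.
    logger.warning("Unable to load Azure credentials.")
    return {}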