def test_managed_identity_live(live_managed_identity_config):
credential = ManagedIdentityCredential(
client_id=live_managed_identity_config["client_id"])
# do something with Key Vault to verify the credential can get a valid token
client = SecretClient(live_managed_identity_config["vault_url"],
credential,
logging_enable=True)
secret = client.set_secret("managed-identity-test-secret", "value")
client.begin_delete_secret(secret.name)
class AzureKeyVault(object):
def __init__(self, key_vault_name: str):
credential = DefaultAzureCredential()
key_vault_uri = f"https://{key_vault_name}.vault.azure.net"
self.client = SecretClient(vault_url=key_vault_uri,
credential=credential)
def set_secret(self, secret_name: str, secret_value) -> bool:
try:
self.client.set_secret(secret_name, secret_value)
return True
except BaseException as e:
Logger().error(f"{e}")
return False
def get_secret(self, secret_name: str) -> Union[KeyVaultSecret, str]:
try:
return self.client.get_secret(secret_name)
except BaseException as e:
Logger().error(f"{e}")
return ""
def delete_secret(self, secret_name: str) -> bool:
try:
poller = self.client.begin_delete_secret(secret_name)
deleted_secret = poller.result()
return True
except BaseException as e:
Logger().error(f"{e}")
return False
def main(req: func.HttpRequest) -> func.HttpResponse:
# capture interesting environment variables for debugging
env = "\n".join(f"{var}: {os.environ.get(var)}" for var in EXPECTED_VARIABLES)
try:
credential = ManagedIdentityCredential(
client_id=os.environ.get("AZURE_IDENTITY_TEST_MANAGED_IDENTITY_CLIENT_ID")
)
# do something with Key Vault to verify the credential can get a valid token
client = SecretClient(os.environ["AZURE_IDENTITY_TEST_VAULT_URL"], credential, logging_enable=True)
secret = client.set_secret("managed-identity-test-secret", "value")
client.begin_delete_secret(secret.name)
return func.HttpResponse("test passed")
except Exception as ex:
return func.HttpResponse("test failed: " + repr(ex) + "\n" * 3 + env)
def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create a secret holding bank account credentials valid for 1 year.
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
secret = client.set_secret("helloWorldSecretName",
"helloWorldSecretValue",
expires_on=expires)
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
print("Secret with name '{0}' expires on '{1}'".format(
secret.name, secret.properties.expires_on))
# Let's get the bank secret using its name
print("\n.. Get a Secret by name")
bank_secret = client.get_secret(secret.name)
print("Secret with name '{0}' was found with value '{1}'.".format(
bank_secret.name, bank_secret.value))
# After one year, the bank account is still active, we need to update the expiry time of the secret.
# The update method can be used to update the expiry attribute of the secret. It cannot be used to update
# the value of the secret.
print("\n.. Update a Secret by name")
expires = bank_secret.properties.expires_on + datetime.timedelta(
days=365)
updated_secret_properties = client.update_secret_properties(
secret.name, expires_on=expires)
print("Secret with name '{0}' was updated on date '{1}'".format(
secret.name, updated_secret_properties.updated_on))
print("Secret with name '{0}' was updated to expire on '{1}'".format(
secret.name, updated_secret_properties.expires_on))
# Bank forced a password update for security purposes. Let's change the value of the secret in the Key Vault.
# To achieve this, we need to create a new version of the secret in the Key Vault. The update operation cannot
# change the value of the secret.
secret = client.set_secret(secret.name, "newSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Deleting Secret...")
deleted_secret = client.begin_delete_secret(secret.name).result()
print("Secret with name '{0}' was deleted.".format(
deleted_secret.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
class Secrets():
def __init__(self):
for env_var in ('AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'KEY_VAULT_NAME',
'AZURE_CLIENT_SECRET'):
if not os.environ.get(env_var):
logging.error(('The environment variables "AZURE_TENANT_ID", '
'"AZURE_CLIENT_ID", "KEY_VAULT_NAME" and '
'"AZURE_CLIENT_SECRET" all need to be set '
'in your environment.'))
raise ValueError((f'Environment variable {env_var} '
'not set. Cannot authenticate with Azure.'))
self.key_vault_name = os.environ.get('KEY_VAULT_NAME')
KVUri = f'https://{self.key_vault_name}.vault.azure.net'
credential = EnvironmentCredential()
self.client = SecretClient(vault_url=KVUri, credential=credential)
def get(self, secret_name):
logging.info(
f'Getting secret "{secret_name}" from "{self.key_vault_name}"')
try:
retrieved_secret = self.client.get_secret(secret_name)
return retrieved_secret.value
except exceptions.ResourceNotFoundError:
raise KeyError(
f'Secret "{secret_name}" does not exist in "{self.key_vault_name}"'
)
def set(self, secret_name, secret_value):
logging.info(
f'Creating secret "{secret_name}" in {self.key_vault_name}. Value: "{secret_value}"'
)
self.client.set_secret(secret_name, secret_value)
def delete(self, secret_name):
logging.info(
f'Deleting secret "{secret_name}" from "{self.key_vault_name}"')
try:
self.client.begin_delete_secret(secret_name)
logging.info(f'Deleted')
except exceptions.ResourceNotFoundError:
logging.info(
f'Secret "{secret_name}" does not exist in "{self.key_vault_name}"'
)
def auth():
token = oauth.fitbit.authorize_access_token()
secretName = session["user"] = token["user_id"]
secretValue = token["refresh_token"]
app.secret_key = token["access_token"]
client = SecretClient(vault_url=app.config["VAULT_URL"],
credential=DefaultAzureCredential())
try:
client.set_secret(secretName, secretValue)
except ResourceExistsError:
# assume user has renabled the service reset the key
client.begin_delete_secret(secretName)
# sync data with FHIR API using Io[M]T Connector
loop = asyncio.new_event_loop()
loop.run_until_complete(sync())
return "Successful Sync"
def delete_secret(self):
"""
Responsible to DELETE secrets in vault.
ref.: https://pypi.org/project/azure-keyvault-secrets/#delete-a-secret
"""
credential = DefaultAzureCredential()
secret_client = SecretClient(
vault_url="https://my-key-vault.vault.azure.net/",
credential=credential)
deleted_secret = secret_client.begin_delete_secret(
"secret-name").result()
print(deleted_secret.name)
print(deleted_secret.deleted_date)
class KeyVaultSecrets:
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
credential = DefaultAzureCredential()
self.secret_client = SecretClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_Value = "secret-value"
def set_secret(self):
print("Setting a secret...")
self.secret_client.set_secret(self.secret_name, self.secret_Value)
print("\tdone")
def get_secret(self):
print("Getting a secret...")
secret = self.secret_client.get_secret(self.secret_name)
print("\tdone, secret: (" + secret.name + "," + secret.value + ").")
def delete_secret(self):
print("Deleting a secret...")
deleted_secret = self.secret_client.begin_delete_secret(
self.secret_name).result()
print("\tdone: " + deleted_secret.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Secrets\nIdentity - Credential")
print("------------------------")
print("1) Set a secret")
print("2) Get that secret")
print("3) Delete that secret (Clean up the resource)")
print("")
try:
self.set_secret()
self.get_secret()
finally:
self.delete_secret()
class KeyVault():
def __init__(self, vault_url):
self.credential = DefaultAzureCredential()
self.secret_client = SecretClient(vault_url=vault_url,
credential=self.credential)
def get_secret(self, secret_name):
secret = self.secret_client.get_secret(secret_name)
print(secret.enabled)
return secret.value
def update_secret(self, secret_name, secret_data):
secret = self.secret_client.set_secret(secret_name, secret_data)
return secret.properties.version
def delete_secret(self, secret_name):
secret = self.secret_client.begin_delete_secret(secret_name).wait()
self.secret_client.purge_deleted_secret(secret_name)
print(secret)
class KeyVaultSecrets(KeyVaultBase):
def __init__(self):
credential = self.get_default_credential()
self.secret_client = SecretClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_Value = "secret-value"
def set_secret(self):
print("Setting a secret...")
self.secret_client.set_secret(self.secret_name, self.secret_Value)
print("\tdone")
def get_secret(self):
print("Getting a secret...")
secret = self.secret_client.get_secret(self.secret_name)
print("\tdone, secret: (" + secret.name + "," + secret.value + ").")
def delete_secret(self):
print("Deleting a secret...")
deleted_secret = self.secret_client.begin_delete_secret(
self.secret_name).result()
print("\tdone: " + deleted_secret.name)
def run(self):
print("")
print("------------------------")
print("Key Vault - Secrets\nIdentity - Credential")
print("------------------------")
print("1) Set a secret")
print("2) Get that secret")
print("3) Delete that secret (Clean up the resource)")
print("")
try:
self.set_secret()
self.get_secret()
finally:
self.delete_secret()
class SecretService:
credential: DefaultAzureCredential
secret_client: SecretClient
def __init__(self):
self.credential = DefaultAzureCredential()
# noinspection PyTypeChecker
self.secret_client = SecretClient(
vault_url=get_settings().key_vault_url, credential=self.credential)
def set_secret(self, name, value, **kwargs) -> KeyVaultSecret:
secret = self.secret_client.set_secret(name, value, **kwargs)
return secret
def get_secret(self, name, version=None, **kwargs) -> KeyVaultSecret:
secret = self.secret_client.get_secret(name, version=version, **kwargs)
return secret
def get_secret_value(self, name, version=None, **kwargs) -> str:
return self.get_secret(name, version=version, **kwargs).value
def delete_secret(self, name):
return self.secret_client.begin_delete_secret(name)
bank_secret = client.get_secret(secret.name)
print("Secret with name '{0}' was found with value '{1}'.".format(
bank_secret.name, bank_secret.value))
# After one year, the bank account is still active, we need to update the expiry time of the secret.
# The update method can be used to update the expiry attribute of the secret. It cannot be used to update
# the value of the secret.
print("\n.. Update a Secret by name")
expires = bank_secret.properties.expires_on + datetime.timedelta(days=365)
updated_secret_properties = client.update_secret_properties(
secret.name, expires_on=expires)
print("Secret with name '{0}' was updated on date '{1}'".format(
secret.name, updated_secret_properties.updated_on))
print("Secret with name '{0}' was updated to expire on '{1}'".format(
secret.name, updated_secret_properties.expires_on))
# Bank forced a password update for security purposes. Let's change the value of the secret in the Key Vault.
# To achieve this, we need to create a new version of the secret in the Key Vault. The update operation cannot
# change the value of the secret.
secret = client.set_secret(secret.name, "newSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Deleting Secret...")
client.begin_delete_secret(secret.name)
print("Secret with name '{0}' was deleted.".format(secret.name))
except HttpResponseError as e:
print("\nThis sample has caught an error. {0}".format(e.message))
credential = DefaultAzureCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = client.set_secret("recoverPurgeBankSecretName",
"recoverPurgeSecretValue1")
storage_secret = client.set_secret("recoverPurgeStorageSecretName",
"recoverPurgeSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(storage_secret.name))
# The storage account was closed, so we need to delete its credentials from the Key Vault.
print("\n.. Delete a Secret")
delete_secret_poller = client.begin_delete_secret(bank_secret.name)
secret = delete_secret_poller.result()
delete_secret_poller.wait()
print("Secret with name '{0}' was deleted on date {1}.".format(
secret.name, secret.deleted_date))
# We accidentally deleted the bank account secret. Let's recover it.
# A deleted secret can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Secret")
recover_secret_poller = client.begin_recover_deleted_secret(
bank_secret.name)
recovered_secret = recover_secret_poller.result()
# This wait is just to ensure recovery is complete before we delete the secret again
recover_secret_poller.wait()
print("Recovered Secret with name '{0}'.".format(recovered_secret.name))
class AzureKeyVault:
headers = None
kvName = None
token = None
tracer = None
uri = None
def __init__(self,
tracer: logging.Logger,
kvName: str,
msiClientId: Optional[str] = None):
self.tracer = tracer
self.tracer.info("initializing KeyVault %s" % kvName)
self.kvName = kvName
self.uri = "https://%s.vault.azure.net" % kvName
self.token = ManagedIdentityCredential(client_id=msiClientId)
self.kv_client = SecretClient(vault_url=self.uri,
credential=self.token)
# Set a secret in the KeyVault
def setSecret(self, secretName: str, secretValue: str) -> bool:
self.tracer.info("setting KeyVault secret for secretName=%s" %
secretName)
try:
self.kv_client.set_secret(secretName, secretValue)
except Exception as e:
self.tracer.critical("could not set KeyVault secret (%s)" % e)
sys.exit(ERROR_SETTING_KEYVAULT_SECRET)
return True
# Delete a secret from the KeyVault
def deleteSecret(self, secretName: str) -> bool:
self.tracer.info("deleting KeyVault secret %s" % secretName)
try:
self.kv_client.begin_delete_secret(secretName)
except Exception as e:
self.tracer.critical("could not delete KeyVault secret (%s)" % e)
return False
return True
# Get the current version of a specific secret in the KeyVault
def getSecret(self,
secretId: str,
version: Optional[str] = None) -> KeyVaultSecret:
self.tracer.info("getting KeyVault secret for secretId=%s" % secretId)
secret = None
try:
secret = self.kv_client.get_secret(secretId, version)
except Exception as e:
self.tracer.error(
"could not get KeyVault secret for secretId=%s (%s)" %
(secretId, e))
return secret
# Get the current versions of all secrets inside the customer KeyVault
def getCurrentSecrets(self) -> Dict[str, str]:
self.tracer.info("getting current KeyVault secrets")
secrets = {}
try:
kvSecrets = self.kv_client.list_properties_of_secrets()
for k in kvSecrets:
secrets[k.name] = self.kv_client.get_secret(k.name).value
except Exception as e:
self.tracer.error("could not get current KeyVault secrets (%s)" %
e)
return secrets
# Check if a KeyVault with a specified name exists
def exists(self) -> bool:
self.tracer.info("checking if KeyVault %s exists" % self.kvName)
try:
kvSecrets = self.kv_client.list_properties_of_secrets(
max_page_size=1)
if kvSecrets:
self.tracer.info("KeyVault %s exists" % self.kvName)
return True
except Exception as e:
self.tracer.error(
"could not determine is KeyVault %s exists (%s)" %
(self.kvName, e))
self.tracer.info("KeyVault %s does not exist" % self.kvName)
return False
if c.name.startswith("livekvtest")
]
for certificate in deleted_test_certificates:
cert_client.purge_deleted_certificate(certificate.name)
test_keys = [
k for k in key_client.list_properties_of_keys()
if k.name.startswith("livekvtest")
]
for key in test_keys:
key_client.begin_delete_key(key.name).wait()
deleted_test_keys = [
k for k in key_client.list_deleted_keys()
if k.name.startswith("livekvtest")
]
for key in deleted_test_keys:
key_client.purge_deleted_key(key.name)
test_secrets = [
s for s in secret_client.list_properties_of_secrets()
if s.name.startswith("livekvtest")
]
for secret in test_secrets:
secret_client.begin_delete_secret(secret.name).wait()
deleted_test_secrets = [
s for s in secret_client.list_deleted_secrets()
if s.name.startswith("livekvtest")
]
for secret in deleted_test_secrets:
secret_client.purge_deleted_secret(secret.name)
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
secret = client.set_secret("backupRestoreSecretName",
"backupRestoreSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# Backups are good to have, if in case secrets gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing Secret")
secret_backup = client.backup_secret(secret.name)
print("Backup created for secret with name '{0}'.".format(secret.name))
# The storage account secret is no longer in use, so you delete it.
print("\n.. Deleting secret...")
delete_operation = client.begin_delete_secret(secret.name)
deleted_secret = delete_operation.result()
print("Deleted secret with name '{0}'".format(deleted_secret.name))
# Wait for the deletion to complete before purging the secret.
# The purge will take some time, so wait before restoring the backup to avoid a conflict.
delete_operation.wait()
print("\n.. Purge the secret")
client.purge_deleted_secret(deleted_secret.name)
time.sleep(60)
print("Purged secret with name '{0}'".format(deleted_secret.name))
# In the future, if the secret is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the secret using the backed up secret bytes")
secret = client.restore_secret_backup(secret_backup)
print("Restored secret with name '{0}'".format(secret.name))
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = client.set_secret("recoverPurgeBankSecretName",
"recoverPurgeSecretValue1")
storage_secret = client.set_secret("recoverPurgeStorageSecretName",
"recoverPurgeSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(storage_secret.name))
# The storage account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete a Secret")
secret = client.begin_delete_secret(bank_secret.name).result()
print("Secret with name '{0}' was deleted on date {1}.".format(
secret.name, secret.deleted_date))
# We accidentally deleted the bank account secret. Let's recover it.
# A deleted secret can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Secret")
recovered_secret = client.begin_recover_deleted_secret(
bank_secret.name).result()
print("Recovered Secret with name '{0}'.".format(recovered_secret.name))
# Let's delete storage account now.
# If the keyvault is soft-delete enabled, then for permanent deletion deleted secret needs to be purged.
# Calling result() on the method will immediately return the `DeletedSecret`, but calling wait() blocks
# until the secret is deleted server-side so it can be purged.
print("\n.. Deleting secret...")
class AzureKeyVault(AzureApi):
"""Azure KeyVault API to set/get secrets from a given Keyvault on Azure"""
def __init__(self, keyvault_name: str, auth_path: Path):
"""Initialize the Azure Keyvault client
Args:
keyvault_name (str, optional): Name of the keyvault. Defaults to None.
auth_path (Path, optional): Authentication json file path. Defaults to None.
"""
super(AzureKeyVault, self).__init__(auth_path)
self.name = keyvault_name
self.uri = f"https://{self.name}.vault.azure.net"
self.secret_client = SecretClient(
vault_url=self.uri,
credential=self.client_secret_credentials,
version="7.0")
self.keyvault_client = KeyVaultManagementClient(
self.client_secret_credentials, self.subscription_id)
self.exists = self.name in [
i.name for i in self.keyvault_client.vaults.list()
]
self.logger.debug(f"Keyvault manager ready: {self.name}")
def get_secret(self, name: str) -> str:
"""Get secret from keyvault
Args:
name (str): name of the secret to get from keyvault
Returns:
str: The secret value
"""
try:
secret = self.secret_client.get_secret(name)
self.logger.debug(f"Retrieved secret: {secret.id}")
except CloudError as e:
self.logger.error(f"Could not get secret: {name}")
raise e
return secret.value
def set_secret(self, name: str, value: str) -> str:
"""Set secret value in keyvault
Args:
name (str): name of the secret to get from keyvault
value (str): value of the keyvault secret
"""
try:
secret = self.secret_client.set_secret(name, value)
self.logger.debug(f"Set secret: {secret.id}")
except CloudError as e:
self.logger.error(f"Could not set secret: {name}")
raise e
return secret.value
def delete_secret(self, name: str, purge: bool = True) -> None:
"""Delete a secret from the key vault
Args:
name (str): name of the secret
purge (bool, optional): whether to purge the secret or soft-delete. Defaults to True.
"""
poller = self.secret_client.begin_delete_secret(name)
poller.wait()
if purge:
self.secret_client.purge_deleted_secret(name)
def grant_access(self, rsg: str, subnet_ids: List[str] = None) -> None:
"""Grant access to a keyvault from a list of subnets
Args:
rsg (str): Resource group of the key vault
subnet_ids (List[str], optional): list of subnet IDs. Defaults to None.
"""
self.logger.info(f"Grant access to KeyVault running for: {self.name}")
tenant_id = self._get_tenant_id()
vault = self.keyvault_client.vaults.get(rsg, self.name)
props = vault.properties
tenant_update = False
if (tenant_id not in [
x.tenant_id for x in vault.properties.access_policies
]) or vault.properties.tenant_id != tenant_id:
tenant_update = True
props.tenant_id = tenant_id
props.access_policies.append({
"tenant_id": tenant_id,
"object_id": self.get_object_id(),
"permissions": {
"secrets": ["all"]
},
})
if subnet_ids:
props.network_acls = NetworkRuleSet(
default_action="Deny",
ip_rules=[],
virtual_network_rules=[
VirtualNetworkRule(id=i) for i in subnet_ids
],
)
if subnet_ids or tenant_update:
kv = self.keyvault_client.vaults.create_or_update(
rsg,
self.name,
{
"location": vault.location,
"properties": props
},
)
kv.wait()
def delete_keyvault(self,
rsg: str,
location: str,
purge: bool = True,
fail_ok: bool = True) -> None:
"""Delete a key vault
Args:
rsg (str): resource group of the vault
location (str): location of the vault
purge (bool, optional): whether to purge the vault. Defaults to True.
"""
self.logger.info(f"Deleting keyvault {self.name}")
try:
d = self.keyvault_client.vaults.delete(rsg, self.name)
if purge:
self.logger.info(f"Purging keyvault {self.name}")
p = self.keyvault_client.vaults.begin_purge_deleted(
self.name, location)
p.wait()
except Exception as e:
if not fail_ok:
raise e
self.exists = False
def create_keyvault(self,
rsg: str,
location: str,
soft_delete: bool = True,
subnet_ids: List[str] = None):
"""Creates a key vault object in Azure
Args:
soft_delete (bool, optional): turn on soft-delete. Defaults to True.
subnet_ids (List[str], optional): subnet IDs to grant access to. Defaults to None.
Raises:
RuntimeError: Keyvault name is already taken.
"""
self.logger.info(f"Create or update KeyVault running for: {self.name}")
if not self.check_name_available():
raise RuntimeError(
"Keyvault name is taken by deleted keyvault or is being used.")
configuration = {
"location": location,
"properties": {
"sku": {
"name": "standard",
"family": "A"
},
"tenant_id":
self._get_tenant_id(),
"enable_soft_delete":
soft_delete,
"access_policies": [{
"tenant_id": self._get_tenant_id(),
"object_id": self.get_object_id(),
"permissions": {
"keys": ["all"],
"secrets": ["all", "purge"]
},
}],
},
}
if subnet_ids:
configuration["properties"]["network_acls"] = NetworkRuleSet(
default_action="Deny",
ip_rules=[],
virtual_network_rules=[
VirtualNetworkRule(id=i) for i in subnet_ids
])
kv = self.keyvault_client.vaults.begin_create_or_update(
rsg, self.name, configuration)
kv.wait()
while True:
try:
self.set_secret("test", "x")
except:
self.logger.warning(
"Waiting for keyvault to come up. Please check connection to the VNET."
)
time.sleep(1)
else:
self.delete_secret("test")
break
self.exists = True
def check_name_available(self) -> bool:
"""Check if keyvault name is available
Args:
name (str): name of the keyvault
Returns:
bool: whether the name is available or not
"""
deleted_vaults = self.keyvault_client.vaults.list_deleted()
names = [i.name for i in deleted_vaults]
print(names)
available = self.keyvault_client.vaults.check_name_availability(
VaultCheckNameAvailabilityParameters(name=self.name))
print(available)
if (self.name in names) or not available.name_available:
return False
return True
def deleted_secret_recovery(self):
"""
a sample of enumerating, retrieving, recovering and purging deleted secrets from a key vault
"""
# create a vault enabling the soft delete feature
vault = self.create_vault()
# create a secret client
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url=vault.properties.vault_uri,
credential=credential)
# create secrets in the vault
secret_to_recover = get_name('secret')
secret_to_purge = get_name('secret')
secret = secret_client.set_secret(secret_to_recover,
"secret to restore")
print('created secret {}'.format(secret.name))
secret = secret_client.set_secret(secret_to_purge, "secret to purge")
print('created secret {}'.format(secret.name))
# list the name of all of the secrets in the client's vault
secret_properties = secret_client.list_properties_of_secrets()
print("all of the secrets in the client's vault:")
for secret_property in secret_properties:
print(secret_property.name)
# delete the secrets
delete_secret_poller = secret_client.begin_delete_secret(
secret_to_recover)
deleted_secret = delete_secret_poller.result()
delete_secret_poller.wait()
print('deleted secret {}'.format(deleted_secret.name))
delete_secret_poller = secret_client.begin_delete_secret(
secret_to_purge)
deleted_secret = delete_secret_poller.result()
delete_secret_poller.wait()
print('deleted secret {}'.format(deleted_secret.name))
# list the deleted secrets
deleted_secrets = secret_client.list_deleted_secrets()
print("all of the deleted secrets in the client's vault:")
for deleted_secret in deleted_secrets:
print(deleted_secret.name)
# recover a deleted secret
recover_secret_poller = secret_client.begin_recover_deleted_secret(
secret_to_recover)
recovered_secret = recover_secret_poller.result()
print('recovered secret {}'.format(recovered_secret.name))
# purge a deleted secret
secret_client.purge_deleted_secret(secret_to_purge)
time.sleep(50)
print('purged secret {}'.format(secret_to_purge))
# list the name of all of the secrets in the client's vault
secret_properties = secret_client.list_properties_of_secrets()
print("all of the secrets in the client's vault:")
for secret_property in secret_properties:
print(secret_property.name)
def run_sample():
# Instantiate a secret client that will be used to call the service. Notice that the client is using default Azure
# credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = client.set_secret("listOpsBankSecretName", "listOpsSecretValue1")
storage_secret = client.set_secret("listOpsStorageSecretName", "listOpsSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(storage_secret.name))
# You need to check if any of the secrets are sharing same values.
# Let's list the secrets and print their values.
# List operations don 't return the secrets with value information.
# So, for each returned secret we call get_secret to get the secret with its value information.
print("\n.. List secrets from the Key Vault")
secrets = client.list_properties_of_secrets()
for secret in secrets:
retrieved_secret = client.get_secret(secret.name)
print(
"Secret with name '{0}' and value {1} was found.".format(retrieved_secret.name, retrieved_secret.name)
)
# The bank account password got updated, so you want to update the secret in Key Vault to ensure it reflects the
# new password. Calling set_secret on an existing secret creates a new version of the secret in the Key Vault
# with the new value.
updated_secret = client.set_secret(bank_secret.name, "newSecretValue")
print(
"Secret with name '{0}' was updated with new value '{1}'".format(updated_secret.name, updated_secret.value)
)
# You need to check all the different values your bank account password secret had previously. Lets print all
# the versions of this secret.
print("\n.. List versions of the secret using its name")
secret_versions = client.list_properties_of_secret_versions(bank_secret.name)
for secret_version in secret_versions:
print(
"Bank Secret with name '{0}' has version: '{1}'.".format(
secret_version.name, secret_version.version
)
)
# The bank account and storage accounts got closed. Let's delete bank and storage accounts secrets.
# Calling result() on the method will immediately return the `DeletedSecret`, but calling wait() blocks
# until the secret is deleted server-side.
print("\n.. Deleting secrets...")
client.begin_delete_secret(bank_secret.name).wait()
client.begin_delete_secret(storage_secret.name).wait()
# You can list all the deleted and non-purged secrets, assuming Key Vault is soft-delete enabled.
print("\n.. List deleted secrets from the Key Vault")
deleted_secrets = client.list_deleted_secrets()
for deleted_secret in deleted_secrets:
print(
"Secret with name '{0}' has recovery id '{1}'".format(deleted_secret.name, deleted_secret.recovery_id)
)
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print("\n{0} Please enable soft-delete on Key Vault to perform this operation.".format(e.message))
else:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
try:
# Let's create a secret holding storage account credentials.
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
secret = client.set_secret("backupRestoreSecretName",
"backupRestoreSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# Backups are good to have, if in case secrets gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing Secret")
secret_backup = client.backup_secret(secret.name)
print("Backup created for secret with name '{0}'.".format(secret.name))
# The storage account secret is no longer in use, so you delete it.
print("\n.. Deleting secret...")
deleted_secret = client.begin_delete_secret(secret.name).result()
print("Deleted Secret with name '{0}'".format(deleted_secret.name))
# In future, if the secret is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the secret using the backed up secret bytes")
secret = client.restore_secret_backup(secret_backup)
print("Restored Secret with name '{0}'".format(secret.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
In Linux:
set: export KEY_VAULT_NAME="KeyVault-PythonQS-kv"
get: echo $KEY_VAULT_NAME
"""
keyVaultName = os.environ["KEY_VAULT_NAME"]
KVUri = f"https://{keyVaultName}.vault.azure.net"
#credential = DefaultAzureCredential()
# This seems to work better:
# https://docs.microsoft.com/en-us/answers/questions/74848/access-denied-to-first-party-service.html
credential = ChainedTokenCredential(AzureCliCredential())
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = input("Input a name for your secret > ")
secretValue = input("Input a value for your secret > ")
print(
f"\nCreating a secret in {keyVaultName} called '{secretName}' with the value '{secretValue}' ..."
)
client.set_secret(secretName, secretValue)
print(" done.")
print(f"\nRetrieving your secret from {keyVaultName}.")
retrieved_secret = client.get_secret(secretName)
print(f"Your secret is '{retrieved_secret.value}'.")
print(f"\nDeleting your secret from {keyVaultName} ...")
poller = client.begin_delete_secret(secretName)
deleted_secret_uri = poller.result()
print(" done.")
