def redditconnect_PRAW():
# Cloud Connection Information
default_credential = DefaultAzureCredential()
secret_client = SecretClient(
vault_url="https://keyvaultforquant.vault.azure.net/",
credential=default_credential)
temp_prawcred_cliendid = secret_client.get_secret(
name="RedditConnect-clientid")
temp_prawcred_clientsecret = secret_client.get_secret(
name="RedditConnect-clientsecret")
temp_prawcred_username = secret_client.get_secret(
name="RedditConnect-username")
temp_prawcred_passwords = secret_client.get_secret(
name="RedditConnect-password")
# Praw Object
prawreddit_object = praw.Reddit(
client_id=temp_prawcred_cliendid.value,
client_secret=temp_prawcred_clientsecret.value,
username=temp_prawcred_username.value,
password=temp_prawcred_passwords.value,
user_agent="prawtutorialv1")
return prawreddit_object
def connect_to_odinprod():
# Cloud Connection Information
default_credential = DefaultAzureCredential()
secret_client = SecretClient(
vault_url="https://keyvaultforquant.vault.azure.net/",
credential=default_credential)
temp_odin_server = "quantserver.database.windows.net,1433"
temp_odin_username = secret_client.get_secret(
name="odinprodConnect-username")
temp_odin_password = secret_client.get_secret(
name="odinprodConnect-password")
# PYODBC String
pyodbcodinprod_str = \
'DRIVER=ODBC Driver 17 for SQL Server;' + \
'SERVER=' + temp_odin_server + ';' +\
'DATABASE=odin_prod;' +\
'UID=' + temp_odin_username.value + ';' +\
'PWD=' + temp_odin_password.value + ';' + \
'Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;'
# PYODBC Object
try:
print("Determining status of the database: ")
pyodbcodinprod_object = pyodbc.connect(pyodbcodinprod_str)
except:
print("~Database is sleeping, Starting the Database up!")
time.sleep(60)
pyodbcodinprod_object = pyodbc.connect(pyodbcodinprod_str)
finally:
print("~Odin Connection is ready!")
return pyodbcodinprod_str, pyodbcodinprod_object
def fetch_secrets(vault_url):
client = SecretClient(vault_url=vault_url, credential=credential)
data = {
'sshpublickey': client.get_secret('sshpublickey').value,
'mspassword' : client.get_secret('mspassword').value,
'msusername' : client.get_secret('msusername').value,
'dynatraceapitoken' : client.get_secret('dynatraceapitoken').value,
'dynatraceapiurl' : client.get_secret('dynatraceapiurl').value
}
return data
def __init__(self):
credential = DefaultAzureCredential()
vault_url = 'https://aksseldonml-vault.vault.azure.net/'
client = SecretClient(vault_url=vault_url, credential=credential)
# get credentials
cognitive_endpoint = client.get_secret('cognitiveendpoint').value
cognitive_key = client.get_secret('cognitivekey').value
ta_credential = AzureKeyCredential(cognitive_key)
text_analytics_client = TextAnalyticsClient(
endpoint=cognitive_endpoint, credential=ta_credential)
self.client = text_analytics_client
def generate_dataframe_from_table(spark, spark_args, table):
application_id = spark_args.application_id
directory_id = spark_args.directory_id
adb_secret_scope = spark_args.adb_secret_scope_name
adb_sp_client_key_secret_name = spark_args.adb_sp_client_key_secret_name
database = spark_args.jdbc_database
jdbc_host = spark_args.jdbc_host
jdbc_port = spark_args.jdbc_port
jdbc_username_key_name = spark_args.jdbc_username_key_name
jdbc_password_key_name = spark_args.jdbc_password_key_name
use_msi_azure_sql_auth = spark_args.use_msi_azure_sql_auth
client_secret = SERVICE_PRINCIPAL_SECRET if SERVICE_PRINCIPAL_SECRET is not None else dbutils.secrets.get(
scope=adb_secret_scope, key=adb_sp_client_key_secret_name)
df_constructor = spark.read.format("jdbc") \
.option("url", f"jdbc:sqlserver://{jdbc_host}:{jdbc_port};databaseName={database};") \
.option("dbtable", table) \
.option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver") \
.option("hostNameInCertificate", "*.database.windows.net") \
.option("encrypt", "true") \
.option("ServerCertificate", "false") \
.option("trustServerCertificate", "false") \
.option("loginTimeout", "30")
if use_msi_azure_sql_auth:
sts_url = "https://login.microsoftonline.com/" + directory_id
auth_context = AuthenticationContext(sts_url)
token_obj = auth_context.acquire_token_with_client_credentials(
"https://database.windows.net/", application_id, client_secret)
access_token = token_obj['accessToken']
df_constructor.option("accessToken", access_token)
else:
service_principal_credential = ClientSecretCredential(
tenant_id=spark_args.directory_id,
client_id=spark_args.application_id,
client_secret=SERVICE_PRINCIPAL_SECRET)
secret_client = SecretClient(vault_url=spark_args.key_vault_url,
credential=service_principal_credential)
df_constructor.option(
"user",
secret_client.get_secret(name=jdbc_username_key_name).value)
df_constructor.option(
"password",
secret_client.get_secret(name=jdbc_password_key_name).value)
df = df_constructor.load()
return df
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
KeyVault_DNS = os.environ["KeyVault_DNS"]
SecretName = os.environ["SecretName"]
table_name = req.headers.get('name')
value = req.get_json()
if table_name:
try: # Try with managed identity, otherwise to with Service Principal
creds = ManagedIdentityCredential()
client = SecretClient(vault_url=KeyVault_DNS, credential=creds)
retrieved_secret = client.get_secret(SecretName)
except:
creds = ClientSecretCredential(
client_id=os.environ["SP_ID"],
client_secret=os.environ["SP_SECRET"],
tenant_id=os.environ["TENANT_ID"])
client = SecretClient(vault_url=KeyVault_DNS, credential=creds)
retrieved_secret = client.get_secret(SecretName)
table_service = TableService(connection_string=retrieved_secret.value)
if table_service.exists(table_name):
if 'PartitionKey' not in value.keys(): #This is mandatory
value['PartitionKey'] = 'reference'
if 'RowKey' not in value.keys(): #This is mandatory too
value['RowKey'] = '001'
try:
table_service.update_entity(table_name=table_name,
entity=value)
except:
table_service.insert_entity(table_name=table_name,
entity=value)
else:
ret = dict()
ret['result'] = "Please create the table!"
return func.HttpResponse(json.dumps(ret), status_code=400)
ret = dict()
ret['result'] = "Success"
return func.HttpResponse(json.dumps(ret), status_code=200)
else:
ret = dict()
ret['result'] = "Please pass a name!!"
return func.HttpResponse(json.dumps(ret), status_code=400)
def main():
global cog_endpoint
global cog_key
try:
# Get Configuration Settings
load_dotenv()
cog_endpoint = os.getenv('COG_SERVICE_ENDPOINT')
key_vault_name = os.getenv('KEY_VAULT')
app_tenant = os.getenv('TENANT_ID')
app_id = os.getenv('APP_ID')
app_password = os.getenv('APP_PASSWORD')
# Get cognitive services key from keyvault using the service principal credentials
key_vault_uri = f"https://{key_vault_name}.vault.azure.net/"
credential = ClientSecretCredential(app_tenant, app_id, app_password)
keyvault_client = SecretClient(key_vault_uri, credential)
secret_key = keyvault_client.get_secret("Cognitive-Services-Key")
cog_key = secret_key.value
# Get user input (until they enter "quit")
userText = ''
while userText.lower() != 'quit':
userText = input('\nEnter some text ("quit" to stop)\n')
if userText.lower() != 'quit':
language = GetLanguage(userText)
print('Language:', language)
except Exception as ex:
print(ex)
def home():
# url du key vault sur Azure
vault_url = "https://tradingkeyvault.vault.azure.net/"
# récupération des accés au key vault dans le context d'Azure
credential = DefaultAzureCredential()
# récupération des accés à la database depuis le key vault
secret_client = SecretClient(vault_url=vault_url, credential=credential)
secret = secret_client.get_secret("sqlserver-trading")
# connexion au sql server depuis une machine linux
cnxn = pyodbc.connect("Driver={ODBC Driver 17 for SQL Server};Server=tcp:sqlserver-trading.database.windows.net,1433;Database=financial;Uid=MasterTrader;Pwd="+secret.value+";Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;")
cursor = cnxn.cursor()
cursor.execute("SELECT TOP(200) * FROM XGBoost_BSH_1H ORDER BY DatePrediction DESC")
# row = cursor.fetchone()
rows = cursor.fetchall()
rows.reverse()
new_rows =[]
for row in rows:
# row_list = [elem for elem in row]
# row_list.append(max(row_list[1:]))
row_list = [row[0]]
row_list_rounded = list(map(lambda x: round(x, ndigits=4), row[1:]))
row_list.extend(row_list_rounded)
row_list.append(max(row_list[1:]))
new_rows.append(row_list)
return render_template('index.html', data=new_rows)
class AzureKeyVault(SecretProvider):
def __init__(self, provider_details):
log.info("Using secret provider: Azure KeyVault")
super().__init__(provider_details)
self.__auth_azure()
def __auth_azure(self):
provider_credentials = self._provider_details["credentials"]
credential = ClientSecretCredential(
tenant_id=provider_credentials["azure_tenant_id"],
client_id=provider_credentials["azure_client_id"],
client_secret=provider_credentials["azure_client_secret"])
self.__provider = SecretClient(
vault_url=provider_credentials["azure_keyvault_url"],
credential=credential)
def set_secret(self, key_name, key_value):
self.__provider.set_secret(key_name, key_value)
def get_secret(self, key_name):
try:
secret_name = key_name.replace('.', '-').replace('_', '-')
log.info("Looking for secret: {} [{}]".format(
secret_name, key_name))
secret_value = self.__provider.get_secret(secret_name).value
log.info("Secret {} found".format(key_name))
return secret_value
except ResourceNotFoundError:
log.error("Cannot find secret: {}".format(key_name))
raise
except ClientAuthenticationError:
log.error("Cannot authenticate, the credentials are invalid")
raise
def main(mytimer: func.TimerRequest) -> None:
# Extracting Database password
default_credential = DefaultAzureCredential()
secret_client = SecretClient(
vault_url='https://andrewsfirstkeyvault.vault.azure.net/',
credential=default_credential)
DBPassword = secret_client.get_secret(name="DBTrial-pwd")
# Database Connection
conninfo_server = "server-trial.database.windows.net,1433"
conninfo_database = "Database_Trial"
conninfo_username = "******"
conninfo_password = DBPassword.value
conninfo_connectstring= 'DRIVER=ODBC Driver 17 for SQL Server;'+\
'SERVER='+conninfo_server+';'+\
'DATABASE='+conninfo_database+';'+\
'UID='+conninfo_username+';'+\
'PWD='+ conninfo_password+';'+\
'Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;'
conn = pyodbc.connect(conninfo_connectstring)
cursor = conn.cursor()
# Database Insertion
cursor.execute("""INSERT INTO TrialTable (RandomCol2_Str, RandomCol3_Str)
VALUES ('John','Snow')""")
conn.commit()
conn.close
def get_data(sql_string, columns):
credentials = None
credential = DefaultAzureCredential()
secret_client = SecretClient("https://smrtschd-aml-kv.vault.azure.net", credential=credential)
secret = secret_client.get_secret("database-connection")
#client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
#secret_bundle = client.get_secret("https://smrtschd-aml-kv.vault.azure.net", "database-connection", "")
server = 'starlims-sql.database.windows.net'
database = 'QM12_DATA_AUTOMATION'
username = '******'
password = secret.value
driver= '{ODBC Driver 17 for SQL Server}'
conn = pyodbc.connect('Driver='+driver+';'+
'Server='+server+';'+
'Database='+database+';'+
'PORT=1433;'+
'UID='+username+';'+
'PWD='+password+'; MARS_Connection=Yes'
)
try:
SQL_Query = pd.read_sql_query(sql_string, conn)
df = pd.DataFrame(SQL_Query, columns=columns)
return df
except Exception as e:
print(e)
raise
def getsecretkey2():
keyVault2_name = 'VaronisAssignmentKv2'
KeyVault_URI = f"https://{keyVault2_name}.vault.azure.net/"
SECRET_NAME = 'VaronisAssignmentSecret'
_credential = ClientSecretCredential(tenant_id=TENANT_ID,
client_id=CLIENT_ID,
client_secret=CLIENT_SECRET)
_sc = SecretClient(vault_url=KeyVault_URI, credential=_credential)
KVA_SECRET = _sc.get_secret(SECRET_NAME).value
KVA_DATE = _sc.get_secret(SECRET_NAME).properties.created_on
return KVA_SECRET, SECRET_NAME, KVA_DATE
def Connect():
try:
credential = DefaultAzureCredential()
scope = 'https://vault.azure.net/.default'
access_token = credential.get_token(scope)
print(access_token)
vault_url = "https://{}.vault.azure.net".format(vault_name)
secret_client = SecretClient(vault_url=vault_url, credential=credential)
retrieved_secret = secret_client.get_secret("mysql")
password = retrieved_secret.value
messages.clear()
global cnxn
cnxn = mysql.connector.connect(user=user,host=host,database=database,password=password)
print("Connection established")
except mysql.connector.Error as err:
if err.errno == errorcode.ER_ACCESS_DENIED_ERROR:
print("Something is wrong with the user name or password")
elif err.errno == errorcode.ER_BAD_DB_ERROR:
print("Database does not exist")
else:
print(err)
else:
global cursor
cursor = cnxn.cursor()
messages.append("Connecting to Database")
class AzureKeyVault(object):
def __init__(self, key_vault_name: str):
credential = DefaultAzureCredential()
key_vault_uri = f"https://{key_vault_name}.vault.azure.net"
self.client = SecretClient(vault_url=key_vault_uri,
credential=credential)
def set_secret(self, secret_name: str, secret_value) -> bool:
try:
self.client.set_secret(secret_name, secret_value)
return True
except BaseException as e:
Logger().error(f"{e}")
return False
def get_secret(self, secret_name: str) -> Union[KeyVaultSecret, str]:
try:
return self.client.get_secret(secret_name)
except BaseException as e:
Logger().error(f"{e}")
return ""
def delete_secret(self, secret_name: str) -> bool:
try:
poller = self.client.begin_delete_secret(secret_name)
deleted_secret = poller.result()
return True
except BaseException as e:
Logger().error(f"{e}")
return False
def get_queue(queue_name, create_queue, clear_queue):
''' Note that generating the queueclient does not mean there must a queue there as one of the properties of queueclient is "create_queue", so it's
really a representation of a queue which may or may not exist yet. '''
keyVaultName = os.environ["KEY_VAULT_NAME"]
keyVault_URI = "https://" + keyVaultName + ".vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=keyVault_URI, credential=credential)
data_access_key = client.get_secret("thecupstore-key")
account_url = "https://thecupstore.queue.core.windows.net/"
queueclient = QueueClient(account_url=account_url,
queue_name=queue_name,
credential=data_access_key.value,
message_encode_policy=TextBase64EncodePolicy(),
message_decode_policy=TextBase64DecodePolicy())
# Check that the queue exists and if not create it if the create switch has been passed as True
try:
queueclient.get_queue_properties()
except:
if create_queue:
queueclient.create_queue()
else:
message = "Queue does not exist"
else:
if clear_queue:
queueclient.clear_messages()
if 'message' in locals(): # checks for existence of message variable
return message
else:
return queueclient
def __get_storage_account_key(self, accountname, client_id, secret_key,
tenant_id, keyvault_account):
"""
Uses the azure management package and the active directory
credentials to fetch the authentication key for a storage
account from azure key vault. The key must be stored in azure
keyvault for this to work.
:param str accountname: storage account name
"""
credential = ClientSecretCredential(tenant_id, client_id, secret_key)
keyvault = 'https://{}.vault.azure.net'.format(keyvault_account)
client = SecretClient(keyvault, credential)
try:
secret_bundle = client.get_secret(accountname)
except ResourceNotFoundError:
err_str = "The pipeline is not setup to use the {} account. ".format(
accountname)
err_str += "please add the storage key for the account to {} ".format(
keyvault_account)
err_str += "as a secret. All input/output paths should start with accountname"
raise UnconfiguredStorageAccountError(err_str)
account_key = secret_bundle.value
return account_key
def get_best_stop_id(name):
print(name)
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url='https://keyvaulttest-2.vault.azure.net/', credential=credential)
secret_transport_nsw = secret_client.get_secret("transport-nsw")
headers={'Authorization': secret_transport_nsw.value}
stop_payload = {
'outputFormat' : 'rapidJSON',
'type_sf' : 'any',
'coordOutputFormat' : 'EPSG:4326',
'name_sf' : name,
'version' : '10.2.1.42'
}
headers={'Authorization': secret_transport_nsw.value}
stop_response = requests.get('https://api.transport.nsw.gov.au/v1/tp/stop_finder',params=stop_payload,headers=headers)
stop_response = stop_response.json()
#print(stop_response['locations'])
for stop in stop_response['locations']:
if stop['isBest'] == True:
#print(stop['isBest'])
#print(stop['id'])
return(stop['id'])
else:
pass
def main(argv):
# Get arguments
akv_name = None
secret_name = None
try:
opts, args = getopt.getopt(argv, "hv:s:",
["help", "vault-name=", "secret-name="])
except getopt.GetoptError:
print('Options: -v <azure_key_vault_name> -s <secret_name>')
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print('Options: -v <azure_key_vault_name> -s <secret_name>')
sys.exit()
elif opt in ("-v", "--vault-name"):
akv_name = arg
elif opt in ("-s", "--secret-name"):
secret_name = arg
# Print vault name
if (akv_name == None) or (secret_name == None):
print('Options: -v <azure_key_vault_name> -s <secret_name>')
sys.exit()
else:
print('Getting secret', secret_name, 'from Azure Key Vault', akv_name)
# Get secret
akv_uri = f"https://{akv_name}.vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=akv_uri, credential=credential)
secret_value = client.get_secret(secret_name)
# Debug: print secret
print('Secret value:', secret_value.value)
class Vault:
def __init__(self):
self.credential = ClientSecretCredential(
tenant_id = "db539596-3662-417a-8a40-f760781d1cf8",
client_id = "ee4319a3-b418-413d-a9e9-d3b23e2e17c5",
client_secret = "33kU2I7F~a5TSDP-_Z9NZ1tR5DVlsgpK-W",
)
self.secret_client = SecretClient(vault_url="https://{0}.vault.azure.net".format(os.getenv(("KEY_VAULT_NAME"))),credential=self.credential)
self.key_client = KeyClient(vault_url="https://{0}.vault.azure.net".format(os.getenv(("KEY_VAULT_NAME"))),credential=self.credential)
self.key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"]
def get_secret(self,key):
return self.secret_client.get_secret(key).value
def set_secret(self,key,value):
self.secret_client.set_secret(key,value)
def set_key(self,key_name,key_size,key_ops):
self.key_client.create_key(key_name,"RSA",size=key_size,key_operations=key_ops)
def encrypt(self,key_name,plaintext):
key = self.key_client.get_key(key_name)
crypto_client = CryptographyClient(key,credential=self.credential)
text = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep,bytes(plaintext.encode()))
return text.ciphertext
def decrypt(self,ciphertext,key_name):
key = self.key_client.get_key(key_name)
crypto_client = CryptographyClient(key,credential=self.credential)
text = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep,ciphertext)
return text.plaintext.decode()
def create_app(test_config=None):
# 環境変数VAULT_URIにAzure Key VaultのコンテナURIを設定しておく
VAULT_URI = getenv("VAULT_URI")
if VAULT_URI is None:
raise Exception("VAULT_URI env var is not set.")
# Azure Identityを使い、Azure Key Vaultコンテナにアクセスする。
# DefaultAzureCredentialを使うことで次のことが実現出来る。
# ・Azure Web Apps等にデプロイした際は、Managed Identityの資格情報を使いKey Vaultにアクセス
# ・ローカル開発環境上ではVisual StudioのAzure Account拡張機能でログインした際の資格情報を使いKey Vaultにアクセス
credential = DefaultAzureCredential()
valut_client = SecretClient(vault_url=VAULT_URI, credential=credential)
# Azure Key Vaultコンテナ上に設定されているシークレットを読み出し、PythonのDictにする
try:
secret = valut_client.get_secret(FLASK_SECRET_KEY)
flask_config = json.loads(secret.value)
except ResourceNotFoundError as e:
raise e
except json.JSONDecodeError as e:
raise e
app = Flask(__name__, instance_relative_config=True)
# シークレットから取得した値でconfigをアップデートする
app.config.from_mapping(flask_config)
@app.route("/")
def hello_world():
import datetime
return "Hello from azure-keyvault-flask! " + str(
datetime.datetime.now())
return app
def get_sender(self, user: str) -> Dict[str, Union[str, int]]:
"""Retrieve the details for a user from the DB.
If we try to retrieve a user defined multiple times it raises an
error since we have ambiguous details.
Passwords are retrieved from a KeyVault.
Parameters
----------
user
User associated with the email account used to deliver the email.
"""
sender_details_lst = [x for x in self.email_db if x["user"] == user]
if len(sender_details_lst) == 0:
logging.info("Sender user not found in DB.")
raise KeyError("Sender not found in DB.")
elif len(sender_details_lst) > 1:
logging.info("More than one sender user in DB. Please fix.")
raise KeyError("Ambiguous sender found in DB")
else:
sender_details: Dict[str, Union[str, int]] = sender_details_lst[0]
credential = DefaultAzureCredential()
client = SecretClient(vault_url=os.environ["KEY_VAULT_URI"],
credential=credential)
secret = client.get_secret(sender_details["keyvault_secret"]).value
sender_details["password"] = secret
return sender_details
def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create a secret holding bank account credentials valid for 1 year.
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
expires = datetime.datetime.utcnow() + datetime.timedelta(days=365)
secret = client.set_secret("helloWorldSecretName",
"helloWorldSecretValue",
expires_on=expires)
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
print("Secret with name '{0}' expires on '{1}'".format(
secret.name, secret.properties.expires_on))
# Let's get the bank secret using its name
print("\n.. Get a Secret by name")
bank_secret = client.get_secret(secret.name)
print("Secret with name '{0}' was found with value '{1}'.".format(
bank_secret.name, bank_secret.value))
# After one year, the bank account is still active, we need to update the expiry time of the secret.
# The update method can be used to update the expiry attribute of the secret. It cannot be used to update
# the value of the secret.
print("\n.. Update a Secret by name")
expires = bank_secret.properties.expires_on + datetime.timedelta(
days=365)
updated_secret_properties = client.update_secret_properties(
secret.name, expires_on=expires)
print("Secret with name '{0}' was updated on date '{1}'".format(
secret.name, updated_secret_properties.updated_on))
print("Secret with name '{0}' was updated to expire on '{1}'".format(
secret.name, updated_secret_properties.expires_on))
# Bank forced a password update for security purposes. Let's change the value of the secret in the Key Vault.
# To achieve this, we need to create a new version of the secret in the Key Vault. The update operation cannot
# change the value of the secret.
secret = client.set_secret(secret.name, "newSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete Secret")
deleted_secret = client.delete_secret(secret.name)
print("Deleting Secret..")
print("Secret with name '{0}' was deleted.".format(
deleted_secret.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
def get_secret(secretName):
KVUri = f"https://sayless.vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)
retrieved_secret = client.get_secret(secretName)
return retrieved_secret.value
def get_secret(key_vault, key_name):
# Create MSI Authentication
credential = MSIAuthentication()
client = SecretClient(vault_url=key_vault, credential=credential)
secret_bundle = client.get_secret(key_name)
secret = secret_bundle.value
return secret
def get_sp():
# TO DO in next version: link and secret names as parameters to customize which sp to get for which case;
# to have less parameters and not over-complicate the code, you can now add the link to the key vault
# and the secret names in the code if you don't plan on changing the way the authrization is done in the future.
credential = DefaultAzureCredential()
secret_client = SecretClient("FILL IN THE LINK TO YOUR KEY VAULT",
credential)
serviceprincipal_definition = {}
#make sure the following secrets exist and are populated in your key vault (can change the names of the variables if you want)
serviceprincipal_definition["tenant_id"] = secret_client.get_secret(
"tenant-id").value
serviceprincipal_definition[
"service_principal_id"] = secret_client.get_secret("sp-id").value
serviceprincipal_definition[
"service_principal_password"] = secret_client.get_secret(
"sp-password").value
return serviceprincipal_definition
def get_secret_from_vault(self):
# Connect to vault
credential = ManagedIdentityCredential()
secret_client = SecretClient(vault_url=self.vault_url,
credential=credential)
return secret_client.get_secret(self.secret_name)
def __init__(self, uri):
credential = DefaultAzureCredential(
exclude_shared_token_cache_credential=True,
exclude_managed_identity_credential=True,
exclude_visual_studio_code_credential=True,
exclude_environment_credential=True)
client = SecretClient(vault_url=uri, credential=credential)
self.password = urllib.parse.quote_plus(
client.get_secret("sql-password").value)
self.user_name = urllib.parse.quote_plus(
client.get_secret("sql-userid").value)
self.server = urllib.parse.quote_plus(
client.get_secret("sqlserver").value)
self.database = urllib.parse.quote_plus(
client.get_secret("sql-db").value)
self.table_name = urllib.parse.quote_plus(
client.get_secret("sql-table").value)
class Vault:
def __init__(self):
if os.environ.get('IS_PROD', None):
self.credential = ClientSecretCredential(
tenant_id=os.environ.get('tenant_id', None),
client_id=os.environ.get('client_id', None),
client_secret=os.environ.get('client_secret', None),
)
self.secret_client = SecretClient(vault_url=os.environ.get(
'vault_url', None),
credential=self.credential)
self.key_client = KeyClient(vault_url=os.environ.get(
'vault_url', None),
credential=self.credential)
else:
self.credential = ClientSecretCredential(
tenant_id=Configuration.tenant_id,
client_id=Configuration.client_id,
client_secret=Configuration.client_secret,
)
self.secret_client = SecretClient(
vault_url=Configuration.vault_url, credential=self.credential)
self.key_client = KeyClient(vault_url=Configuration.vault_url,
credential=self.credential)
self.key_ops = [
"encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"
]
def get_secret(self, key):
return self.secret_client.get_secret(key).value
def set_secret(self, key, value):
self.secret_client.set_secret(key, value)
def set_key(self, key_name, key_size, key_ops):
self.key_client.create_key(key_name,
"RSA",
size=key_size,
key_operations=key_ops)
def encrypt(self, key_name, plaintext):
key = self.key_client.get_key(key_name)
crypto_client = CryptographyClient(key, credential=self.credential)
text = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep,
bytes(plaintext.encode()))
return text.ciphertext
def decrypt(self, ciphertext, key_name):
key = self.key_client.get_key(key_name)
crypto_client = CryptographyClient(key, credential=self.credential)
text = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext)
return text.plaintext.decode()
def close_all_connections(self):
self.secret_client.close()
self.key_client.close()
def main(name: str) -> str:
par_account_url = os.environ['account_url']
par_storage_container = os.environ['storage_container']
par_file_name = name # os.environ['file_name'] # todo, pass this parameter from ADFv2 or loop through storage container
par_keyvault_url = os.environ['keyvault_url']
par_s3_bucket = os.environ['s3_bucket']
status = "ok"
try:
# Download file from Azure Storage and put it on tmp storage of Azure Function
token_credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(account_url=par_account_url,
credential=token_credential)
blob_client = blob_service_client.get_blob_client(
container=par_storage_container, blob=par_file_name)
with open("/tmp/" + par_file_name, "wb") as my_blob:
download_stream = blob_client.download_blob()
my_blob.write(download_stream.readall())
# Upload file from Azure Function tmp storage to AWS S3
secret_client = SecretClient(vault_url=par_keyvault_url,
credential=token_credential)
aws_access_key_id = secret_client.get_secret("aws-access-key-id").value
aws_secret_access_key = secret_client.get_secret(
"aws-secret-access-key").value
s3_client = boto3.client('s3',
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key)
try:
response = s3_client.upload_file("/tmp/" + par_file_name,
par_s3_bucket, par_file_name)
except ClientError as e:
status = str(e)
except Exception as e:
status = str(e)
finally:
os.remove("/tmp/" + par_file_name)
download_stream = None
return status
def get_bearer_token():
keyVaultName = os.environ["previsionzkeyvault"]
KVUri = "https://{}.vault.azure.net".format(keyVaultName)
secretName = "BEARER-TOKEN"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)
print("Retrieving your secret from {}.".format(keyVaultName))
retrieved_secret = client.get_secret(secretName).value
print("Secret retrieval done.")
return retrieved_secret
