def _authenticate(self): keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) client_id = self._auth_params.get('client_id') client_secret = self._auth_params.get('client_secret') access_token = self._auth_params.get('access_token') tenant_id = self._auth_params.get('tenant_id') use_msi = self._auth_params.get('use_msi') subscription_id = self._auth_params.get('subscription_id') if access_token and subscription_id: self.log.info("Creating session with Token Authentication") self.subscription_id = subscription_id self.credentials = BasicTokenAuthentication( token={'access_token': access_token}) self._is_token_auth = True elif client_id and client_secret and tenant_id and subscription_id: self.log.info( "Creating session with Service Principal Authentication") self.subscription_id = subscription_id self.credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource=self.resource_namespace) self.tenant_id = tenant_id elif use_msi and subscription_id: self.log.info("Creating session with MSI Authentication") self.subscription_id = subscription_id if client_id: self.credentials = MSIAuthentication( client_id=client_id, resource=self.resource_namespace) else: self.credentials = MSIAuthentication( resource=self.resource_namespace) elif self._auth_params.get('enable_cli_auth'): self.log.info("Creating session with Azure CLI Authentication") self._is_cli_auth = True try: (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=self.resource_namespace) except Exception: self.log.error('Unable to authenticate with Azure') self.log.info("Session using Subscription ID: %s" % self.subscription_id)
def test_get_keyvault_secret(self, _1): mock = Mock() mock.value = '{"client_id": "client", "client_secret": "secret"}' with patch('azure.common.credentials.ServicePrincipalCredentials.__init__', return_value=None), \ patch('azure.keyvault.v7_0.KeyVaultClient.get_secret', return_value=mock): reload(sys.modules['c7n_azure.utils']) result = get_keyvault_secret(None, 'https://testkv.vault.net/secrets/testsecret/123412') self.assertEqual(result, mock.value)
def test_get_keyvault_secret_with_parameter(self, _1): mock = Mock() mock.value = '{"client_id": "client", "client_secret": "secret"}' with patch('azure.common.credentials.ServicePrincipalCredentials.__init__', return_value=None), \ patch('azure.keyvault.v7_0.KeyVaultClient.get_secret', return_value=mock): reload(sys.modules['c7n_azure.utils']) result = get_keyvault_secret(None, 'https://testkv.vault.net/secrets/testsecret/123412', cloud_endpoints=AZURE_CHINA_CLOUD) self.assertEqual(mock.value, result) resource_auth = _1.call_args.kwargs.get('resource') self.assertEqual('https://vault.azure.cn', resource_auth)
def _authenticate(self): keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it try: if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) except HTTPError as e: e.message = 'Failed to retrieve SP credential ' \ 'from Key Vault with client id: {0}'.format(keyvault_client_id) raise token_providers = [ AccessTokenProvider, ServicePrincipalProvider, MSIProvider, CLIProvider ] for provider in token_providers: instance = provider(self._auth_params, self.resource_namespace) if instance.is_available(): result = instance.authenticate() self.subscription_id = result.subscription_id self.tenant_id = result.tenant_id self.credentials = result.credential self.token_provider = provider break # Let provided id parameter override everything else if self.subscription_id_override is not None: self.subscription_id = self.subscription_id_override log.info('Authenticated [%s | %s%s]', instance.name, self.subscription_id, ' | Authorization File' if self.authorization_file else '')
def __init__(self, cloud_endpoints, authorization_file=None, subscription_id_override=None): # type: (*str, *str) -> None if authorization_file: with open(authorization_file) as json_file: self._auth_params = json.load(json_file) else: self._auth_params = { 'client_id': os.environ.get(constants.ENV_CLIENT_ID), 'client_secret': os.environ.get(constants.ENV_CLIENT_SECRET), 'access_token': os.environ.get(constants.ENV_ACCESS_TOKEN), 'tenant_id': os.environ.get(constants.ENV_TENANT_ID), 'use_msi': bool(os.environ.get(constants.ENV_USE_MSI)), 'subscription_id': os.environ.get(constants.ENV_SUB_ID), 'keyvault_client_id': os.environ.get(constants.ENV_KEYVAULT_CLIENT_ID), 'keyvault_secret_id': os.environ.get(constants.ENV_KEYVAULT_SECRET_ID), 'enable_cli_auth': True } self._auth_params[ 'authority'] = cloud_endpoints.endpoints.active_directory keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it try: if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) except HTTPError as e: e.message = 'Failed to retrieve SP credential ' \ 'from Key Vault with client id: {0}'.format(keyvault_client_id) raise self._credential = None if self._auth_params.get('access_token') is not None: auth_name = 'Access Token' pass elif (self._auth_params.get('client_id') and self._auth_params.get('client_secret') and self._auth_params.get('tenant_id')): auth_name = 'Principal' self._credential = ClientSecretCredential( client_id=self._auth_params['client_id'], client_secret=self._auth_params['client_secret'], tenant_id=self._auth_params['tenant_id'], authority=self._auth_params['authority']) elif self._auth_params.get('use_msi'): auth_name = 'MSI' self._credential = ManagedIdentityCredential( client_id=self._auth_params.get('client_id')) elif self._auth_params.get('enable_cli_auth'): auth_name = 'Azure CLI' self._credential = AzureCliCredential() account_info, error = _run_command('az account show --output json') account_json = json.loads(account_info) self._auth_params['subscription_id'] = account_json['id'] self._auth_params['tenant_id'] = account_json['tenantId'] if error is not None: raise Exception('Unable to query TenantId and SubscriptionId') if subscription_id_override is not None: self._auth_params['subscription_id'] = subscription_id_override self._subscription_id = self._auth_params['subscription_id'] self._tenant_id = self._auth_params['tenant_id'] log.info('Authenticated [%s | %s%s]', auth_name, self.subscription_id, ' | Authorization File' if authorization_file else '')
def _authenticate(self): try: keyvault_client_id = self._auth_params.get('keyvault_client_id') keyvault_secret_id = self._auth_params.get('keyvault_secret_id') # If user provided KeyVault secret, we will pull auth params information from it if keyvault_secret_id: self._auth_params.update( json.loads( get_keyvault_secret(keyvault_client_id, keyvault_secret_id))) client_id = self._auth_params.get('client_id') client_secret = self._auth_params.get('client_secret') access_token = self._auth_params.get('access_token') tenant_id = self._auth_params.get('tenant_id') use_msi = self._auth_params.get('use_msi') subscription_id = self._auth_params.get('subscription_id') if access_token and subscription_id: log.info("Creating session with Token Authentication") self.subscription_id = subscription_id self.credentials = BasicTokenAuthentication( token={'access_token': access_token}) self._is_token_auth = True elif client_id and client_secret and tenant_id and subscription_id: log.info( "Creating session with Service Principal Authentication") self.subscription_id = subscription_id self.credentials = ServicePrincipalCredentials( client_id=client_id, secret=client_secret, tenant=tenant_id, resource=self.resource_namespace) self.tenant_id = tenant_id elif use_msi and subscription_id: log.info("Creating session with MSI Authentication") self.subscription_id = subscription_id if client_id: self.credentials = MSIAuthentication( client_id=client_id, resource=self.resource_namespace) else: self.credentials = MSIAuthentication( resource=self.resource_namespace) elif self._auth_params.get('enable_cli_auth'): log.info("Creating session with Azure CLI Authentication") self._is_cli_auth = True (self.credentials, self.subscription_id, self.tenant_id) = Profile().get_login_credentials( resource=self.resource_namespace) log.info("Session using Subscription ID: %s" % self.subscription_id) except AuthenticationError as e: log.error('Azure Authentication Failure\n' 'Error: {0}'.format( json.dumps(e.inner_exception.error_response, indent=2))) sys.exit(1) except HTTPError as e: if keyvault_client_id and keyvault_secret_id: log.error( 'Azure Authentication Failure\n' 'Error: Cannot retrieve SP credentials from the Key Vault ' '(KV uses MSI to access) with client id: {0}'.format( keyvault_client_id)) elif use_msi: log.error( 'Azure Authentication Failure\n' 'Error: Could not authenticate using managed service identity {0}' .format(client_id if client_id else '(system identity)')) else: log.error('Azure Authentication Failure: %s' % e.response) sys.exit(1) except CLIError as e: log.error( 'Azure Authentication Failure\n' 'Error: Could not authenticate with Azure CLI credentials: {0}' .format(e)) sys.exit(1) except Exception as e: log.error('Azure Authentication Failure\n' 'Error: {0}'.format(e)) sys.exit(1)