def redditconnect_PRAW(): # Cloud Connection Information default_credential = DefaultAzureCredential() secret_client = SecretClient( vault_url="https://keyvaultforquant.vault.azure.net/", credential=default_credential) temp_prawcred_cliendid = secret_client.get_secret( name="RedditConnect-clientid") temp_prawcred_clientsecret = secret_client.get_secret( name="RedditConnect-clientsecret") temp_prawcred_username = secret_client.get_secret( name="RedditConnect-username") temp_prawcred_passwords = secret_client.get_secret( name="RedditConnect-password") # Praw Object prawreddit_object = praw.Reddit( client_id=temp_prawcred_cliendid.value, client_secret=temp_prawcred_clientsecret.value, username=temp_prawcred_username.value, password=temp_prawcred_passwords.value, user_agent="prawtutorialv1") return prawreddit_object
def connect_to_odinprod(): # Cloud Connection Information default_credential = DefaultAzureCredential() secret_client = SecretClient( vault_url="https://keyvaultforquant.vault.azure.net/", credential=default_credential) temp_odin_server = "quantserver.database.windows.net,1433" temp_odin_username = secret_client.get_secret( name="odinprodConnect-username") temp_odin_password = secret_client.get_secret( name="odinprodConnect-password") # PYODBC String pyodbcodinprod_str = \ 'DRIVER=ODBC Driver 17 for SQL Server;' + \ 'SERVER=' + temp_odin_server + ';' +\ 'DATABASE=odin_prod;' +\ 'UID=' + temp_odin_username.value + ';' +\ 'PWD=' + temp_odin_password.value + ';' + \ 'Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;' # PYODBC Object try: print("Determining status of the database: ") pyodbcodinprod_object = pyodbc.connect(pyodbcodinprod_str) except: print("~Database is sleeping, Starting the Database up!") time.sleep(60) pyodbcodinprod_object = pyodbc.connect(pyodbcodinprod_str) finally: print("~Odin Connection is ready!") return pyodbcodinprod_str, pyodbcodinprod_object
def fetch_secrets(vault_url): client = SecretClient(vault_url=vault_url, credential=credential) data = { 'sshpublickey': client.get_secret('sshpublickey').value, 'mspassword' : client.get_secret('mspassword').value, 'msusername' : client.get_secret('msusername').value, 'dynatraceapitoken' : client.get_secret('dynatraceapitoken').value, 'dynatraceapiurl' : client.get_secret('dynatraceapiurl').value } return data
def __init__(self): credential = DefaultAzureCredential() vault_url = 'https://aksseldonml-vault.vault.azure.net/' client = SecretClient(vault_url=vault_url, credential=credential) # get credentials cognitive_endpoint = client.get_secret('cognitiveendpoint').value cognitive_key = client.get_secret('cognitivekey').value ta_credential = AzureKeyCredential(cognitive_key) text_analytics_client = TextAnalyticsClient( endpoint=cognitive_endpoint, credential=ta_credential) self.client = text_analytics_client
def generate_dataframe_from_table(spark, spark_args, table): application_id = spark_args.application_id directory_id = spark_args.directory_id adb_secret_scope = spark_args.adb_secret_scope_name adb_sp_client_key_secret_name = spark_args.adb_sp_client_key_secret_name database = spark_args.jdbc_database jdbc_host = spark_args.jdbc_host jdbc_port = spark_args.jdbc_port jdbc_username_key_name = spark_args.jdbc_username_key_name jdbc_password_key_name = spark_args.jdbc_password_key_name use_msi_azure_sql_auth = spark_args.use_msi_azure_sql_auth client_secret = SERVICE_PRINCIPAL_SECRET if SERVICE_PRINCIPAL_SECRET is not None else dbutils.secrets.get( scope=adb_secret_scope, key=adb_sp_client_key_secret_name) df_constructor = spark.read.format("jdbc") \ .option("url", f"jdbc:sqlserver://{jdbc_host}:{jdbc_port};databaseName={database};") \ .option("dbtable", table) \ .option("driver", "com.microsoft.sqlserver.jdbc.SQLServerDriver") \ .option("hostNameInCertificate", "*.database.windows.net") \ .option("encrypt", "true") \ .option("ServerCertificate", "false") \ .option("trustServerCertificate", "false") \ .option("loginTimeout", "30") if use_msi_azure_sql_auth: sts_url = "https://login.microsoftonline.com/" + directory_id auth_context = AuthenticationContext(sts_url) token_obj = auth_context.acquire_token_with_client_credentials( "https://database.windows.net/", application_id, client_secret) access_token = token_obj['accessToken'] df_constructor.option("accessToken", access_token) else: service_principal_credential = ClientSecretCredential( tenant_id=spark_args.directory_id, client_id=spark_args.application_id, client_secret=SERVICE_PRINCIPAL_SECRET) secret_client = SecretClient(vault_url=spark_args.key_vault_url, credential=service_principal_credential) df_constructor.option( "user", secret_client.get_secret(name=jdbc_username_key_name).value) df_constructor.option( "password", secret_client.get_secret(name=jdbc_password_key_name).value) df = df_constructor.load() return df
def main(req: func.HttpRequest) -> func.HttpResponse: logging.info('Python HTTP trigger function processed a request.') KeyVault_DNS = os.environ["KeyVault_DNS"] SecretName = os.environ["SecretName"] table_name = req.headers.get('name') value = req.get_json() if table_name: try: # Try with managed identity, otherwise to with Service Principal creds = ManagedIdentityCredential() client = SecretClient(vault_url=KeyVault_DNS, credential=creds) retrieved_secret = client.get_secret(SecretName) except: creds = ClientSecretCredential( client_id=os.environ["SP_ID"], client_secret=os.environ["SP_SECRET"], tenant_id=os.environ["TENANT_ID"]) client = SecretClient(vault_url=KeyVault_DNS, credential=creds) retrieved_secret = client.get_secret(SecretName) table_service = TableService(connection_string=retrieved_secret.value) if table_service.exists(table_name): if 'PartitionKey' not in value.keys(): #This is mandatory value['PartitionKey'] = 'reference' if 'RowKey' not in value.keys(): #This is mandatory too value['RowKey'] = '001' try: table_service.update_entity(table_name=table_name, entity=value) except: table_service.insert_entity(table_name=table_name, entity=value) else: ret = dict() ret['result'] = "Please create the table!" return func.HttpResponse(json.dumps(ret), status_code=400) ret = dict() ret['result'] = "Success" return func.HttpResponse(json.dumps(ret), status_code=200) else: ret = dict() ret['result'] = "Please pass a name!!" return func.HttpResponse(json.dumps(ret), status_code=400)
def main(): global cog_endpoint global cog_key try: # Get Configuration Settings load_dotenv() cog_endpoint = os.getenv('COG_SERVICE_ENDPOINT') key_vault_name = os.getenv('KEY_VAULT') app_tenant = os.getenv('TENANT_ID') app_id = os.getenv('APP_ID') app_password = os.getenv('APP_PASSWORD') # Get cognitive services key from keyvault using the service principal credentials key_vault_uri = f"https://{key_vault_name}.vault.azure.net/" credential = ClientSecretCredential(app_tenant, app_id, app_password) keyvault_client = SecretClient(key_vault_uri, credential) secret_key = keyvault_client.get_secret("Cognitive-Services-Key") cog_key = secret_key.value # Get user input (until they enter "quit") userText = '' while userText.lower() != 'quit': userText = input('\nEnter some text ("quit" to stop)\n') if userText.lower() != 'quit': language = GetLanguage(userText) print('Language:', language) except Exception as ex: print(ex)
def home(): # url du key vault sur Azure vault_url = "https://tradingkeyvault.vault.azure.net/" # récupération des accés au key vault dans le context d'Azure credential = DefaultAzureCredential() # récupération des accés à la database depuis le key vault secret_client = SecretClient(vault_url=vault_url, credential=credential) secret = secret_client.get_secret("sqlserver-trading") # connexion au sql server depuis une machine linux cnxn = pyodbc.connect("Driver={ODBC Driver 17 for SQL Server};Server=tcp:sqlserver-trading.database.windows.net,1433;Database=financial;Uid=MasterTrader;Pwd="+secret.value+";Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;") cursor = cnxn.cursor() cursor.execute("SELECT TOP(200) * FROM XGBoost_BSH_1H ORDER BY DatePrediction DESC") # row = cursor.fetchone() rows = cursor.fetchall() rows.reverse() new_rows =[] for row in rows: # row_list = [elem for elem in row] # row_list.append(max(row_list[1:])) row_list = [row[0]] row_list_rounded = list(map(lambda x: round(x, ndigits=4), row[1:])) row_list.extend(row_list_rounded) row_list.append(max(row_list[1:])) new_rows.append(row_list) return render_template('index.html', data=new_rows)
class AzureKeyVault(SecretProvider): def __init__(self, provider_details): log.info("Using secret provider: Azure KeyVault") super().__init__(provider_details) self.__auth_azure() def __auth_azure(self): provider_credentials = self._provider_details["credentials"] credential = ClientSecretCredential( tenant_id=provider_credentials["azure_tenant_id"], client_id=provider_credentials["azure_client_id"], client_secret=provider_credentials["azure_client_secret"]) self.__provider = SecretClient( vault_url=provider_credentials["azure_keyvault_url"], credential=credential) def set_secret(self, key_name, key_value): self.__provider.set_secret(key_name, key_value) def get_secret(self, key_name): try: secret_name = key_name.replace('.', '-').replace('_', '-') log.info("Looking for secret: {} [{}]".format( secret_name, key_name)) secret_value = self.__provider.get_secret(secret_name).value log.info("Secret {} found".format(key_name)) return secret_value except ResourceNotFoundError: log.error("Cannot find secret: {}".format(key_name)) raise except ClientAuthenticationError: log.error("Cannot authenticate, the credentials are invalid") raise
def main(mytimer: func.TimerRequest) -> None: # Extracting Database password default_credential = DefaultAzureCredential() secret_client = SecretClient( vault_url='https://andrewsfirstkeyvault.vault.azure.net/', credential=default_credential) DBPassword = secret_client.get_secret(name="DBTrial-pwd") # Database Connection conninfo_server = "server-trial.database.windows.net,1433" conninfo_database = "Database_Trial" conninfo_username = "******" conninfo_password = DBPassword.value conninfo_connectstring= 'DRIVER=ODBC Driver 17 for SQL Server;'+\ 'SERVER='+conninfo_server+';'+\ 'DATABASE='+conninfo_database+';'+\ 'UID='+conninfo_username+';'+\ 'PWD='+ conninfo_password+';'+\ 'Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;' conn = pyodbc.connect(conninfo_connectstring) cursor = conn.cursor() # Database Insertion cursor.execute("""INSERT INTO TrialTable (RandomCol2_Str, RandomCol3_Str) VALUES ('John','Snow')""") conn.commit() conn.close
def get_data(sql_string, columns): credentials = None credential = DefaultAzureCredential() secret_client = SecretClient("https://smrtschd-aml-kv.vault.azure.net", credential=credential) secret = secret_client.get_secret("database-connection") #client = KeyVaultClient(KeyVaultAuthentication(auth_callback)) #secret_bundle = client.get_secret("https://smrtschd-aml-kv.vault.azure.net", "database-connection", "") server = 'starlims-sql.database.windows.net' database = 'QM12_DATA_AUTOMATION' username = '******' password = secret.value driver= '{ODBC Driver 17 for SQL Server}' conn = pyodbc.connect('Driver='+driver+';'+ 'Server='+server+';'+ 'Database='+database+';'+ 'PORT=1433;'+ 'UID='+username+';'+ 'PWD='+password+'; MARS_Connection=Yes' ) try: SQL_Query = pd.read_sql_query(sql_string, conn) df = pd.DataFrame(SQL_Query, columns=columns) return df except Exception as e: print(e) raise
def getsecretkey2(): keyVault2_name = 'VaronisAssignmentKv2' KeyVault_URI = f"https://{keyVault2_name}.vault.azure.net/" SECRET_NAME = 'VaronisAssignmentSecret' _credential = ClientSecretCredential(tenant_id=TENANT_ID, client_id=CLIENT_ID, client_secret=CLIENT_SECRET) _sc = SecretClient(vault_url=KeyVault_URI, credential=_credential) KVA_SECRET = _sc.get_secret(SECRET_NAME).value KVA_DATE = _sc.get_secret(SECRET_NAME).properties.created_on return KVA_SECRET, SECRET_NAME, KVA_DATE
def Connect(): try: credential = DefaultAzureCredential() scope = 'https://vault.azure.net/.default' access_token = credential.get_token(scope) print(access_token) vault_url = "https://{}.vault.azure.net".format(vault_name) secret_client = SecretClient(vault_url=vault_url, credential=credential) retrieved_secret = secret_client.get_secret("mysql") password = retrieved_secret.value messages.clear() global cnxn cnxn = mysql.connector.connect(user=user,host=host,database=database,password=password) print("Connection established") except mysql.connector.Error as err: if err.errno == errorcode.ER_ACCESS_DENIED_ERROR: print("Something is wrong with the user name or password") elif err.errno == errorcode.ER_BAD_DB_ERROR: print("Database does not exist") else: print(err) else: global cursor cursor = cnxn.cursor() messages.append("Connecting to Database")
class AzureKeyVault(object): def __init__(self, key_vault_name: str): credential = DefaultAzureCredential() key_vault_uri = f"https://{key_vault_name}.vault.azure.net" self.client = SecretClient(vault_url=key_vault_uri, credential=credential) def set_secret(self, secret_name: str, secret_value) -> bool: try: self.client.set_secret(secret_name, secret_value) return True except BaseException as e: Logger().error(f"{e}") return False def get_secret(self, secret_name: str) -> Union[KeyVaultSecret, str]: try: return self.client.get_secret(secret_name) except BaseException as e: Logger().error(f"{e}") return "" def delete_secret(self, secret_name: str) -> bool: try: poller = self.client.begin_delete_secret(secret_name) deleted_secret = poller.result() return True except BaseException as e: Logger().error(f"{e}") return False
def get_queue(queue_name, create_queue, clear_queue): ''' Note that generating the queueclient does not mean there must a queue there as one of the properties of queueclient is "create_queue", so it's really a representation of a queue which may or may not exist yet. ''' keyVaultName = os.environ["KEY_VAULT_NAME"] keyVault_URI = "https://" + keyVaultName + ".vault.azure.net" credential = DefaultAzureCredential() client = SecretClient(vault_url=keyVault_URI, credential=credential) data_access_key = client.get_secret("thecupstore-key") account_url = "https://thecupstore.queue.core.windows.net/" queueclient = QueueClient(account_url=account_url, queue_name=queue_name, credential=data_access_key.value, message_encode_policy=TextBase64EncodePolicy(), message_decode_policy=TextBase64DecodePolicy()) # Check that the queue exists and if not create it if the create switch has been passed as True try: queueclient.get_queue_properties() except: if create_queue: queueclient.create_queue() else: message = "Queue does not exist" else: if clear_queue: queueclient.clear_messages() if 'message' in locals(): # checks for existence of message variable return message else: return queueclient
def __get_storage_account_key(self, accountname, client_id, secret_key, tenant_id, keyvault_account): """ Uses the azure management package and the active directory credentials to fetch the authentication key for a storage account from azure key vault. The key must be stored in azure keyvault for this to work. :param str accountname: storage account name """ credential = ClientSecretCredential(tenant_id, client_id, secret_key) keyvault = 'https://{}.vault.azure.net'.format(keyvault_account) client = SecretClient(keyvault, credential) try: secret_bundle = client.get_secret(accountname) except ResourceNotFoundError: err_str = "The pipeline is not setup to use the {} account. ".format( accountname) err_str += "please add the storage key for the account to {} ".format( keyvault_account) err_str += "as a secret. All input/output paths should start with accountname" raise UnconfiguredStorageAccountError(err_str) account_key = secret_bundle.value return account_key
def get_best_stop_id(name): print(name) credential = DefaultAzureCredential() secret_client = SecretClient(vault_url='https://keyvaulttest-2.vault.azure.net/', credential=credential) secret_transport_nsw = secret_client.get_secret("transport-nsw") headers={'Authorization': secret_transport_nsw.value} stop_payload = { 'outputFormat' : 'rapidJSON', 'type_sf' : 'any', 'coordOutputFormat' : 'EPSG:4326', 'name_sf' : name, 'version' : '10.2.1.42' } headers={'Authorization': secret_transport_nsw.value} stop_response = requests.get('https://api.transport.nsw.gov.au/v1/tp/stop_finder',params=stop_payload,headers=headers) stop_response = stop_response.json() #print(stop_response['locations']) for stop in stop_response['locations']: if stop['isBest'] == True: #print(stop['isBest']) #print(stop['id']) return(stop['id']) else: pass
def main(argv): # Get arguments akv_name = None secret_name = None try: opts, args = getopt.getopt(argv, "hv:s:", ["help", "vault-name=", "secret-name="]) except getopt.GetoptError: print('Options: -v <azure_key_vault_name> -s <secret_name>') sys.exit(2) for opt, arg in opts: if opt == '-h': print('Options: -v <azure_key_vault_name> -s <secret_name>') sys.exit() elif opt in ("-v", "--vault-name"): akv_name = arg elif opt in ("-s", "--secret-name"): secret_name = arg # Print vault name if (akv_name == None) or (secret_name == None): print('Options: -v <azure_key_vault_name> -s <secret_name>') sys.exit() else: print('Getting secret', secret_name, 'from Azure Key Vault', akv_name) # Get secret akv_uri = f"https://{akv_name}.vault.azure.net" credential = DefaultAzureCredential() client = SecretClient(vault_url=akv_uri, credential=credential) secret_value = client.get_secret(secret_name) # Debug: print secret print('Secret value:', secret_value.value)
class Vault: def __init__(self): self.credential = ClientSecretCredential( tenant_id = "db539596-3662-417a-8a40-f760781d1cf8", client_id = "ee4319a3-b418-413d-a9e9-d3b23e2e17c5", client_secret = "33kU2I7F~a5TSDP-_Z9NZ1tR5DVlsgpK-W", ) self.secret_client = SecretClient(vault_url="https://{0}.vault.azure.net".format(os.getenv(("KEY_VAULT_NAME"))),credential=self.credential) self.key_client = KeyClient(vault_url="https://{0}.vault.azure.net".format(os.getenv(("KEY_VAULT_NAME"))),credential=self.credential) self.key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"] def get_secret(self,key): return self.secret_client.get_secret(key).value def set_secret(self,key,value): self.secret_client.set_secret(key,value) def set_key(self,key_name,key_size,key_ops): self.key_client.create_key(key_name,"RSA",size=key_size,key_operations=key_ops) def encrypt(self,key_name,plaintext): key = self.key_client.get_key(key_name) crypto_client = CryptographyClient(key,credential=self.credential) text = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep,bytes(plaintext.encode())) return text.ciphertext def decrypt(self,ciphertext,key_name): key = self.key_client.get_key(key_name) crypto_client = CryptographyClient(key,credential=self.credential) text = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep,ciphertext) return text.plaintext.decode()
def create_app(test_config=None): # 環境変数VAULT_URIにAzure Key VaultのコンテナURIを設定しておく VAULT_URI = getenv("VAULT_URI") if VAULT_URI is None: raise Exception("VAULT_URI env var is not set.") # Azure Identityを使い、Azure Key Vaultコンテナにアクセスする。 # DefaultAzureCredentialを使うことで次のことが実現出来る。 # ・Azure Web Apps等にデプロイした際は、Managed Identityの資格情報を使いKey Vaultにアクセス # ・ローカル開発環境上ではVisual StudioのAzure Account拡張機能でログインした際の資格情報を使いKey Vaultにアクセス credential = DefaultAzureCredential() valut_client = SecretClient(vault_url=VAULT_URI, credential=credential) # Azure Key Vaultコンテナ上に設定されているシークレットを読み出し、PythonのDictにする try: secret = valut_client.get_secret(FLASK_SECRET_KEY) flask_config = json.loads(secret.value) except ResourceNotFoundError as e: raise e except json.JSONDecodeError as e: raise e app = Flask(__name__, instance_relative_config=True) # シークレットから取得した値でconfigをアップデートする app.config.from_mapping(flask_config) @app.route("/") def hello_world(): import datetime return "Hello from azure-keyvault-flask! " + str( datetime.datetime.now()) return app
def get_sender(self, user: str) -> Dict[str, Union[str, int]]: """Retrieve the details for a user from the DB. If we try to retrieve a user defined multiple times it raises an error since we have ambiguous details. Passwords are retrieved from a KeyVault. Parameters ---------- user User associated with the email account used to deliver the email. """ sender_details_lst = [x for x in self.email_db if x["user"] == user] if len(sender_details_lst) == 0: logging.info("Sender user not found in DB.") raise KeyError("Sender not found in DB.") elif len(sender_details_lst) > 1: logging.info("More than one sender user in DB. Please fix.") raise KeyError("Ambiguous sender found in DB") else: sender_details: Dict[str, Union[str, int]] = sender_details_lst[0] credential = DefaultAzureCredential() client = SecretClient(vault_url=os.environ["KEY_VAULT_URI"], credential=credential) secret = client.get_secret(sender_details["keyvault_secret"]).value sender_details["password"] = secret return sender_details
def run_sample(): # Instantiate a secret client that will be used to call the service. # Notice that the client is using default Azure credentials. # To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID', # 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials. VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"] credential = DefaultAzureCredential() client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential) try: # Let's create a secret holding bank account credentials valid for 1 year. # if the secret already exists in the Key Vault, then a new version of the secret is created. print("\n.. Create Secret") expires = datetime.datetime.utcnow() + datetime.timedelta(days=365) secret = client.set_secret("helloWorldSecretName", "helloWorldSecretValue", expires_on=expires) print("Secret with name '{0}' created with value '{1}'".format( secret.name, secret.value)) print("Secret with name '{0}' expires on '{1}'".format( secret.name, secret.properties.expires_on)) # Let's get the bank secret using its name print("\n.. Get a Secret by name") bank_secret = client.get_secret(secret.name) print("Secret with name '{0}' was found with value '{1}'.".format( bank_secret.name, bank_secret.value)) # After one year, the bank account is still active, we need to update the expiry time of the secret. # The update method can be used to update the expiry attribute of the secret. It cannot be used to update # the value of the secret. print("\n.. Update a Secret by name") expires = bank_secret.properties.expires_on + datetime.timedelta( days=365) updated_secret_properties = client.update_secret_properties( secret.name, expires_on=expires) print("Secret with name '{0}' was updated on date '{1}'".format( secret.name, updated_secret_properties.updated_on)) print("Secret with name '{0}' was updated to expire on '{1}'".format( secret.name, updated_secret_properties.expires_on)) # Bank forced a password update for security purposes. Let's change the value of the secret in the Key Vault. # To achieve this, we need to create a new version of the secret in the Key Vault. The update operation cannot # change the value of the secret. secret = client.set_secret(secret.name, "newSecretValue") print("Secret with name '{0}' created with value '{1}'".format( secret.name, secret.value)) # The bank account was closed, need to delete its credentials from the Key Vault. print("\n.. Delete Secret") deleted_secret = client.delete_secret(secret.name) print("Deleting Secret..") print("Secret with name '{0}' was deleted.".format( deleted_secret.name)) except HttpResponseError as e: print("\nrun_sample has caught an error. {0}".format(e.message)) finally: print("\nrun_sample done")
def get_secret(secretName): KVUri = f"https://sayless.vault.azure.net" credential = DefaultAzureCredential() client = SecretClient(vault_url=KVUri, credential=credential) retrieved_secret = client.get_secret(secretName) return retrieved_secret.value
def get_secret(key_vault, key_name): # Create MSI Authentication credential = MSIAuthentication() client = SecretClient(vault_url=key_vault, credential=credential) secret_bundle = client.get_secret(key_name) secret = secret_bundle.value return secret
def get_sp(): # TO DO in next version: link and secret names as parameters to customize which sp to get for which case; # to have less parameters and not over-complicate the code, you can now add the link to the key vault # and the secret names in the code if you don't plan on changing the way the authrization is done in the future. credential = DefaultAzureCredential() secret_client = SecretClient("FILL IN THE LINK TO YOUR KEY VAULT", credential) serviceprincipal_definition = {} #make sure the following secrets exist and are populated in your key vault (can change the names of the variables if you want) serviceprincipal_definition["tenant_id"] = secret_client.get_secret( "tenant-id").value serviceprincipal_definition[ "service_principal_id"] = secret_client.get_secret("sp-id").value serviceprincipal_definition[ "service_principal_password"] = secret_client.get_secret( "sp-password").value return serviceprincipal_definition
def get_secret_from_vault(self): # Connect to vault credential = ManagedIdentityCredential() secret_client = SecretClient(vault_url=self.vault_url, credential=credential) return secret_client.get_secret(self.secret_name)
def __init__(self, uri): credential = DefaultAzureCredential( exclude_shared_token_cache_credential=True, exclude_managed_identity_credential=True, exclude_visual_studio_code_credential=True, exclude_environment_credential=True) client = SecretClient(vault_url=uri, credential=credential) self.password = urllib.parse.quote_plus( client.get_secret("sql-password").value) self.user_name = urllib.parse.quote_plus( client.get_secret("sql-userid").value) self.server = urllib.parse.quote_plus( client.get_secret("sqlserver").value) self.database = urllib.parse.quote_plus( client.get_secret("sql-db").value) self.table_name = urllib.parse.quote_plus( client.get_secret("sql-table").value)
class Vault: def __init__(self): if os.environ.get('IS_PROD', None): self.credential = ClientSecretCredential( tenant_id=os.environ.get('tenant_id', None), client_id=os.environ.get('client_id', None), client_secret=os.environ.get('client_secret', None), ) self.secret_client = SecretClient(vault_url=os.environ.get( 'vault_url', None), credential=self.credential) self.key_client = KeyClient(vault_url=os.environ.get( 'vault_url', None), credential=self.credential) else: self.credential = ClientSecretCredential( tenant_id=Configuration.tenant_id, client_id=Configuration.client_id, client_secret=Configuration.client_secret, ) self.secret_client = SecretClient( vault_url=Configuration.vault_url, credential=self.credential) self.key_client = KeyClient(vault_url=Configuration.vault_url, credential=self.credential) self.key_ops = [ "encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey" ] def get_secret(self, key): return self.secret_client.get_secret(key).value def set_secret(self, key, value): self.secret_client.set_secret(key, value) def set_key(self, key_name, key_size, key_ops): self.key_client.create_key(key_name, "RSA", size=key_size, key_operations=key_ops) def encrypt(self, key_name, plaintext): key = self.key_client.get_key(key_name) crypto_client = CryptographyClient(key, credential=self.credential) text = crypto_client.encrypt(EncryptionAlgorithm.rsa_oaep, bytes(plaintext.encode())) return text.ciphertext def decrypt(self, ciphertext, key_name): key = self.key_client.get_key(key_name) crypto_client = CryptographyClient(key, credential=self.credential) text = crypto_client.decrypt(EncryptionAlgorithm.rsa_oaep, ciphertext) return text.plaintext.decode() def close_all_connections(self): self.secret_client.close() self.key_client.close()
def main(name: str) -> str: par_account_url = os.environ['account_url'] par_storage_container = os.environ['storage_container'] par_file_name = name # os.environ['file_name'] # todo, pass this parameter from ADFv2 or loop through storage container par_keyvault_url = os.environ['keyvault_url'] par_s3_bucket = os.environ['s3_bucket'] status = "ok" try: # Download file from Azure Storage and put it on tmp storage of Azure Function token_credential = DefaultAzureCredential() blob_service_client = BlobServiceClient(account_url=par_account_url, credential=token_credential) blob_client = blob_service_client.get_blob_client( container=par_storage_container, blob=par_file_name) with open("/tmp/" + par_file_name, "wb") as my_blob: download_stream = blob_client.download_blob() my_blob.write(download_stream.readall()) # Upload file from Azure Function tmp storage to AWS S3 secret_client = SecretClient(vault_url=par_keyvault_url, credential=token_credential) aws_access_key_id = secret_client.get_secret("aws-access-key-id").value aws_secret_access_key = secret_client.get_secret( "aws-secret-access-key").value s3_client = boto3.client('s3', aws_access_key_id=aws_access_key_id, aws_secret_access_key=aws_secret_access_key) try: response = s3_client.upload_file("/tmp/" + par_file_name, par_s3_bucket, par_file_name) except ClientError as e: status = str(e) except Exception as e: status = str(e) finally: os.remove("/tmp/" + par_file_name) download_stream = None return status
def get_bearer_token(): keyVaultName = os.environ["previsionzkeyvault"] KVUri = "https://{}.vault.azure.net".format(keyVaultName) secretName = "BEARER-TOKEN" credential = DefaultAzureCredential() client = SecretClient(vault_url=KVUri, credential=credential) print("Retrieving your secret from {}.".format(keyVaultName)) retrieved_secret = client.get_secret(secretName).value print("Secret retrieval done.") return retrieved_secret