Cannot access azure key vault secret with python
I have been able to access Azure Key Vault through my external web app using the OAuth REST API, but for some reason I cannot retrieve secrets from the keys. After long research I found that this can be done with PowerShell and C#, but I still haven't found any solution for Python.
Does anyone know whether this is possible in Python, or whether there is a way to emulate what PowerShell is doing?
Here is the code for retrieving the secret:
import requests
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.keyvault import KeyVaultManagementClient

def getSecret(vault_name, secret_name, secret_version = ''):
    # Get access token for the Key Vault resource via the client-credentials flow
    data = { "grant_type" : "client_credentials",
             "client_id" : 'appidxx',
             "client_secret" : 'appsecretxx',
             "resource" : "https://vault.azure.net"
           }
    headers = { "Content-Type" : "application/x-www-form-urlencoded" }
    r = requests.post("https://login.windows.net/{}/oauth2/token".format('my tenant id'), data=data, headers=headers)
    access_token = r.json()['access_token']
    # Get secret from Key Vault using the bearer token (data-plane REST call)
    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
    result = r.json()
    if 'value' in result.keys():
        return result["value"]
    else:
        return 'Secret Not Found'

def searchSecret(secret_name, secret_version = ''):
    subscription_id = 'subscription id'
    credentials = ServicePrincipalCredentials(
        client_id= 'appidxx',
        secret= 'appsecretxx',
        tenant= 'tenantidxx'
    )
    # Management-plane client: enumerates the vaults in the subscription
    kvm_client = KeyVaultManagementClient(credentials, subscription_id )
    for vault in kvm_client.vaults.list():
        # return when secret found in vault (pass the requested version through)
        secret = getSecret(vault.name, secret_name, secret_version)
        if (secret != 'Secret Not Found'):
            return secret
    return 'Secret Not Found'
Also, I have registered my app in the Azure portal and granted it permissions to my keys and secrets, but I noticed that when giving my app access through access policies the "Authorized application" option is locked and I cannot add my application. Could this be the root cause of my problem??
(screenshot)
First, you should give your service principal access to your key vault, like this: https://imgur.com/a/mrth1.
I tested your code with getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b') and it works for me.
import requests

def getSecret(vault_name, secret_name, secret_version = ''):
    # Get access token for the Key Vault resource via the client-credentials flow
    data = { "grant_type" : "client_credentials",
             "client_id" : '*******',
             "client_secret" : '*******',
             "resource" : "https://vault.azure.net"
           }
    headers = { "Content-Type" : "application/x-www-form-urlencoded" }
    r = requests.post("https://login.windows.net/{}/oauth2/token".format('*******'), data=data, headers=headers)
    access_token = r.json()['access_token']
    # Get secret from Key Vault using the bearer token
    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
    print(r)  # shows the HTTP status, e.g. <Response [200]>
    result = r.json()
    if 'value' in result.keys():
        return result["value"]
    else:
        return 'Secret Not Found'

getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b')
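The answer above points at the usual cause of this failure: the service principal authenticates fine (the token request succeeds) but has no access policy on the vault, so the data-plane call is refused. The getSecret() in the question cannot show that, because it returns 'Secret Not Found' for any response that lacks a value key, which folds a 401/403 from a missing access policy into the same result as a genuinely absent secret. The following is an added example, not code from the question or either answer, of the same REST call written so the two cases are kept apart. It uses only the standard library, and the transport is injectable so the handling can be exercised offline; the sample responses are constructed in the shape Key Vault's error documents take, and the names fetch_secret, classify_response, secret_url and KeyVaultError are this example's own. The 32-hex-character version pattern and the 7.4 api-version are assumptions about current Key Vault behaviour.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A transport takes (url, headers) and returns (http_status, raw_body).
# It is injectable so the response handling can be tested offline.
Transport = Callable[[str, dict], Tuple[int, bytes]]

def urllib_transport(url: str, headers: dict) -> Tuple[int, bytes]:
    """Real transport: Key Vault sends a JSON error body with 401/403/404."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

class KeyVaultError(Exception):
    """Any outcome other than 'here is the value' or 'no such secret'."""
    def __init__(self, status: int, code: str, message: str):
        super().__init__(f"HTTP {status} {code}: {message}")
        self.status, self.code, self.message = status, code, message

# Azure naming rules: vault names are 3-24 alphanumerics/hyphens starting with a
# letter, secret names 1-127 alphanumerics/hyphens. Checking them before string
# formatting stops a caller-supplied name from rewriting the request path.
_VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
_SECRET_NAME = re.compile(r"^[A-Za-z0-9-]{1,127}$")
_VERSION = re.compile(r"^[0-9a-f]{32}$")  # assumption: versions are 32 hex chars

def secret_url(vault_name: str, secret_name: str, secret_version: str = "",
               api_version: str = "7.4") -> str:
    if not _VAULT_NAME.match(vault_name):
        raise ValueError(f"invalid vault name: {vault_name!r}")
    if not _SECRET_NAME.match(secret_name):
        raise ValueError(f"invalid secret name: {secret_name!r}")
    if secret_version and not _VERSION.match(secret_version):
        raise ValueError(f"invalid secret version: {secret_version!r}")
    path = f"/secrets/{secret_name}" + (f"/{secret_version}" if secret_version else "")
    return f"https://{vault_name}.vault.azure.net{path}?api-version={api_version}"

def classify_response(status: int, body: bytes) -> Tuple[str, str]:
    """Return ('ok', value), ('not_found', msg), ('forbidden', msg),
    ('unauthorized', msg) or ('error', msg) for one Key Vault response."""
    try:
        doc = json.loads(body.decode("utf-8") or "{}")
    except (ValueError, UnicodeDecodeError):
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    if status == 200 and isinstance(doc.get("value"), str):
        return "ok", doc["value"]
    err = doc.get("error") if isinstance(doc.get("error"), dict) else {}
    code = str(err.get("code", ""))
    message = str(err.get("message", "")) or f"HTTP {status}"
    if status == 404:
        return "not_found", message      # the only case that means "no such secret"
    if status == 403:
        return "forbidden", message      # authenticated, but no access policy on this vault
    if status == 401:
        return "unauthorized", message   # token missing, expired or for the wrong resource
    return "error", f"{code or 'Unknown'}: {message}"

def fetch_secret(vault_name: str, secret_name: str, access_token: str,
                 secret_version: str = "",
                 transport: Transport = urllib_transport) -> Optional[str]:
    """Value of the secret, None if it does not exist, KeyVaultError otherwise."""
    url = secret_url(vault_name, secret_name, secret_version)
    status, body = transport(url, {"Authorization": f"Bearer {access_token}"})
    kind, payload = classify_response(status, body)
    if kind == "ok":
        return payload
    if kind == "not_found":
        return None
    raise KeyVaultError(status, kind, payload)

# Constructed sample responses (not captured traffic) in Key Vault's document shape.
SAMPLE_RESPONSES = {
    "https://shui.vault.azure.net/secrets/shui02?api-version=7.4":
        (200, json.dumps({"value": "s3cr3t-value"}).encode()),
    "https://shui.vault.azure.net/secrets/missing?api-version=7.4":
        (404, json.dumps({"error": {"code": "SecretNotFound",
              "message": "A secret with (name/id) missing was not found in this key vault."}}).encode()),
    "https://locked.vault.azure.net/secrets/shui02?api-version=7.4":
        (403, json.dumps({"error": {"code": "Forbidden",
              "message": "The application does not have secrets get permission on key vault 'locked'."}}).encode()),
}

def sample_transport(url: str, headers: dict) -> Tuple[int, bytes]:
    """Offline stand-in for urllib_transport driven by SAMPLE_RESPONSES."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, json.dumps({"error": {"code": "Unauthorized",
                                          "message": "Request is missing a Bearer token."}}).encode()
    return SAMPLE_RESPONSES.get(url, (500, b"not json"))

if __name__ == "__main__":
    print(fetch_secret("shui", "shui02", "tok", transport=sample_transport))
    print(fetch_secret("shui", "missing", "tok", transport=sample_transport))
    try:
        fetch_secret("locked", "shui02", "tok", transport=sample_transport)
    except KeyVaultError as e:
        print("access problem, fix the vault access policy:", e)
```

With the real transport, a 403 here is the signal that the access policy (or RBAC role) on that vault is missing, while a 401 usually means the token was requested for the wrong resource or has expired; neither should be reported as "Secret Not Found".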
If you want to use the Azure SDK to access secrets more easily, there are new Key Vault packages for Python that replace azure-keyvault:
- azure-keyvault-certificates (Migration guide)
- azure-keyvault-keys (Migration guide)
- azure-keyvault-secrets (Migration guide)
azure-identity is the package that should be used with these for authentication.
Documentation for using the secrets library can be found in the azure-sdk-for-python GitHub repository; here is a sample that retrieves a secret:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.mgmt.keyvault import KeyVaultManagementClient

credential = DefaultAzureCredential()
subscription_id = "subscription id"

def getSecret(vault_url, secret_name, secret_version=None):
    # Data-plane client for one vault, e.g. "https://<vault-name>.vault.azure.net"
    client = SecretClient(vault_url, credential)
    # list the secrets in the vault
    secret_properties = client.list_properties_of_secrets()
    for secret_property in secret_properties:
        if secret_property.name == secret_name:
            # get secret from Key Vault (a KeyVaultSecret; the string is in .value)
            return client.get_secret(secret_name, secret_version)
    return "Secret Not Found"

def searchSecret(secret_name, secret_version=None):
    # Management-plane client: enumerates the vaults in the subscription
    kvm_client = KeyVaultManagementClient(credential, subscription_id)
    for vault in kvm_client.vaults.list():
        # return when secret found in vault
        secret = getSecret(vault.properties.vault_uri, secret_name, secret_version)
        if secret != "Secret Not Found":
            return secret
    return "Secret Not Found"
You can provide the same credentials as ServicePrincipalCredentials by setting the environment variables that correspond to client_id, secret and tenant:
export AZURE_CLIENT_ID="appidxx"
export AZURE_CLIENT_SECRET="appsecretxx"
export AZURE_TENANT_ID="tenantidxx"
(I work with the Azure SDK in Python)