Is it possible to return a KeyVaultClient with the Azure Python SDK method get_client_from_auth_file using a Service Principal?
Using the Azure Python SDK, I would like to return a KeyVaultClient with the get_client_from_auth_file method so that I can fetch secrets from Key Vault without going through KeyVaultManagementClient.

According to the documentation, it seems possible to create a client from any SDK client class.

I can do this:

```python
from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.keyvault import KeyVaultManagementClient

_kv_mgmt_client = get_client_from_auth_file(KeyVaultManagementClient)
```

but not this:

```python
from azure.common.client_factory import get_client_from_auth_file
from azure.keyvault import KeyVaultClient

_kv_client = get_client_from_auth_file(KeyVaultClient)
```

This is the error message: `TypeError: __init__() got an unexpected keyword argument 'base_url'`

Update:

On review, get_client_from_auth_file returns several values, including base_url, so the following helper class resolves the TypeError.

```python
class KeyVaultClientHelper:
    # Accept the extra keyword arguments (base_url, ...) that
    # get_client_from_auth_file passes and keep only the credentials
    def __init__(self, credentials, **kwargs):
        self._credentials = credentials
```

And the KeyVaultClient succeeds until it tries to get a secret, at which point it returns Unauthorized.

```python
helper = get_client_from_auth_file(KeyVaultClientHelper)
client = KeyVaultClient(helper._credentials)
print(client.get_secret("http://my-vault-url...", "MY-KEY", '').value)
```

However, I successfully fetched the secret using ServicePrincipalCredential with the same auth file.
Christine,

You can try the approach below; it contains a working example of getting a Key Vault client.

```python
import adal
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials
from msrestazure.azure_active_directory import AADTokenCredentials

client_id = '<client_id>'
client_secret = '<client_secret>'
tenant = '<tenant>'
vault_address = '<vault_address>'
secret_name = '<secret_name>'
# Token audience for the Key Vault data plane
resource_uri = 'https://vault.azure.net'


def auth_with_adal(server, resource, scope):
    # Option 1: acquire the token with ADAL directly and wrap it in AADTokenCredentials
    authority_host_uri = 'https://login.windows.net'
    authority_uri = authority_host_uri + '/' + tenant
    context = adal.AuthenticationContext(authority_uri, api_version=None)
    mgmt_token = context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
    credentials = AADTokenCredentials(mgmt_token, client_id)
    token = credentials.token
    return token['token_type'], token['access_token']


def auth_with_spc(server, resource, scope):
    # Option 2: let ServicePrincipalCredentials run the client-credentials flow
    credentials = ServicePrincipalCredentials(
        client_id=client_id,
        secret=client_secret,
        tenant=tenant,
        resource=resource_uri
    )
    token = credentials.token
    return token['token_type'], token['access_token']


try:
    client = KeyVaultClient(KeyVaultAuthentication(auth_with_adal))
    secret_bundle = client.get_secret(vault_address, secret_name, '')
    print('1) I got the secret using AADTokenCredentials!')
except Exception as e:
    print('1) Failed to get a secret!')
    print(e)

try:
    client = KeyVaultClient(KeyVaultAuthentication(auth_with_spc))
    secret_bundle = client.get_secret(vault_address, secret_name, '')
    print('2) I got the secret using ServicePrincipalCredentials!')
except Exception as e:
    print('2) Failed to get a secret!')
    print(e)
```

You can use the function below to achieve it.

```python
client = KeyVaultClient(KeyVaultAuthentication(auth_with_spc))
```

Hope it helps.
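As an added example (not code from the question or from either answer), here is how the two pieces fit together when the service principal comes from the SDK auth file rather than from constants: the file is parsed, and the KeyVaultAuthentication callback requests a token for the resource named in the vault's challenge instead of for the management endpoint. The 401 reported in the question's update is consistent with the credential handed out by get_client_from_auth_file carrying a token for the Resource Manager audience, which the Key Vault data plane rejects; that explanation is an inference, not something the page states. Assumptions: the JSON layout is the one written by `az ad sp create-for-rbac --sdk-auth` (all values below are constructed placeholders), the function names `load_sdk_auth`, `expected_keyvault_resource`, `spn_token_fetcher`, `make_keyvault_auth_callback` and `get_secret_with_auth_file` are mine, and the azure packages are imported lazily so the parsing and audience check run without them.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the layout of an Azure SDK auth file; every value is a placeholder.
SAMPLE_AUTH_FILE = """{
  "clientId": "00000000-0000-0000-0000-000000000001",
  "clientSecret": "<client_secret_placeholder>",
  "tenantId": "00000000-0000-0000-0000-000000000002",
  "subscriptionId": "00000000-0000-0000-0000-000000000003",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/"
}"""

REQUIRED_FIELDS = ("clientId", "clientSecret", "tenantId")


def load_sdk_auth(text):
    """Parse an SDK auth file and check that the service-principal fields are present."""
    auth = json.loads(text)
    missing = [k for k in REQUIRED_FIELDS if not auth.get(k)]
    if missing:
        raise ValueError("auth file is missing: " + ", ".join(missing))
    return auth


def expected_keyvault_resource(vault_url):
    """Token audience for a vault URL: keep the host suffix, drop the per-vault label,
    e.g. https://my-vault.vault.azure.net -> https://vault.azure.net."""
    host = urlparse(vault_url).hostname
    if not host or "." not in host:
        raise ValueError("not a vault URL: %r" % vault_url)
    return "https://" + host.split(".", 1)[1]


def spn_token_fetcher(auth, resource):
    """Get a bearer token for `resource` with the service principal from the auth file.
    Same ServicePrincipalCredentials call as the answer above; imported lazily (assumption:
    azure-common is installed when this is actually called)."""
    from azure.common.credentials import ServicePrincipalCredentials
    creds = ServicePrincipalCredentials(
        client_id=auth["clientId"],
        secret=auth["clientSecret"],
        tenant=auth["tenantId"],
        resource=resource,
    )
    token = creds.token
    return token["token_type"], token["access_token"]


def make_keyvault_auth_callback(auth, vault_url, token_fetcher=spn_token_fetcher):
    """Build the (server, resource, scope) -> (token_type, access_token) callback that
    KeyVaultAuthentication expects. The token is requested for the resource in the vault's
    challenge, after checking it is the audience we expect for this vault host, so a
    management-endpoint token is never sent to the data plane."""
    expected = expected_keyvault_resource(vault_url).rstrip("/")

    def callback(server, resource, scope):
        if resource.rstrip("/") != expected:
            raise ValueError("challenge resource %r does not match expected %r" % (resource, expected))
        return token_fetcher(auth, resource)

    return callback


def get_secret_with_auth_file(auth_text, vault_url, secret_name):
    """End-to-end: parse the auth file, build the client, return one secret value.
    Needs the azure-keyvault 1.x package used on this page plus network access."""
    from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
    auth = load_sdk_auth(auth_text)
    client = KeyVaultClient(KeyVaultAuthentication(make_keyvault_auth_callback(auth, vault_url)))
    return client.get_secret(vault_url, secret_name, "").value


if __name__ == "__main__":
    # Offline walk-through with a fake token fetcher. Against a real vault, read the file
    # (open("azureauth.json").read()) and omit token_fetcher so spn_token_fetcher is used.
    auth = load_sdk_auth(SAMPLE_AUTH_FILE)
    cb = make_keyvault_auth_callback(
        auth, "https://my-vault.vault.azure.net",
        token_fetcher=lambda a, r: ("Bearer", "fake-token-for-" + r))
    print(cb("my-vault.vault.azure.net", "https://vault.azure.net", None))
```

The auth file holds the client secret in clear text, so it should be readable only by the identity that runs this code, and the callback's audience check is what keeps a token minted for one API from being presented to another. The other answer on this page notes that azure-common 1.1.22 fixes get_client_from_auth_file for this case; on that version or later the workaround is unnecessary.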
This is a bug in azure-common, fixed in 1.1.22:
https://pypi.org/project/azure-common/1.1.22/

Thanks!