unable to get the secret / certificate from Azure Key Vault using python | 'KeyVaultManagementClient' object has no attribute 'get_secret'

Thanks in advance. I am trying to create a virtual machine using Python. At deployment time it will check whether a certificate exists in the key vault and copy it into the VM.

I am following the article below:

https://azure.microsoft.com/en-in/resources/samples/key-vault-python-deploy-certificates-to-vm/

The problem here is that the sample above is executed by logging in with the application ID / secret method, whereas I log in using device authentication.

I want to use ADAL or the device authentication method, which asks us to log in to the Azure portal, type in the authorization code, and then log in. It passes the credentials to the current session. I am using the interactive authentication approach, not the non-interactive approach with a client ID and secret.

I get the error 'KeyVaultManagementClient' object has no attribute 'get_secret' on the function "get_certificates". Is there any function to get certificates/secrets using my interactive login method? Or does this only work with the application ID and secret method?

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.compute.models import DiskCreateOption
from azure.mgmt.network.v2017_03_01.models import NetworkSecurityGroup
from azure.mgmt.network.v2017_03_01.models import SecurityRule
import azure.mgmt.network.models
from msrestazure.azure_active_directory import AADTokenCredentials
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.datalake.analytics.job import DataLakeAnalyticsJobManagementClient
from azure.mgmt.datalake.analytics.job.models import JobInformation, JobState, USqlJobProperties
import adal, uuid, time


SUBSCRIPTION_ID = 'xxx-xxxx-xxxx-xxxx-xxxx'
GROUP_NAME = 'RAH-AQ'
Vault_Name = 'aqrahkeyvault'
LOCATION = ''
certificate_as_secret = ''


def authenticate_device_code():
    """
    Authenticate the end-user using device auth.
    """
    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = 'xxxx-xxxx-xxxx-xxxx-xxxx'
    authority_uri = authority_host_uri + '/' + tenant
    # The token is requested for the management (ARM) resource.
    resource_uri = 'https://management.core.windows.net/'
    client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

    context = adal.AuthenticationContext(authority_uri, api_version=None)
    code = context.acquire_user_code(resource_uri, client_id)
    print(code['message'])
    mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
    credentials = AADTokenCredentials(mgmt_token, client_id)

    return credentials


def get_keyvault(kv_client):
    myvault = kv_client.vaults.get(resource_group_name=GROUP_NAME, vault_name=Vault_Name)
    return myvault


def get_certificates(myvault):
    global certificate_as_secret
    # This is the call that raises: KeyVaultManagementClient has no get_secret.
    certificate_as_secret = kv_client.get_secret(
        myvault.properties.vault_uri,
        staticwebsite,  # secret name; not defined anywhere in this script
        ""  # Latest version
    )


if __name__ == "__main__":
    credentials = authenticate_device_code()

    resource_group_client = ResourceManagementClient(credentials, SUBSCRIPTION_ID)
    network_client = NetworkManagementClient(credentials, SUBSCRIPTION_ID)
    compute_client = ComputeManagementClient(credentials, SUBSCRIPTION_ID)
    kv_client = KeyVaultManagementClient(credentials, SUBSCRIPTION_ID)

    creation_result_keyvault = get_keyvault(kv_client)
    print("------------------------------------------------------")
    print(creation_result_keyvault)

    creation_result_certificates = get_certificates(creation_result_keyvault)
    print("------------------------------------------------------")
    print(creation_result_certificates)

To get a secret from Azure Key Vault, you need to use the package azure.keyvault. The code is as follows:

from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials

# Placeholders: fill in your own vault URL and secret name.
VAULT_URL = 'https://<vault-name>.vault.azure.net/'
SECRET_ID = '<secret-name>'
SECRET_VERSION = ''  # empty string = latest version

def auth_callback(server, resource, scope):
    # The token must be issued for the Key Vault data-plane resource, not for ARM.
    credentials = ServicePrincipalCredentials(
        client_id = '',
        secret = '',
        tenant = '',
        resource = "https://vault.azure.net"
    )
    token = credentials.token
    return token['token_type'], token['access_token']

client = KeyVaultClient(KeyVaultAuthentication(auth_callback))

secret_bundle = client.get_secret(VAULT_URL, SECRET_ID, SECRET_VERSION)

print(secret_bundle.value)

There is one more thing to pay attention to. The key point is that you need to add a policy that allows the service principal to get secrets: Key Vault -> Access policies -> Add new -> Secret management.

As @Charles Xu mentioned in their answer, the management library should not be used to get secrets from a vault. There are now new packages in Python for working with Key Vault data that replace azure-keyvault:

There is also the azure-mgmt-keyvault package for managing vaults. All of these use the azure-identity package for authentication.

To authenticate a user interactively via a device, you can use the DeviceCodeCredential class from azure-identity. Here is an example of how to get a secret with that credential, using the client ID and vault name from your code:

from azure.identity import DeviceCodeCredential
from azure.keyvault.secrets import SecretClient

client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
vault_name = 'aqrahkeyvault'

# Prints the device-code prompt on first use and waits for the user to sign in.
credential = DeviceCodeCredential(client_id=client_id)
client = SecretClient('https://{}.vault.azure.net'.format(vault_name), credential)
secret = client.get_secret('secret-name')

(I use the Azure SDK in Python)
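Both answers turn on the same point: the token the asker's device-code flow acquires is issued for the management plane (`https://management.core.windows.net/`), while the vault data plane expects a token for `https://vault.azure.net`, so no management client can serve `get_secret`. The following added example is not code from either answer or from the Azure SDK. It shows a local pre-flight check that reads the `aud` claim of an access token and refuses to hand it to an endpoint it was not issued for, wrapped in a callback of the `(server, resource, scope)` shape that Charles Xu's `KeyVaultAuthentication` answer uses. Everything here is constructed for the example: the host-suffix-to-audience table, the `acquire_token` stand-in, and the unsigned sample tokens. The decoder only reads claims and does not verify the signature; signature validation is the service's job, and the point of the check is a clear local error instead of a 401 from the vault.

```python
import base64
import json
from urllib.parse import urlparse

# Audiences (the AAD "resource") accepted by each endpoint family used in the thread.
# Constructed for this example; ARM tokens carry either of the two management audiences.
AUDIENCES_BY_HOST_SUFFIX = {
    "management.azure.com": {"https://management.core.windows.net",
                             "https://management.azure.com"},
    "vault.azure.net": {"https://vault.azure.net"},
}


def required_audiences(endpoint_url):
    """Return the set of token audiences the endpoint's host family accepts."""
    host = (urlparse(endpoint_url).hostname or "").lower()
    for suffix, auds in AUDIENCES_BY_HOST_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):
            return auds
    raise ValueError("unknown endpoint family: %r" % host)


def jwt_claims(token):
    """Decode the payload segment of a compact JWT. No signature check: this is
    local claim inspection only; the receiving service validates the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_fits_endpoint(token, endpoint_url):
    """True when the token's aud claim matches the endpoint it is about to be sent to."""
    aud = jwt_claims(token).get("aud", "").rstrip("/")
    return aud in required_audiences(endpoint_url)


def make_auth_callback(acquire_token):
    """Build a (server, resource, scope) callback of the shape KeyVaultAuthentication
    takes. acquire_token(resource) is whatever flow the caller uses (device code,
    service principal); the callback requests the resource the SDK names rather than
    a hard-coded management resource, and refuses to return a mismatched token."""
    def callback(server, resource, scope):
        token = acquire_token(resource)
        if not token_fits_endpoint(token, server):
            raise RuntimeError("token audience %r is not valid for %s"
                               % (jwt_claims(token).get("aud"), server))
        return "Bearer", token
    return callback


def make_sample_token(aud):
    """Constructed, unsigned sample token: real header/claims layout, placeholder signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "typ": "JWT"}),
                     seg({"aud": aud, "sub": "user@example.com"}),
                     "placeholder-signature"])


def fake_acquire(resource):
    """Stand-in for a real acquisition (ADAL device code, azure-identity, ...). It honours
    the requested resource, which is what the asker's flow needs to do for the vault."""
    return make_sample_token(resource)


if __name__ == "__main__":
    vault_url = "https://aqrahkeyvault.vault.azure.net"
    arm_token = make_sample_token("https://management.core.windows.net/")
    print("ARM token accepted by vault?", token_fits_endpoint(arm_token, vault_url))
    callback = make_auth_callback(fake_acquire)
    print(callback(vault_url, "https://vault.azure.net", None)[0])
```

With a real flow, `acquire_token` would be the ADAL `acquire_token_with_device_code` call with the `resource` argument passed through, and the audience check catches the case where a cached management token is reused for the vault.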