Passing Secret from keyvault as password of Azure VM using Azure CLI wrapped in Python

I wrote some basic code that wraps the Azure CLI in Python. It runs fine on a Linux machine and deploys a VM. We only need to supply the resource group name; it fetches the VNET from that RG and then deploys the VM.

I want to fetch credentials stored in Key Vault and pass them as the Azure VM password. The VM is created successfully, but I have to reset the password before it works, because I cannot log in to the VM.

Below is the code:

```python
import subprocess
import json

# Assumes one vnet and one subnet in the resource group.
def get_vnet_name(rscgroup_name):
    get_vnet_command=["az","network","vnet","list","--resource-group",rscgroup_name]
    get_vnet=subprocess.run(get_vnet_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    a=get_vnet.stdout.decode('utf-8')
    d=json.loads(a)
    for item in d:
        vname=item["name"]
        subnets=item["subnets"]
    for i in subnets:
        subnetname=i["name"]
    return vname,subnetname

# Reads a secret value (used as custom-data) from Key Vault.
def fetch_secret(vault_name,secret_name):
    fetch_secret_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_name,"--query","value", "-o", "tsv"]
    fetch_secret=subprocess.run(fetch_secret_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    secretkubectl=fetch_secret.stdout   # raw stdout of the CLI call
    return secretkubectl

# Reads the VM admin password from Key Vault.
def fetch_secret_password(vault_name,secret_pass_name):
    fetch_password_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_pass_name,"--query","value", "-o", "tsv"]
    fetch_password=subprocess.run(fetch_password_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    print(fetch_password.stdout)
    secretpass=fetch_password.stdout   # raw stdout of the CLI call
    print(secretpass)
    return secretpass

def create_vm(vm_resourcegroup,vm_name, vm_image,vm_username, secretpass,vm_vnet,vm_subnet, vm_size, secretkubectl):
    create_vm_command=["az","vm","create","--resource-group",vm_resourcegroup,"--name",vm_name,"--image",vm_image,"--admin-username", vm_username,"--admin-password",secretpass,"--vnet-name",vm_vnet,"--subnet",vm_subnet,"--size", vm_size, "--custom-data", secretkubectl]
    create_vm=subprocess.run(create_vm_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    return

if __name__=="__main__":
    rscgroup_name="vm-test-group"
    avm_name="testvm1245"
    avm_image="Win2019Datacenter"
    avm_username="azureuser"
    avm_size="Standard_D2_V3"
    vault_name = "keyvaultname"
    secret_name = "storgacctn"
    secret_pass_name = "password"

    avm_vnet,avm_subnet=get_vnet_name(rscgroup_name)
    secretkubectl =fetch_secret(vault_name,secret_name)
    secretpass =fetch_secret_password(vault_name,secret_pass_name)
    create_vm(rscgroup_name,avm_name,avm_image,avm_username,secretpass,avm_vnet,avm_subnet,avm_size,secretkubectl)
```

I can see the password fine. I removed the `"-o", "tsv"` flags and, in the snapshot below, I see the password enclosed in double quotes. I still cannot log in with the credentials supplied as a secret from Key Vault.

I know it is easy to do with JSON, but I want to achieve it using Python and the CLI.

The problem in your code is that the subprocess output is bytes, not a real string. You can see that the output starts with `b`, which indicates bytes. So you need to convert the output to a string and remove the newline. Change the function like this:

```python
def fetch_secret_password(vault_name,secret_pass_name):
    fetch_password_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_pass_name,"--query","value", "-o", "tsv"]
    fetch_password=subprocess.run(fetch_password_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    print(fetch_password.stdout)
    secretpass=fetch_password.stdout.decode('UTF-8').strip()   # bytes -> str, drop the trailing newline
    print(secretpass)
    return secretpass
```

Then you will get the string exactly as you stored it in the secret for your VM password.
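As an added example (not code from the question or the answer), a small helper that applies the same bytes-to-string fix to both output formats the question tried: `-o tsv` appends a newline to the raw value, while the default `-o json` wraps it in double quotes, which is the quoted password seen in the snapshot. It only removes the line terminator the CLI adds, so a secret that legitimately starts or ends with a space survives, fails loudly on a non-zero exit code instead of passing an empty value to `az vm create`, and never prints the secret. The sample outputs at the bottom are constructed stand-ins for a live `az` call.

```python
import json
import subprocess
from typing import Any, List


def parse_cli_output(raw: bytes, output_format: str = "tsv") -> Any:
    """Turn the raw stdout bytes of `az ... --query value -o <fmt>` into the stored value."""
    text = raw.decode("utf-8")
    if output_format == "json":
        # json.loads removes the surrounding quotes and tolerates the trailing newline
        return json.loads(text)
    if output_format == "tsv":
        # Drop only the line terminator az appends; a bare .strip() would also eat
        # leading/trailing whitespace that is genuinely part of the secret.
        return text.rstrip("\r\n")
    raise ValueError(f"unsupported output format: {output_format}")


def run_az(args: List[str], output_format: str = "tsv") -> Any:
    """Run an az CLI command and return its decoded result; raise on failure."""
    result = subprocess.run(["az", *args, "-o", output_format],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if result.returncode != 0:
        # stderr carries the CLI error; stdout may hold a secret, so it is never echoed
        err = result.stderr.decode("utf-8", "replace").strip()
        raise RuntimeError(f"az {' '.join(args)} failed: {err}")
    return parse_cli_output(result.stdout, output_format)


def fetch_secret_value(vault_name: str, secret_name: str) -> str:
    """Return the Key Vault secret as a str, ready for --admin-password or --custom-data."""
    return run_az(["keyvault", "secret", "show", "--vault-name", vault_name,
                   "--name", secret_name, "--query", "value"])


if __name__ == "__main__":
    # Constructed sample outputs standing in for a live `az` call (no Azure access needed).
    tsv_sample = b"P@ssw0rd!\n"       # what `-o tsv` prints
    json_sample = b'"P@ssw0rd!"\n'    # what the default `-o json` prints
    assert parse_cli_output(tsv_sample) == parse_cli_output(json_sample, "json")
    assert parse_cli_output(tsv_sample) != tsv_sample   # bytes with a newline is not the password
```

The same decode applies to the value passed as `--custom-data`, which the question also hands over as raw bytes.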