4

I need to retrieve a secret from Key Vault. This is my code so far:

from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.common.credentials import ServicePrincipalCredentials


subscription_id = 'x'
# See above for details on creating different types of AAD credentials
credentials = ServicePrincipalCredentials(
    client_id = 'x',
    secret = 'x',
    tenant = 'x'
)

kv_client = KeyVaultManagementClient(credentials, subscription_id)

for vault in kv_client.vaults.list():
    print(vault)

But I get this error:

msrestazure.azure_exceptions.CloudError: Azure Error: AuthorizationFailed Message: The client 'x' with object id 'x' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resources/read' over scope '/subscriptions/x'.

Now I can access the same Key Vault with the same credentials using C# code / PowerShell, so there is definitely no problem with the authorization. Not sure why it doesn't work with the SDK. Please help.


5 Answers

5

If you want to access it through a ServicePrincipalCredentials instance, you can use:

from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials


def auth_callback(server, resource, scope):
    # The token must be requested for the Key Vault data-plane resource,
    # not for the ARM management endpoint used by KeyVaultManagementClient
    credentials = ServicePrincipalCredentials(
        client_id = '',
        secret = '',
        tenant = '',
        resource = "https://vault.azure.net"
    )
    token = credentials.token
    # KeyVaultAuthentication expects (token_type, access_token)
    return token['token_type'], token['access_token']

client = KeyVaultClient(KeyVaultAuthentication(auth_callback))

# Arguments: vault base URL, secret name, secret version ("" = latest)
secret_bundle = client.get_secret("https://vault_url", "secret_id", "")

print(secret_bundle.value)

This assumes you don't want to pass a version. If you do, you can substitute it for the last argument.

answered 2018-04-07T00:05:20.433
4

I ran your code sample above and it was able to list the Key Vaults without any problem, so this is not a code issue.

I assigned the Contributor role to my AD application on the subscription where the Key Vault is provisioned, and set the access policy to allow the GET and LIST permissions on Keys and Secrets for the AD application.

The versions of the Azure Python packages I used, running under the Python 3.6.2 runtime:

  • azure.common (1.1.8)
  • azure.mgmt.keyvault (0.40.0)
  • msrestazure (0.4.13)

I suggest you try the verified Python runtime version and Azure Python package versions.

Addendum:

If the Python runtime version and Azure Python packages above don't work for you either, you should probably consider opening a new issue in the Azure SDK for Python GitHub, since it also uses the same credentials as the Azure .NET SDK and PowerShell.

answered 2017-08-31T06:42:01.667
2

You can also get the secret by its name instead of its ID:

secret_bundle = client.get_secret(<VAULT URL>, "<NAME>", "")

answered 2018-11-02T19:10:06.690
1

You can use the following class from azure.identity, namely ClientSecretCredential; see the following code for example:

from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient

TENANT= <TenantId-in-string>
CLIENT_ID = <ClientId-in-string>
CLIENT_SECRET= <ClientSecret-in-string>
credential = ClientSecretCredential(TENANT,CLIENT_ID,CLIENT_SECRET)
VAULT_URL= <AzureVault-url-in-string>
client = SecretClient(vault_url=VAULT_URL, credential=credential)

print(client)
example_secret = client.get_secret(<secret_name_in_string>)
print(example_secret.value)

answered 2021-11-09T15:01:05.887
0

There are some good answers already, but the Azure SDK has since released new packages for working with Key Vault in Python that replace azure-keyvault:

azure-identity is also the package that should be used with these for authentication.

Documentation for working with the secrets library can be found on the azure-sdk-for-python GitHub repository, and here's a sample for retrieving secrets as you were doing:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

credential = DefaultAzureCredential()

secret_client = SecretClient(
    vault_url="https://my-key-vault.vault.azure.net/",
    credential=credential
)
secret = secret_client.get_secret("secret-name")

You can provide the same credentials that you used for ServicePrincipalCredentials by setting environment variables corresponding to the client_id, secret, and tenant:

export AZURE_CLIENT_ID="client_id"
export AZURE_CLIENT_SECRET="secret"
export AZURE_TENANT_ID="tenant"

(I work on the Azure SDK in Python)

answered 2020-12-10T22:02:49.917
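An added example (not code from any of the answers above) that ties together two points made in this thread: the vault URL / secret name / version triple that the older get_secret call takes, and the AZURE_* environment variables that DefaultAzureCredential reads. The helper names and the public-cloud host suffix are my own assumptions; it validates the vault host before any token could be sent to it and checks the service-principal variables before the SDK is even constructed.

```python
import os
from urllib.parse import urlsplit

# Assumed: public-cloud Key Vault host suffix (sovereign clouds differ).
VAULT_HOST_SUFFIX = ".vault.azure.net"

# Variables that DefaultAzureCredential / EnvironmentCredential read for
# service-principal authentication, as listed in the answer above.
SP_ENV_VARS = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")


def parse_secret_id(secret_id):
    """Split a secret identifier into (vault_url, name, version).

    Accepts 'https://<vault>.vault.azure.net/secrets/<name>[/<version>]'.
    Anything that is not HTTPS or not a Key Vault host is rejected, so a
    bearer token issued for https://vault.azure.net is never handed to an
    arbitrary host that ended up in configuration. Version is '' when
    absent, matching the "" passed as the last argument in the old API.
    """
    parts = urlsplit(secret_id)
    if parts.scheme != "https":
        raise ValueError("Key Vault identifiers must use https")
    host = parts.hostname or ""
    if not host.endswith(VAULT_HOST_SUFFIX):
        raise ValueError("not a Key Vault host: %r" % host)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError("expected /secrets/<name>[/<version>], got %r" % parts.path)
    version = segments[2] if len(segments) == 3 else ""
    return "https://%s/" % host, segments[1], version


def is_key_vault_secret_id(secret_id):
    """True if parse_secret_id() accepts the identifier, False otherwise."""
    try:
        parse_secret_id(secret_id)
    except ValueError:
        return False
    return True


def missing_service_principal_env(environ=None):
    """Names of required service-principal variables that are unset or empty.

    Check this before building SecretClient with DefaultAzureCredential so a
    misconfiguration fails fast instead of surfacing as a generic auth error.
    """
    env = os.environ if environ is None else environ
    return [name for name in SP_ENV_VARS if not env.get(name)]
```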