
Storing Service Principal Credentials in Azure to Authenticate Key Vault using Python

I am currently using Python to read a file from Azure blob storage and store it in a dataframe. In order to authenticate the blob storage I am extracting the storage account key from the Azure key vault using the service principal credentials.

My code is as follows:

from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials

def auth_callback(server, resource, scope):
    # Exchange the service principal's client secret for a bearer token.
    # ServicePrincipalCredentials takes the secret as `secret=` (not `client_secret=`),
    # and `resource` should be the audience the SDK passes in from the Key Vault challenge.
    credentials = ServicePrincipalCredentials(
        client_id='',
        secret='',
        tenant='',
        resource=resource
    )
    token = credentials.token
    return token['token_type'], token['access_token']

client = KeyVaultClient(KeyVaultAuthentication(auth_callback))

# Arguments: vault URL, key name, key version (an empty version selects the current one).
key_bundle = client.get_key('https://samplename.vault.azure.net/', '', '')
json_key = key_bundle.key

However, I have to save the service principal key inside the code, which I feel is not the best practice.

How can I avoid this?

I have also thought of storing the service principal credentials in a separate config file stored in blob storage and then reading it from Python. But that also involves ultimately storing the credentials of the service principal in a text file.

I am running Python from Azure Batch.

I'm also trying to run Python in the batch service, and would like to access Key Vault without any credentials being visible on the portal or in the Python script, so I need to use a certificate rather than a key. I think this has got to be a pretty common use case for the batch service.

I can access Key Vault using the certificate thumbprint in a PowerShell script, but the only way I could find to access it from Python was by setting the AZURE_CLIENT_CERTIFICATE_PATH environment variable to point to a non password protected pem certificate and using the DefaultAzureCredential class. The batch service requires password protected cer or pfx certificates, so any solution is going to be very fiddly - the only thing I can think of is to convert the pfx to a pem and then set the environment variable, with the pfx password being visible in the code or on the portal.

If there's a simpler way please let me know. Otherwise I think this is a significant gap in the batch service, which is otherwise very useful.

The best answer will depend on where you execute your code.

If you execute it on an Azure VM, Azure Container or anything inside Azure, then your scenario is exactly why MSI (Managed System Identities) exists :). I would strongly suggest you take a look at the MSI documentation: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

This is fully supported in the Python SDK.

If you execute in your own environment outside, then the question is not really Azure specific, and you could use a library like "keyring" to take care of storing this kind of secret:

https://pypi.org/project/keyring/#what-is-python-keyring-lib

(disclosure: I work at MS in the Python SDK team)

Current best practice for using Azure Batch is to use certificate based authentication for your service principal. To do this add your certificate to Batch using the 'Certificates API' ( https://docs.microsoft.com/en-us/python/api/azure-batch/azure.batch.operations.certificate_operations.certificateoperations?view=azure-python#add-certificate--certificate-add-options-none--custom-headers-none--raw-false----operation-config- ). Then when you create your pool you can specify 'certificate_references' to have these certificates installed to each node in your pool ( https://docs.microsoft.com/en-us/python/api/azure-batch/azure.batch.models.pooladdparameter?view=azure-python ).

If you prefer to use key-based authentication you can additionally specify the keys as environment variables on the pool, which will be encrypted at rest.

We receive quite a few requests to add MSI support, but currently I do not know the timeline for when it is planned to be added.

(disclosure: I work at MS in the Azure Batch team)
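Pulling the two answers and the earlier comment together (managed identity or a certificate installed on the node when running inside Azure or Batch, a keyring-held client secret outside Azure), here is an added example written against the current azure-identity and azure-keyvault-secrets SDKs; it is not code from any of the posters. It reads the storage account key as a Key Vault secret rather than a key; the secret name, the keyring service name and the credential_source / fetch_storage_key helpers are my own assumptions.

```python
import os

VAULT_URL = "https://samplename.vault.azure.net/"  # vault URL from the question
SECRET_NAME = "storage-account-key"                # assumed: secret holding the storage key
KEYRING_SERVICE = "azure-sp"                       # assumed: keyring service for the SP secret


def credential_source(env, keyring_lookup):
    """Decide how to authenticate without any secret in the script.

    'keyring': outside Azure, the SP client secret is held by the OS keyring
    'default': inside Azure or on a Batch node, DefaultAzureCredential tries
               AZURE_CLIENT_CERTIFICATE_PATH first and then managed identity
    """
    client_id = env.get("AZURE_CLIENT_ID")
    if (client_id and "AZURE_CLIENT_CERTIFICATE_PATH" not in env
            and keyring_lookup(KEYRING_SERVICE, client_id) is not None):
        return "keyring"
    return "default"


def build_credential(env=None):
    """Return an azure-identity credential. The SDK and keyring are imported
    lazily so the selection logic above is testable without them installed."""
    env = os.environ if env is None else env
    try:
        import keyring
        lookup = keyring.get_password
    except ImportError:                 # typical on an Azure VM or Batch node
        lookup = lambda service, user: None
    if credential_source(env, lookup) == "keyring":
        from azure.identity import ClientSecretCredential
        secret = lookup(KEYRING_SERVICE, env["AZURE_CLIENT_ID"])
        return ClientSecretCredential(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], secret)
    from azure.identity import DefaultAzureCredential
    return DefaultAzureCredential()


def fetch_storage_key(secret_client, name=SECRET_NAME):
    """Read the storage account key from Key Vault. secret_client is a
    SecretClient (or any object whose get_secret(name) returns an object
    with a .value attribute), so the function can be exercised with a fake."""
    value = secret_client.get_secret(name).value
    if not value:
        raise RuntimeError(f"Key Vault secret {name!r} is empty")
    return value


def storage_account_key():
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=VAULT_URL, credential=build_credential())
    return fetch_storage_key(client)
```

Outside Azure, store the secret once with `keyring set azure-sp <client-id>` and export AZURE_TENANT_ID and AZURE_CLIENT_ID; on a Batch node with a certificate reference, set AZURE_CLIENT_CERTIFICATE_PATH (plus tenant and client id) as pool environment settings and nothing secret ever appears in the script.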
