How is the access token generated from a managed identity in Azure used with the Python SDK?
I've set up a VM in Azure that has a managed identity. I followed the guide here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm

So now I have an access token. But what I fail to understand is how do I use this token to access my key vault? I'm using the Python SDK. Looking at the docs for the SDK here: https://docs.microsoft.com/en-us/python/api/azure-keyvault/azure.keyvault?view=azure-python

There exists an access token class AccessToken(scheme, token, key). I assume I can use the token I generated earlier here. But what are scheme and key? The docs do not explain it. Or am I looking at the wrong class to use with the token?
If you're using a VM with a managed identity, then you can create a credential for a Key Vault client using azure-identity's ManagedIdentityCredential class. The credential will fetch and use access tokens for you as you use the Key Vault client:
```python
from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

# Talks to the VM's managed identity endpoint and caches/refreshes tokens as needed
credential = ManagedIdentityCredential()
client = SecretClient("https://{vault-name}.vault.azure.net", credential)
secret = client.get_secret("secret-name")
```
Note that I'm using a SecretClient to fetch secrets from Key Vault; there are new packages for working with Key Vault in Python that replace azure-keyvault:

Clients in each of these packages can use any credential from azure-identity for authentication.

(I work on the Azure SDK in Python)
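The question asks how a token already fetched from the VM's identity endpoint can be handed to the SDK. As an added example (not from the answers above or the Azure SDK), this wraps such a token in an object exposing get_token(*scopes), which is all SecretClient requires of a credential; it assumes the token was requested with resource=https://vault.azure.net (the linked tutorial requests one for ARM instead, which Key Vault would reject) and reads the expiry from the JWT's exp claim without verifying the signature, since the VM only needs to know when to stop presenting it.

```python
import base64
import json
import time
from collections import namedtuple

try:
    # The SDK's own type: a (token, expires_on) tuple consumed by SecretClient's auth policy.
    from azure.core.credentials import AccessToken
except ImportError:
    # Same shape, so the example also runs on a machine without azure-core installed.
    AccessToken = namedtuple("AccessToken", ["token", "expires_on"])

KEY_VAULT_AUDIENCE = "https://vault.azure.net"  # 'aud' claim of a token minted for Key Vault

def _jwt_claims(jwt: str) -> dict:
    """Decode a JWT payload. The signature is NOT verified here: the VM got this token
    from IMDS and only needs the claims to know where and for how long it is valid."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class PreFetchedTokenCredential:
    """Exposes get_token(*scopes) as azure-core expects, around a token obtained out of band."""
    def __init__(self, jwt: str, audience: str = KEY_VAULT_AUDIENCE):
        claims = _jwt_claims(jwt)
        # A token for ARM (the tutorial's resource) is rejected by Key Vault; refuse it up
        # front rather than sending a bearer token to a service it was not issued for.
        if claims.get("aud") != audience:
            raise ValueError(f"token audience {claims.get('aud')!r} is not {audience!r}")
        self._token = AccessToken(jwt, int(claims["exp"]))

    def get_token(self, *scopes, **kwargs):
        if self._token.expires_on <= time.time():
            raise RuntimeError("token expired; request a fresh one from IMDS")
        return self._token

def make_sample_jwt(aud: str, exp: int) -> str:
    """Constructed, unsigned sample token for demonstration only (not a real Azure token)."""
    def seg(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg(b'{"alg":"none","typ":"JWT"}')
    payload = seg(json.dumps({"aud": aud, "exp": exp}).encode())
    return f"{header}.{payload}."

if __name__ == "__main__":
    cred = PreFetchedTokenCredential(make_sample_jwt(KEY_VAULT_AUDIENCE, int(time.time()) + 3600))
    print(cred.get_token(KEY_VAULT_AUDIENCE + "/.default").expires_on)
    # With the SDK installed, SecretClient accepts this object in place of ManagedIdentityCredential:
    # SecretClient("https://{vault-name}.vault.azure.net", cred).get_secret("secret-name")
```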
I wouldn't recommend you use the managed identity of a VM to access KeyVault. You should create a service principal if you intend on running scripts / code.

The best way of doing this is with the Azure CLI. See here for instructions on installing the CLI, and refer to this, or this for creating your service principal.

The best way to manage resources in Python is by using ADAL, which is documented: https://github.com/AzureAD/azure-activedirectory-library-for-python

In your case, however, managing KeyVault is made a little easier since the KeyVault library for Python also provides the means for you to authenticate without directly using ADAL to obtain your access token. See here: https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python
```python
from azure.keyvault import KeyVaultClient
from azure.common.credentials import ServicePrincipalCredentials

credentials = ServicePrincipalCredentials(
    client_id='...',
    secret='...',
    tenant='...'
)
client = KeyVaultClient(credentials)

# VAULT_URL must be in the format 'https://<vaultname>.vault.azure.net'
# KEY_VERSION is required, and can be obtained with the KeyVaultClient.get_key_versions(self, vault_url, key_name) API
VAULT_URL = 'https://<vaultname>.vault.azure.net'  # placeholder: your vault's URL
KEY_NAME = '<key-name>'                             # placeholder: the key to read
KEY_VERSION = '<key-version>'                       # placeholder: one of get_key_versions()' results
key_bundle = client.get_key(VAULT_URL, KEY_NAME, KEY_VERSION)
key = key_bundle.key
```
In the above, client_id, secret, and tenant (id) are all outputs of the az ad sp create-for-rbac --name {APP-NAME} CLI command.

Remember to review and adjust the role assignments for the sp you created. And your KeyVault is only as secure as the devices which have access to your sp's credentials.