Azure key vault create in Python
I am trying to programmatically create a key vault in Python using this tutorial (https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python). No errors until the last step, where it throws an exception when I call client.vaults.create_or_update(), because I might not have used the right values for ALLOW_OBJECT_ID and ALLOW_TENANT_ID.
The documentation says these values can be found on the portal, but I could not find them. Is there a way to get them programmatically?
Error: srest.exceptions.AuthenticationError: , AdalError: Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier XXX was not found in the directory YY
Code:
    import subprocess
    import json
    from azure.mgmt.keyvault import KeyVaultManagementClient
    from azure.common.credentials import ServicePrincipalCredentials


    def get_subscription():
        # Shell out to the Azure CLI and parse its JSON output.
        subs = json.loads(subprocess.check_output('az account list',
                                                  shell=True).decode('utf-8'))
        # Picks the second subscription returned by 'az account list'.
        subscription = subs[1]['id']
        # Creates a new service principal with Contributor on that subscription;
        # the CLI returns appId, password and tenant for it.
        cmd = 'az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/%s"' % subscription
        creds = json.loads(subprocess.check_output(cmd, shell=True).decode('utf-8'))
        return subscription, creds


    def create_key_vault(vault_name='TestKeyVault'):
        subscription_id, creds = get_subscription()
        client_id = creds['appId']
        secret = creds['password']
        tenant = creds['tenant']
        credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant)
        client = KeyVaultManagementClient(credentials, subscription_id)

        # Values the question is about: the appId is used as the access policy object id here.
        ALLOW_OBJECT_ID = client_id
        ALLOW_TENANT_ID = tenant
        RESOURCE_GROUP = 'SomeRG'
        VAULT_NAME = vault_name

        # Vault properties may also be created by using the
        # azure.mgmt.keyvault.models.VaultCreateOrUpdateParameters
        # class, rather than a map.
        operation = client.vaults.create_or_update(
            RESOURCE_GROUP,
            VAULT_NAME,
            {
                'location': 'eastus',
                'properties': {
                    'sku': {
                        'name': 'standard'
                    },
                    'tenant_id': ALLOW_TENANT_ID,
                    'access_policies': [{
                        'object_id': ALLOW_OBJECT_ID,
                        'tenant_id': ALLOW_TENANT_ID,
                        'permissions': {
                            'keys': ['all'],
                            'secrets': ['all']
                        }
                    }]
                }
            }
        )
        # create_or_update is a long-running operation; wait for it to finish.
        vault = operation.result()
        print(f'New vault URI: {vault.properties.vault_uri}')
Well, the objects could be the users, security groups or service principals in your Azure AD tenant. If you are not familiar with access policies in Key Vault, check this doc.
To get them programmatically, the easiest way in your case is to use the Azure CLI in Python.
- Use az account show to get the tenantId.
- Use az ad user list to get the objectId of the user.
- Use az ad group list to get the objectId of the security group.
- Use az ad sp list to get the objectId of the service principal.
Then you should specify ALLOW_OBJECT_ID and ALLOW_TENANT_ID with any objectId you need and the tenantId above.
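One way to carry out what the answer describes, as an added example (not code from the question, the answer, or the Azure SDK): resolve the tenantId with az account show and the service principal's objectId with az ad sp list, then build the access-policy entry from those values instead of the appId. The run_az parameter, the fake_az function and its GUIDs are assumptions introduced here so the lookup logic can run without an Azure login; az ad sp list --filter is a real CLI option, and the field that carries the objectId is named id on current CLI versions and objectId on older ones, so both are accepted.

```python
"""Resolve tenantId and a service principal's objectId via the Azure CLI and
build a Key Vault access policy from them (added example, not from the post).
Assumes `az` is installed and logged in; `run_az` is a hypothetical injection
point so the logic can be exercised offline with constructed CLI output."""
import json
import subprocess
import uuid
from typing import Any, Callable, Dict, List

AzRunner = Callable[[List[str]], Any]


def run_az_cli(args: List[str]) -> Any:
    """Run an `az` command and return its parsed JSON output."""
    out = subprocess.check_output(["az", *args, "--output", "json"])
    return json.loads(out.decode("utf-8"))


def is_guid(value: Any) -> bool:
    """Tenant IDs, app IDs and object IDs are all GUIDs."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def get_tenant_id(run_az: AzRunner = run_az_cli) -> str:
    """`az account show` reports the tenant of the current login."""
    tenant_id = run_az(["account", "show"])["tenantId"]
    if not is_guid(tenant_id):
        raise ValueError(f"unexpected tenantId: {tenant_id!r}")
    return tenant_id


def get_sp_object_id(app_id: str, run_az: AzRunner = run_az_cli) -> str:
    """Map the appId from `az ad sp create-for-rbac` to the SP's objectId.
    The access policy matches on objectId, which is a different GUID."""
    if not is_guid(app_id):
        raise ValueError(f"appId must be a GUID, got {app_id!r}")
    sps = run_az(["ad", "sp", "list", "--filter", f"appId eq '{app_id}'"])
    if len(sps) != 1:
        raise LookupError(f"expected one service principal for {app_id}, found {len(sps)}")
    # Newer CLI (Microsoft Graph) names the field `id`, older CLI `objectId`.
    object_id = sps[0].get("id") or sps[0].get("objectId")
    if not is_guid(object_id):
        raise LookupError(f"service principal {app_id} has no usable objectId")
    return object_id


def build_access_policy(tenant_id: str, object_id: str,
                        key_permissions=("get", "list"),
                        secret_permissions=("get", "list")) -> Dict[str, Any]:
    """One access-policy entry; defaults to read-only rather than 'all'."""
    for value, name in ((tenant_id, "tenant_id"), (object_id, "object_id")):
        if not is_guid(value):
            raise ValueError(f"{name} must be a GUID, got {value!r}")
    return {"object_id": object_id, "tenant_id": tenant_id,
            "permissions": {"keys": list(key_permissions),
                            "secrets": list(secret_permissions)}}


def build_vault_parameters(app_id: str, location: str = "eastus",
                           run_az: AzRunner = run_az_cli) -> Dict[str, Any]:
    """The dict passed to client.vaults.create_or_update, with resolved IDs."""
    tenant_id = get_tenant_id(run_az)
    object_id = get_sp_object_id(app_id, run_az)
    return {"location": location,
            "properties": {"sku": {"name": "standard"},
                           "tenant_id": tenant_id,
                           "access_policies": [build_access_policy(tenant_id, object_id)]}}


# Constructed CLI output (hypothetical GUIDs) so the lookup runs without a login.
FAKE_TENANT = "11111111-1111-1111-1111-111111111111"
FAKE_APP_ID = "22222222-2222-2222-2222-222222222222"
FAKE_OBJECT_ID = "33333333-3333-3333-3333-333333333333"


def fake_az(args: List[str]) -> Any:
    if args[:2] == ["account", "show"]:
        return {"tenantId": FAKE_TENANT, "id": "subscription-placeholder"}
    if args[:3] == ["ad", "sp", "list"]:
        if args[-1] == f"appId eq '{FAKE_APP_ID}'":
            return [{"appId": FAKE_APP_ID, "id": FAKE_OBJECT_ID}]
        return []
    raise AssertionError(f"unexpected command: {args}")


if __name__ == "__main__":
    print(json.dumps(build_vault_parameters(FAKE_APP_ID, run_az=fake_az), indent=2))
```

Because an access policy is matched on objectId, an entry built from the appId is accepted by the API but grants the service principal nothing, which is easy to miss; resolving the objectId explicitly, and defaulting the permissions to get/list rather than all, keeps the policy both correct and minimal.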