
Azure key vault create in Python

I am trying to programmatically create a key vault in python using this tutorial ( https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python ). No errors till the last step, where it throws an exception when I call client.vaults.create_or_update(), because I might not have used the right values for ALLOW_OBJECT_ID and ALLOW_TENANT_ID. The documentation says these values can be found on the portal, but I could not find them. Is there a way to get them programmatically?

Error: srest.exceptions.AuthenticationError: , AdalError: Get Token request returned http error: 400 and server response: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier XXX was not found in the directory YY

Code:

import subprocess
import json
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.common.credentials import ServicePrincipalCredentials

def get_subscription():
    # Pick a subscription from the logged-in CLI account, then create a
    # service principal with Contributor rights scoped to that subscription.
    subs = json.loads(subprocess.check_output('az account list',
                      shell=True).decode('utf-8'))
    subscription = subs[1]['id']
    cmd = 'az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/%s"' % subscription
    creds = json.loads(subprocess.check_output(cmd, shell=True).decode('utf-8'))
    return subscription, creds

def create_key_vault(vault_name='TestKeyVault'):
    subscription_id, creds = get_subscription()
    client_id = creds['appId']
    secret = creds['password']
    tenant = creds['tenant']
    credentials = ServicePrincipalCredentials(client_id=client_id, secret=secret, tenant=tenant)
    client = KeyVaultManagementClient(credentials, subscription_id)
    # The appId returned by create-for-rbac is used as the access-policy
    # object id here; this is the value the question is unsure about.
    ALLOW_OBJECT_ID = client_id
    ALLOW_TENANT_ID = tenant

    RESOURCE_GROUP = 'SomeRG'
    VAULT_NAME = vault_name

    # Vault properties may also be created by using the
    # azure.mgmt.keyvault.models.VaultCreateOrUpdateParameters
    # class, rather than a map.
    operation = client.vaults.create_or_update(
        RESOURCE_GROUP,
        VAULT_NAME,
        {
            'location': 'eastus',
            'properties': {
                'sku': {
                    'name': 'standard'
                },
                'tenant_id': ALLOW_TENANT_ID,
                'access_policies': [{
                    'object_id': ALLOW_OBJECT_ID,
                    'tenant_id': ALLOW_TENANT_ID,
                    'permissions': {
                        'keys': ['all'],
                        'secrets': ['all']
                    }
                }]
            }
        }
    )

    # create_or_update is long-running; wait for the vault to exist.
    vault = operation.result()
    print(f'New vault URI: {vault.properties.vault_uri}')

if __name__ == '__main__':
    create_key_vault()

Well, the objects could be the users, security groups, or service principals in your Azure AD tenant. If you are not familiar with access policy in keyvault, check this doc.

To get them programmatically, the easiest way in your case is to use Azure CLI in python.

Use az account show to get the tenantId.

Use az ad user list to get the objectId of the user.

Use az ad group list to get the objectId of the security group.

Use az ad sp list to get the objectId of the service principal.

Then you should specify the ALLOW_OBJECT_ID and ALLOW_TENANT_ID with any objectId you need and the tenantId above.
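An added example, not code from the question or the answer, of doing the lookup the answer describes from Python: it shells out to `az` for the tenantId and for a service principal's objectId, keeps objectId distinct from the appId the question used, and builds the access policy with narrower permissions than ['all']. The GUIDs, the principal name and the fake_az runner are constructed so it runs offline; the fallback to an `id` field for newer CLI output is an assumption.

```python
import json
import subprocess

# Constructed sample CLI output so this runs offline (GUIDs are made up).
# Field names follow the answer; newer CLI releases return `id` instead of
# `objectId`, which the resolver also accepts (assumption).
SAMPLE_ACCOUNT = json.dumps({"tenantId": "33333333-3333-3333-3333-333333333333"})
SAMPLE_SP_LIST = json.dumps([{
    "appId": "11111111-1111-1111-1111-111111111111",
    "objectId": "22222222-2222-2222-2222-222222222222",
    "displayName": "my-keyvault-sp",
}])

def fake_az(args):
    """Stand-in for the real CLI, returning the constructed samples."""
    return SAMPLE_ACCOUNT if args[:2] == ['account', 'show'] else SAMPLE_SP_LIST

def run_az(args, runner=None):
    """Run `az <args> -o json` and parse the result; `runner` is injectable."""
    if runner is None:
        runner = lambda a: subprocess.check_output(['az', *a, '-o', 'json'])
    return json.loads(runner(args))

def get_tenant_id(runner=None):
    return run_az(['account', 'show'], runner)['tenantId']

def get_sp_object_id(display_name, runner=None):
    """Return the service principal's objectId, never its appId: the access
    policy names a directory object, and appId is what the question passed."""
    matches = run_az(['ad', 'sp', 'list', '--display-name', display_name], runner)
    if len(matches) != 1:
        raise LookupError(f'expected one principal named {display_name!r}, got {len(matches)}')
    return matches[0].get('objectId') or matches[0]['id']

def access_policy(tenant_id, object_id, keys=('get', 'sign'), secrets=('get',)):
    """One access-policy entry. Defaults are narrow on purpose; the question's
    ['all'] grants every key and secret operation to that object."""
    return {'object_id': object_id, 'tenant_id': tenant_id,
            'permissions': {'keys': list(keys), 'secrets': list(secrets)}}

def vault_parameters(tenant_id, policies, location='eastus'):
    """Body for client.vaults.create_or_update(resource_group, vault_name, ...)."""
    return {'location': location,
            'properties': {'sku': {'name': 'standard'}, 'tenant_id': tenant_id,
                           'access_policies': list(policies)}}

if __name__ == '__main__':
    tenant = get_tenant_id(fake_az)
    policy = access_policy(tenant, get_sp_object_id('my-keyvault-sp', fake_az))
    print(json.dumps(vault_parameters(tenant, [policy]), indent=2))
```

Drop the fake_az argument to run against the real CLI after `az login`.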
