如何通过 Python 中的专用端点访问 Azure Keyvault？

Question

For security purpose, I have disabled public access under Networking Tab in Keyvault and have a private endpoint in place. Both keyvault and private endpoint reside in same resource group. I have an app registration for my application for which I have granted access under Access policies in Keyvault.

Using Python SDK,

from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential as cs


keyVaultName = "<NAME>"
kvURI = "https://<NAME>.vault.azure.net"
AZ_TENANT_ID = '<AZ_TENANT_ID>'
AZ_CLIENT_ID = '<AZ_CLIENT_ID>'
AZ_CLIENT_SECRET = '<AZ_CLIENT_SECRET>'
credential = cs(
            tenant_id=AZ_TENANT_ID,
            client_id=AZ_CLIENT_ID,
            client_secret=AZ_CLIENT_SECRET)

def set_secret(secretname,secretvalue):
        print(credential)
        secret_client = SecretClient(vault_url=kvURI, credential=credential)
        secret = secret_client.set_secret(secretname,secretvalue,enabled=True)
        sec_dic={}
        sec_dic['name']=secret.name
        sec_dic['value']=secret.value
        sec_dic['properties']=secret.properties.version
        return sec_dic
    
xx=set_secret('g','ff')
print(xx)

When running this code, I get the follwing error,

azure.core.exceptions.HttpResponseError: (Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.
Code: Forbidden
Message: Public network access is disabled and request is not from a trusted service nor via an approved private link.
Inner error: {
    "code": "ForbiddenByConnection"
}

What am I doing wrong? How do I connect to keyvault that has no public access only via private endpoint?

Answer 1

I have reproduced in my environment, and got expected results as below:

Firstly, I have done the same process you have explained, and I got same error as you have got:

So, this error comes when you create a private endpoint.

When you create a private endpoint with a particular Virtual Network-Su.net, you need to create a Virtual Machine where Virtual Network is integrated.

Then we need to open the Vm created integrated with the above Virtual Network-Su.net, and now when I try to access the key Vault, I got required result as below:

References:

• azure - Unable to get storage account container details - Stack Overflow

• Azure Key Vault not allow access via private endpoint connection

• Azure functions and Azure KeyVault communicating through service endpoint