Cannot access azure key vault secret with python

Question

I've been able to access azure key vault using oauth rest api through my external web app, but for some reason I am unable to retrieve the secrets from the keys. After long hours of researching I've found out that its possible to do this with powershell and c# but have still yet to find any solution with python. Anyone know if its possible with python, or is there a way of emulating what powershell is doing through? Here's the code to retrieve the secret:

def getSecret(vault_name, secret_name, secret_version = ''):
    #Get acess token to azure account
    data = { "grant_type" : "client_credentials", 
            "client_id" : 'appidxx', 
            "client_secret" : 'appsecretxx', 
            "resource" : "https://vault.azure.net"
        }
    headers = { "Content-Type" : "application/x-www-form-urlencoded" }
    r = requests.post("https://login.windows.net/{}/oauth2/token".format('my tenant id'), data=data, headers=headers)
    access_token = r.json()['access_token']
    #Get secret from KeyVault
    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
    result = r.json()
    if 'value' in result.keys():
        return result["value"]
    else: 
        return 'Secret Not Found'

def searchSecret(secret_name, secret_version = ''):
subscription_id = 'subscription id'    
credentials = ServicePrincipalCredentials(
        client_id= 'appidxx',
        secret= 'appsecretxx',
        tenant= 'tenantidxx'
    )

    kvm_client = KeyVaultManagementClient(credentials,  subscription_id )
    for vault in kvm_client.vaults.list():
        #return when secret found in vault
        secret = getSecret(vault.name, secret_name, secret_version = '')
        if (secret != 'Secret Not Found'):
            return secret
    return 'Secret Not Found'

Also I have registered my app in azure portal and granted permissions to my keys and secrets, however i noticed that when granting access to my app through access policy, the "Authorized application" option is locked and i cannot add my app, which may be the root cause of my issue?? screenshot

Answer 1

If you want to access secrets more easily using the Azure SDK, there are new packages for working with Key Vault in Python that replace azure-keyvault :

• azure-keyvault-certificates (Migration guide)
• azure-keyvault-keys (Migration guide)
• azure-keyvault-secrets (Migration guide)

azure-identity is also the package that should be used with these for authentication.

Documentation for working with the secrets library can be found on the azure-sdk-for-python GitHub repository , and here's a sample for retrieving secrets as you were doing:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.mgmt.keyvault import KeyVaultManagementClient

credential = DefaultAzureCredential()
subscription_id = "subscription id"

def getSecret(vault_url, secret_name, secret_version=None):
    client = SecretClient(vault_url, credential)
    # list the secrets in the vault
    secret_properties = client.list_properties_of_secrets()
    for secret_property in secret_properties:
        if secret_property.name == secret_name:
            # get secret from Key Vault
            return client.get_secret(secret_name, secret_version)
    return "Secret Not Found"

def searchSecret(secret_name, secret_version=None):
    kvm_client = KeyVaultManagementClient(credential, subscription_id)
    for vault in kvm_client.vaults.list():
        # return when secret found in vault
        secret = getSecret(vault.properties.vault_uri, secret_name, secret_version)
        if secret != "Secret Not Found":
            return secret
    return "Secret Not Found"

You can provide the same credentials that you used for ServicePrincipalCredentials by setting environment variables corresponding to the client_id , secret , and tenant :

export AZURE_CLIENT_ID="appidxx"
export AZURE_CLIENT_SECRET="appsecretxx"
export AZURE_TENANT_ID="tenantidxx"

(I work on the Azure SDK in Python)

Answer 2

Firstly, you should give your service principal access your key vault permission. Like this https://imgur.com/a/mrth1 .

I test your code by using getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b') , it works for me.

import requests
def getSecret(vault_name, secret_name, secret_version = ''):
    #Get acess token to azure account
    data = { "grant_type" : "client_credentials", 
            "client_id" : '*******', 
            "client_secret" : '*******', 
            "resource" : "https://vault.azure.net"
        }
    headers = { "Content-Type" : "application/x-www-form-urlencoded" }
    r = requests.post("https://login.windows.net/{}/oauth2/token".format('*******'), data=data, headers=headers)
    access_token = r.json()['access_token']
    #Get secret from KeyVault
    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(vault_name, secret_name, secret_version), headers=headers)
    print r
    result = r.json()
    if 'value' in result.keys():
        return result["value"]
    else: 
        return 'Secret Not Found'
getSecret('shui','shui02','b89f7498e8c64b6c9365e0eda55b4b5b')