
Authenticating to Azure Key Vault locally using DefaultAzureCredential

I am attempting to run this 'Retrieve a secret from the vault' example locally (Ubuntu 19.10) to retrieve a secret from an Azure Key Vault:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

client = SecretClient(vault_url="https://<<vaultname>>.vault.azure.com",
                      credential=DefaultAzureCredential())

secret = client.get_secret("<<mysecret>>")

However I receive the following error:

azure.core.exceptions.ClientAuthenticationError:
No credential in this chain provided a token.
Attempted credentials:
EnvironmentCredential: Incomplete environment configuration. See https://aka.ms/python-sdk-identity#environment-variables for expected environment variables
ImdsCredential: IMDS endpoint unavailable
Please visit the documentation at
https://aka.ms/python-sdk-identity#defaultazurecredential
to learn what options DefaultAzureCredential supports

The documentation on Service-to-Service authentication to Key Vault seems to suggest that I should be able to authenticate by the Azure CLI, and I've followed the steps to login via az login, select the appropriate subscription (which I've done just in case, despite only having one), and verify access via az account get-access-token --resource https://vault.azure.net, which does return a token; however, I still receive the error above.

Am I wrong in assuming I should be able to authenticate after logging in via the cli?

And if so, and I need to manually set the environment variables described in the documentation link provided for EnvironmentCredential, what values do I need to supply for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET?

Am I wrong in assuming I should be able to authenticate after logging in via the cli?

You're not wrong, it's possible with the current preview version of azure-identity, 1.4.0b2 as I write this. With that installed, your code should work once you've logged in to the CLI.

... what values do I need to supply for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET?

These would be the client (or "application") ID of a service principal, and one of its secrets. The azure-keyvault-secrets documentation describes how to create a service principal and configure its access to a Key Vault, using the CLI.

Briefly restating that documentation here, you can create a service principal with this command:

az ad sp create-for-rbac --name http://my-application

From the output of that command, "appId" is the value of AZURE_CLIENT_ID and "password" is the value of AZURE_CLIENT_SECRET.

Then, to grant the service principal access to the Key Vault's secrets:

az keyvault set-policy --name <<vaultname>> --spn $AZURE_CLIENT_ID --secret-permissions get set list delete backup recover restore purge
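An added example, not part of the question or answer above: it maps the fields of the `az ad sp create-for-rbac` output onto the variables EnvironmentCredential reads, and checks whether the environment is complete (the "Incomplete environment configuration" line in the error means at least one is unset). Note that EnvironmentCredential also needs AZURE_TENANT_ID, which the answer does not mention; the sample CLI output and its values are constructed placeholders.

```python
import json
import os

# Constructed sample of `az ad sp create-for-rbac` output; all values are placeholders.
SAMPLE_SP_OUTPUT = """{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "my-application",
  "name": "http://my-application",
  "password": "PLACEHOLDER-CLIENT-SECRET",
  "tenant": "00000000-0000-0000-0000-000000000002"
}"""

# Variables EnvironmentCredential reads for a client-secret service principal.
REQUIRED_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def sp_output_to_env(sp_json: str) -> dict:
    """Map the CLI output fields onto the EnvironmentCredential variable names."""
    sp = json.loads(sp_json)
    return {
        "AZURE_TENANT_ID": sp["tenant"],
        "AZURE_CLIENT_ID": sp["appId"],
        "AZURE_CLIENT_SECRET": sp["password"],
    }


def missing_env_vars(env=None) -> list:
    """Return the required variables that are unset or empty, in REQUIRED_VARS order.

    An empty result means EnvironmentCredential has a complete configuration;
    anything else reproduces the 'Incomplete environment configuration' outcome.
    """
    env = os.environ if env is None else env
    return [name for name in REQUIRED_VARS if not env.get(name)]


def redacted(env: dict) -> dict:
    """Copy of env with the client secret masked, so it can be logged while debugging."""
    return {k: ("***" if k == "AZURE_CLIENT_SECRET" else v) for k, v in env.items()}


if __name__ == "__main__":
    env = sp_output_to_env(SAMPLE_SP_OUTPUT)
    print("missing with empty environment:", missing_env_vars({}))
    print("missing after mapping CLI output:", missing_env_vars(env))
    print("values to export (secret masked):", redacted(env))
```

Export the three variables in the shell that runs the script; if only the code in the question is needed, granting the service principal just the `get` secret permission in the set-policy call is sufficient for get_secret.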
