
Azure Identity and Key Vault: How to use managed identities to authenticate?

I am trying to use the Azure Identity package to access Key Vault secrets. I am using AzureML and it has its own system assigned managed identity ("Identity" in the left-hand blade).

This system assigned managed identity yields me an Object (principal) ID. It also allows me to set Azure role assignments. This managed identity is a: (1) contributor, (2) administrator, and (3) key vaults secret user for the key vault service I want to use with my secrets.

Inside AzureML, on a Python notebook, if I run:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# load key vault data
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url="--KV URL--", credential=credential)
secret_client.get_secret("secret-i-want")
# fails with the following error:
EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.

Fair enough, it tells me to basically create a service principal and put its details into the environment. But, I don't want to. I want to use the Managed Identity which is apparently best in class for security because I am not storing secrets anywhere.

Looking through documentation, there exists a way to allegedly use the Managed Identity, but I cannot make it work. https://azuresdkdocs.blob.core.windows.net/$web/python/azure-identity/1.6.0/azure.identity.html#azure.identity.ManagedIdentityCredential

I am uncertain how to get a client ID for AzureML or its managed identity.

from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

# select the managed identity by its principal (object) id
credential2 = ManagedIdentityCredential(identity_config={"object_id": "principal-id-for-aml-managed-identity"})
secret_client = SecretClient(vault_url="--KV URL--", credential=credential2)
# hangs with no error

I have tested in my environment.

You can use AzureCliCredential instead of ManagedIdentityCredential.

In the terminal, log in with the command below using the system-assigned identity:

az login --identity

Now, use the python notebook script below:

from azure.identity import AzureCliCredential
from azure.keyvault.secrets import SecretClient

# reuse the `az login --identity` session from the terminal
managed_identity = AzureCliCredential()
secret_client = SecretClient(vault_url="https://radapakv.vault.azure.net/", credential=managed_identity)
value = secret_client.get_secret("test")
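Added example, not code from the question or the answer above: an explicit credential chain for Key Vault that tries the compute's system-assigned managed identity first and falls back to the `az login --identity` session the answer uses, without ever reading a service-principal secret from the environment. The helper that inspects the managed-identity environment variables, the function names, and the vault URL and secret name are assumptions of this example.

```python
import os

# Variable pairs azure-identity consults to find a managed identity endpoint
# advertised by the host (IDENTITY_ENDPOINT/IDENTITY_HEADER on App Service-style
# hosts, MSI_ENDPOINT/MSI_SECRET on hosts such as Azure ML compute). When none
# is set the library falls back to probing the instance metadata service (IMDS).
ENDPOINT_VARS = (("IDENTITY_ENDPOINT", "IDENTITY_HEADER"),
                 ("MSI_ENDPOINT", "MSI_SECRET"))


def managed_identity_source(env=None):
    """Return 'endpoint' if the host advertises a managed identity endpoint via
    environment variables, otherwise 'imds'. Pure function, so it can be checked
    without any network access (assumed helper, not part of azure-identity)."""
    env = os.environ if env is None else env
    for pair in ENDPOINT_VARS:
        if all(env.get(name) for name in pair):
            return "endpoint"
    return "imds"


def credential_chain(user_assigned_client_id=None):
    """Build ManagedIdentityCredential -> AzureCliCredential.

    With no client id the system-assigned identity is used; client_id (or
    identity_config) is only needed to pick a *user-assigned* identity.
    EnvironmentCredential is deliberately left out of the chain.
    """
    from azure.identity import (AzureCliCredential, ChainedTokenCredential,
                                ManagedIdentityCredential)
    if user_assigned_client_id:
        msi = ManagedIdentityCredential(client_id=user_assigned_client_id)
    else:
        msi = ManagedIdentityCredential()
    return ChainedTokenCredential(msi, AzureCliCredential())


def read_secret(vault_url, secret_name, credential=None):
    """Fetch one secret value from Key Vault using the chain above."""
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url,
                          credential=credential or credential_chain())
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    print("managed identity source:", managed_identity_source())
    # constructed placeholders; replace with your vault URL and secret name
    print(read_secret("https://<your-vault>.vault.azure.net/", "secret-i-want"))
```

Because the managed identity comes first, a working chain will never reach the CLI fallback on an AzureML compute that exposes its identity, and the misleading EnvironmentCredential message from DefaultAzureCredential no longer appears.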
