For a Python code base I would like to have developers accessing application secrets using Azure Key Vault, with the idea that when we deploy, the application also should be able to connect. Hence, I'm thinking Active Directory.

However, I cannot find any examples on the interweb that show this with the Python SDK. Initially, I would think to retrieve the CLI user:

from azure.common.credentials import get_azure_cli_credentials

credentials, subscription_id, tenant_id = get_azure_cli_credentials(with_tenant=True)

and then use this retrieved set of credentials to access the key vault:

from azure.keyvault import KeyVaultClient

vault_url = "https://########.vault.azure.net/"
secret_name = "########"
secret_version = "########"

client = KeyVaultClient(credentials)
secret = client.get_secret(vault_url, secret_name, secret_version)

print(secret)

However, I retrieve an error that:

azure.keyvault.v7_0.models.key_vault_error_py3.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'

I can confirm that credentials, subscription_id and tenant_id are correct, and that using the CLI, I can successfully retrieve the secret content. So it must be some Python SDK-specific thing.

Any ideas?

Laurent Mazuel
casparjespersen

5 Answers


It looks like this is a bug in the Python SDK.

https://github.com/Azure/azure-sdk-for-python/issues/5096

You can use your own AD username and password with the UserPassCredentials class. It's not the logged in user, but it's probably as close as you'll get for now.

E.g.:

from azure.common.credentials import UserPassCredentials
from azure.keyvault import KeyVaultClient

# Same vault and secret placeholders as in the question
vault_url = "https://########.vault.azure.net/"
secret_name = "########"
secret_version = "########"

# Authenticate with an AD username and password instead of the CLI session
credentials = UserPassCredentials('username', 'password')

client = KeyVaultClient(credentials)
secret = client.get_secret(vault_url, secret_name, secret_version)

print(secret)
Euan


I tried the same thing and had a different error ("...audience is invalid...") until I changed your first function call adding the resource parameter:

credentials, subscription_id, tenant_id = get_azure_cli_credentials(
    resource='https://vault.azure.net', with_tenant=True)

With this change I was able to access secrets using the same code you show.

8forty


What about this code snippet? Comparing your code to the example, I don't see where you're setting the client_id or the tenant.

Mitch Stewart
  • That snippet uses `ServicePrincipalCredentials` for authorization, which I was hoping to bypass, utilizing that the developer is already logged in with Azure credentials. Hence, the credentials are loaded from the Azure CLI with `get_azure_cli_credentials`. – casparjespersen Apr 11 '19 at 15:22

You’ll want to set the access policy for the key vault to allow the authenticated user to access secrets. This can be done in the portal. Bear in mind that key vault has an upper limit of 16 access definitions, so you’ll probably want to grant access to a group and add your users to that group.

Josh
  • That is already set. The user does have access. And also, as I stated, if I go through the Azure CLI I can successfully retrieve the secrets, but going through Python SDK (with CLI credentials) I cannot. – casparjespersen Apr 12 '19 at 07:32

As @8forty pointed out, adding a resource='https://vault.azure.net' parameter to your get_azure_cli_credentials call will resolve the issue.

However, there are new packages for working with Key Vault in Python that replace azure-keyvault:

azure-identity is also the package that should be used with these for authentication.

If you want to authenticate your Key Vault client with the credentials of the logged in CLI user, you can use the AzureCliCredential class:

from azure.identity import AzureCliCredential
from azure.keyvault.secrets import SecretClient

credential = AzureCliCredential()

vault_url = "https://{vault-name}.vault.azure.net"
secret_name = "secret-name"

client = SecretClient(vault_url, credential)
secret = client.get_secret(secret_name)

print(secret.value)

(I work on the Azure SDK in Python)

mccoyp
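The "audience is invalid" / Unauthorized failure that 8forty's and mccoyp's answers fix by passing resource='https://vault.azure.net' comes down to which audience the access token was issued for. The following is an added example of mine, not code from any answer or from the Azure SDK: it reads the aud claim of a token locally and compares it with the Key Vault resource. It assumes the CLI's default token is an ARM token and that Key Vault expects https://vault.azure.net; the sample tokens are constructed and unsigned.

```python
import base64
import json

KEY_VAULT_RESOURCE = "https://vault.azure.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the checker has input to inspect.
    Real Azure AD tokens are RS256-signed; this stand-in has an empty signature
    and would be rejected by any real service."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_audience(token: str) -> str:
    """Return the 'aud' claim of an access token. The payload is read without
    verifying the signature: this is a local diagnostic, not token validation
    (Key Vault performs the real validation)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload.get("aud", "")


def audience_matches(token: str, resource: str = KEY_VAULT_RESOURCE) -> bool:
    """True if the token was issued for `resource` (a trailing slash is ignored)."""
    return token_audience(token).rstrip("/") == resource.rstrip("/")


if __name__ == "__main__":
    # Constructed samples: an ARM-audience token (assumed to be what the CLI hands
    # out when no resource is requested) versus one requested for Key Vault.
    arm_token = make_unsigned_jwt({"aud": "https://management.azure.com/", "upn": "dev@example.com"})
    kv_token = make_unsigned_jwt({"aud": "https://vault.azure.net", "upn": "dev@example.com"})
    for name, tok in (("ARM token", arm_token), ("Key Vault token", kv_token)):
        print(f"{name}: aud={token_audience(tok)!r} accepted_by_key_vault={audience_matches(tok)}")
```

Running this against a real token obtained with az account get-access-token shows the same mismatch: only a token whose aud is the vault resource is accepted, which is why the resource parameter (or AzureCliCredential, which requests the right scope itself) resolves the error.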