
I am on an Azure VM with a dynamic IP address. When I am logged in, I am able to retrieve secrets using the following Python code without any issues:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url="https://xxxx/", credential=credential)
secret = secret_client.get_secret("testSecret")

I need to retrieve the secrets when the VM is on but I am not logged in, to enable other processes to run. I noticed the code above was failing when I am logged off. The system admin gave me the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID and VAULT_URL for me to set them as EnvironmentCredentials.

I set them in CMD as follows:

SETX AZURE_CLIENT_ID "pppp"
SETX AZURE_CLIENT_SECRET "mmmm"
SETX AZURE_TENANT_ID "kkkk"
SETX VAULT_URL "xxxx"

When I check the system environment settings, I can see they have been set.

I tried retrieving my secret using this code:

import os
from azure.identity import EnvironmentCredential
from azure.keyvault.secrets import SecretClient
VAULT_URL = os.environ["VAULT_URL"]
# EnvironmentCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET
credential = EnvironmentCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
password = client.get_secret("testSecret").value

I got this error:

raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: (Forbidden) The user, group or application 'pppp;iss=https://sts.windows.net/kkkk/' does not have secrets get permission on key vault 'name of my vault-vault;location=australiasoutheast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

Question: The system admin confirms the credentials issued are the service principal's correct details.

  1. How can I correct this, or what am I doing wrong?
  2. Is there a way for me to print DefaultAzureCredential so that I can set the same as EnvironmentCredential? I believe the reason I can retrieve secrets when I am logged in is that the credentials are cached when I sign in.

Your help will highly be appreciated.

wwnde

1 Answer


How can I correct this, or what am I doing wrong?

The error means your service principal does not have the correct secret permission in your Key Vault -> Access policies. To solve the issue, add the application (service principal) mentioned in the error message to the Access policies with the Get secret permission in your Key Vault in the Azure portal. If it still does not work, please try to set the environment variables in the System variables instead of the User variables for xxx as shown in your screenshot.

Is there a way for me to print DefaultAzureCredential so that I can set the same as EnvironmentCredential? I believe the reason I can retrieve secrets when I am logged in is that the credentials are cached when I sign in.

No need to do this: the DefaultAzureCredential attempts to authenticate via the following mechanisms in this order, see here. If you didn't set the environment variables before, it should use the managed identity of your VM to authenticate.

Joy Wang
  • Putting all the variables in System Variables, I get the error `azure.identity._exceptions.CredentialUnavailableError: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.` Also, with the help of the system admin, I checked the access policy and what is listed as the application is the VM's name. It has all the Secret Management Operations selected, including get. Are you suggesting I do away with the VM's name and replace it with the AZURE_CLIENT_ID? Lastly, the link provided on access is not working. – wwnde Oct 22 '20 at 03:14
  • @wwnde Navigate to the VM in the portal -> `Identity`; if it was enabled, the `VMs name` in your case should be the managed identity of your VM. Actually, in this case, I recommend you use the system-assigned managed identity: just enable it if it was not, add it to the Key Vault access policy, then in your code use `credential = ManagedIdentityCredential()`. It is the best choice if you want to run your code in a VM. – Joy Wang Oct 22 '20 at 03:49
  • Done as directed. Just like the 'DefaultCredential', only works when logged on. Authentication does not happen when logged off. Was that expected? – wwnde Oct 22 '20 at 05:06
  • @wwnde What do you mean logged on and off? I think it will work as long as the vm is running. – Joy Wang Oct 22 '20 at 05:49
  • It doesn't run when the VM is running and I am logged off or no one is logged on. That's my nightmare. – wwnde Oct 22 '20 at 05:58
  • Any reason why this may be as it is? – wwnde Oct 22 '20 at 06:30
  • @wwnde If the `logged on` here you mean RDP into the VM, I think it should work even if you don't RDP into it. Could you make sure your code was executed? – Joy Wang Oct 22 '20 at 06:35
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/223439/discussion-between-wwnde-and-joy-wang). – wwnde Oct 22 '20 at 07:26
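The two failures in this thread, the `CredentialUnavailableError` from an incomplete environment and the `(Forbidden)` response from a missing access policy, can both be diagnosed before touching the vault. This is an added example, not the poster's, the answerer's or Microsoft's code; the function names are mine, and the 403 message it parses is a constructed copy of the one quoted in the question.

```python
"""Diagnose EnvironmentCredential / Key Vault access failures (added example)."""
import os
import re
from typing import Mapping, Optional

# Variables EnvironmentCredential reads: tenant and client id plus one secret form.
_REQUIRED = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID")
_SECRET_FORMS = (("AZURE_CLIENT_SECRET",), ("AZURE_CLIENT_CERTIFICATE_PATH",),
                 ("AZURE_USERNAME", "AZURE_PASSWORD"))


def missing_environment_vars(env: Mapping[str, str]) -> list:
    """Variables EnvironmentCredential still needs in this process, [] if complete.

    Values written with plain SETX land in the *user* profile and are visible only
    to processes started later under that user; a task running while nobody is
    logged on sees the *system* variables (SETX /M) or nothing at all, which is
    exactly the "not fully configured" error seen in the comments above."""
    missing = [name for name in _REQUIRED if not env.get(name)]
    if not any(all(env.get(n) for n in form) for form in _SECRET_FORMS):
        missing.append("AZURE_CLIENT_SECRET")
    return missing


# Shape of the 403 body quoted in the question: principal;iss=... and vault;location=...
_FORBIDDEN = re.compile(
    r"application '(?P<principal>[^';]+)(?:;iss=[^']*)?' does not have "
    r"(?P<perm>\w+ \w+) permission on key vault '(?P<vault>[^';]+)")


def parse_forbidden(message: str) -> Optional[dict]:
    """Pull the principal, missing permission and vault out of a Key Vault 403.

    The principal is the object/application id that has to be added to the
    vault's access policy with that permission (here "secrets get")."""
    match = _FORBIDDEN.search(message)
    return match.groupdict() if match else None


def choose_credential(env: Mapping[str, str] = os.environ):
    """EnvironmentCredential when its variables are complete, else the VM's managed identity."""
    from azure.identity import EnvironmentCredential, ManagedIdentityCredential  # azure-identity
    if missing_environment_vars(env):
        return ManagedIdentityCredential()  # system-assigned identity of the VM
    return EnvironmentCredential()
```

Run `missing_environment_vars(os.environ)` from the same account and session that will execute the unattended job (scheduled task or service), not from an interactive RDP console, since that is the environment the job actually sees.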