Python script to read secrets from Azure Key Vault
# Question
I am trying to write a Python script to read secrets from Azure Key Vault. I am facing an issue with authentication when using the ***SecretClient*** class.
My code is the below:
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

CREDENTIAL = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://my_vault_name.vault.azure.net/",
    credential=CREDENTIAL
)
secret = client.get_secret('my_secret_name')
```
The error I am getting is as follows:
`EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.`
`ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.`
`SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.`
I created a Managed Identity in the Azure Portal and 'assigned it' to my Key Vault with all possible permissions.
I've tried the below as well:
```python
CREDENTIAL = azure.identity.ManagedIdentityCredential(managed_identity_client_id='my_managed_identity_client_id')
```
and
```python
CREDENTIAL = ManagedIdentityCredential()
```
but I'm getting the same *ManagedIdentityCredential* error as above.
Please note that I am trying to run the code on my local machine. What's more, I've tried using the *DefaultAzureCredential()* class for scripts to upload a file to my blob or list all my resources and it works ok, so it seems like there is an issue with the *SecretClient* class specifically. I do not want to use environment variables for security reasons as the script will be run in a prod environment.
I am also able to list my secrets using Azure CLI.
I would appreciate any ideas and tips on how to tackle this issue.
# Answer 1
**Score**: 1
I decided to focus more on the following error msg:
> *SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.*
I have added a parameter as below:
```python
CREDENTIAL = DefaultAzureCredential(additionally_allowed_tenants=['*'])
```
and it worked fine. I have also logged in using Azure CLI before re-running the code, so it might have had an impact as well.
Thank you all for the comments/answers.
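The accepted fix lets the credential chain acquire tokens for any tenant. As an added example that is not part of the question or the answer, the following pins the credential to the vault's own tenant instead, skips the shared token cache that produced the error, keeps a managed identity for production and the Azure CLI login for local runs; `VAULT_TENANT_ID`, `VAULT_URL` and the placeholder GUID are assumed values.

```python
import re
from typing import Optional

# Assumed placeholders (constructed, not real identifiers): the tenant that
# owns the vault, and the vault URL from the question.
VAULT_TENANT_ID = "00000000-0000-0000-0000-000000000000"
VAULT_URL = "https://my_vault_name.vault.azure.net/"

_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def local_dev_credential_kwargs(vault_tenant_id: str) -> dict:
    """DefaultAzureCredential options for a developer machine.

    Key Vault answers the first call with a challenge naming the vault's
    tenant, and the client then asks the credential for a token in that tenant;
    the SharedTokenCacheCredential error in the question is the credential
    refusing a tenant it was not configured for. Allowing exactly that tenant
    is the narrow fix; ['*'] would let the chain mint tokens for any tenant.
    """
    if not _GUID.match(vault_tenant_id):
        raise ValueError("vault_tenant_id must be a tenant GUID, not '*'")
    return {
        "additionally_allowed_tenants": [vault_tenant_id],
        # Rely on `az login` (the asker can already list secrets with the CLI)
        # and drop the chain members that cannot work on a laptop anyway.
        "exclude_shared_token_cache_credential": True,
        "exclude_managed_identity_credential": True,
        "exclude_environment_credential": True,
    }


def build_credential(local_dev: bool, identity_client_id: Optional[str] = None):
    """Managed identity in production, CLI-backed DefaultAzureCredential locally."""
    # SDK imports stay inside the function so the policy above can be tested
    # without azure-identity installed.
    from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

    if local_dev:
        return DefaultAzureCredential(**local_dev_credential_kwargs(VAULT_TENANT_ID))
    # A managed identity token is bound to the identity's own tenant, so no
    # tenant list is needed; client_id selects a user-assigned identity.
    return ManagedIdentityCredential(client_id=identity_client_id)


def read_secret(secret_name: str, local_dev: bool, identity_client_id: Optional[str] = None) -> str:
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=VAULT_URL, credential=build_credential(local_dev, identity_client_id))
    return client.get_secret(secret_name).value
```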