Python script to read secrets from Azure Key Vault

Question

I am trying to write a Python script to read secrets from Azure Key Vault. I am facing an issue with authentication when using the ***SecretClient*** class.

My code is below:

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential tries a chain of credentials (environment variables,
# managed identity, shared token cache, Azure CLI, ...) and raises when every
# link in the chain fails.
CREDENTIAL = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://my_vault_name.vault.azure.net/",
    credential=CREDENTIAL
)

secret = client.get_secret('my_secret_name')
```

The error I am getting is as follows:

`EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.`

`ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.`

`SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.`

I created a Managed Identity in the Azure Portal and 'assigned it' to my Key Vault with all possible permissions.

I've tried the below as well:

```python
import azure.identity

CREDENTIAL = azure.identity.ManagedIdentityCredential(managed_identity_client_id='my_managed_identity_client_id')
```

and

```python
from azure.identity import ManagedIdentityCredential

CREDENTIAL = ManagedIdentityCredential()
```

but I'm getting the same *ManagedIdentityCredential* error as above.

Please note that I am trying to run the code on my local machine. What's more, I've tried using the *DefaultAzureCredential()* class for scripts to upload a file to my blob or list all my resources and it works ok, so it seems like there is an issue with the *SecretClient* class specifically. I do not want to use environment variables for security reasons, as the script will be run in a prod environment.

I am also able to list my secrets using Azure CLI.

I would appreciate any ideas and tips on how to tackle this issue.




# Answer 1
**Score**: 1

I decided to focus more on the following error msg:

> *SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.*

I have added a parameter as below:

```python
CREDENTIAL = DefaultAzureCredential(additionally_allowed_tenants=['*'])
```

and it worked fine. I had also logged in using Azure CLI before re-running the code, so it might have had an impact as well.

Thank you all for the comments/answers.

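An added example, not the asker's code or the Azure SDK's own: it parses the chained-credential error text quoted above into one reason per credential, and builds `DefaultAzureCredential` keyword arguments that allow only the single tenant the error names, rather than `'*'`, which lets the shared token cache hand out tokens for any tenant. The `parse_chain_failures`, `refused_tenant`, `credential_kwargs` and `make_secret_client` helpers and the sample error string are assumptions of this example; the `additionally_allowed_tenants` and `managed_identity_client_id` keyword names come from the question.

```python
# Added example (not the asker's code or the Azure SDK's): diagnose a
# DefaultAzureCredential chain failure and pin the tenant instead of using '*'.
import re
from typing import Dict, Optional

# Constructed sample, assembled from the chained error text quoted in the question.
SAMPLE_ERROR = """DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.
"""

# One chain link per line: "<SomethingCredential>: <reason>"
_CHAIN_ENTRY = re.compile(r"^\s*([A-Za-z]+Credential):\s*(.+?)\s*$", re.MULTILINE)
_TENANT_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def parse_chain_failures(message: str) -> Dict[str, str]:
    """Map each credential in the chain to the reason it could not produce a token."""
    return {name: reason for name, reason in _CHAIN_ENTRY.findall(message)}

def refused_tenant(failures: Dict[str, str]) -> Optional[str]:
    """Return the tenant SharedTokenCacheCredential refused, or None if it failed some other way."""
    reason = failures.get("SharedTokenCacheCredential", "")
    match = re.search(r"tokens for tenant (\S+?)\.", reason)
    return match.group(1) if match else None

def credential_kwargs(tenant_id: str, managed_identity_client_id: Optional[str] = None) -> dict:
    """Build DefaultAzureCredential kwargs that allow exactly one tenant, never '*'."""
    if not _TENANT_GUID.match(tenant_id):
        raise ValueError("pin a concrete tenant GUID; '*' lets the cache issue tokens for any tenant")
    kwargs = {"additionally_allowed_tenants": [tenant_id]}
    if managed_identity_client_id:  # only meaningful on an Azure host with IMDS, not on a laptop
        kwargs["managed_identity_client_id"] = managed_identity_client_id
    return kwargs

def make_secret_client(vault_url: str, tenant_id: str):
    """Assumed wrapper; imports lazily so the diagnostics above run without the SDK installed."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential(**credential_kwargs(tenant_id)))

if __name__ == "__main__":
    failures = parse_chain_failures(SAMPLE_ERROR)
    print(f"failed chain links: {sorted(failures)}; tenant refused: {refused_tenant(failures)}")
```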



huangapple
  • Published on 2023-03-09 17:06:08
  • Please keep this link when reposting: https://go.coder-hub.com/75682429.html