英文:

Python script to read secrets from Azure Key Vault

问题

我正在尝试编写一个Python脚本，从Azure Key Vault读取机密。在使用***SecretClient***类时，我遇到了身份验证的问题。

我的代码如下：

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

CREDENTIAL = DefaultAzureCredential()
client = SecretClient(
    vault_url="https://my_vault_name.vault.azure.net/",
    credential=CREDENTIAL
)

secret = client.get_secret('my_secret_name')

我得到的错误如下：

EnvironmentCredential: EnvironmentCredential身份验证不可用。环境变量未完全配置。请访问https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot进行故障排除。

ManagedIdentityCredential: ManagedIdentityCredential身份验证不可用，IMDS终结点没有响应。

SharedTokenCacheCredential: 当前凭据未配置为获取租户74******-****-****-****-**********62的令牌。要为此租户启用获取令牌，请在创建凭据时将其添加到additionally_allowed_tenants中，或者将“*”添加到additionally_allowed_tenants以允许获取任何租户的令牌。

我在Azure门户中创建了托管标识，并将其“分配”给了我的Key Vault，并赋予了所有可能的权限。

我也尝试了以下方法：

CREDENTIAL = azure.identity.ManagedIdentityCredential(managed_identity_client_id='my_managed_identity_client_id')

和

CREDENTIAL = ManagedIdentityCredential()

但我得到了上述相同的ManagedIdentityCredential错误。

请注意，我试图在我的本地机器上运行该代码。而且，我已经尝试过在脚本中使用DefaultAzureCredential()类上传文件到我的Blob或列出所有资源，它可以正常工作，所以似乎问题出现在SecretClient类上。出于安全原因，我不希望使用环境变量，因为该脚本将在生产环境中运行。

我也可以使用Azure CLI列出我的机密。

我会很感激任何关于如何解决这个问题的想法和建议。

<details>
<summary>英文:</summary>

I am trying to write a python script to read secrets from Azure Key Vault. I am facing an issue with authentication when using ***SecretClient*** class.

My code is the below:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

CREDENTIAL = DefaultAzureCredential()
client = SecretClient(
vault_url="https://my_vault_name.vault.azure.net/",
credential=CREDENTIAL
)

secret = client.get_secret('my_secret_name')

The error I am getting is as follows:

`EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot.this issue. 	`

`ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint. 	`

`SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To enable acquiring tokens for this tenant add it to the additionally_allowed_tenants when creating the credential, or add "*" to additionally_allowed_tenants to allow acquiring tokens for any tenant.`


I created Managed Identity in Azure Portal and 'assigned it' to my Key Vault with all possible permissions. 

I've tried the below as well:

CREDENTIAL = azure.identity.ManagedIdentityCredential(managed_identity_client_id='my_managed_identity_client_id')

and

CREDENTIAL = ManagedIdentityCredential()

but I'm getting the same *ManagedIdentityCredential* error as above.

Please note that I am trying to run the code on my local machine. What's more, I've tried using *DefaultAzureCredential()* class for scripts to upload a file to my blob or list all my resources and it works ok so it's seems like there is an issue with the *SecretClient* class specifically. I do not want to use environmental variables for security reasons as the script will be ran in prod environment.

I am also able to list my secrets using Azure CLI.

I would appreciate any ideas and tips on how to tackle this issue.

</details>


# 答案1
**得分**: 1

我决定更专注于以下错误消息：

&gt; *SharedTokenCacheCredential：当前凭据未配置为获取租户74******-****-****-****-**********62的令牌。要为此租户启用获取令牌，请在创建凭据时将其添加到additionally_allowed_tenants，或者将“*”添加到additionally_allowed_tenants以允许获取任何租户的令牌。*

我添加了一个参数如下：

    CREDENTIAL = DefaultAzureCredential(additionally_allowed_tenants=['*'])
它运行得很好。我在重新运行代码之前还使用了Azure CLI进行了日志记录，这可能也产生了影响。

感谢大家的评论/答案。

<details>
<summary>英文:</summary>

I decided to focus more on the following error msg:

&gt; *SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant 74******-****-****-****-**********62. To
&gt; enable acquiring tokens for this tenant add it to the
&gt; additionally_allowed_tenants when creating the credential, or add &quot;*&quot;
&gt; to additionally_allowed_tenants to allow acquiring tokens for any
&gt; tenant.*

I have added a parameter as below:

    CREDENTIAL = DefaultAzureCredential(additionally_allowed_tenants=[&#39;*&#39;])
and it worked fine. I have also logged using Azure CLI before re-running the code so it might have had an impact as well.

Thank you all for the comments/answers.



</details>