(Forbidden) The user, group or application 'appid="******" does not have secrets get permission on key vault '****Key;location=eastus'

Question

I am using an Azure Databricks notebook (Python). I am trying to access Azure Blob Storage container files from Azure Databricks. To access the files I am trying to use Key Vault, since using a hard-coded account name and access key is not good practice, but I am getting the following error:

(Forbidden) The user, group or application 'appid=-" ;iss=https://sts.windows.net/****/' does not have secrets get permission on key vault '***Key;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Code: Forbidden
Message: The user, group or application 'appid=******;oid=*****;iss=https://sts.windows.net/****/' does not have secrets get permission on key vault '****Key;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Inner error: {
    "code": "AccessDenied"
}

I have added a secret scope to Databricks. Here is the screenshot of the access policies:

[screenshot not reproduced]

Here is my full code:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
import pandas as pd
import io
import pyspark.sql
from datetime import datetime, timedelta

# set Azure Key Vault details (values masked in the original post)
key_vault_name = '***key'
secret_name = '******'

credential = DefaultAzureCredential()

# create Secret Client
secret_client = SecretClient(vault_url=f"https://{key_vault_name}.vault.azure.net/", credential=credential)

# define Azure Blob Storage connection details
storage_account_name = secret_client.get_secret('storage-account-name').value
storage_account_access_key = secret_client.get_secret('storage-account-access-key').value
container_name = '*****'
refined_container_name = '*****'

connection_string = secret_client.get_secret(secret_name).value

# note: these prints write the secret values into the notebook output
print('storage_account_name = ', storage_account_name)
print('storage_account_access_key = ', storage_account_access_key)
print('connection_string = ', connection_string)


Answer 1

Score: 1

I reproduced the same thing in my environment and got the same error.

To resolve the above error, please follow these steps:

Step 1: Go to the Azure Key Vault -> Access policies -> + Create and grant sufficient permissions.

Step 2: Create a secret scope -> go to Azure_Vault -> enter the Vault_URI (for example, Vault_URI: https://<key_vault_name>.vault.azure.net/) and the Resource ID -> go to the Properties tab of the Azure Key Vault in the Azure portal, where you will find both the Vault URI and the Resource ID.

Code:

from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential as cs

kv1_URI = "https://testvam.vault.azure.net/"
# service principal credentials (values partially masked in the original answer)
TENANT_ID1 = '72f988bf-86f1-41afxxxxxxxxxxxxx'
CLIENT1_ID = 'f4dab6c8-5009-48xxxxxxxxx'
CLIENT1_SECRET = 'UVh8Q~l6M55fxxxxxxxxxxxxxxxx'
credentials = cs(
    tenant_id=TENANT_ID1,
    client_id=CLIENT1_ID,
    client_secret=CLIENT1_SECRET)

def set_secret(secret_name1, secret_value1):
    print(credentials)
    secret_client = SecretClient(vault_url=kv1_URI, credential=credentials)
    # create (or add a new version of) the secret and return its metadata
    secret = secret_client.set_secret(secret_name1, secret_value1, enabled=True)
    secr_dic = {}
    secr_dic['name'] = secret.name
    secr_dic['value'] = secret.value
    secr_dic['properties'] = secret.properties.version
    return secr_dic

# use the Key Vault secret value
x1 = set_secret('dem', 'value')
print(x1)

Output:

[screenshot not reproduced]


Answer 2

Score: 0

You need to use dbutils (1)(2) to interact with the Databricks secret scope instead of the Azure Key Vault SDK.

(1) https://learn.microsoft.com/en-us/azure/databricks/dev-tools/databricks-utils#dbutils-secrets
(2) https://learn.microsoft.com/en-us/azure/databricks/security/secrets/example-secret-workflow#secret-example-notebook
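The pattern this answer recommends, as an added example that is not part of the original answer: the notebook reads the storage account name and key through dbutils.secrets from a Key Vault-backed secret scope and hands the key to Spark, so the notebook never calls Key Vault directly with its own identity. The scope name "kv-scope" and the two secret names are assumptions; `dbutils` and `spark` exist only inside a Databricks notebook, so constructed stand-ins are used here to let the code run offline.

```python
# Added example, not from the original question or answers. Shows the
# dbutils.secrets pattern: read storage credentials from a Key Vault-backed
# secret scope and register the key with Spark. The scope name "kv-scope"
# and the secret names are assumptions; FakeSecrets and FakeSparkConf are
# constructed stand-ins for dbutils.secrets and spark.conf (offline only).

ACCOUNT_KEY_CONF = "fs.azure.account.key.{account}.dfs.core.windows.net"


def configure_storage_access(secrets, spark_conf, scope, account_secret, key_secret):
    """Read the storage account name and access key from `scope` and register
    the key with Spark. Returns a helper that builds abfss:// URIs for that
    account; the key itself is never returned, logged or printed."""
    account = secrets.get(scope=scope, key=account_secret)
    key = secrets.get(scope=scope, key=key_secret)
    if not account or not key:
        raise ValueError(f"empty storage secrets in scope {scope!r}")
    spark_conf.set(ACCOUNT_KEY_CONF.format(account=account), key)

    def container_uri(container, path=""):
        return f"abfss://{container}@{account}.dfs.core.windows.net/{path.lstrip('/')}"

    return container_uri


class FakeSecrets:
    """Constructed stand-in for dbutils.secrets (offline only). In a real
    notebook, values read via dbutils.secrets.get are redacted in cell output."""

    def __init__(self, store):
        self._store = store

    def get(self, scope, key):
        try:
            return self._store[(scope, key)]
        except KeyError:
            raise ValueError(f"Secret does not exist with scope: {scope} and key: {key}")


class FakeSparkConf:
    """Constructed stand-in for spark.conf (offline only)."""

    def __init__(self):
        self.settings = {}

    def set(self, name, value):
        self.settings[name] = value


def demo():
    """Run the pattern against the stand-ins with constructed sample values."""
    secrets = FakeSecrets({
        ("kv-scope", "storage-account-name"): "contosodata",
        ("kv-scope", "storage-account-access-key"): "not-a-real-key",
    })
    conf = FakeSparkConf()
    uri = configure_storage_access(
        secrets, conf, "kv-scope", "storage-account-name", "storage-account-access-key")
    return uri("raw", "2023/03/21/"), sorted(conf.settings)


if __name__ == "__main__":
    # Inside a notebook the call is identical with the real objects:
    # uri = configure_storage_access(dbutils.secrets, spark.conf, "kv-scope",
    #                                "storage-account-name", "storage-account-access-key")
    print(demo())
```

The returned helper is the only thing the rest of the notebook needs; keeping the key out of return values and print calls avoids the problem the question's own code has, where the access key and connection string are written to the cell output.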


Answer 3

Score: -1

On the Key Vault, add an access policy for the application id and grant the "Get" secret permission.

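Answers 1 and 3 both come down to granting the refused principal the one permission it lacks. The Forbidden response in the question already names that principal (appid and oid), the vault and the missing permission, so the diagnosis can be mechanised. The following is an added example, not code from any answer here; the sample message and its GUIDs are constructed placeholders in the shape of the masked message in the question, and `get_secret_or_explain` is a hypothetical wrapper name.

```python
# Added example, not part of the original question or answers. Parses a Key
# Vault Forbidden message into the refused principal, vault and permission,
# and builds the narrowest access-policy grant (the fix from answers 1 and 3).
# SAMPLE_MESSAGE is constructed with placeholder GUIDs.
import re

SAMPLE_MESSAGE = (
    "(Forbidden) The user, group or application "
    "'appid=00000000-0000-0000-0000-00000000aaaa;"
    "oid=11111111-1111-1111-1111-11111111bbbb;"
    "iss=https://sts.windows.net/22222222-2222-2222-2222-22222222cccc/' "
    "does not have secrets get permission on key vault 'examplekv;location=eastus'. "
    "For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287"
)

_FORBIDDEN = re.compile(
    r"'appid=(?P<appid>[^;']+);oid=(?P<oid>[^;']+);iss=(?P<iss>[^']*)' "
    r"does not have (?P<object_type>\w+) (?P<permission>\w+) permission "
    r"on key vault '(?P<vault>[^;']+);location=(?P<location>[^']+)'"
)

# `az keyvault set-policy` flag for each Key Vault object type named in the message
_POLICY_FLAG = {
    "secrets": "--secret-permissions",
    "keys": "--key-permissions",
    "certificates": "--certificate-permissions",
}


def parse_forbidden(message):
    """Return the principal, vault and missing permission from a Key Vault
    Forbidden message, or None if the message has a different shape."""
    m = _FORBIDDEN.search(message)
    return m.groupdict() if m else None


def remediation_command(info):
    """Build the access-policy grant for exactly the failed operation (least
    privilege: 'get' only, not 'list' or 'set'), keyed on the principal's
    object id so the identity that was actually refused is the one granted."""
    flag = _POLICY_FLAG.get(info["object_type"])
    if flag is None:
        raise ValueError(f"unknown Key Vault object type {info['object_type']!r}")
    return (f"az keyvault set-policy --name {info['vault']} "
            f"--object-id {info['oid']} {flag} {info['permission']}")


def get_secret_or_explain(secret_client, name):
    """Hypothetical wrapper around SecretClient.get_secret: on a 403, raise a
    PermissionError carrying the remediation command instead of the raw SDK
    error. azure.core is imported lazily so this file runs offline."""
    from azure.core.exceptions import HttpResponseError
    try:
        return secret_client.get_secret(name).value
    except HttpResponseError as exc:
        if exc.status_code == 403:
            info = parse_forbidden(exc.message)
            raise PermissionError(remediation_command(info) if info else exc.message) from exc
        raise


if __name__ == "__main__":
    info = parse_forbidden(SAMPLE_MESSAGE)
    print(info["oid"], "is missing", info["permission"], "on", info["vault"])
    print(remediation_command(info))
```

Granting by object id rather than display name matters because the oid in the message identifies the exact service principal that made the call; if the notebook authenticated as something other than the principal you expected, that shows up here before any policy is changed.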

huangapple
  • Posted on 2023-03-21 01:17:57
  • Please keep this link when reposting: https://go.coder-hub.com/75793371.html