aquib.qureshi

Reputation: 647

Passing Secret from keyvault as password of Azure VM using Azure CLI wrapped in Python

I've written some basic code, which is Azure CLI wrapped in Python. This runs well on a Linux machine and deploys a VM. We just have to provide the Resource Group Name. It fetches the VNET from that RG and then deploys the VM.

I wanted to fetch the credentials that are present in Key Vault and then pass them as the Azure VM password. But the VM gets created successfully and I have to reset the password to make it work, as I'm unable to log in to the VM.

Below is the code:

import subprocess
import json

# Assumes exactly one VNet and one subnet in the resource group;
# the last one listed wins if there are more.
def get_vnet_name(rscgroup_name):
    get_vnet_command=["az","network","vnet","list","--resource-group",rscgroup_name]
    get_vnet=subprocess.run(get_vnet_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    a=get_vnet.stdout.decode('utf-8')
    d=json.loads(a)
    for item in d:
        vname=item["name"]
        subnets=item["subnets"]
    for i in subnets:
        subnetname=i["name"]
    return vname,subnetname

# Reads a secret value from Key Vault; stdout is returned as captured (bytes).
def fetch_secret(vault_name,secret_name):
    fetch_secret_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_name,"--query","value", "-o", "tsv"]
    fetch_secret=subprocess.run(fetch_secret_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    secretkubectl=fetch_secret.stdout
    return secretkubectl

# Same as fetch_secret, but prints what was captured for debugging.
def fetch_secret_password(vault_name,secret_pass_name):
    fetch_password_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_pass_name,"--query","value", "-o", "tsv"]
    fetch_password=subprocess.run(fetch_password_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    print(fetch_password.stdout)
    secretpass=fetch_password.stdout
    print(secretpass)
    return secretpass

# Creates the VM, passing the Key Vault values as admin password and custom data.
def create_vm(vm_resourcegroup,vm_name, vm_image,vm_username, secretpass,vm_vnet,vm_subnet, vm_size, secretkubectl):
    create_vm_command=["az","vm","create","--resource-group",vm_resourcegroup,"--name",vm_name,"--image",vm_image,"--admin-username", vm_username,"--admin-password",secretpass,"--vnet-name",vm_vnet,"--subnet",vm_subnet,"--size", vm_size, "--custom-data", secretkubectl]
    create_vm=subprocess.run(create_vm_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    return

if __name__=="__main__":
    rscgroup_name="vm-test-group"
    avm_name="testvm1245"
    avm_image="Win2019Datacenter"
    avm_username="azureuser"
    avm_size="Standard_D2_V3"
    vault_name = "keyvaultname"
    secret_name = "storgacctn"
    secret_pass_name = "password"

    avm_vnet,avm_subnet=get_vnet_name(rscgroup_name)
    secretkubectl =fetch_secret(vault_name,secret_name)
    secretpass =fetch_secret_password(vault_name,secret_pass_name)
    create_vm(rscgroup_name,avm_name,avm_image,avm_username,secretpass,avm_vnet,avm_subnet,avm_size,secretkubectl)

I can see the password fine; I removed the "-o", "tsv" flag and I see the snap below with the password in double quotes. Still, I cannot log in with the credentials present as a secret in Key Vault.

I know it's very easy when I use JSON, but I wanted to achieve it using Python and the CLI.


Upvotes: 1

Views: 365

Answers (1)

Charles Xu

Reputation: 31462

The issue in your code is that the output of the subprocess is Bytecode, not a real string. You can see the output starts with b, which means Bytecode. So you need to convert the output into a string and remove the line break. Change the function like below:

import subprocess

def fetch_secret_password(vault_name,secret_pass_name):
    fetch_password_command=["az","keyvault","secret","show","--vault-name",vault_name,"--name",secret_pass_name,"--query","value", "-o", "tsv"]
    fetch_password=subprocess.run(fetch_password_command, stdout=subprocess.PIPE, stderr = subprocess.PIPE)
    print(fetch_password.stdout)
    # decode the bytes to a str and strip the trailing newline the CLI adds
    secretpass=fetch_password.stdout.decode('UTF-8').strip()
    print(secretpass)
    return secretpass

Then you get a string, as stored in the secret, for your VM password.

Upvotes: 1
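A stand-alone version of the fix, added here as example code that is not part of the question or the answer: it decodes and strips the CLI output, refuses to build the `az vm create` argv from undecoded bytes (so a forgotten decode fails before the VM is created), and masks the password when the argv is logged instead of printing the secret. `run_az`, `secret_from_stdout`, `vm_create_args`, `redacted` and the sample stdout are assumptions; the injectable `runner` lets the functions be exercised with constructed stdout rather than a live az call.

```python
import subprocess
from typing import Callable, List

# Constructed sample of what `az keyvault secret show ... -o tsv` writes to stdout:
# subprocess.run hands it back as bytes with the trailing newline still attached.
SAMPLE_TSV_STDOUT = b"P@ssw0rd-Example!\n"

def run_az(args: List[str]) -> bytes:
    """Run an az CLI command and return raw stdout. check=True raises on a failed
    command instead of quietly handing back b'' as the password."""
    result = subprocess.run(["az", *args], stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, check=True)
    return result.stdout

def secret_from_stdout(raw: bytes) -> str:
    """Decode the CLI bytes and drop the trailing line break (LF or CRLF)."""
    value = raw.decode("utf-8").strip()
    if not value:
        raise ValueError("Key Vault returned an empty secret value")
    return value

def fetch_secret(vault_name: str, secret_name: str,
                 runner: Callable[[List[str]], bytes] = run_az) -> str:
    """Fetch a secret value as str; `runner` is injectable for offline use."""
    raw = runner(["keyvault", "secret", "show", "--vault-name", vault_name,
                  "--name", secret_name, "--query", "value", "-o", "tsv"])
    return secret_from_stdout(raw)

def vm_create_args(rg: str, name: str, image: str, username: str, password: str,
                   vnet: str, subnet: str, size: str) -> List[str]:
    """Build the `az vm create` argv; every argument must already be a str, so a
    bytes password (the original bug) is rejected here rather than reaching Azure."""
    args = ["vm", "create", "--resource-group", rg, "--name", name, "--image", image,
            "--admin-username", username, "--admin-password", password,
            "--vnet-name", vnet, "--subnet", subnet, "--size", size]
    bad = [type(a).__name__ for a in args if not isinstance(a, str)]
    if bad:
        raise TypeError(f"all az arguments must be str, got {bad}")
    return args

def redacted(args: List[str]) -> List[str]:
    """Copy of the argv that is safe to log: the admin password is masked."""
    out = list(args)
    if "--admin-password" in out:
        out[out.index("--admin-password") + 1] = "***"
    return out
```

Only `redacted(...)` output should ever be printed or logged; the real argv goes straight to `subprocess.run`.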
