Azure python sdk: How to authenticate to Azure without exposing credentials in code?

Question

Is there a way authenticate a python app to Azure without adding secrets to my code? Because I'm on untrusted computing resources I can't save my secrets as environment variables nor store "config" files locally.

Given:

• A service principal has been created via the portal for this app (python-sp)
• Service principal has been assigned a Contributor role to Azure Key Vault

Example:

• I want to use the python sdk to programmatically create and manage Azure resources
• To create a new Resource Group, I first need to authenticate the python app. The only method I've been able to find which does not require a clientSecret to be added to the code is to use az login...

sp_name = 'python-sp'
sp_file = 'sp_creds.json'

!az login
!az ad sp create-for-rbac -n $sp_name --sdk-auth > $sp_file
!export AZURE_AUTH_LOCATION=$sp_file

with open(sp_file) as data_file:
    sp_details = json.load(data_file)

os.remove(sp_file)

• Unfortunately this requires interaction so the code isn't really headless. Aside from that, the credentials are in a json file in memory, even if only for a few moments.

• How do I instead access Azure Key Vault to retrieve authentication keys/secrets?

• I can't access Azure Key Vault without some kind of credential in the code.

The methods listed here all seem to require a credential be stored and accessed in some file or hardcoded.

Chicken and egg! But I guess it makes sense. Any ideas?

Answer 1

well, this question is not specific to Azure Python SDK. and the answer would be the same regardless of what type of SDK (or platform, even) you are using. So pass in credentials as environment variables, use certificates, use vaults, use managed identities, etc. All of these approaches allow for headless auth.