Reputation: 26676
I am on an Azure VM with a dynamic IP address. When I am logged in, I am able to retrieve secrets using the following Python code without any issues:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url="https://xxxx/", credential=credential)
secret = secret_client.get_secret("testSecret")
I need to retrieve the secrets when the VM is on but I am not logged in, to enable other processes to run. I noticed the code above was failing when I am logged off. The system admin gave me the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID and VAULT_URL for me to set them as EnvironmentCredentials.
I set them in CMD as follows:
SETX AZURE_CLIENT_ID "pppp"
SETX AZURE_CLIENT_SECRET "mmmm"
SETX AZURE_TENANT_ID "kkkk"
SETX VAULT_URL "xxxx"
When I check the system environment settings, I can see they have been set.
I tried retrieving my secret using this code:
import os
from azure.identity import EnvironmentCredential
from azure.keyvault.secrets import SecretClient
# EnvironmentCredential reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID
VAULT_URL = os.environ["VAULT_URL"]
credential = EnvironmentCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
password = client.get_secret("testSecret").value
I got this error:
raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: (Forbidden) The user, group or application 'pppp;iss=https://sts.windows.net/kkkk/' does not have secrets get permission on key vault 'name of my vault-vault;location=australiasoutheast'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
Question: The system admin confirms that the credentials issued are the service principal's correct details.
Your help will be highly appreciated.
Upvotes: 4
Views: 16652
Reputation: 42063
How can I correct this, or what am I doing wrong?
The error means your service principal does not have the correct secret permission in your key vault -> Access policies. To solve the issue, add the application (service principal) mentioned in the error message to the Access policies with the Get secret permission in your key vault in the Azure portal. If it still does not work, please try to set the environment variables in the System variables instead of the User variables for xxx, as shown in your screenshot.
Is there a way for me to print DefaultAzureCredential so that I can set the same as EnvironmentCredential? I believe the reason I can recover secrets when I am logged in is that the credentials are cached when I sign in.
No need to do this: DefaultAzureCredential attempts to authenticate via the following mechanisms, in this order (see here). If you didn't set the environment variables before, it should use the managed identity of your VM to authenticate.
Upvotes: 1
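The answer's diagnosis rests on one distinction: a 403 Forbidden from Key Vault means the service principal authenticated fine (otherwise the call would have failed with 401 at the token step) and it is the vault's access policy that is missing the Get secret permission. The Forbidden message even names the caller as '<app id>;iss=https://sts.windows.net/<tenant id>/', which is exactly the principal to add to the policy. The script below is an added example, not code from the question or the answer: it checks that the three variables EnvironmentCredential needs are set, fetches the secret the way the question does, and on failure reports which layer failed and the command that fixes it. It assumes the same variable names the question uses (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, VAULT_URL) and the azure-identity and azure-keyvault-secrets packages; SAMPLE_FORBIDDEN is a constructed message modelled on the one in the question, with placeholder ids and a placeholder vault name.

```python
import os
import re
from typing import Dict, List, Optional

# Variables EnvironmentCredential reads for a client-secret service principal
# (the same names the question sets with SETX).
REQUIRED_SP_VARS = ("AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID")

# Constructed sample, modelled on the Forbidden message in the question;
# the app id, tenant id and vault name are placeholders.
SAMPLE_FORBIDDEN = (
    "(Forbidden) The user, group or application "
    "'pppp;iss=https://sts.windows.net/kkkk/' does not have secrets get permission "
    "on key vault 'my-vault;location=australiasoutheast'."
)

# Key Vault names the denied caller as '<app id>;iss=https://sts.windows.net/<tenant>/'
_CALLER_RE = re.compile(
    r"application '(?P<app>[^;']+);iss=https://sts\.windows\.net/(?P<tenant>[^/']+)/'"
)
_VAULT_RE = re.compile(r"key vault '(?P<vault>[^;']+)(?:;location=[^']*)?'")


def missing_env_vars(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Names from REQUIRED_SP_VARS that are unset or empty (defaults to os.environ)."""
    source = os.environ if env is None else env
    return [name for name in REQUIRED_SP_VARS if not source.get(name)]


def caller_from_forbidden(message: str) -> Optional[Dict[str, str]]:
    """Pull the app id, tenant id and vault name out of a Key Vault Forbidden message."""
    caller = _CALLER_RE.search(message)
    vault = _VAULT_RE.search(message)
    if not caller or not vault:
        return None
    return {
        "app_id": caller.group("app"),
        "tenant_id": caller.group("tenant"),
        "vault": vault.group("vault"),
    }


def classify_failure(status_code: int, message: str) -> str:
    """Map the HTTP status to the layer that failed so the fix goes to the right place.

    401: the token itself was rejected (wrong client id, secret or tenant).
    403: the token is valid but the vault's access policy does not grant this
         principal the Get secret permission, which is the question's situation.
    """
    if status_code == 401:
        return "authentication: token rejected; re-check " + ", ".join(REQUIRED_SP_VARS)
    if status_code == 403:
        info = caller_from_forbidden(message)
        if info is None:
            return "authorization: vault denied the request, but the message did not name the caller"
        # az CLI form of the portal step the answer describes (Access policies -> Get on secrets).
        # For a vault on the Azure RBAC permission model, assign the
        # "Key Vault Secrets User" role to the same app id instead.
        return (
            "authorization: principal {app_id} in tenant {tenant_id} lacks the Get secret "
            "permission on vault {vault}; grant it with: "
            "az keyvault set-policy --name {vault} --spn {app_id} --secret-permissions get"
        ).format(**info)
    return "other ({}): {}".format(status_code, message)


def fetch_secret(name: str) -> str:
    """Fetch a secret with EnvironmentCredential, as the question does.

    The azure imports are deferred so the helpers above can be exercised
    without the SDK installed.
    """
    from azure.core.exceptions import HttpResponseError
    from azure.identity import EnvironmentCredential
    from azure.keyvault.secrets import SecretClient

    missing = missing_env_vars()
    if missing:
        # With any of these unset, EnvironmentCredential has nothing to authenticate with.
        raise RuntimeError("EnvironmentCredential cannot be built; unset: " + ", ".join(missing))
    client = SecretClient(vault_url=os.environ["VAULT_URL"], credential=EnvironmentCredential())
    try:
        return client.get_secret(name).value
    except HttpResponseError as exc:
        raise RuntimeError(classify_failure(exc.status_code, exc.message)) from exc


if __name__ == "__main__":
    print(fetch_secret("testSecret"))
```

Two operational points go with this. SETX without a switch writes User variables for the account you are typing in; SETX /M writes the System (Machine) variables the answer recommends, which is what a process running while nobody is logged in will see, and in either case only processes started after the SETX call pick the values up. And because the AZURE_CLIENT_SECRET now sits in the machine environment, readable by any local administrator and by every process on the box, the managed identity route the answer mentions is the better long-term fit: it needs no secret on disk at all.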