Reputation: 1613
Use Azure Key Vault to get secrets
I want to use Azure Key Vault in a ML notebook to retrieve secrets. The tutorial I followed here suggested to use
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential
vault_url = 'https://<myvaulturl>.vault.azure.net'
az_credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=az_credential)
client.get_secret('<mysecret>')
However I get this error ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. ManagedIdentityCredential: Unexpected response 'None'.
I think it does depend on the fact that I don't have my environment variables set:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
I was wondering if there was any other way to access the vault without using the DefaultAzureCredential class.
Anybody has any idea?
Upvotes: 1
Views: 3423
Answers (2)
Reputation: 2073
To fetch and write all secrets via azure cli in Mac, i call the below script: sh keyvault-list.sh
#!/usr/bin/env bash
echo "Enter the keyvault Name to be used for printing secrets:"
read keyvaultName
fileName=$keyvaultName+$(date "+%Y-%m-%d %H.%M.%S").txt
echo "Starting secret printing for $keyvaultName to fileName=$fileName"
echo "Starting secret printing for $keyvaultName!" >> $fileName
keyvaultEntries=($(az keyvault secret list --vault-name $keyvaultName --query "[*].{name:name}" -o tsv))
for i in "${keyvaultEntries[@]}"
do
# do whatever on "$i" here
echo "$i" :: "$(az keyvault secret show --name $i --vault-name $keyvaultName -o tsv --query value)"
echo "$i" :: "$(az keyvault secret show --name $i --vault-name $keyvaultName -o tsv --query value)" >> $fileName
done
Upvotes: 1
Reputation: 12153
Try to use ClientSecretCredential to do this :
from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential
AZURE_TENANT_ID = ''
AZURE_CLIENT_ID = ''
AZURE_CLIENT_SECRET = ''
cred = ClientSecretCredential(
client_id = AZURE_CLIENT_ID,
client_secret = AZURE_CLIENT_SECRET,
tenant_id = AZURE_TENANT_ID
)
keyVaultName = ''
KVUri = f"https://{keyVaultName}.vault.azure.net"
sc = SecretClient(vault_url=KVUri, credential=cred)
print(sc.get_secret('<secret name>').value)
Result:
UPDATE:
- You can find your tenant ID here on Azure Portal:
Follow this doc to create an Azure AD app and follow this section to create an app secret. so that you have all 3 params(tenant id, client id and client secret) for
ClientSecretCredentialFollow this doc to add this app to the access policy so that this app has permission to query secrets in Azure Key vault.
Upvotes: 1
Related Questions
- Azure Identity and Key Vault: How to use managed identities to authenticate?
- Get secrets in Azure Key vault from api management?
- Get All Secrets from Azure Key Vault with prefix
- Azure Key Vault Secrets Query
- Azure Key Vault get Secret from VMSS Instances
- retrieve secret from azure key vault
- Store key and secret in Azure key-vault
- Access Azure Key Vault secret without a SecretVersion
- Access Azure Key Vault secret in Azure Function
- Using Azure Key Vault for storing username and password