3nomis

Reputation: 1613

Use Azure Key Vault to get secrets

I want to use Azure Key Vault in a ML notebook to retrieve secrets. The tutorial I followed here suggested using:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

vault_url = 'https://<myvaulturl>.vault.azure.net'
az_credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=az_credential)

client.get_secret('<mysecret>')

However, I get this error:

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. ManagedIdentityCredential: Unexpected response 'None'.

I think it does depend on the fact that I don't have my environment variables set:

AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID

I was wondering if there was any other way to access the vault without using the DefaultAzureCredential class.
Does anybody have any idea?

Upvotes: 1

Views: 3423

Answers (2)

Anand Varkey Philips

Reputation: 2073

To fetch and write all secrets via the Azure CLI on Mac, I call the below script: sh keyvault-list.sh

#!/usr/bin/env bash

# The output file holds secret values in plain text: create it readable by the owner only.
umask 077

echo "Enter the keyvault Name to be used for printing secrets:"
read -r keyvaultName

# The file name contains a space (from the date format), so it is quoted wherever it is used.
fileName="$keyvaultName+$(date "+%Y-%m-%d %H.%M.%S").txt"
echo "Starting secret printing for $keyvaultName to fileName=$fileName"
echo "Starting secret printing for  $keyvaultName!" >> "$fileName"

# Secret names contain no whitespace, so splitting the tsv output into an array is safe.
keyvaultEntries=($(az keyvault secret list --vault-name "$keyvaultName" --query "[*].{name:name}" -o tsv))

for i in "${keyvaultEntries[@]}"
do
    # Fetch each value once, then print it and append it to the file.
    value="$(az keyvault secret show --name "$i" --vault-name "$keyvaultName" -o tsv --query value)"
    echo "$i :: $value"
    echo "$i :: $value" >> "$fileName"
done

Upvotes: 1

Stanley Gong

Reputation: 12153

Try to use ClientSecretCredential to do this:

from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential

AZURE_TENANT_ID = ''
AZURE_CLIENT_ID = ''
AZURE_CLIENT_SECRET = ''


cred = ClientSecretCredential(
    client_id = AZURE_CLIENT_ID,
    client_secret = AZURE_CLIENT_SECRET,
    tenant_id = AZURE_TENANT_ID
)

keyVaultName = ''
KVUri = f"https://{keyVaultName}.vault.azure.net"

sc = SecretClient(vault_url=KVUri, credential=cred)
print(sc.get_secret('<secret name>').value)


UPDATE:

  1. You can find your tenant ID here on Azure Portal:

  2. Follow this doc to create an Azure AD app and follow this section to create an app secret, so that you have all 3 params (tenant id, client id and client secret) for ClientSecretCredential.

  3. Follow this doc to add this app to the access policy so that this app has permission to query secrets in Azure Key Vault.

Upvotes: 1
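
An added example, not part of either answer above and not Azure SDK code: it reports which of the three variables from the question are missing (names only), loads the service principal settings without hard-coding the client secret in a notebook cell, and then makes the same ClientSecretCredential call as the second answer. The names ServicePrincipal, missing_variables, load_service_principal, vault_url and read_secret are hypothetical, and the vault-name pattern is an assumed shape check for the public-cloud URL used on this page.

```python
import os
import re
from dataclasses import dataclass, field

# The three variables named in the question.
REQUIRED = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


@dataclass(frozen=True)
class ServicePrincipal:  # hypothetical holder type, not part of the Azure SDK
    tenant_id: str
    client_id: str
    client_secret: str = field(repr=False)  # keeps the secret out of cell output


def missing_variables(env):
    """Return the names (never the values) of required variables that are unset or blank."""
    return [name for name in REQUIRED if not env.get(name, "").strip()]


def load_service_principal(env=None, prompt=None):
    """Read the settings from env; if prompt is given, ask only for a missing secret."""
    env = dict(os.environ if env is None else env)
    if prompt is not None and not env.get("AZURE_CLIENT_SECRET", "").strip():
        env["AZURE_CLIENT_SECRET"] = prompt("AZURE_CLIENT_SECRET: ")
    missing = missing_variables(env)
    if missing:
        raise RuntimeError("not set: " + ", ".join(missing))
    return ServicePrincipal(*(env[name].strip() for name in REQUIRED))


def vault_url(vault_name):
    """Build the public-cloud vault URL used on this page from a bare vault name."""
    # Letters, digits and hyphens only, so the value cannot alter the host or path.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]", vault_name):
        raise ValueError("unexpected vault name: %r" % vault_name)
    return f"https://{vault_name}.vault.azure.net"


def read_secret(vault_name, secret_name, sp):
    """Fetch one secret value with ClientSecretCredential, as in the answer above."""
    # Imported lazily so the checks above also run where the Azure SDK is not installed.
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient

    cred = ClientSecretCredential(
        tenant_id=sp.tenant_id, client_id=sp.client_id, client_secret=sp.client_secret
    )
    return SecretClient(vault_url=vault_url(vault_name), credential=cred).get_secret(secret_name).value
```

In a notebook, `load_service_principal(prompt=getpass.getpass)` asks for the client secret interactively when the variable is not set, so the value is never saved with the notebook.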
