Reputation: 1613
I want to use Azure Key Vault in a ML notebook to retrieve secrets. The tutorial I followed here suggested using

```python
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

vault_url = 'https://<myvaulturl>.vault.azure.net'
az_credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=az_credential)
client.get_secret('<mysecret>')
```

However, I get this error:

```
ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured. ManagedIdentityCredential: Unexpected response 'None'
```
I think it does depend on the fact that I don't have my environment variables set:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
I was wondering if there was any other way to access the vault without using the DefaultAzureCredential class.
Does anybody have any idea?
Upvotes: 1
Views: 3423
Reputation: 2073
To fetch and write all secrets via the Azure CLI on Mac, I call the below script: sh keyvault-list.sh

```bash
#!/usr/bin/env bash
# Prints every secret in a vault and appends it to a timestamped text file.
# Note: the output file contains the secret values in plaintext.
echo "Enter the keyvault Name to be used for printing secrets:"
read -r keyvaultName
# The timestamp contains a space, so the file name must be quoted wherever it is used.
fileName="$keyvaultName+$(date "+%Y-%m-%d %H.%M.%S").txt"
echo "Starting secret printing for $keyvaultName to fileName=$fileName"
echo "Starting secret printing for $keyvaultName!" >> "$fileName"
keyvaultEntries=($(az keyvault secret list --vault-name "$keyvaultName" --query "[*].{name:name}" -o tsv))
for i in "${keyvaultEntries[@]}"
do
    # do whatever on "$i" here
    # Fetch the value once, then print it and append it to the file.
    value="$(az keyvault secret show --name "$i" --vault-name "$keyvaultName" -o tsv --query value)"
    echo "$i :: $value"
    echo "$i :: $value" >> "$fileName"
done
```
Upvotes: 1
Reputation: 12153
Try to use ClientSecretCredential to do this:

```python
from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential

# Service principal (Azure AD app) values; fill these in.
AZURE_TENANT_ID = ''
AZURE_CLIENT_ID = ''
AZURE_CLIENT_SECRET = ''

cred = ClientSecretCredential(
    client_id = AZURE_CLIENT_ID,
    client_secret = AZURE_CLIENT_SECRET,
    tenant_id = AZURE_TENANT_ID
)

# Name of the vault, without the .vault.azure.net suffix.
keyVaultName = ''
KVUri = f"https://{keyVaultName}.vault.azure.net"

sc = SecretClient(vault_url=KVUri, credential=cred)
print(sc.get_secret('<secret name>').value)
```
UPDATE:
Follow this doc to create an Azure AD app and follow this section to create an app secret, so that you have all 3 params (tenant ID, client ID and client secret) for ClientSecretCredential.
Follow this doc to add this app to the access policy so that this app has permission to query secrets in Azure Key Vault.
Upvotes: 1
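Added example, not part of either answer above and not code from the Azure SDK: the EnvironmentCredential part of the error in the question refers to the three variables it lists, so this code reports which of them are unset and prompts for the missing ones with hidden input, which keeps the client secret out of the notebook source and saved output. The helper names `missing_sp_vars`, `load_sp_settings` and `fetch_secret` are hypothetical, and the sample environment is constructed.

```python
import getpass
import os

# The three service-principal variables named in the question.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def missing_sp_vars(env=None):
    """Return the service-principal variables that are unset or blank."""
    env = os.environ if env is None else env
    return [name for name in SP_VARS if not env.get(name, "").strip()]


def load_sp_settings(env=None, prompt=getpass.getpass):
    """Collect the three values, asking for any that the environment lacks."""
    # getpass hides the typed input, so the secret is not echoed into the notebook.
    env = os.environ if env is None else env
    settings = {}
    for name in SP_VARS:
        value = env.get(name, "").strip()
        if not value:
            value = prompt(f"{name}: ").strip()
        if not value:
            raise ValueError(f"{name} is required")
        settings[name] = value
    return settings


def fetch_secret(vault_name, secret_name, settings):
    """Read one secret with ClientSecretCredential (needs network access)."""
    # Imported lazily so the helpers above work without the Azure SDK installed.
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient
    cred = ClientSecretCredential(
        tenant_id=settings["AZURE_TENANT_ID"],
        client_id=settings["AZURE_CLIENT_ID"],
        client_secret=settings["AZURE_CLIENT_SECRET"],
    )
    url = f"https://{vault_name}.vault.azure.net"
    return SecretClient(vault_url=url, credential=cred).get_secret(secret_name).value


if __name__ == "__main__":
    # Constructed sample environment: only the tenant ID is configured.
    sample = {"AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000"}
    print("missing:", missing_sp_vars(sample))
```

In a notebook, call `load_sp_settings()` once and pass the result to `fetch_secret`; the service principal still needs permission on the vault as described in the answer above.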