Reputation: 1539
Azure Retrieve Secret from key vault
I am following the Microsoft documentation to retrieve secrets from a key vault using python sdk.
The code and explanation offered by Microsoft leads to this code:
import os
import cmd
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential
keyvault_name = f'https://<Keyvaultname>.vault.azure.net/'
KeyVaultName = "<Keyvaultname>"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=keyvault_name, credential=credential)
print(" done.")
print(f"Retrieving your secret from {KeyVaultName}.")
retrieved_secret = client.get_secret("test")
print(f"Your secret is '{retrieved_secret.value}'.")
According to my understanding, the DefaultCredentials are the one configured in the az login which is fine, my code runs just fine but I keep getting this message in the terminal.
done.
Retrieving your secret from <KeyvaultName>.
EnvironmentCredential.get_token failed: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. Multiple accounts
were found in the cache. Use username and tenant id to disambiguate.
I presume that this warnings are due the fact that I have multiple subscription in my azure portal.
I was wondering, how can I get rid of those and set the credentials for only a single subscription?
Thank you so much for any help and explanation you can offer me.
Upvotes: 0
Views: 941
Answers (1)
Reputation: 136146
Generally speaking, I would not worry about this warning. When you use DefaultAzureCredential, SDK tries the following credential options in that order (Reference):
- EnvironmentCredential
- ManagedIdentityCredential
- SharedTokenCacheCredential
- VisualStudioCredential
- VisualStudioCodeCredential
- AzureCliCredential
- AzurePowerShellCredential
- InteractiveBrowserCredential
SDK moves from one credential options to another if that credential option fails. The warning message is just a way for the SDK to tell you what all credential options it has tried.
However if you still want to get rid of this message, there are a few options available to you:
- Exclude the credential options that you do not want SDK to try when using
DefaultAzureCredential. You can specify those viaexclude_xxx_credentialoption in the constructor. For example, if you want to excludeEnvironmentCredential, you would specifyexclude_environment_credential=Truein theDefaultAzureCredentialconstructor. SDK will skip those credential methods. Please see thislinkfor all constructor options. - Use specific credential option. For example, if you always want to use Azure CLI credentials, then instead of using DefaultAzureCredential you can use
AzureCliCredential.
Upvotes: 1
Related Questions
- Read key vault secrets in Azure DevOps pipeline
- Python Azure sdk: How to retrieve secrets from keyvault?
- Azure Python SDK retrieve Key Vault secret for storage account
- KeyVault getting a secret out fails
- Retrieving list of secrets from azure keyvault in python
- Cannot access azure key vault secret with python
- Using Azure Key Vault and Active Directory to Retrieve Secrets
- Read Azure Key Vault Secret from Function App
- unable to get the secret / certificate from Azure Key Vault using python | 'KeyVaultManagementClient' object has no attribute 'get_secret'
- Interacting with Azure Key Vault using python w/ rest api