Thanks in advance. I'm trying to create a VM using Python. At deployment time it will check for a certificate present in Key Vault and copy it to the VM.

I'm doing this by following the article below:

https://azure.microsoft.com/en-in/resources/samples/key-vault-python-deploy-certificates-to-vm/

The issue here is that the above example logs in using the application ID and secret method, whereas I log in using device auth.

I wanted to use ADAL or the device auth method, in which it asks us to log in to the Azure portal, type the auth code and then log in; it then passes the credentials to the current session. I'm using the interactive way of authentication, not the non-interactive way with client ID and secret.

I'm getting the error 'KeyVaultManagementClient' object has no attribute 'get_secret' in the function "get_certificates". Is there any function which gets the certificate/secrets using my way of interactive logon, or is this only available with the application ID and secret method?

from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.compute.models import DiskCreateOption
from azure.mgmt.network.v2017_03_01.models import NetworkSecurityGroup
from azure.mgmt.network.v2017_03_01.models import SecurityRule
import azure.mgmt.network.models
from msrestazure.azure_active_directory import AADTokenCredentials
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.datalake.analytics.job import DataLakeAnalyticsJobManagementClient
from azure.mgmt.datalake.analytics.job.models import JobInformation, JobState, USqlJobProperties
import adal, uuid, time


SUBSCRIPTION_ID = 'xxx-xxxx-xxxx-xxxx-xxxx'
GROUP_NAME = 'RAH-AQ'
Vault_Name = 'aqrahkeyvault'
SECRET_NAME = 'staticwebsite'   # name of the certificate stored as a secret in the vault
LOCATION = ''
certificate_as_secret = ''

def authenticate_device_code():
    """
    Authenticate the end-user using device auth.
    """

    authority_host_uri = 'https://login.microsoftonline.com'
    tenant = 'xxxx-xxxx-xxxx-xxxx-xxxx'
    authority_uri = authority_host_uri + '/' + tenant
    resource_uri = 'https://management.core.windows.net/'   # token audience: the management plane
    client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

    context = adal.AuthenticationContext(authority_uri, api_version=None)
    code = context.acquire_user_code(resource_uri, client_id)
    print(code['message'])   # tells the user where to enter the device code
    mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
    credentials = AADTokenCredentials(mgmt_token, client_id)

    return credentials


def get_keyvault(kv_client):
    myvault = kv_client.vaults.get(resource_group_name=GROUP_NAME, vault_name=Vault_Name)

    return myvault


def get_certificates(kv_client, myvault):
    global certificate_as_secret
    # This is the call that fails: KeyVaultManagementClient manages vaults and
    # has no get_secret method, hence the AttributeError in the question.
    certificate_as_secret = kv_client.get_secret(
        myvault.properties.vault_uri,
        SECRET_NAME,
        ""  # Latest version
    )
    return certificate_as_secret


if __name__ == "__main__":
    credentials = authenticate_device_code()

    resource_group_client = ResourceManagementClient(
        credentials,
        SUBSCRIPTION_ID
    )
    network_client = NetworkManagementClient(
        credentials,
        SUBSCRIPTION_ID
    )
    compute_client = ComputeManagementClient(
        credentials,
        SUBSCRIPTION_ID
    )

    kv_client = KeyVaultManagementClient(
        credentials,
        SUBSCRIPTION_ID
    )

    creation_result_keyvault = get_keyvault(kv_client)
    print("------------------------------------------------------")
    print(creation_result_keyvault)

    creation_result_certificates = get_certificates(kv_client, creation_result_keyvault)
    print("------------------------------------------------------")
    print(creation_result_certificates)
  • You need to be using myvault.get_secret, not kv_client.get_secret, because it's the vault that has the secret. Commented Jun 5, 2019 at 17:42
  • It's giving the error 'Vault' object has no attribute 'get_secret'. Commented Jun 5, 2019 at 18:02
  • What is the output of type(myvault)? And which version of azure.keyvault are you using? Commented Jun 5, 2019 at 18:24
  • I'm sorry, I don't know how to get the output of type(myvault), and regarding the version of Key Vault, it's the latest version, created a few days ago. Commented Jun 5, 2019 at 18:32
  • Hi Nivs, do you know anything about this which can help? Commented Jun 6, 2019 at 18:14

2 Answers

To get the secret in the Azure Key Vault, you need to use the package azure.keyvault. The code is like below:

from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials

# Fill these in for your vault; SECRET_VERSION = '' asks for the latest version.
VAULT_URL = 'https://<vault-name>.vault.azure.net'
SECRET_ID = '<secret-name>'
SECRET_VERSION = ''

def auth_callback(server, resource, scope):
    # Called by the client for each request; the token must be issued for the
    # Key Vault resource, not for the management resource.
    credentials = ServicePrincipalCredentials(
        client_id = '',
        secret = '',
        tenant = '',
        resource = "https://vault.azure.net"
    )
    token = credentials.token
    return token['token_type'], token['access_token']

client = KeyVaultClient(KeyVaultAuthentication(auth_callback))

secret_bundle = client.get_secret(VAULT_URL, SECRET_ID, SECRET_VERSION)

print(secret_bundle.value)

And there is a point you should pay attention to: you need to add an access policy that allows the service principal to get the secret (Key Vault -> Access policy -> Add new -> Secret Management).

2 Comments

Hi Charles, thanks, but your code is still using the client ID and client secret to authenticate? I'm not using this authentication; I log in with the device auth code method and don't have an application ID and secret.
For SECRET_VERSION you can use: from azure.keyvault import KeyVaultId; secret_bundle = client.get_secret(vault_url, SECRET_ID, secret_version=KeyVaultId.version_none)
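As an added example (not part of the question or of either answer): one way to plug the question's device-code login into the KeyVaultAuthentication callback shown in this answer, caching the token per audience so the user is not prompted on every request, and failing early when the token was minted for the management plane (the question's resource_uri) instead of the vault. The acquire function, its adal-style token dict and the constructed_acquire helper are assumptions.

```python
import time

# Audiences (the `resource` in ADAL terms). The question acquires a token for ARM_RESOURCE
# and then tries to read a secret; the vault data plane only accepts VAULT_RESOURCE tokens.
ARM_RESOURCE = "https://management.core.windows.net/"
VAULT_RESOURCE = "https://vault.azure.net"


class CachedDeviceCodeAuth:
    """Adapts any acquire(resource) function (assumed to return an adal-style dict with
    accessToken, tokenType, expiresIn and resource, as adal's device-code flow does) into
    the (token_type, access_token) callback that KeyVaultAuthentication expects.
    Tokens are cached per resource and refreshed shortly before expiry, so the user is
    not asked to enter a device code on every vault request."""

    def __init__(self, acquire, now=time.time, skew=60):
        self._acquire = acquire   # e.g. a wrapper around context.acquire_token_with_device_code
        self._now = now           # injectable clock, so expiry can be tested without waiting
        self._skew = skew         # refresh this many seconds before the token expires
        self._cache = {}          # resource -> (token dict, absolute expiry time)

    def token_for(self, resource):
        cached = self._cache.get(resource)
        if cached is not None and cached[1] - self._skew > self._now():
            return cached[0]
        tok = self._acquire(resource)
        # Guard against the bug in the question: a token minted for the management plane
        # is rejected by the vault, so fail early if the audience does not match.
        if tok.get("resource", resource) != resource:
            raise ValueError(f"token audience {tok.get('resource')!r} != requested {resource!r}")
        self._cache[resource] = (tok, self._now() + int(tok["expiresIn"]))
        return tok

    def callback(self, server, resource, scope):
        """Signature used by azure.keyvault.KeyVaultAuthentication; `resource` comes from
        the vault's WWW-Authenticate challenge and is normally VAULT_RESOURCE."""
        tok = self.token_for(resource)
        return tok["tokenType"], tok["accessToken"]


def constructed_acquire(audience):
    """Constructed stand-in for the device-code flow: returns a token for `audience`
    regardless of what was requested, mimicking the question's hard-coded resource_uri."""
    def acquire(resource):
        return {"accessToken": f"eyJ.constructed.{len(resource)}", "tokenType": "Bearer",
                "expiresIn": 3600, "resource": audience}
    return acquire
```

With a real ADAL context, acquire would be a function that calls context.acquire_user_code and context.acquire_token_with_device_code for the requested resource, so the device-code prompt happens at most once per audience per token lifetime.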

As @Charles Xu mentioned in their answer, the management library shouldn't be used for getting secrets from a vault. There are now new packages for working with Key Vault data in Python that replace azure-keyvault:

There's also the azure-mgmt-keyvault package for managing vaults. All of these use the azure-identity package for authentication.

To interactively authenticate users through a device, you can use the DeviceCodeCredential class from azure-identity. Here's an example of how to get a secret using the credential, using the client ID and vault name from your code:

from azure.identity import DeviceCodeCredential
from azure.keyvault.secrets import SecretClient

client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
vault_name = 'aqrahkeyvault'

# Prompts the user to open the device-login page and enter a code
credential = DeviceCodeCredential(client_id=client_id)
client = SecretClient('https://{}.vault.azure.net'.format(vault_name), credential)
secret = client.get_secret('secret-name')

(I work on the Azure SDK in Python)
