
I have previously used the Azure Python SDK module AADCredentials to authenticate a client such as SubscriptionClient from azure-mgmt-resource. As azure-identity is being rolled out, I find that I cannot use AADCredentials with azure-identity clients such as SecretClient to access a KeyVault. In a nutshell, I am trying to figure out a way to use an externally generated auth token for a service principal to create a credential that SecretClient can use without re-writing AADCredentials to add a get_token method e.g.

from azure.keyvault.secrets import SecretClient
from msrestazure.azure_active_directory import AADTokenCredentials

vault_url = 'https://<vault-name>.vault.azure.net/'  # placeholder, the original omitted it
token = {'tokenType': 'Bearer', 'accessToken': 'BLAH'}  # token obtained outside Python
client_id = '123'
cred = AADTokenCredentials(token, client_id=client_id)
secret_client = SecretClient(vault_url=vault_url, credential=cred)

# Errors with: AttributeError: 'AADTokenCredentials' object has no attribute 'get_token'
retrieved_secret = secret_client.get_secret('secretname')

I'm trying to do this so that Python does not get access to the service principal certificate and therefore cannot copy it elsewhere along with the password.

Any thoughts would be appreciated


1 Answer

azure-identity doesn't include an equivalent credential but there is a sample demonstrating how to write a custom credential that does the same thing (from the custom credentials sample):

from azure.core.credentials import AccessToken

class StaticTokenCredential(object):
    """Authenticates with a previously acquired access token

    Note that an access token is valid only for certain resources and eventually expires.
    This credential is therefore quite limited. An application using it must ensure
    the token is valid and contains all claims required by any service client given an
    instance of this credential.
    """
    def __init__(self, access_token):
        # type: (Union[str, AccessToken]) -> None
        if isinstance(access_token, AccessToken):
            self._token = access_token
        else:
            # Setting expires_on in the past causes Azure SDK clients to call
            # get_token every time they need a token. You could adapt this class
            # to use the token's actual expires_on value, if you know it.
            self._token = AccessToken(token=access_token, expires_on=0)

    def get_token(self, *scopes, **kwargs):
        # type: (*str, **Any) -> AccessToken
        return self._token

1 Comment

That looks like it should do the job if there isn't an equivalent in azure.identity. Thanks for your help
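The sample above deliberately sets expires_on to 0 and returns whatever it was given. The example below, which is added here and is not the answer's code or part of azure-identity, carries the same get_token contract further in the direction the docstring hints at: it reads the token's own exp claim so SDK clients see the real expiry, refuses to present a token whose aud does not cover the scope the client requests, and calls an optional refresh callback (the external broker that actually holds the service-principal certificate) once the token is near expiry, so the private key still never enters the Python process. Assumptions: the token is a compact JWT, its aud is the resource URI (v1-style tokens; v2 tokens carry the resource's application ID instead, so adjust the comparison if your broker issues those), and make_unsigned_jwt is a constructed helper that only exists so the class can be exercised offline, since Key Vault would reject an alg=none token. The signature is intentionally not verified: the client did not mint the token and Key Vault verifies it on receipt.

```python
import base64
import json
import time
from typing import Any, Callable, NamedTuple, Optional

try:
    # Real Azure SDK clients read .token and .expires_on from this type.
    from azure.core.credentials import AccessToken
except ImportError:  # assumption: keep the example runnable without azure-core installed
    class AccessToken(NamedTuple):
        token: str
        expires_on: int


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def scope_to_resource(scope: str) -> str:
    """'https://vault.azure.net/.default' -> 'https://vault.azure.net'"""
    suffix = "/.default"
    resource = scope[: -len(suffix)] if scope.endswith(suffix) else scope
    return resource.rstrip("/")


class ExternalTokenCredential:
    """Hands an externally acquired access token to Azure SDK clients via get_token.

    refresh: optional callable returning a fresh token string, e.g. a call to the
             broker that owns the service-principal certificate (assumption).
    skew:    seconds before exp at which the token is treated as expired.
    """

    def __init__(self, access_token: str,
                 refresh: Optional[Callable[[], str]] = None, skew: int = 300) -> None:
        self._refresh = refresh
        self._skew = skew
        self._set(access_token)

    def _set(self, access_token: str) -> None:
        claims = decode_jwt_claims(access_token)
        for required in ("aud", "exp"):
            if required not in claims:
                raise ValueError(f"token lacks required claim {required!r}")
        self._claims = claims
        # Real expiry, so clients refresh or fail before Key Vault returns 401.
        self._token = AccessToken(token=access_token, expires_on=int(claims["exp"]))

    def _audience_covers(self, scope: str) -> bool:
        # Assumption: aud is the resource URI (v1-style token).
        return self._claims["aud"].rstrip("/") == scope_to_resource(scope)

    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
        if not scopes:
            raise ValueError("at least one scope is required")
        if self._token.expires_on - self._skew <= time.time():
            if self._refresh is None:
                raise RuntimeError("access token expired and no refresh callback configured")
            self._set(self._refresh())
        for scope in scopes:
            if not self._audience_covers(scope):
                raise ValueError(
                    f"token audience {self._claims['aud']!r} does not cover scope {scope!r}")
        return self._token


def make_unsigned_jwt(aud: str, lifetime_seconds: int) -> str:
    """CONSTRUCTED test input: an alg=none JWT with the given aud and lifetime.

    Only for exercising the credential offline; Azure rejects unsigned tokens.
    """
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = seg({"alg": "none", "typ": "JWT"})
    payload = seg({"aud": aud, "exp": int(time.time()) + lifetime_seconds,
                   "appid": "00000000-0000-0000-0000-000000000000"})  # placeholder client id
    return f"{header}.{payload}."
```

In use, the broker's output goes straight into the client: SecretClient(vault_url=vault_url, credential=ExternalTokenCredential(token, refresh=fetch_from_broker)). If the broker can only mint one token per resource, keep one credential instance per resource rather than sharing a single token across clients; the audience check will flag the mismatch instead of letting the request fail with a 401.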
