0

I would like to retrieve Azure Key Vault referenced secrets in the App Configuration service. In dotnet it is a piece of cake: you simply add options.ConfigureKeyVault and can retrieve a secret like this:

var credential = new DefaultAzureCredential();
var config = new ConfigurationBuilder().AddAzureAppConfiguration(options => {
    options.Connect(
        new Uri("https://app-cf.azconfig.io"), credential
    ).Select("*", "label");
    options.ConfigureKeyVault(kv => {
        kv.SetCredential(credential);
    });
}).Build();
var test = config.GetValue<string>("secret_name");

But in Python I haven't found any method to add KeyVault handling in AzureAppConfigurationClient, and when you try to retrieve a Key Vault referenced secret you simply get a string:

'{"uri":"https://kv-name.vault.azure.net/secrets/SecretName"}'.

I've "solved" this by writing a function:

import json
from pathlib import Path
from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def get_appcf_label(base_url: str, label: str) -> dict:
    """Get app configurations for specified label."""
    credential = DefaultAzureCredential()
    client = AzureAppConfigurationClient(base_url, credential)
    filtered_listed = client.list_configuration_settings(
        key_filter="*", label_filter=label
    )
    config = dict()
    for item in filtered_listed:
        if (
            item.content_type
            == "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"
        ):
            url_parts = Path(json.loads(item.value)["uri"]).parts
            vault_url = "//".join(url_parts[:2])
            kv_secret = url_parts[-1]
            kv_client = SecretClient(vault_url, credential)
            secret_val = kv_client.get_secret(kv_secret).value
            config.update({item.key: secret_val})
        else:
            config.update({item.key: item.value})
    return config

I don't like this solution, especially string parsing, even though it's working, but I cannot figure out a better way to do it. Do you have any ideas how to do it in a smarter/cleaner way?

  • Do you have any concerns about this issue? Commented Dec 30, 2020 at 1:58
  • @Szymon Osiecki Were you able to find any better solution using the SDK itself? Commented Feb 16, 2022 at 15:00

2 Answers

0

You can get the value via the REST API.

I think this should be the easiest way. In addition, you should consult the information to obtain the Bearer token.

REST API -- Web Apps - Get App Setting Key Vault Reference

You can use import requests in your code. The post below shows how to send a POST request.

Using API microsoft translator in a Python script


0

It seems even the Azure CLI does the same: if you need Key Vault secret resolution, it creates a Key Vault client. Relevant code from the Azure CLI: /opt/az/lib/python3.11/site-packages/azure/cli/command_modules/appconfig/keyvalue.py

    # fetch key values from user's configstore
    src_kvs = __read_kv_from_config_store(azconfig_client,
                                          key=key,
                                          label=label if label else SearchFilterOptions.EMPTY_LABEL,
                                          prefix_to_remove=prefix if not export_as_reference else "",
                                          snapshot=snapshot,
                                          cli_ctx=cmd.cli_ctx if resolve_keyvault else None)

and the relevant block from _kv_helpers.py

    if cli_ctx:
        from azure.cli.command_modules.keyvault._client_factory import keyvault_data_plane_factory
        keyvault_client = keyvault_data_plane_factory(cli_ctx)
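
An added example, not part of the question or either answer: the reference URI from the question parsed with `urllib.parse` instead of `Path`, and checked against an allow-list of vault hosts before any credential is used against it. The function names, the allow-list parameter and the injected `fetch_secret` callable are assumptions made for this sketch; the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Content type the question checks for on Key Vault reference settings.
KEYVAULT_REF_TYPE = "application/vnd.microsoft.appconfig.keyvaultref+json;charset=utf-8"


def parse_keyvault_reference(value, allowed_hosts):
    """Return (vault_url, secret_name, version); raise ValueError if rejected."""
    doc = json.loads(value)
    uri = doc.get("uri") if isinstance(doc, dict) else None
    if not isinstance(uri, str):
        raise ValueError("reference has no string 'uri' field")
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or parts.username or parts.port not in (None, 443):
        raise ValueError(f"not a plain https vault URI: {uri!r}")
    if host not in allowed_hosts:
        raise ValueError(f"vault host not on the allow-list: {host!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError(f"not a /secrets/<name>[/<version>] path: {uri!r}")
    version = segments[2] if len(segments) == 3 else None
    return f"https://{host}", segments[1], version


def resolve_settings(settings, fetch_secret, allowed_hosts):
    # settings: iterable of (key, value, content_type) tuples.
    # fetch_secret(vault_url, name, version) is supplied by the caller (assumed
    # to wrap SecretClient(vault_url, credential).get_secret in real use).
    resolved = {}
    for key, value, content_type in settings:
        if content_type == KEYVAULT_REF_TYPE:
            value = fetch_secret(*parse_keyvault_reference(value, allowed_hosts))
        resolved[key] = value
    return resolved


# Constructed sample input; the vault and secret names are the question's.
SAMPLE = [
    ("plain", "42", None),
    ("secret_name",
     '{"uri":"https://kv-name.vault.azure.net/secrets/SecretName"}',
     KEYVAULT_REF_TYPE),
]


def fake_fetch(vault_url, name, version):
    """Offline stand-in for the Key Vault call (hypothetical helper)."""
    return f"<{vault_url}|{name}|{version}>"
```

Rejecting a reference raises `ValueError` before any Key Vault client is created, so a setting that points at an unexpected host fails closed instead of triggering an authenticated request.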

