Authenticating to Azure Key Vault locally with DefaultAzureCredential

Problem description:

I am attempting to run this 'Retrieve a secret from the vault' example locally (Ubuntu 19.10) to retrieve a secret from an Azure Key Vault:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

client = SecretClient(vault_url="https://<<vaultname>>.vault.azure.com",
                      credential=DefaultAzureCredential())

secret = client.get_secret("<<mysecret>>")

But I receive the following error:

azure.core.exceptions.ClientAuthenticationError: No credential in this chain provided a token.
Attempted credentials:
EnvironmentCredential: Incomplete environment configuration. See https://aka.ms/python-sdk-identity#environment-variables for expected environment variables
ImdsCredential: IMDS endpoint unavailable
Please visit the documentation at https://aka.ms/python-sdk-identity#defaultazurecredential to learn what options DefaultAzureCredential supports

The documentation on Service-to-Service authentication to Key Vault seems to suggest that I should be able to authenticate via the Azure CLI, and I've followed the steps to log in via az login, select the appropriate subscription (which I've done just in case, despite only having one), and verify access via az account get-access-token --resource https://vault.azure.net, which does return a token; however, I still receive the error above.

Am I wrong in assuming I should be able to authenticate after logging in via the cli?

And if so, and I need to manually set the environment variables described in the documentation link provided for EnvironmentCredential, what values do I need to supply for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET?

Answer:

Am I wrong in assuming I should be able to authenticate after logging in via the cli?

You're not wrong, it's possible with the current preview version of azure-identity, 1.4.0b2 as I write this. With that installed, your code should work once you've logged in to the CLI.

...what values do I need to supply for AZURE_CLIENT_ID and AZURE_CLIENT_SECRET?

These would be the client (or "application") ID of a service principal, and one of its secrets. The azure-keyvault-secrets documentation describes how to create a service principal and configure its access to a Key Vault, using the CLI.

Briefly restating that documentation here, you can create a service principal with this command:

az ad sp create-for-rbac --name http://my-application

From the output of that command, "appId" is the value of AZURE_CLIENT_ID and "password" is the value of AZURE_CLIENT_SECRET.

Then, to grant the service principal access to the Key Vault's secrets:

az keyvault set-policy --name <<vaultname>> --spn $AZURE_CLIENT_ID --secret-permissions get set list delete backup recover restore purge
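As an added example (not part of the original question or answer, and not azure-identity code), the script below turns the JSON that az ad sp create-for-rbac prints into the variables EnvironmentCredential reads, and checks which of them are missing, which is exactly the condition behind the "Incomplete environment configuration" line in the error above. It assumes the client-secret form of EnvironmentCredential, which reads AZURE_TENANT_ID in addition to AZURE_CLIENT_ID and AZURE_CLIENT_SECRET; the service principal output it parses is a constructed placeholder.

```python
import json
import os
import shlex

# Variables EnvironmentCredential reads for a client-secret service principal
# (the "expected environment variables" the error message points to).
REQUIRED_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

# Keys in `az ad sp create-for-rbac` JSON output -> environment variable names.
SP_OUTPUT_TO_ENV = {
    "tenant": "AZURE_TENANT_ID",
    "appId": "AZURE_CLIENT_ID",
    "password": "AZURE_CLIENT_SECRET",
}


def env_from_sp_output(sp_json: str) -> dict:
    """Map `az ad sp create-for-rbac` JSON output to EnvironmentCredential's
    variables. Raises KeyError if the output lacks one of the fields."""
    sp = json.loads(sp_json)
    return {env_name: sp[key] for key, env_name in SP_OUTPUT_TO_ENV.items()}


def missing_env_vars(env=None) -> list:
    """Names that are absent or empty, i.e. why EnvironmentCredential would
    report an incomplete configuration. Defaults to the current process env."""
    env = os.environ if env is None else env
    return [name for name in REQUIRED_VARS if not env.get(name)]


def export_lines(env_vars: dict) -> list:
    """Shell `export` lines, with values quoted so a secret containing shell
    metacharacters is not interpreted by the shell."""
    return [f"export {k}={shlex.quote(v)}" for k, v in env_vars.items()]


# Constructed sample output (placeholder values, not a real service principal).
SAMPLE_SP_OUTPUT = """{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "my-application",
  "name": "http://my-application",
  "password": "PLACEHOLDER-SECRET",
  "tenant": "00000000-0000-0000-0000-0000000000aa"
}"""

if __name__ == "__main__":
    print("\n".join(export_lines(env_from_sp_output(SAMPLE_SP_OUTPUT))))
    print("missing in this shell:", missing_env_vars())
```

Run it before the SecretClient snippet; an empty "missing" list means EnvironmentCredential will at least be attempted rather than skipped for incomplete configuration.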