Interacting with Azure Key Vault from Python using the REST API
I am very interested in using the new service recently released for secret management within Azure. I have found a few example guides walking through how to interact with Key Vault via PowerShell cmdlets and C#; however, I haven't found much at all regarding getting started with the REST API.
The thing I am particularly confused with is the handling of OAuth2 with Active Directory. I have written an OAuth2 application listener, built a web application with an AD instance, and can now generate an "access_token". It is very unclear to me how to proceed beyond this, though, as I seem to consistently receive a 401 HTTP response code whenever I attempt to use my access_token to perform a Key Vault API call.
Any guides / tips on using Azure Key Vault with Python would be greatly appreciated!
Here are some steps you'll need to do before the following code will work... Hopefully I remembered everything!
You'll need to have an application in AD with at least get access
note: you need this to get the CLIENT_ID and CLIENT_SECRET anyway. Then run:
azure keyvault set-policy --vault-name 'VAULTNAME' --spn CLIENT_ID --perms-to-secrets '["get"]'
You'll also need the IDs for your secrets, which you can get with the Azure CLI using:
azure keyvault secret show [vault] [secret]
or
azure keyvault secret show -h # if this is unclear
Copy the key (last argument in the URL)
Then the following code will allow you to query the key vault using oauth2:
import json
import requests

AUTHORITY_HOST = "login.windows.net"
TENANT_ID = "<your tenant id>"          # fill in from the AD tenant
CLIENT_ID = "<your client id>"          # fill in from the AD application
CLIENT_SECRET = "<your client secret>"  # fill in from the AD application
VAULT = 'MyVault'

# Client-credentials grant. "resource" must be the Key Vault audience,
# otherwise the vault rejects the token with 401.
data = { "grant_type" : "client_credentials",
         "client_id" : CLIENT_ID,
         "client_secret" : CLIENT_SECRET,
         "resource" : "https://vault.azure.net"
       }
# (secret name, secret version id) pairs; the id is the last segment of the URL
# shown by "azure keyvault secret show"
secrets = [( "i_like_pie", "8a7680a2cf5e4d539494aa0ce265297" )]
headers = { "Content-Type" : "application/x-www-form-urlencoded" }
r = requests.post("https://{}/{}/oauth2/token".format(AUTHORITY_HOST, TENANT_ID), data=data, headers=headers)
r.raise_for_status()
access_token = r.json()['access_token']

for secret, secret_id in secrets:   # secrets is a list of tuples, not a dict
    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(VAULT, secret, secret_id), headers=headers)
    print('##### {} #####'.format(secret))
    print(r.json())
    print('')
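As an added example (not the answerer's code), a small offline check for the 401 problem described in the question: an Azure AD token whose "aud" claim is not the Key Vault resource is rejected by the vault even though the token itself is valid, so inspecting the audience before calling the REST API tells you whether the "resource" parameter was right. The helper names are hypothetical, and demo_token builds a constructed, unsigned stand-in token so the check runs without contacting Azure.

```python
import base64
import json
import urllib.request

VAULT_RESOURCE = "https://vault.azure.net"   # the "resource" value sent in the token request


def jwt_claims(access_token):
    """Decode the payload of an access token WITHOUT verifying the signature.
    Local troubleshooting only: Key Vault, not the client, validates the token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload).decode("utf-8"))


def token_is_for_vault(access_token):
    """True if the token was issued for the Key Vault audience; a token minted for
    another resource (e.g. a web app's own App ID URI) gets a 401 from the vault."""
    return jwt_claims(access_token).get("aud") == VAULT_RESOURCE


def secret_request(vault, name, version, access_token):
    """Build, but do not send, the REST call for one secret version."""
    url = "https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01".format(
        vault, name, version)
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def demo_token(aud):
    """Constructed, unsigned token (alg "none") used only so the checks run offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "{}.{}.{}".format(b64({"alg": "none"}), b64({"aud": aud, "appid": "demo"}), "sig")


if __name__ == "__main__":
    for aud in (VAULT_RESOURCE, "https://graph.windows.net"):
        verdict = "OK" if token_is_for_vault(demo_token(aud)) else "vault will answer 401"
        print("aud={} -> {}".format(aud, verdict))
```

Run jwt_claims on the real access_token from the answer's code to see its "aud" value; if it is not https://vault.azure.net, the token request, not the vault call, is what needs fixing.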