无法使用python'KeyVaultManagementClient'对象从Azure密钥存储库获取机密/证书,对象没有属性'get_secret'
提前感谢,我正在尝试使用Python创建一个VM。在部署时,它将检查密钥库中是否存在证书,并将其复制到VM中。
我得到错误'KeyVaultManagementClient'对象在函数“get_certificates”上没有属性'get_secret'。是否有任何功能,获得证书/机密使用我的互动登录方式?或者这只在应用程序id和secret方法中可用。
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.compute.models import DiskCreateOption
from azure.mgmt.network.v2017_03_01.models import NetworkSecurityGroup
from azure.mgmt.network.v2017_03_01.models import SecurityRule
import azure.mgmt.network.models
from msrestazure.azure_active_directory import AADTokenCredentials
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.datalake.analytics.job import DataLakeAnalyticsJobManagementClient
from azure.mgmt.datalake.analytics.job.models import JobInformation, JobState, USqlJobProperties
import adal, uuid, time
SUBSCRIPTION_ID = 'xxx-xxxx-xxxx-xxxx-xxxx'
GROUP_NAME = 'RAH-AQ'
Vault_Name = 'aqrahkeyvault'
LOCATION = ''
certificate_as_secret = ''
def authenticate_device_code():
"""
Authenticate the end-user using device auth.
"""
authority_host_uri = 'https://login.microsoftonline.com'
tenant = 'xxxx-xxxx-xxxx-xxxx-xxxx'
authority_uri = authority_host_uri + '/' + tenant
resource_uri = 'https://management.core.windows.net/'
client_id = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'
context = adal.AuthenticationContext(authority_uri, api_version=None)
code = context.acquire_user_code(resource_uri, client_id)
print(code['message'])
mgmt_token = context.acquire_token_with_device_code(resource_uri, code, client_id)
credentials = AADTokenCredentials(mgmt_token, client_id)
return credentials
def get_keyvault(kv_client):
myvault = kv_client.vaults.get(resource_group_name=GROUP_NAME,vault_name= Vault_Name)
return myvault
def get_certificates(myvault):
global certificate_as_secret
certificate_as_secret = kv_client.get_secret(
myvault.properties.vault_uri,
staticwebsite,
"" # Latest version
)
if __name__ == "__main__":
credentials = authenticate_device_code()
resource_group_client = ResourceManagementClient(
credentials,
SUBSCRIPTION_ID
)
network_client = NetworkManagementClient(
credentials,
SUBSCRIPTION_ID
)
compute_client = ComputeManagementClient(
credentials,
SUBSCRIPTION_ID
)
kv_client = KeyVaultManagementClient(
credentials,
SUBSCRIPTION_ID
)
creation_result_keyvault = get_keyvault(kv_client)
print("------------------------------------------------------")
print(creation_result_keyvault)
creation_result_certificates = get_certificates(creation_result_keyvault)
print("------------------------------------------------------")
print(creation_result_certificates)
共有1个答案
要获得Azure Keyvault中的秘密,需要使用包Azure.Keyvault。代码如下所示:
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials
def auth_callback(server, resource, scope):
credentials = ServicePrincipalCredentials(
client_id = '',
secret = '',
tenant = '',
resource = "https://vault.azure.net"
)
token = credentials.token
return token['token_type'], token['access_token']
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
secret_bundle = client.get_secret(VAULT_URL, SECRET_ID, SECRET_VERSION)
print(secret_bundle.value)
还有一点你要注意。关键是您需要添加策略以允许服务主体获得秘密。密钥库->访问策略->添加新的->秘密管理。
-
问题内容: 我尝试从KeyStore获取密钥。我通过Keytool创建了一个密钥库: keytool -genkeypair -dname“ cn = Mark Jones,ou = JavaSoft,o = Sun,c = US” -alias business2 -keypass abcdtest -keystore C:\ workspace \ XMLSample \ keystore \
-
我有一个webjob从azure key vault service获得证书,并且在本地从KV访问/检索该证书没有问题。但是,当部署这个webjob时,我会得到以下错误: 我已经用AAD注册了应用程序(这个webjob托管的地方),它对kv空间有只读访问权限。我找到了几个相关的(我想..?)关于这方面的帖子:
-
资源组 集成帐户 密钥库 Active Directory 使用命令set-azurermkeyvaultaccesspolicy向我的用户授予所有密钥和机密的权限 每当我转到集成帐户>Certificates>Add>choose[Certificate Type]=“Private”时,组合框资源组和密钥库会自动填充,但密钥名称会抛出以下错误: 与密钥库[MY_KEY_VAULT]通信失败。请
-
2)生成CA证书请求 3)生成自签有效期-10年 4)使用KeyStoreExplorer这样的程序将密钥对(私钥和自签名证书)导入到新的JKS中
-
null 更新: 对于用户分配的标识,需要指定对象id或客户端id。