Use Azure Key Vault to get secrets


I want to use Azure Key Vault in an ML notebook to retrieve secrets. The tutorial I followed here suggested using:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

vault_url = 'https://<myvaulturl>.vault.azure.net'
az_credential = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=az_credential)

client.get_secret('<mysecret>')

However, I get this error:

ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: Unexpected response 'None'.

I think it depends on the fact that I don't have my environment variables set:

AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID

I was wondering if there was any other way to access the vault without using the DefaultAzureCredential class.
Does anybody have any idea?

2

There are 2 answers

2
Stanley Gong On BEST ANSWER

Try using ClientSecretCredential to do this:

from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential

AZURE_TENANT_ID = ''
AZURE_CLIENT_ID = ''
AZURE_CLIENT_SECRET = ''


cred = ClientSecretCredential(
    client_id = AZURE_CLIENT_ID,
    client_secret = AZURE_CLIENT_SECRET,
    tenant_id = AZURE_TENANT_ID
)

keyVaultName = ''
KVUri = f"https://{keyVaultName}.vault.azure.net"

sc = SecretClient(vault_url=KVUri, credential=cred)
print(sc.get_secret('<secret name>').value)


UPDATE:

  1. You can find your tenant ID here on Azure Portal.

  2. Follow this doc to create an Azure AD app and follow this section to create an app secret, so that you have all 3 params (tenant ID, client ID and client secret) for ClientSecretCredential.

  3. Follow this doc to add this app to the access policy so that this app has permission to query secrets in Azure Key Vault.
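
Added example, not part of the answer above or of the Azure SDK: a variant that reads the three service principal values from the environment instead of pasting them into a notebook cell, where they would be saved and shared with the notebook. The helper names (`missing_sp_vars`, `load_sp_settings`, `vault_uri`, `redacted`, `read_secret`) are hypothetical, and the `.vault.azure.net` suffix is the one used on this page.

```python
import os
import re

# The three variables named in the question (read by EnvironmentCredential).
REQUIRED = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
# Key Vault naming rule: 3-24 chars, letters/digits/hyphens, starts with a
# letter, ends with a letter or digit, no consecutive hyphens.
VAULT_NAME = re.compile(r"[A-Za-z](?!.*--)[A-Za-z0-9-]{1,22}[A-Za-z0-9]")


def missing_sp_vars(env=None):
    """Names of required variables that are unset or blank."""
    env = os.environ if env is None else env
    return [name for name in REQUIRED if not (env.get(name) or "").strip()]


def load_sp_settings(env=None):
    """Keyword arguments for ClientSecretCredential, taken from the environment."""
    env = os.environ if env is None else env
    missing = missing_sp_vars(env)
    if missing:
        raise RuntimeError("Set these before starting the kernel: " + ", ".join(missing))
    return {
        "tenant_id": env["AZURE_TENANT_ID"].strip(),
        "client_id": env["AZURE_CLIENT_ID"].strip(),
        "client_secret": env["AZURE_CLIENT_SECRET"].strip(),
    }


def vault_uri(vault_name):
    """Build the vault URL, rejecting anything that is not a plain vault name."""
    if not VAULT_NAME.fullmatch(vault_name):
        raise ValueError(f"not a valid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net"


def redacted(settings):
    """Copy of the settings that is safe to print in a cell output."""
    return {**settings, "client_secret": "***"}


def read_secret(vault_name, secret_name, env=None):
    """Fetch one secret value; needs azure-identity and azure-keyvault-secrets."""
    settings = load_sp_settings(env)
    # Imported lazily so the checks above run even without the SDK installed.
    from azure.identity import ClientSecretCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_uri(vault_name),
                          credential=ClientSecretCredential(**settings))
    return client.get_secret(secret_name).value
```

Once the three variables are set for the kernel, the `EnvironmentCredential` step of `DefaultAzureCredential` from the question has what it needs as well.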

0
Anand Varkey Philips On

To fetch and write all secrets via the Azure CLI on Mac, I call the below script: sh keyvault-list.sh

#!/usr/bin/env bash

# The output file will hold secret values in plaintext: create it owner-only.
umask 077

echo "Enter the keyvault Name to be used for printing secrets:"
read -r keyvaultName

# The timestamp contains a space, so "$fileName" must be quoted wherever it is used.
fileName="$keyvaultName+$(date "+%Y-%m-%d %H.%M.%S").txt"
echo "Starting secret printing for $keyvaultName to fileName=$fileName"
echo "Starting secret printing for  $keyvaultName!" >> "$fileName"

# Secret names contain only letters, digits and hyphens, so splitting the tsv output into an array is safe.
keyvaultEntries=($(az keyvault secret list --vault-name "$keyvaultName" --query "[*].{name:name}" -o tsv))

for i in "${keyvaultEntries[@]}"
do
    # Fetch each value once, then print it and append the same line to the file.
    value="$(az keyvault secret show --name "$i" --vault-name "$keyvaultName" -o tsv --query value)"
    echo "$i"  ::  "$value" | tee -a "$fileName"
done