Interacting with Azure Key Vault using python w/ rest api


Question


I am very interested in using the new service recently released for secret management within Azure. I have found a few example guides walking through how to interact with key vault via powershell cmdlets and c#, however haven't found much at all in regards to getting started with using the rest API.


The thing I am particularly confused with is the handling of oauth2 w/ active directory. I have written an oauth2 application listener, built a web application with an AD instance and can now generate an "access_token". It is very unclear to me how to proceed beyond this though, as I seem to consistently receive a 401 HTTP resp code whenever attempting to use my access_token to perform a key vault API call.


Any guides / tips on using azure key vault with python would be greatly appreciated!

Answer


Here are some steps you'll need to do before the following code will work... Hopefully I remembered everything!


  1. You'll need to have an application in AD with at least get access


Note: you need this to get the CLIENT_ID and CLIENT_SECRET anyway. Then run:


azure keyvault set-policy --vault-name 'VAULTNAME' --spn CLIENT_ID --perms-to-secrets '["get"]'


You'll also need the id's for your secrets, which you can get with the Azure CLI using:


azure keyvault secret show [vault] [secret]


azure keyvault secret show -h # if this is unclear


Copy the key (last argument in the URL)


Then the following code will allow you to query the key vault using oauth2:

import json
import requests

AUTHORITY_HOST = "login.windows.net"
TENANT_ID      = "<your tenant id>"        # placeholders: replace with your own values
CLIENT_ID      = "<your client id>"
CLIENT_SECRET  = "<your client secret>"
VAULT          = 'MyVault'

# OAuth2 client-credentials grant; the token must be issued for the Key Vault resource
data = { "grant_type" : "client_credentials",
        "client_id" : CLIENT_ID,
        "client_secret" : CLIENT_SECRET,
        "resource" : "https://vault.azure.net"
    }

# (secret name, secret version) pairs: the last two path segments of the secret identifier URL
secrets = [( "i_like_pie", "8a7680a2cf5e4d539494aa0ce265297" )]

headers = { "Content-Type" : "application/x-www-form-urlencoded" }

r = requests.post("https://{}/{}/oauth2/token".format(AUTHORITY_HOST, TENANT_ID), data=data, headers=headers)
access_token = r.json()['access_token']

# `secrets` is a list of tuples, so iterate it directly (the original called .iteritems(), a dict method)
for secret, secret_id in secrets:

    headers = {"Authorization":"Bearer {}".format(access_token) }
    r = requests.get('https://{}.vault.azure.net/secrets/{}/{}?api-version=2015-06-01'.format(VAULT, secret, secret_id), headers=headers)

    print('##### {} #####'.format(secret))
    print(r.json())
    print('')
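The same flow as an added, self-contained example (not the answer's own code): it uses only the standard library instead of `requests`, takes the secret identifier URL that `azure keyvault secret show` prints and splits it into vault host, name and version, requests the token for the `https://vault.azure.net` resource, and on a 401 parses the `WWW-Authenticate` challenge the vault returns. That challenge names the authority and resource the vault expects, which is the quickest way to tell whether a token was minted for the wrong audience, the symptom described in the question. The tenant, client and `fake_transport_*` responses are constructed so the code runs offline; pass the default `http` transport to talk to a real vault.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

AUTHORITY_HOST = "login.windows.net"
KEYVAULT_RESOURCE = "https://vault.azure.net"   # the audience the token must be issued for
API_VERSION = "2015-06-01"


def parse_secret_identifier(secret_id):
    """Split the secret identifier URL printed by `azure keyvault secret show`
    (https://<vault>.vault.azure.net/secrets/<name>/<version>) into its parts."""
    parts = urllib.parse.urlsplit(secret_id)
    path = [p for p in parts.path.split("/") if p]
    if parts.scheme != "https" or len(path) != 3 or path[0] != "secrets":
        raise ValueError("not a Key Vault secret identifier: {}".format(secret_id))
    return parts.netloc, path[1], path[2]

def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant against the tenant's AD token endpoint."""
    url = "https://{}/{}/oauth2/token".format(AUTHORITY_HOST, tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": KEYVAULT_RESOURCE,
    }).encode("ascii")
    return url, body

def build_secret_url(vault_host, name, version):
    return "https://{}/secrets/{}/{}?api-version={}".format(vault_host, name, version, API_VERSION)

def parse_bearer_challenge(www_authenticate):
    """Parse a `WWW-Authenticate: Bearer k="v", k2="v2"` header into a dict.
    Key Vault answers an unauthorised call with the authority and resource it expects."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme != "Bearer":
        return {}
    challenge = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            challenge[key] = value.strip().strip('"')
    return challenge

def http(method, url, body=None, headers=None):
    """Real transport over urllib; returns (status, headers, body bytes) even on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers, resp.read()
    except HTTPError as err:
        return err.code, err.headers, err.read()

def get_secret_value(tenant_id, client_id, client_secret, secret_id, transport=http):
    """Obtain a token for the Key Vault resource and fetch one secret by its identifier URL."""
    token_url, body = build_token_request(tenant_id, client_id, client_secret)
    status, _, payload = transport("POST", token_url, body,
                                   {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError("token request failed: HTTP {}".format(status))
    access_token = json.loads(payload)["access_token"]   # never log this value

    vault_host, name, version = parse_secret_identifier(secret_id)
    status, headers, payload = transport("GET", build_secret_url(vault_host, name, version), None,
                                         {"Authorization": "Bearer {}".format(access_token)})
    if status == 401:
        challenge = parse_bearer_challenge(headers.get("WWW-Authenticate", ""))
        raise PermissionError("Key Vault rejected the token; it wants one issued by {} for resource {}"
                              .format(challenge.get("authorization"), challenge.get("resource")))
    if status != 200:
        raise RuntimeError("secret request failed: HTTP {}".format(status))
    return json.loads(payload)["value"]


# Constructed stand-ins for the two endpoints so the flow can be exercised offline.
SAMPLE_SECRET_ID = "https://myvault.vault.azure.net/secrets/i_like_pie/8a7680a2cf5e4d539494aa0ce265297"
SAMPLE_CHALLENGE = ('Bearer authorization="https://login.windows.net/00000000-0000-0000-0000-000000000000", '
                    'resource="https://vault.azure.net"')

def fake_transport_ok(method, url, body=None, headers=None):
    if method == "POST" and url.endswith("/oauth2/token"):
        return 200, {}, json.dumps({"access_token": "constructed-token"}).encode()
    if headers.get("Authorization") == "Bearer constructed-token":
        return 200, {}, json.dumps({"value": "pie is great", "id": SAMPLE_SECRET_ID}).encode()
    return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}, b""

def fake_transport_wrong_audience(method, url, body=None, headers=None):
    """Token minted for some other resource: the vault answers 401 with its challenge."""
    if method == "POST":
        return 200, {}, json.dumps({"access_token": "token-for-another-resource"}).encode()
    return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}, b""

if __name__ == "__main__":
    print(get_secret_value("tenant", "client", "secret", SAMPLE_SECRET_ID, fake_transport_ok))
```

The transport is injected so the token and secret calls can be exercised without network access; against a real vault the only change is dropping the last argument. Treat the token response like the secret itself: it is a bearer credential, so keep it out of logs and error messages.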

