@ -84,6 +84,7 @@ try:
|
|
|
|
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, KeyVaultId
|
|
|
|
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, KeyVaultId
|
|
|
|
from azure.common.credentials import ServicePrincipalCredentials
|
|
|
|
from azure.common.credentials import ServicePrincipalCredentials
|
|
|
|
from azure.keyvault.models.key_vault_error import KeyVaultErrorException
|
|
|
|
from azure.keyvault.models.key_vault_error import KeyVaultErrorException
|
|
|
|
|
|
|
|
from msrestazure.azure_active_directory import MSIAuthentication
|
|
|
|
except ImportError:
|
|
|
|
except ImportError:
|
|
|
|
# This is handled in azure_rm_common
|
|
|
|
# This is handled in azure_rm_common
|
|
|
|
pass
|
|
|
|
pass
|
|
|
@ -128,26 +129,8 @@ class AzureRMKeyVaultSecret(AzureRMModuleBase):
|
|
|
|
for key in list(self.module_arg_spec.keys()) + ['tags']:
|
|
|
|
for key in list(self.module_arg_spec.keys()) + ['tags']:
|
|
|
|
setattr(self, key, kwargs[key])
|
|
|
|
setattr(self, key, kwargs[key])
|
|
|
|
|
|
|
|
|
|
|
|
# Create KeyVault Client using KeyVault auth class and auth_callback
|
|
|
|
# Create KeyVault Client
|
|
|
|
def auth_callback(server, resource, scope):
|
|
|
|
self.client = self.get_keyvault_client()
|
|
|
|
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
|
|
|
|
|
|
|
|
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
tenant = self.credentials.get('tenant')
|
|
|
|
|
|
|
|
if not self.credentials['tenant']:
|
|
|
|
|
|
|
|
tenant = "common"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
authcredential = ServicePrincipalCredentials(
|
|
|
|
|
|
|
|
client_id=self.credentials['client_id'],
|
|
|
|
|
|
|
|
secret=self.credentials['secret'],
|
|
|
|
|
|
|
|
tenant=tenant,
|
|
|
|
|
|
|
|
cloud_environment=self._cloud_environment,
|
|
|
|
|
|
|
|
resource="https://vault.azure.net")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
token = authcredential.token
|
|
|
|
|
|
|
|
return token['token_type'], token['access_token']
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
self.client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
results = dict()
|
|
|
|
results = dict()
|
|
|
|
changed = False
|
|
|
|
changed = False
|
|
|
@ -186,6 +169,35 @@ class AzureRMKeyVaultSecret(AzureRMModuleBase):
|
|
|
|
|
|
|
|
|
|
|
|
return self.results
|
|
|
|
return self.results
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_keyvault_client(self):
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
|
|
|
self.log("Get KeyVaultClient from MSI")
|
|
|
|
|
|
|
|
credentials = MSIAuthentication(resource='https://vault.azure.net')
|
|
|
|
|
|
|
|
return KeyVaultClient(credentials)
|
|
|
|
|
|
|
|
except Exception:
|
|
|
|
|
|
|
|
self.log("Get KeyVaultClient from service principal")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Create KeyVault Client using KeyVault auth class and auth_callback
|
|
|
|
|
|
|
|
def auth_callback(server, resource, scope):
|
|
|
|
|
|
|
|
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
|
|
|
|
|
|
|
|
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
tenant = self.credentials.get('tenant')
|
|
|
|
|
|
|
|
if not self.credentials['tenant']:
|
|
|
|
|
|
|
|
tenant = "common"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
authcredential = ServicePrincipalCredentials(
|
|
|
|
|
|
|
|
client_id=self.credentials['client_id'],
|
|
|
|
|
|
|
|
secret=self.credentials['secret'],
|
|
|
|
|
|
|
|
tenant=tenant,
|
|
|
|
|
|
|
|
cloud_environment=self._cloud_environment,
|
|
|
|
|
|
|
|
resource="https://vault.azure.net")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
token = authcredential.token
|
|
|
|
|
|
|
|
return token['token_type'], token['access_token']
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return KeyVaultClient(KeyVaultAuthentication(auth_callback))
|
|
|
|
|
|
|
|
|
|
|
|
def get_secret(self, name, version=''):
|
|
|
|
def get_secret(self, name, version=''):
|
|
|
|
''' Gets an existing secret '''
|
|
|
|
''' Gets an existing secret '''
|
|
|
|
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)
|
|
|
|
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)
|
|
|
|