fix keyvault auth in msi auth (#53100)

pull/53171/head
Yunge Zhu 6 years ago committed by GitHub
parent 14d4a4fc3b
commit 861b710c73
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -89,6 +89,7 @@ try:
from azure.keyvault.models import KeyAttributes, JsonWebKey from azure.keyvault.models import KeyAttributes, JsonWebKey
from azure.common.credentials import ServicePrincipalCredentials from azure.common.credentials import ServicePrincipalCredentials
from azure.keyvault.models.key_vault_error import KeyVaultErrorException from azure.keyvault.models.key_vault_error import KeyVaultErrorException
from msrestazure.azure_active_directory import MSIAuthentication
from OpenSSL import crypto from OpenSSL import crypto
except ImportError: except ImportError:
# This is handled in azure_rm_common # This is handled in azure_rm_common
@ -137,25 +138,7 @@ class AzureRMKeyVaultKey(AzureRMModuleBase):
setattr(self, key, kwargs[key]) setattr(self, key, kwargs[key])
# Create KeyVaultClient # Create KeyVaultClient
def auth_callback(server, resource, scope): self.client = self.get_keyvault_client()
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
self.client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
results = dict() results = dict()
changed = False changed = False
@ -195,6 +178,35 @@ class AzureRMKeyVaultKey(AzureRMModuleBase):
return self.results return self.results
def get_keyvault_client(self):
try:
self.log("Get KeyVaultClient from MSI")
credentials = MSIAuthentication(resource='https://vault.azure.net')
return KeyVaultClient(credentials)
except Exception:
self.log("Get KeyVaultClient from service principal")
# Create KeyVault Client using KeyVault auth class and auth_callback
def auth_callback(server, resource, scope):
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
return KeyVaultClient(KeyVaultAuthentication(auth_callback))
def get_key(self, name, version=''): def get_key(self, name, version=''):
''' Gets an existing key ''' ''' Gets an existing key '''
key_bundle = self.client.get_key(self.keyvault_uri, name, version) key_bundle = self.client.get_key(self.keyvault_uri, name, version)

@ -84,6 +84,7 @@ try:
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, KeyVaultId from azure.keyvault import KeyVaultClient, KeyVaultAuthentication, KeyVaultId
from azure.common.credentials import ServicePrincipalCredentials from azure.common.credentials import ServicePrincipalCredentials
from azure.keyvault.models.key_vault_error import KeyVaultErrorException from azure.keyvault.models.key_vault_error import KeyVaultErrorException
from msrestazure.azure_active_directory import MSIAuthentication
except ImportError: except ImportError:
# This is handled in azure_rm_common # This is handled in azure_rm_common
pass pass
@ -128,26 +129,8 @@ class AzureRMKeyVaultSecret(AzureRMModuleBase):
for key in list(self.module_arg_spec.keys()) + ['tags']: for key in list(self.module_arg_spec.keys()) + ['tags']:
setattr(self, key, kwargs[key]) setattr(self, key, kwargs[key])
# Create KeyVault Client using KeyVault auth class and auth_callback # Create KeyVault Client
def auth_callback(server, resource, scope): self.client = self.get_keyvault_client()
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
self.client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
results = dict() results = dict()
changed = False changed = False
@ -186,6 +169,35 @@ class AzureRMKeyVaultSecret(AzureRMModuleBase):
return self.results return self.results
def get_keyvault_client(self):
try:
self.log("Get KeyVaultClient from MSI")
credentials = MSIAuthentication(resource='https://vault.azure.net')
return KeyVaultClient(credentials)
except Exception:
self.log("Get KeyVaultClient from service principal")
# Create KeyVault Client using KeyVault auth class and auth_callback
def auth_callback(server, resource, scope):
if self.credentials['client_id'] is None or self.credentials['secret'] is None:
self.fail('Please specify client_id, secret and tenant to access azure Key Vault.')
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
cloud_environment=self._cloud_environment,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
return KeyVaultClient(KeyVaultAuthentication(auth_callback))
def get_secret(self, name, version=''): def get_secret(self, name, version=''):
''' Gets an existing secret ''' ''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version) secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)

Loading…
Cancel
Save