
Feature: Use Managed Identity for accessing Azure Key Vault

Open 0brstmgns opened this issue 3 years ago • 4 comments

Hello,

I am using this library inside an Azure Function. Therefore it would be helpful to be able to use Managed Identity authentication for accessing Key Vaults.

With the current implementation, using the ClientSecretCredential class, you have to provide the TENANT_ID, CLIENT_ID and CLIENT_SECRET.

Would it make sense for you to add support for the DefaultAzureCredential class?

Currently it looks like this:

```python
from azure.identity import ClientSecretCredential

# az_client_id, az_client_secret, az_tenant_id and az_vault_name are the
# values the caller passes in to the Azure Key Vault configuration backend
credentials = ClientSecretCredential(
    client_id=az_client_id,
    client_secret=az_client_secret,
    tenant_id=az_tenant_id)
vault_url = "https://{az_vault_name}.vault.azure.net/".format(az_vault_name=az_vault_name)
```

The following would allow the usage of a Managed Identity (and also several other kinds of credentials):

```python
from azure.identity import DefaultAzureCredential

# no tenant id, client id or client secret needed: the credential chain
# picks up the managed identity, environment variables, Azure CLI, etc.
credentials = DefaultAzureCredential()
vault_url = "https://{az_vault_name}.vault.azure.net/".format(az_vault_name=az_vault_name)
```

Best regards, Marc

0brstmgns avatar Dec 03 '21 13:12 0brstmgns

Hi Marc, thanks for reporting this. Does this break any existing functionality?

tr11 avatar Dec 22 '21 04:12 tr11

Hi, I don't see any further impact on the functionality of the framework. There would have to be a decision made on how the feature can be added in a way that existing users of the framework's Azure component are not affected by the change when updating...

0brstmgns avatar Dec 22 '21 08:12 0brstmgns

I would like to +1 this feature. By using the DefaultAzureCredential, it will allow users to avoid having to hard code any credentials, as it supports a bunch of methods for authenticating, including the environment variables, managed identity, Azure CLI, etc. See the docs here: https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python

I would be open to doing a pull request for adding this if the maintainers are open to that. This could be added to the current design in a non-breaking way by making the current init method parameters optional. Then by default, if the client id and client secret parameters are not passed in, it can then use the DefaultAzureCredential instead.

bigdatamoore avatar Apr 21 '23 15:04 bigdatamoore
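The non-breaking credential selection sketched in the comment above, written out as an added example (this is not python-configuration's own code, nor the requested PR). The function name `build_credential` and the helper `vault_url` are assumptions; the azure-identity classes are the real ones when the package is installed, and constructed stand-ins otherwise so the example runs offline. Explicit `client_id`/`client_secret`/`tenant_id` keep the existing ClientSecretCredential behaviour; omitting all three falls back to DefaultAzureCredential, and supplying only some of them is rejected rather than silently falling through to a different identity. The vault name is checked against the Key Vault naming rules before it is interpolated into the URL, so a malformed value cannot turn into a request to an unintended host.

```python
"""Credential selection for an Azure Key Vault configuration backend (added example)."""
from __future__ import annotations

import re
from typing import Optional

try:
    # real classes from azure-identity, used when the SDK is installed
    from azure.identity import ClientSecretCredential, DefaultAzureCredential
except ImportError:  # pragma: no cover
    # constructed stand-ins so the example is importable without azure-identity;
    # they only record the arguments they were built with
    class ClientSecretCredential:  # type: ignore[no-redef]
        def __init__(self, tenant_id: str, client_id: str, client_secret: str, **kwargs):
            self.tenant_id = tenant_id
            self.client_id = client_id
            self.client_secret = client_secret

    class DefaultAzureCredential:  # type: ignore[no-redef]
        def __init__(self, **kwargs):
            self.kwargs = kwargs


# Key Vault names: 3-24 chars, letters/digits/hyphens, start with a letter,
# end with a letter or digit, no consecutive hyphens (assumed from the Azure naming rules)
_VAULT_NAME = re.compile(r"^[A-Za-z](?:[A-Za-z0-9]|-(?!-)){1,22}[A-Za-z0-9]$")


def vault_url(az_vault_name: str) -> str:
    """Build the vault URL only from a syntactically valid vault name."""
    if not _VAULT_NAME.match(az_vault_name):
        raise ValueError(f"invalid Key Vault name: {az_vault_name!r}")
    return f"https://{az_vault_name}.vault.azure.net/"


def build_credential(
    client_id: Optional[str] = None,
    client_secret: Optional[str] = None,
    tenant_id: Optional[str] = None,
):
    """Return a ClientSecretCredential when all three explicit values are given,
    DefaultAzureCredential when none are, and refuse a partial set."""
    explicit = (client_id, client_secret, tenant_id)
    if all(explicit):
        # existing behaviour: callers that pass a service principal are unaffected
        return ClientSecretCredential(
            tenant_id=tenant_id, client_id=client_id, client_secret=client_secret
        )
    if any(explicit):
        # a half-configured service principal should fail loudly, not fall back
        # to whatever identity the DefaultAzureCredential chain happens to find
        raise ValueError(
            "client_id, client_secret and tenant_id must be given together or not at all"
        )
    # new behaviour: managed identity, environment variables, Azure CLI, ...
    return DefaultAzureCredential()


def credential_kind(client_id=None, client_secret=None, tenant_id=None) -> str:
    """Convenience wrapper returning which credential type was selected."""
    return type(build_credential(client_id, client_secret, tenant_id)).__name__


if __name__ == "__main__":
    # constructed sample values; no request is made until a secret is fetched
    print(credential_kind("app-id", "app-secret", "tenant-id"))  # ClientSecretCredential
    print(credential_kind())                                      # DefaultAzureCredential
    print(vault_url("my-config-vault"))
```

Because both credential classes resolve tokens lazily, constructing them makes no network call; the first `SecretClient.get_secret` is where a missing managed identity or an unreachable vault surfaces.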

Can you put a PR together with this functionality? I don't really have access to a good Azure environment anymore which makes it hard to test it properly.

tr11 avatar Aug 04 '23 23:08 tr11