Is there a way to authenticate a Python app to Azure without adding secrets to my code? Because I'm on untrusted computing resources I can't save my secrets as environment variables nor store "config" files locally.
Given:
- A service principal has been created via the portal for this app (`python-sp`)
- The service principal has been assigned a `Contributor` role to Azure Key Vault
Example:
- I want to use the Python SDK to programmatically create and manage Azure resources
- To create a new Resource Group, I first need to authenticate the Python app. The only method I've been able to find which does not require a `clientSecret` to be added to the code is to use `az login`:
```python
...
import json
import os

sp_name = 'python-sp'
sp_file = 'sp_creds.json'

# Interactive login, then write the service principal credentials to a local file
!az login
!az ad sp create-for-rbac -n $sp_name --sdk-auth > $sp_file

# A `!export ...` shell escape runs in a child shell and does not persist,
# so set the variable from Python instead
os.environ['AZURE_AUTH_LOCATION'] = sp_file

# Load the credentials into memory and delete the file immediately
with open(sp_file) as data_file:
    sp_details = json.load(data_file)
os.remove(sp_file)
```
Unfortunately this requires interaction, so the code isn't really headless. Aside from that, the credentials are in a JSON file and in memory, even if only for a few moments.
How do I instead access Azure Key Vault to retrieve authentication keys/secrets?
- I can't access Azure Key Vault without some kind of credential in the code.
The methods listed here all seem to require a credential be stored and accessed in some file or hardcoded.
Chicken and egg! But I guess it makes sense. Any ideas?