When you are developing applications, you often reach the point where you have to connect your work to other applications and resources. Because you just want to check quickly whether the connection method works, you write the username and password into your code as plain strings and run the code. And voilà! It works! Now it is time for that well deserved cup of coffee…
… while sipping your brown liquid of victoriousness, you commit your changes and push the code to the application repository that you share with various colleagues. And there it is: the credentials are now readable by everyone with access to the repository, and by anyone who has (unwanted) access to those people's computers.
Now, let’s make sure this won’t happen to you!
I am assuming that you have an active Azure subscription, Python 3 (current versions of the Azure SDK packages no longer support Python 2.7) and the Azure CLI installed.
Create and configure Azure resources
Let’s start by creating an Azure resource group and the Key Vault:
$ az login
$ az group create --name <keyVaultGroup> -l westeurope
$ az keyvault create --name <myUniqueKeyVaultName> -g <keyVaultGroup>
Retrieve and remember the Key Vault properties.vaultUri:
$ az keyvault show -n <myUniqueKeyVaultName> --query "properties.vaultUri" -o json
The Key Vault URL should look something like this: https://myuniquekeyvaultname.vault.azure.net/
Now create a service principal to manage access policies:
$ az ad sp create-for-rbac --name <my-key-vault-principal-name> --sdk-auth
Take note of the output, especially the clientId, clientSecret and the tenantId. The clientSecret is shown only once and is itself a credential, so treat the output as you would a password and never paste it into the repository. The service principal needs no subscription-level role for this walkthrough; the Key Vault access policy created below is enough. The output should look like this:
{
"clientId": "d55c654c-22df-4641-91a9-3e8b567d6253",
"clientSecret": "1pXue~dOK6TTCf1NVTBcMaFrQwnIWjS_tO",
"subscriptionId": "d410egf1-7e00-45x3-beab-081531f878ed",
"tenantId": "45c8b1a0-8c74-43f9-9fd5-110f80d9a6f9",
"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
"resourceManagerEndpointUrl": "https://management.azure.com/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
"galleryEndpointUrl": "https://gallery.azure.com/",
"managementEndpointUrl": "https://management.core.windows.net/"
}
Create an access policy that gives the service principal access to the Key Vault. Note that the --spn ID is the clientId from the output of the previous step. The permissions below are broader than this tutorial needs: the code that follows only reads, sets and deletes secrets, so the key permissions can be dropped, and an application that only consumes secrets should get nothing beyond get (and list if it needs to enumerate them). If the vault was created with the RBAC permission model (recent Azure CLI versions default to --enable-rbac-authorization true), set-policy is rejected; either create the vault with --enable-rbac-authorization false or assign the built-in Key Vault Secrets Officer role to the service principal with az role assignment create instead:
$ az keyvault set-policy -n <myUniqueKeyVaultName> --spn <the-previous-clientId> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey
Set the environment variables
The Azure Identity client library, which we are going to use in Python in a moment, reads the service principal's credentials from the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID to authenticate itself to the Key Vault. Note what this does and does not achieve: the bootstrap secret is out of the repository, but it still sits in plaintext on the machine. When the code runs in Azure, prefer a managed identity (for example through DefaultAzureCredential, which also honours these variables on a developer machine) so that no client secret exists at all.
Linux
Open a terminal and edit the .profile file in the $HOME directory:
$ cd ~ && nano .profile
Now add the specifics of the service principal to the end of the file and save it. The variables must be exported, otherwise they stay local to the shell and Python will not see them; .profile is only read by login shells, so open a new login shell or run source ~/.profile afterwards, and keep the file readable by your user only:
export AZURE_CLIENT_ID="<the-previous-clientId>"
export AZURE_CLIENT_SECRET="<the-previous-clientSecret>"
export AZURE_TENANT_ID="<the-previous-tenantId>"
export VAULT_URL="<the-previous-properties.vaultUri>"
Windows
Open CMD and persist the specifics of the service principal as environment variables for your user account (SETX does not need administrator rights for this; only SETX /M, which writes machine-wide variables, does). The new values are only visible to consoles and programs started after the commands have run:
SETX AZURE_CLIENT_ID "<the-previous-clientId>"
SETX AZURE_CLIENT_SECRET "<the-previous-clientSecret>"
SETX AZURE_TENANT_ID "<the-previous-tenantId>"
SETX VAULT_URL "<the-previous-properties.vaultUri>"
Python implementation
Install the requirements
Install the necessary packages, the secrets client and the identity library (the azure.keyvault spelling resolves to the azure-keyvault meta-package, which also pulls in the keys and certificates clients that this tutorial does not use):
pip install azure-keyvault-secrets
pip install azure-identity
Set secrets
The following example adds a secret to the Key Vault:
import os
from azure.identity import EnvironmentCredential
from azure.keyvault.secrets import SecretClient

# EnvironmentCredential reads AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID;
# VAULT_URL is the properties.vaultUri retrieved earlier.
VAULT_URL = os.environ["VAULT_URL"]
credential = EnvironmentCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)

client.set_secret("<my-password-reference>", "<the-actual-password>")
Get secrets
The following example reads a secret back from the Key Vault; client is the SecretClient from the 'Set secrets' step:
password = client.get_secret("<my-password-reference>").value
Delete secrets
The following example deletes a secret from the Key Vault; client is the SecretClient from the 'Set secrets' step. begin_delete_secret returns a poller, so wait on it if the code that follows depends on the deletion; with soft delete enabled (the default for new vaults) the secret remains recoverable until it is purged:
client.begin_delete_secret("<my-password-reference>").wait()
That’s it. The application code now carries only a reference to the secret, so it can be committed and pushed without exposing the credential. Two caveats remain: the service principal's clientSecret still exists in plaintext on your machine (in .profile or in the user environment) and must never reach the repository either, and when the code runs in Azure a managed identity removes that bootstrap secret altogether.
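Key Vault removes the reason to hard-code credentials, but nothing above verifies that none were left behind before a push. The following is an added example, not code from the original post: a small scanner, meant to run as a pre-commit hook, that flags the three things this post shows ending up in code (the clientSecret from the --sdk-auth JSON, an AZURE_CLIENT_SECRET assignment, and password or API-key string literals) while ignoring lines that only reference a placeholder or an environment lookup, which is what code looks like after the refactor. The file name check_secrets.py, the rule names and the sample source are constructed for this example.

```python
"""check_secrets.py: flag hard-coded credentials before they reach the repository.

Added example, not code from the original post. It checks for the things the
post itself shows being pasted into code: the clientSecret from the
`az ad sp create-for-rbac --sdk-auth` JSON, an AZURE_CLIENT_SECRET
assignment, and password/API-key string literals. Rule names, the
placeholder convention and the sample source are constructed for this example.
"""
import re
import sys
from typing import List, Tuple

# Each rule is keyed on a credential *name* next to the value, so an arbitrary
# long string in a test fixture does not trigger it on its own.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # "clientSecret": "..."  (the --sdk-auth JSON blob pasted into a file)
    ("azure-sdk-auth-json", re.compile(r'"clientSecret"\s*:\s*"[^"]{8,}"')),
    # AZURE_CLIENT_SECRET=...  (a .env or .profile line committed by mistake)
    ("azure-env-secret", re.compile(r"AZURE_CLIENT_SECRET\s*=\s*[\"']?[^\"'\s<]{8,}")),
    # password = "..." / api_key: '...'  (plain string literal next to a secret-like name)
    ("password-literal", re.compile(
        r"\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*[\"'][^\"']{6,}[\"']",
        re.IGNORECASE)),
]

# Lines that only reference a <placeholder>, a $VARIABLE or an environment
# lookup are what code should look like after the Key Vault refactor, so they
# are never reported.
ALLOWED = re.compile(r"<[A-Za-z][\w.-]*>|\$\{?[A-Z_][A-Z0-9_]*\}?|os\.environ|getenv")

Finding = Tuple[int, str]  # (1-based line number, rule name); the value itself is never stored


def scan_line(line: str) -> List[str]:
    """Return the names of all rules that match this line (empty if clean)."""
    if ALLOWED.search(line):
        return []
    return [name for name, pattern in RULES if pattern.search(line)]


def scan_text(text: str) -> List[Finding]:
    """Scan a whole file's contents; one finding per (line, rule) pair."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in scan_line(line):
            findings.append((line_no, rule))
    return findings


def report(path: str, findings: List[Finding]) -> List[str]:
    """Format findings as path:line: rule, without ever echoing the matched value."""
    return [f"{path}:{line_no}: {rule}" for line_no, rule in findings]


def main(paths: List[str]) -> int:
    """Hook entry point: non-zero exit if any file has a finding or cannot be read."""
    status = 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
        except OSError as exc:
            print(f"{path}: cannot read ({exc})", file=sys.stderr)
            status = 1
            continue
        if findings:
            status = 1
            print("\n".join(report(path, findings)))
    return status


# Constructed sample: a file with secrets pasted in (lines 2, 5, 7, 9) next to
# lines that already go through Key Vault or the environment (lines 3, 4).
SAMPLE_SOURCE = """\
import os
password = "hunter2-prod"
conn = connect(user="app", password=os.environ["DB_PASSWORD"])
client.set_secret("<my-password-reference>", "<the-actual-password>")
AZURE_CLIENT_SECRET="Ab1~exampleSecretValueForScan"
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "Ab1~exampleSecretValueForScan",
  "subscriptionId": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
api_key = 'sk_live_abcdefghijklmnop'
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it on the staged files from a pre-commit hook, for example python check_secrets.py $(git diff --cached --name-only); a non-zero exit blocks the commit. It reports line numbers and rule names only, never the matched value, so the hook's own output is safe to log. Regex rules of this kind catch the obvious paste, not every secret, so they complement rather than replace a dedicated secret scanner.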