tutorials-and-examples/how-tos/Adding Secrets to Azure Key Vault.ipynb (347 lines of code) (raw):
{
"cells": [
{
"cell_type": "markdown",
"source": [
"# How To: Adding Secrets to Azure Key Vault\r\n",
"\r\n",
"__Notebook Version:__ 1.0<br>\r\n",
"__Python Version:__ Python 3.6 - AzureML<br>\r\n",
"__Platforms Supported:__<br>\r\n",
" - Azure ML\r\n",
"__Data Source Required:__<br>\r\n",
" - no\r\n",
" \r\n",
"### Description\r\n",
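"This sample notebook shows how to add key-value pairs (secrets) to an existing Azure Key Vault. Along the way it adds a secrets access policy on the selected vault for the user object ID read from config.json."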
],
"metadata": {
"nteract": {
"transient": {
"deleting": false
}
}
}
},
{
"cell_type": "code",
"source": [
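"# Install the Key Vault secrets client library\r\n",
"# NOTE(review): this install is unpinned, so each run may resolve a different release; pin a vetted version (azure-keyvault-secrets==PINNED_VERSION, placeholder) for reproducible, reviewable runs\r\n",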
"!pip install azure-keyvault-secrets"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1620665719004
}
}
},
{
"cell_type": "code",
"source": [
"# Load Python libraries that will be used in this notebook\r\n",
"from azure.common.client_factory import get_client_from_cli_profile\r\n",
"from azure.common.credentials import get_azure_cli_credentials\r\n",
"from azure.mgmt.keyvault import KeyVaultManagementClient\r\n",
"from azure.keyvault.secrets import SecretClient\r\n",
"from azure.mgmt.resource import ResourceManagementClient\r\n",
"from azure.mgmt.keyvault.models import AccessPolicyEntry, VaultProperties, Sku, SecretPermissions, Permissions, VaultCreateOrUpdateParameters, VaultAccessPolicyProperties, VaultAccessPolicyParameters\r\n",
"\r\n",
"import json\r\n",
"import ipywidgets"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290445214
}
}
},
{
"cell_type": "code",
"source": [
"# Helper functions used in this notebook\r\n",
"def read_config_values(file_path):\r\n",
" \"This loads pre-generated parameters for Microsoft Sentinel Workspace\"\r\n",
" with open(file_path) as json_file:\r\n",
" if json_file:\r\n",
" json_config = json.load(json_file)\r\n",
" return (json_config[\"tenant_id\"],\r\n",
" json_config[\"subscription_id\"],\r\n",
" json_config[\"resource_group\"],\r\n",
" json_config[\"workspace_id\"],\r\n",
" json_config[\"workspace_name\"],\r\n",
" json_config[\"user_alias\"],\r\n",
" json_config[\"user_object_id\"])\r\n",
" return None"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290446027
}
}
},
{
"cell_type": "code",
"source": [
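"# Call the function above to populate the Microsoft Sentinel workspace parameters.\r\n",
"# The file config.json was generated by the system; you may modify its values or set the variables manually.\r\n",
"# tenant_id and user_object_id are used later in the az login command and in the Key Vault access policy, so check them before running the cells below.\r\n",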
"tenant_id, subscription_id, resource_group, workspace_id, workspace_name, user_alias, user_object_id = read_config_values('config.json');"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290448024
}
}
},
{
"cell_type": "code",
"source": [
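"# The Azure CLI prints a device code for signing in to Azure; copy the code and open the device login page that the CLI shows.\r\n",
"# Enter the code only on that page, and only for a sign-in you started yourself.\r\n",
"# The [--tenant $tenant_id] argument is optional; the command below already includes it.\r\n",
"# $tenant_id comes from config.json and is expanded into a shell command, so confirm it holds a plain tenant ID.\r\n",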
"!az login --tenant $tenant_id --use-device-code\r\n",
"kv_client = get_client_from_cli_profile(KeyVaultManagementClient, subscription_id = subscription_id, api_version=\"2019-09-01\")\r\n",
"resource_client = get_client_from_cli_profile(ResourceManagementClient, subscription_id = subscription_id)"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290463622
}
}
},
{
"cell_type": "code",
"source": [
"# Get Azure resource groups\r\n",
"group_list = resource_client.resource_groups.list()\r\n",
"group_dropdown = ipywidgets.Dropdown(options=sorted([g.name for g in group_list]), description='Groups:')\r\n",
"display(group_dropdown)"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290467148
}
}
},
{
"cell_type": "code",
"source": [
"# Get a list of key vaults in the selected resource group\r\n",
"if group_dropdown!= None:\r\n",
" kv_list = kv_client.vaults.list_by_resource_group(group_dropdown.value)\r\n",
" if kv_list != None:\r\n",
" kv_dropdown = ipywidgets.Dropdown(options=sorted([kv.name for kv in kv_list]), description='Key Vaults:')\r\n",
" display(kv_dropdown)"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290474397
}
}
},
{
"cell_type": "code",
"source": [
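"# Set the access policy for secrets; this needs to be executed only once on a specific Key Vault.\r\n",
"# NOTE(review): adding a secret needs only the \"set\" permission; \"get\" and \"list\" also let this identity enumerate and read the vault's existing secrets, so grant them only when that is required.\r\n",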
"properties = {\r\n",
" \"access_policies\": [\r\n",
" {\r\n",
" \"tenant_id\": tenant_id, \r\n",
" \"object_id\": user_object_id,\r\n",
" \"permissions\": {\r\n",
" \"secrets\": [\"get\", \"list\", \"set\"],\r\n",
" }\r\n",
" }]\r\n",
"}\r\n",
"\r\n",
"result = kv_client.vaults.update_access_policy(resource_group_name=group_dropdown.value, \r\n",
" vault_name=kv_dropdown.value, \r\n",
" operation_kind=\"ADD\", \r\n",
" properties=properties)"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290529986
}
}
},
{
"cell_type": "code",
"source": [
"# Initialize secret client for the selected key vault\r\n",
"if kv_dropdown.value != None:\r\n",
" kv_url = \"https://{0}.vault.azure.net/\".format(kv_dropdown.value)\r\n",
" secret_client = get_client_from_cli_profile(SecretClient, vault_url=kv_url.format(kv_dropdown.value), subscription_id = subscription_id)"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621290545687
}
}
},
{
"cell_type": "code",
"source": [
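"# Add a key-value pair; \"123456_abcd\" is a sample placeholder value.\r\n",
"# NOTE(review): do not type a real secret into this cell, because the cell source is saved with the notebook; read the value at run time instead, e.g. with getpass.getpass().\r\n",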
"secret = secret_client.set_secret(\"applicationid\", \"123456_abcd\")"
],
"outputs": [],
"execution_count": null,
"metadata": {
"collapsed": true,
"jupyter": {
"source_hidden": false,
"outputs_hidden": false
},
"nteract": {
"transient": {
"deleting": false
}
},
"gather": {
"logged": 1621291008786
}
}
}
],
"metadata": {
"kernel_info": {
"name": "python3-azureml"
},
"kernelspec": {
"name": "python3-azureml",
"language": "python",
"display_name": "Python 3.6 - AzureML"
},
"language_info": {
"name": "python",
"version": "3.6.9",
"mimetype": "text/x-python",
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"pygments_lexer": "ipython3",
"nbconvert_exporter": "python",
"file_extension": ".py"
},
"microsoft": {
"host": {
"AzureML": {
"notebookHasBeenCompleted": true
}
}
},
"nteract": {
"version": "nteract-front-end@1.0.0"
}
},
"nbformat": 4,
"nbformat_minor": 2
}