import os import logging from azure.identity.aio import ManagedIdentityCredential, AzureCliCredential, ChainedTokenCredential from azure.keyvault.secrets.aio import SecretClient as AsyncSecretClient from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError class KeyVaultClient: """ KeyVaultClient provides methods to retrieve secrets from an Azure Key Vault. """ def __init__(self): self.key_vault_name = os.getenv("AZURE_KEY_VAULT_NAME") if not self.key_vault_name: logging.error("[keyvault] AZURE_KEY_VAULT_NAME environment variable not set.") raise ValueError("AZURE_KEY_VAULT_NAME environment variable not set.") self.kv_uri = f"https://{self.key_vault_name}.vault.azure.net" # Initialize the ChainedTokenCredential with ManagedIdentityCredential and AzureCliCredential try: self.credential = ChainedTokenCredential( ManagedIdentityCredential(), AzureCliCredential() ) logging.debug("[keyvault] Initialized ChainedTokenCredential with ManagedIdentityCredential and AzureCliCredential.") except Exception as e: logging.error(f"[keyvault] Failed to initialize ChainedTokenCredential: {e}") raise self.clients = {} # Cache SecretClient instances if needed async def get_secret(self, secret_name): """ Retrieves the value of a secret from Azure Key Vault. Parameters: secret_name (str): The name of the secret to retrieve. Returns: str: The value of the secret, or None if not found or an error occurs. """ if not self.key_vault_name: logging.error("[keyvault] Key Vault name is not configured.") return None try: async with AsyncSecretClient(vault_url=self.kv_uri, credential=self.credential) as client: retrieved_secret = await client.get_secret(secret_name) logging.debug(f"[keyvault] Successfully retrieved secret '{secret_name}'.") return retrieved_secret.value except ClientAuthenticationError: logging.error(f"[keyvault] Authentication failed when reading '{secret_name}'. Please check your credentials.") return None except ResourceNotFoundError: logging.debug(f"[keyvault] Secret '{secret_name}' not found in the Key Vault.") return None except Exception as e: logging.error(f"[keyvault] An unexpected error occurred when reading '{secret_name}': {e}") return None async def close(self): """ Closes the credential client session. """ if self.credential: await self.credential.close() logging.debug("[keyvault] Credential has been closed.")