From fe24302189f758dd7cc671a66e3cc35a0d86c5b7 Mon Sep 17 00:00:00 2001 From: "Tong Xu (MSFT)" <57166602+v-xuto@users.noreply.github.com> Date: Wed, 30 Sep 2020 20:33:29 +0800 Subject: [PATCH] Delete the sample in v4 and update the readme (#7) * Delete the sample in v4 and update the readme * update * update Readme * Update by comments * Update Readme --- ...pPythonDeployment => .skipPythonDeployment | 0 README.md | 51 ++++--- v3/azuredeploy.json => azuredeploy.json | 0 v3/example.py => example.py | 5 + requirements.txt | 2 + v3/requirements.txt | 2 - v4/.skipPythonDeployment | 0 v4/azuredeploy.json | 128 ------------------ v4/example.py | 43 ------ v4/requirements.txt | 3 - v4/web.config | 13 -- v3/web.config => web.config | 0 12 files changed, 36 insertions(+), 211 deletions(-) rename v3/.skipPythonDeployment => .skipPythonDeployment (100%) rename v3/azuredeploy.json => azuredeploy.json (100%) rename v3/example.py => example.py (88%) create mode 100644 requirements.txt delete mode 100644 v3/requirements.txt delete mode 100644 v4/.skipPythonDeployment delete mode 100644 v4/azuredeploy.json delete mode 100644 v4/example.py delete mode 100644 v4/requirements.txt delete mode 100644 v4/web.config rename v3/web.config => web.config (100%) diff --git a/v3/.skipPythonDeployment b/.skipPythonDeployment similarity index 100% rename from v3/.skipPythonDeployment rename to .skipPythonDeployment diff --git a/README.md b/README.md index 0baf0e0..d865263 100644 --- a/README.md +++ b/README.md 
@@ -11,10 +11,22 @@ urlFragment: get-set-keyvault-secrets-managed-id-python # How to set and get secrets from Azure Key Vault with Azure Managed Identities and Python -## SDK Versions -In this sample, you will find the following folders: -* **v3** - references Key Vault SDK v3 -* **v4** - references Key Vault SDK v4 +## This sample shows how to do the following operations of Key Vault secret with Key Vault SDK +- Get Key Vault MSIAuthentication or ServicePrincipalCredentials +- Create a Key Vault client +- Get an existing secret + +## Use latest Key Vault SDK +The Key Vault SDK package version in this repo is **0.3.x**. It's strongly recommended that you use the [latest](https://pypi.org/project/azure-keyvault-secrets/) version of the Key Vault secret SDK package, please refer to the following examples: + + * [helloworld.py](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/keyvault/azure-keyvault-secrets/samples/hello_world.py) - Examples for common Key Vault secret tasks: + + * Get DefaultAzureCredential + * Create a secret client + * Create a new secret + * Get an existing secret + * Update an existing secret + * Delete a secret ## Background For service to service authentication, the approach involved creating an Azure AD application and associated credential, and using that credential to get a token. While this approach works well, there are two shortcomings: 
@@ -31,14 +43,14 @@ To run and deploy this sample, you need the following: 2. [Azure CLI 2.0] to run the application on your local development machine. ### Step 1: Create an App Service with an Azure Managed Identity - + Use the "Deploy to Azure" button to deploy an ARM template to create the following resources: 1. App Service with [Azure Managed Identities]. 2. Key Vault with a secret, and an access policy that grants the App Service access to **Get Secrets**. ->Note: When filling out the template you will see a textbox labeled 'Key Vault Secret'. Enter a secret value there. A secret with the name 'secret' and value from what you entered will be created in the Key Vault. +>Note: When preparing the deployment, there will be a few required fields to fill out (subscription, resource group, region, website name, Key Vault name, and secret value). The secret value will be the value of the secret named "secret" created in the Key Vault upon deployment. Review the resources created using the Azure portal. You should see an App Service and a Key Vault. View the access policies of the Key Vault to see that the App Service has access to it. @@ -53,7 +65,7 @@ Using the Azure Portal, go to the Key Vault's access policies, and grant yoursel 1. Search for your Key Vault in “Search Resources dialog box” in Azure Portal. 2. Select "Overview", and click on Access policies -3. Click on "Add New", select "Secret Management" from the dropdown for "Configure from template" +3. Click on "Add Access Policy", select "Secret Management" from the dropdown for "Configure from template" 4. Click on "Select Principal", add your account 5. Save the Access Policies 
@@ -83,25 +95,20 @@ You can also create an Azure service principal either through ``` git clone https://github.com/Azure-Samples/azure-sdk-for-python-keyvault-secrets-get-set-managedid.git + cd azure-sdk-for-python-keyvault-secrets-get-set-managedid ``` -4. Run the following command to install dependencies for "SDK version 3" and "SDK version 4": - -- SDK version 4 - -``` -cd v4 -pip install -r requirements.txt -``` +4. Run the following command to install dependencies: -- SDK version 3 -``` -cd v3 -pip install -r requirements.txt -``` + ``` + pip install -r requirements.txt + ``` -5. Set up the environment variable `KEY_VAULT_URL` with your KeyVault URL or replace the variable in the example file. +5. Set up the environment variable `KEY_VAULT_URI` with your KeyVault URI or replace the variable in the example file. + ``` + SET KEY_VAULT_URI=https://{your vault name}.vault.azure.net/ # setting environment variable in Windows command prompt + ``` 6. Export these environment variables into your current shell or update the credentials in the example file. @@ -124,7 +131,7 @@ pip install -r requirements.txt ## Deploying on Azure Web App -1. Set the `KEY_VAULT_URL` environment variable using the "Application Settings" of your Web App. +1. Set the `KEY_VAULT_URI` environment variable using the "Application Settings" of your Web App. 1. Connect to the [Kudu console] and install the dependencies. If you installed the Python 3.6.2x86 extension, the command line will be: diff --git a/v3/azuredeploy.json b/azuredeploy.json similarity index 100% rename from v3/azuredeploy.json rename to azuredeploy.json diff --git a/v3/example.py b/example.py similarity index 88% rename from v3/example.py rename to example.py index 2af5d0a..3b3885f 100644 --- a/v3/example.py +++ b/example.py 
@@ -1,3 +1,4 @@ +# This file uses an outdated library. Please see the readme to find the latest version. from msrestazure.azure_active_directory import MSIAuthentication, ServicePrincipalCredentials from azure.keyvault import KeyVaultClient import os @@ -6,6 +7,7 @@ app = Flask(__name__) +# Deprecated Libraries def get_key_vault_credentials(): """This tries to get a token using MSI, or fallback to SP env variables. """ @@ -28,13 +30,16 @@ def run_example(): # Get credentials credentials = get_key_vault_credentials() + # Deprecated Libraries # Create a KeyVault client key_vault_client = KeyVaultClient( credentials ) + # Deprecated Libraries key_vault_uri = os.environ.get("KEY_VAULT_URI") + # Deprecated Libraries secret = key_vault_client.get_secret( key_vault_uri, # Your KeyVault URL "secret", # Name of your secret. If you followed the README 'secret' should exists diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..3edd042 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,2 @@ +azure-keyvault==0.3.6 +flask \ No newline at end of file diff --git a/v3/requirements.txt b/v3/requirements.txt deleted file mode 100644 index a9122bc..0000000 --- a/v3/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -azure-keyvault>=0.3.6 -flask \ No newline at end of file diff --git a/v4/.skipPythonDeployment b/v4/.skipPythonDeployment deleted file mode 100644 index e69de29..0000000 diff --git a/v4/azuredeploy.json b/v4/azuredeploy.json deleted file mode 100644 index 040f62d..0000000 --- a/v4/azuredeploy.json +++ /dev/null 
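Review bot: In the third hunk of example.py, `key_vault_uri = os.environ.get("KEY_VAULT_URI")` is still passed straight into `key_vault_client.get_secret(` with no check, so when the variable is unset (the README now tells users to export it by hand) the vault URL is `None` and the failure surfaces deep inside the SDK rather than at the point of configuration; a guard such as `if not key_vault_uri: raise RuntimeError("KEY_VAULT_URI is not set")` placed before the `get_secret` call would fail early with a clear message. The three `# Deprecated Libraries` markers added inside run_example also overshoot: the one above the `os.environ.get` line annotates a stdlib call, not a deprecated library, and the file-level notice in the first hunk already says the whole file targets the old `azure-keyvault` 0.3.x API, so keeping only the marker above `KeyVaultClient(` (or rewording it to `# azure-keyvault 0.3.x client API (deprecated; see README)`) would say the same thing once. The body of run_example continues outside the hunk.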
@@ -1,128 +0,0 @@ -{ - "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "webSiteName": { - "type": "string", - "maxLength": 15, - "metadata": { - "description": "Name of the Web App." - } - }, - "skuName": { - "type": "string", - "defaultValue": "F1", - "allowedValues": [ - "F1", - "D1", - "B1", - "B2", - "B3", - "S1", - "S2", - "S3", - "P1", - "P2", - "P3", - "P4" - ], - "metadata": { - "description": "Describes plan's pricing tier and instance size. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/" - } - }, - "keyVaultName": { - "type": "string", - "metadata": { - "description": "Key Vault to be created. Web site will be granted access to this Key Vault." - } - }, - "keyVaultSecret": { - "type": "string", - "metadata": { - "description": "Secret to add to the Key Vault" - } - } - }, - "variables": { - "hostingPlanName": "[concat('hostingplan', uniqueString(resourceGroup().id))]", - "identityResourceId" : "[concat(resourceId('Microsoft.Web/sites', parameters('webSiteName')),'/providers/Microsoft.ManagedIdentity/Identities/default')]" - }, - "resources": [ - { - "apiVersion": "2016-03-01", - "name": "[variables('hostingPlanName')]", - "type": "Microsoft.Web/serverfarms", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "HostingPlan" - }, - "sku": { - "name": "[parameters('skuName')]", - "capacity": 1 - }, - "properties": { - "name": "[variables('hostingPlanName')]" - } - }, - { - "apiVersion": "2016-03-01", - "name": "[parameters('webSiteName')]", - "type": "Microsoft.Web/sites", - "location": "[resourceGroup().location]", - "identity": { - "type": "SystemAssigned" - }, - "dependsOn": [ - "[variables('hostingPlanName')]" - ], - "tags": { - "[concat('hidden-related:', resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName')))]": "empty", - "displayName": "Website" - }, - "properties": { - "name": 
"[parameters('webSiteName')]", - "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]" - } - }, - { - "type": "Microsoft.KeyVault/vaults", - "name": "[parameters('keyVaultName')]", - "apiVersion": "2015-06-01", - "location": "[resourceGroup().location]", - "tags": {}, - "properties": { - "sku": { - "family": "A", - "name": "Standard" - }, - "tenantId": "[reference(variables('identityResourceId'), '2015-08-31-PREVIEW').tenantId]", - "accessPolicies": [ - { - "tenantId": "[reference(variables('identityResourceId'), '2015-08-31-PREVIEW').tenantId]", - "objectId": "[reference(variables('identityResourceId'), '2015-08-31-PREVIEW').principalId]", - "permissions": { - "secrets": [ - "get" - ] - } - } - ], - "enabledForDeployment": false - }, - "dependsOn": [ - "[concat('Microsoft.Web/sites/', parameters('webSiteName'))]" - ] - }, - { - "type": "Microsoft.KeyVault/vaults/secrets", - "name": "[concat(parameters('keyVaultName'), '/', 'secret')]", - "apiVersion": "2015-06-01", - "properties": { - "value": "[parameters('keyVaultSecret')]" - }, - "dependsOn": [ - "[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]" - ] - } - ] -} \ No newline at end of file diff --git a/v4/example.py b/v4/example.py deleted file mode 100644 index 975c28c..0000000 --- a/v4/example.py +++ /dev/null 
@@ -1,43 +0,0 @@ -from azure.keyvault.secrets import SecretClient -from azure.identity import DefaultAzureCredential - -import os - -from flask import Flask -app = Flask(__name__) - - -def run_example(): - """Azure Managed Identities Authentication example.""" - - # Get credentials - credentials = DefaultAzureCredential() - - key_vault_uri = os.environ.get("KEY_VAULT_URI") - - # Create a secret client - secret_client = SecretClient( - key_vault_uri, # Your KeyVault URL - credentials - ) - - secret = secret_client.get_secret("secret") # Name of your secret. If you followed the README 'secret' should exists - - return "My secret value is {}".format(secret.value) - - -@app.route('/') -def hello_world(): - try: - return run_example() - except Exception as err: - return str(err) - - -@app.route('/ping') -def ping(): - return "Hello world" - - -if __name__ == '__main__': - app.run() diff --git a/v4/requirements.txt b/v4/requirements.txt deleted file mode 100644 index f949fee..0000000 --- a/v4/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -azure-keyvault-secrets==4.0.0 -azure-identity==1.0.1 -flask diff --git a/v4/web.config b/v4/web.config deleted file mode 100644 index 2b71d03..0000000 --- a/v4/web.config +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - - - - - \ No newline at end of file diff --git a/v3/web.config b/web.config similarity index 100% rename from v3/web.config rename to web.config