From e957801db130ee3098db83f35fb1f5703fd7206e Mon Sep 17 00:00:00 2001
From: Stefan Seiz
Date: Tue, 12 May 2020 09:00:57 +0200
Subject: [PATCH 01/17] Keyvault Lookup Plugin Added
---
 plugins/lookup/azure_keyvault_secret.py | 178 ++++++++++++++++++++++++
 1 file changed, 178 insertions(+)
 create mode 100644 plugins/lookup/azure_keyvault_secret.py
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
new file mode 100644
index 000000000..fcc71308d
--- /dev/null
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -0,0 +1,178 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = """ + lookup: azure_keyvault_secret + author: + - Hai Cao + version_added: 2.7 + requirements: + - requests + - azure + - msrest + short_description: Read secret from Azure Key Vault. + description: + - This lookup returns the content of secret saved in Azure Key Vault. + - When ansible host is MSI enabled Azure VM, user don't need provide any credential to access to Azure Key Vault. + options: + _terms: + description: Secret name, version can be included like secret_name/secret_version. + required: True + vault_url: + description: Url of Azure Key Vault. + required: True + client_id: + description: Client id of service principal that has access to the Azure Key Vault + secret: + description: Secret of the service principal. + tenant_id: + description: Tenant id of service principal. + notes: + - If version is not provided, this plugin will return the latest version of the secret. + - If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant isn't required. + - For enabling MSI on Azure VM, please refer to this doc https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/ + - After enabling MSI on Azure VM, remember to grant access of the Key Vault to the VM by adding a new Acess Policy in Azure Portal. + - If MSI is not enabled on ansible host, it's required to provide a valid service principal which has access to the key vault. + - To use a plugin from a collection, please reference the full namespace, collection name, and lookup plugin name that you want to use. 
+""" + +EXAMPLE = """ +- name: Look up secret when ansible host is MSI enabled Azure VM + debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret','testSecret/version',vault_url='https://yourvault.vault.azure.net')}}" + +- name: Look up secret when ansible host is general VM + vars: + url: 'https://yourvault.vault.azure.net' + secretname: 'testSecret/version' + client_id: '123456789' + secret: 'abcdefg' + tenant: 'uvwxyz' + debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret',secretname,vault_url=url, cliend_id=client_id, secret=secret, tenant_id=tenant)}}" + +# Example below creates an Azure Virtual Machine with SSH public key from key vault using 'azure_keyvault_secret' lookup plugin. +- name: Create Azure VM + hosts: localhost + connection: local + no_log: True + vars: + resource_group: myResourceGroup + vm_name: testvm + location: eastus + ssh_key: "{{ lookup('azure.azcollection.azure_keyvault_secret','myssh_key') }}" + - name: Create VM + azure_rm_virtualmachine: + resource_group: "{{ resource_group }}" + name: "{{ vm_name }}" + vm_size: Standard_DS1_v2 + admin_username: azureuser + ssh_password_enabled: false + ssh_public_keys: + - path: /home/azureuser/.ssh/authorized_keys + key_data: "{{ ssh_key }}" + network_interfaces: "{{ vm_name }}" + image: + offer: UbuntuServer + publisher: Canonical + sku: 16.04-LTS + version: latest +""" + +RETURN = """ + _raw: + description: secret content string +""" + +from ansible.errors import AnsibleError, AnsibleParserError +from ansible.plugins.lookup import LookupBase +from ansible.utils.display import Display +import requests + +display = Display() + +TOKEN_ACQUIRED = False + +token_params = { + 'api-version': '2018-02-01', + 'resource': 'https://vault.azure.net' +} +token_headers = { + 'Metadata': 'true' +} +token = None +try: + token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, 
headers=token_headers) + if token_res.ok: + token = token_res.json().get("access_token") + if token is not None: + TOKEN_ACQUIRED = True + else: + display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.') + else: + display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code) +except requests.exceptions.RequestException: + display.v('Unable to fetch MSI token. Will use service principal if provided.') + TOKEN_ACQUIRED = False + + + +def lookup_secret_non_msi(terms, vault_url, kwargs): + import logging + logging.getLogger('msrestazure.azure_active_directory').addHandler(logging.NullHandler()) + logging.getLogger('msrest.service_client').addHandler(logging.NullHandler()) + + try: + from azure.common.credentials import ServicePrincipalCredentials + from azure.keyvault import KeyVaultClient + from msrest.exceptions import AuthenticationError, ClientRequestError + from azure.keyvault.models.key_vault_error import KeyVaultErrorException + except ImportError: + raise AnsibleError('The azure_keyvault_secret lookup plugin requires azure.keyvault and azure.common.credentials to be installed.') + + client_id = kwargs.pop('client_id', None) + secret = kwargs.pop('secret', None) + tenant_id = kwargs.pop('tenant_id', None) + + try: + credentials = ServicePrincipalCredentials( + client_id=client_id, + secret=secret, + tenant=tenant_id + ) + client = KeyVaultClient(credentials) + except AuthenticationError: + raise AnsibleError('Invalid credentials provided.') + + ret = [] + for term in terms: + try: + secret_val = client.get_secret(vault_url, term, '').value + ret.append(secret_val) + except ClientRequestError: + raise AnsibleError('Error occurred in request') + except KeyVaultErrorException: + raise AnsibleError('Failed to fetch secret ' + term + '.') + return ret + + +class LookupModule(LookupBase): + + def run(self, terms, variables, **kwargs): + + ret = [] + 
vault_url = kwargs.pop('vault_url', None) + if vault_url is None: + raise AnsibleError('Failed to get valid vault url.') + if TOKEN_ACQUIRED: + secret_params = {'api-version': '2016-10-01'} + secret_headers = {'Authorization': 'Bearer ' + token} + for term in terms: + try: + secret_res = requests.get(vault_url + '/secrets/' + term, params=secret_params, headers=secret_headers) + ret.append(secret_res.json()["value"]) + except requests.exceptions.RequestException: + raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.') + except KeyError: + raise AnsibleError('Failed to fetch secret ' + term + '.') + return ret + else: + return lookup_secret_non_msi(terms, vault_url, kwargs) From aeef7a22b8540d7ab87f0830571d4cc0f92fac80 Mon Sep 17 00:00:00 2001 From: Stefan Seiz Date: Tue, 12 May 2020 09:00:57 +0200 Subject: [PATCH 02/17] Keyvault Lookup Plugin Added --- plugins/lookup/azure_keyvault_secret.py | 178 ++++++++++++++++++++++++ 1 file changed, 178 insertions(+) create mode 100644 plugins/lookup/azure_keyvault_secret.py diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py new file mode 100644 index 000000000..fcc71308d --- /dev/null +++ b/plugins/lookup/azure_keyvault_secret.py 
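Review bot: In LookupModule.run at the end of the hunk, the MSI bearer token is sent with `requests.get(vault_url + '/secrets/' + term, ...)` to whatever `vault_url` the playbook supplies, with no check that it is an https Key Vault endpoint, so a mistyped or untrusted variable would hand the VM's vault-scoped token to a plain-http or foreign host; add `if not vault_url.startswith('https://'): raise AnsibleError('vault_url must be an https Key Vault URL.')` after the `vault_url is None` test and consider checking the host suffix as well. The token itself is requested once at module import and never refreshed (the IMDS response carries an `expires_on` field), so a long run starts failing with the generic 'Failed to fetch secret' once it expires, and every plugin load, `ansible-doc` included, probes 169.254.169.254; fetching it lazily inside run() and re-requesting on a 401 would address both. The same 178-line hunk is repeated unchanged as PATCH 02/17.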
@@ -0,0 +1,178 @@ +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +DOCUMENTATION = """ + lookup: azure_keyvault_secret + author: + - Hai Cao + version_added: 2.7 + requirements: + - requests + - azure + - msrest + short_description: Read secret from Azure Key Vault. + description: + - This lookup returns the content of secret saved in Azure Key Vault. + - When ansible host is MSI enabled Azure VM, user don't need provide any credential to access to Azure Key Vault. + options: + _terms: + description: Secret name, version can be included like secret_name/secret_version. + required: True + vault_url: + description: Url of Azure Key Vault. + required: True + client_id: + description: Client id of service principal that has access to the Azure Key Vault + secret: + description: Secret of the service principal. + tenant_id: + description: Tenant id of service principal. + notes: + - If version is not provided, this plugin will return the latest version of the secret. + - If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant isn't required. + - For enabling MSI on Azure VM, please refer to this doc https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/ + - After enabling MSI on Azure VM, remember to grant access of the Key Vault to the VM by adding a new Acess Policy in Azure Portal. + - If MSI is not enabled on ansible host, it's required to provide a valid service principal which has access to the key vault. + - To use a plugin from a collection, please reference the full namespace, collection name, and lookup plugin name that you want to use. 
+""" + +EXAMPLE = """ +- name: Look up secret when ansible host is MSI enabled Azure VM + debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret','testSecret/version',vault_url='https://yourvault.vault.azure.net')}}" + +- name: Look up secret when ansible host is general VM + vars: + url: 'https://yourvault.vault.azure.net' + secretname: 'testSecret/version' + client_id: '123456789' + secret: 'abcdefg' + tenant: 'uvwxyz' + debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret',secretname,vault_url=url, cliend_id=client_id, secret=secret, tenant_id=tenant)}}" + +# Example below creates an Azure Virtual Machine with SSH public key from key vault using 'azure_keyvault_secret' lookup plugin. +- name: Create Azure VM + hosts: localhost + connection: local + no_log: True + vars: + resource_group: myResourceGroup + vm_name: testvm + location: eastus + ssh_key: "{{ lookup('azure.azcollection.azure_keyvault_secret','myssh_key') }}" + - name: Create VM + azure_rm_virtualmachine: + resource_group: "{{ resource_group }}" + name: "{{ vm_name }}" + vm_size: Standard_DS1_v2 + admin_username: azureuser + ssh_password_enabled: false + ssh_public_keys: + - path: /home/azureuser/.ssh/authorized_keys + key_data: "{{ ssh_key }}" + network_interfaces: "{{ vm_name }}" + image: + offer: UbuntuServer + publisher: Canonical + sku: 16.04-LTS + version: latest +""" + +RETURN = """ + _raw: + description: secret content string +""" + +from ansible.errors import AnsibleError, AnsibleParserError +from ansible.plugins.lookup import LookupBase +from ansible.utils.display import Display +import requests + +display = Display() + +TOKEN_ACQUIRED = False + +token_params = { + 'api-version': '2018-02-01', + 'resource': 'https://vault.azure.net' +} +token_headers = { + 'Metadata': 'true' +} +token = None +try: + token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, 
headers=token_headers) + if token_res.ok: + token = token_res.json().get("access_token") + if token is not None: + TOKEN_ACQUIRED = True + else: + display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.') + else: + display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code) +except requests.exceptions.RequestException: + display.v('Unable to fetch MSI token. Will use service principal if provided.') + TOKEN_ACQUIRED = False + + + +def lookup_secret_non_msi(terms, vault_url, kwargs): + import logging + logging.getLogger('msrestazure.azure_active_directory').addHandler(logging.NullHandler()) + logging.getLogger('msrest.service_client').addHandler(logging.NullHandler()) + + try: + from azure.common.credentials import ServicePrincipalCredentials + from azure.keyvault import KeyVaultClient + from msrest.exceptions import AuthenticationError, ClientRequestError + from azure.keyvault.models.key_vault_error import KeyVaultErrorException + except ImportError: + raise AnsibleError('The azure_keyvault_secret lookup plugin requires azure.keyvault and azure.common.credentials to be installed.') + + client_id = kwargs.pop('client_id', None) + secret = kwargs.pop('secret', None) + tenant_id = kwargs.pop('tenant_id', None) + + try: + credentials = ServicePrincipalCredentials( + client_id=client_id, + secret=secret, + tenant=tenant_id + ) + client = KeyVaultClient(credentials) + except AuthenticationError: + raise AnsibleError('Invalid credentials provided.') + + ret = [] + for term in terms: + try: + secret_val = client.get_secret(vault_url, term, '').value + ret.append(secret_val) + except ClientRequestError: + raise AnsibleError('Error occurred in request') + except KeyVaultErrorException: + raise AnsibleError('Failed to fetch secret ' + term + '.') + return ret + + +class LookupModule(LookupBase): + + def run(self, terms, variables, **kwargs): + + ret = [] + 
vault_url = kwargs.pop('vault_url', None) + if vault_url is None: + raise AnsibleError('Failed to get valid vault url.') + if TOKEN_ACQUIRED: + secret_params = {'api-version': '2016-10-01'} + secret_headers = {'Authorization': 'Bearer ' + token} + for term in terms: + try: + secret_res = requests.get(vault_url + '/secrets/' + term, params=secret_params, headers=secret_headers) + ret.append(secret_res.json()["value"]) + except requests.exceptions.RequestException: + raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.') + except KeyError: + raise AnsibleError('Failed to fetch secret ' + term + '.') + return ret + else: + return lookup_secret_non_msi(terms, vault_url, kwargs) From d1c99f2c9469f79596b7f5404ebcb1e0d383e0aa Mon Sep 17 00:00:00 2001 From: Stefan Seiz <54583628+taasest8@users.noreply.github.com> Date: Fri, 1 Apr 2022 22:03:52 +0200 Subject: [PATCH 03/17] Apply suggestions from code review Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com> --- plugins/lookup/azure_keyvault_secret.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py index fcc71308d..a5cd6a6c8 100644 --- a/plugins/lookup/azure_keyvault_secret.py +++ b/plugins/lookup/azure_keyvault_secret.py @@ -5,7 +5,7 @@ lookup: azure_keyvault_secret author: - Hai Cao - version_added: 2.7 + version_added: 1.12.0 requirements: - requests - azure @@ -85,7 +85,10 @@ from ansible.errors import AnsibleError, AnsibleParserError from ansible.plugins.lookup import LookupBase from ansible.utils.display import Display -import requests +try: + import requests +except ImportError: + pass display = Display() From b9382f40faeaefb3271c28c90069bfa60cdec85e Mon Sep 17 00:00:00 2001 
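Review bot: `except ImportError: pass` (the new lines of the second hunk) leaves the name `requests` unbound, so on a controller without the package the module-level `requests.get(...)` below raises NameError and plugin loading fails without naming the dependency (the except clause there references `requests.exceptions.RequestException` and so cannot catch it either); the collection convention is `except ImportError: HAS_REQUESTS = False`, skipping the IMDS probe when it is False and raising `AnsibleError('The azure_keyvault_secret lookup plugin requires requests to be installed.')` from run() only when the MSI path is taken. PATCH 13/17 instead raises at import time and PATCH 14/17 reverts that to `pass`; raising at import would also break the service-principal path, which never references `requests`, so the flag keeps both working. `AnsibleParserError`, imported two lines above the hunk's changes, is not used anywhere in the file.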
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Fri, 1 Apr 2022 22:26:08 +0200
Subject: [PATCH 04/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Triantafyllos <88321799+ttsakpc@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index a5cd6a6c8..5ac2efd8f 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -103,7 +103,7 @@
 }
 token = None
 try:
- token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers)
+ token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
 if token_res.ok:
 token = token_res.json().get("access_token")
 if token is not None:
From 62b297d4cd5b82b6b9a1735f6fda615b1292ac65 Mon Sep 17 00:00:00 2001
From: Stefan Seiz
Date: Mon, 4 Apr 2022 11:32:52 +0200
Subject: [PATCH 05/17] linting
---
 plugins/lookup/azure_keyvault_secret.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 5ac2efd8f..040f37c02 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -38,7 +38,14 @@
 EXAMPLE = """
 - name: Look up secret when ansible host is MSI enabled Azure VM
- debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret','testSecret/version',vault_url='https://yourvault.vault.azure.net')}}"
+ debug:
+ msg: "the value of this secret is {{
+ lookup(
+ 'azure.azcollection.azure_keyvault_secret',
+ 'testSecret/version',
+ vault_url='https://yourvault.vault.azure.net'
+ )
+ }}"
 - name: Look up secret when ansible host is general VM
 vars:
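Review bot: The timeout is only added to the IMDS probe; the Key Vault request in LookupModule.run, `requests.get(vault_url + '/secrets/' + term, params=secret_params, headers=secret_headers)` (outside this hunk), still has none and can block a play indefinitely on a stalled connection, so it should carry the same `timeout=(3.05, 27)`. Because this probe runs at module import, every load of the plugin on a non-Azure controller, `ansible-doc` included, now waits up to the 3.05 s connect timeout before falling back to the service-principal path; a one-line comment above `try:` stating that this delay is deliberate would save the next reader from re-investigating it.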
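Review bot: The block being reflowed is assigned to `EXAMPLE` (first context line of the hunk), but Ansible's doc tooling reads a string named `EXAMPLES`, so `ansible-doc` will show no examples for this plugin; rename it to `EXAMPLES = """`. The multi-line Jinja inside a double-quoted YAML scalar is fine since the line breaks fold to spaces, but the third example further down the same string calls the lookup with only `'myssh_key'` and omits the required `vault_url`, and from what survives of its layout it appears to place `- name: Create VM` without a `tasks:` key, so it would not run as written.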
@@ -47,7 +54,17 @@
 client_id: '123456789'
 secret: 'abcdefg'
 tenant: 'uvwxyz'
- debug: msg="the value of this secret is {{lookup('azure.azcollection.azure_keyvault_secret',secretname,vault_url=url, cliend_id=client_id, secret=secret, tenant_id=tenant)}}"
+ debug:
+ msg: "the value of this secret is {{
+ lookup(
+ 'azure.azcollection.azure_keyvault_secret',
+ secretname,
+ vault_url=url,
+ cliend_id=client_id,
+ secret=secret,
+ tenant_id=tenant
+ )
+ }}"
 # Example below creates an Azure Virtual Machine with SSH public key from key vault using 'azure_keyvault_secret' lookup plugin.
 - name: Create Azure VM
@@ -117,7 +134,6 @@
 TOKEN_ACQUIRED = False
-
 def lookup_secret_non_msi(terms, vault_url, kwargs):
 import logging
 logging.getLogger('msrestazure.azure_active_directory').addHandler(logging.NullHandler())
From b8ac6152852c26503dacad256fb7c580c4a45852 Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Wed, 6 Apr 2022 12:50:53 +0200
Subject: [PATCH 06/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 040f37c02..a8a470159 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -38,7 +38,7 @@
 EXAMPLE = """
 - name: Look up secret when ansible host is MSI enabled Azure VM
- debug:
+ debug:
 msg: "the value of this secret is {{
 lookup(
 'azure.azcollection.azure_keyvault_secret',
From 90f34be87aa26c128dcfd7a8648f036afb325159 Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Wed, 6 Apr 2022 12:51:02 +0200
Subject: [PATCH 07/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index a8a470159..d3ec00178 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -39,7 +39,7 @@
 EXAMPLE = """
 - name: Look up secret when ansible host is MSI enabled Azure VM
 debug:
- msg: "the value of this secret is {{
+ msg: "the value of this secret is {{
 lookup(
 'azure.azcollection.azure_keyvault_secret',
 'testSecret/version',
From 0fe16cd3fe0db4b5c814e0ffac3d3a364e076a4a Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:28:15 +0200
Subject: [PATCH 08/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index d3ec00178..4088bb63a 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -188,7 +188,10 @@ def run(self, terms, variables, **kwargs):
 try:
 secret_res = requests.get(vault_url + '/secrets/' + term, params=secret_params, headers=secret_headers)
 ret.append(secret_res.json()["value"])
- except requests.exceptions.RequestException:
+ except KeyError:
+ raise AnsibleError('Failed to fetch secret ' + term + '.')
+ except Exception:
+ raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
 raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
 except KeyError:
 raise AnsibleError('Failed to fetch secret ' + term + '.')
From a5dce0f56de2dcca6fff9b4dc372416bc81c22cb Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:28:28 +0200
Subject: [PATCH 09/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 4088bb63a..bc086b2a6 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -129,7 +129,7 @@
 display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.')
 else:
 display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code)
-except requests.exceptions.RequestException:
+except Exception:
 display.v('Unable to fetch MSI token. Will use service principal if provided.')
 TOKEN_ACQUIRED = False
From e5f5bc3d31067e2f920e5a3d201ba681524c73ad Mon Sep 17 00:00:00 2001
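Review bot: The new `except Exception:` drops the original error (it now also catches the ValueError from `.json()` on a non-JSON body), and a 401/403 from Key Vault comes back as a JSON error document without `value`, so an expired token or a missing access policy is reported through the `KeyError` branch as 'Failed to fetch secret' with no status at all; call `secret_res.raise_for_status()` before `.json()` and bind the exception, `except Exception as e:` / `raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.', orig_exc=e)`, so the HTTP status and reason reach the operator. The duplicated `raise` and `except KeyError:` lines left below the new block are cleaned up by PATCH 10–12/17. The enclosing `for term in terms:` loop and run() begin before this hunk.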
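Review bot: Widening the import-time handler to `except Exception:` also swallows the NameError raised when `requests` could not be imported (the `except ImportError: pass` earlier in the file leaves the name unbound), so a missing dependency shows up only as 'Unable to fetch MSI token' at -v and the plugin silently falls through to the service-principal path. If the broad catch is meant to guarantee that plugin loading never fails, say so in a comment and keep the cause visible: `except Exception as e:` with `display.v('Unable to fetch MSI token (%s). Will use service principal if provided.' % e)`; the `TOKEN_ACQUIRED = False` inside the handler repeats the initial value and can go.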
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:35:42 +0200
Subject: [PATCH 10/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index bc086b2a6..ca5f16693 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -192,7 +192,6 @@ def run(self, terms, variables, **kwargs):
 raise AnsibleError('Failed to fetch secret ' + term + '.')
 except Exception:
 raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
- raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
 except KeyError:
 raise AnsibleError('Failed to fetch secret ' + term + '.')
 return ret
From 36804d19ca93bf73577e54a6937c73b0abfa2ccf Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:36:04 +0200
Subject: [PATCH 11/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index ca5f16693..3438d7b08 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -192,7 +192,6 @@ def run(self, terms, variables, **kwargs):
 raise AnsibleError('Failed to fetch secret ' + term + '.')
 except Exception:
 raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
- except KeyError:
 raise AnsibleError('Failed to fetch secret ' + term + '.')
 return ret
 else:
From fee5bdb892cc9901b00103256190fb4ad7ae15ad Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:36:14 +0200
Subject: [PATCH 12/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 3438d7b08..1efc01281 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -192,7 +192,6 @@ def run(self, terms, variables, **kwargs):
 raise AnsibleError('Failed to fetch secret ' + term + '.')
 except Exception:
 raise AnsibleError('Failed to fetch secret: ' + term + ' via MSI endpoint.')
- raise AnsibleError('Failed to fetch secret ' + term + '.')
 return ret
 else:
 return lookup_secret_non_msi(terms, vault_url, kwargs)
From 1f3eb52017992be01703691cac256dcb110454b8 Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 09:40:49 +0200
Subject: [PATCH 13/17] Update azure_keyvault_secret.py
---
 plugins/lookup/azure_keyvault_secret.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 1efc01281..82ecf00a5 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -105,7 +105,7 @@
 try:
 import requests
 except ImportError:
- pass
+ raise AnsibleError('The azure_keyvault_secret lookup plugin requires requests to be installed.')
 display = Display()
@@ -115,10 +115,13 @@
 'api-version': '2018-02-01',
 'resource': 'https://vault.azure.net'
 }
+
 token_headers = {
 'Metadata': 'true'
 }
+
 token = None
+
 try:
 token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
 if token_res.ok:
@@ -136,6 +139,7 @@
 def lookup_secret_non_msi(terms, vault_url, kwargs):
 import logging
+
 logging.getLogger('msrestazure.azure_active_directory').addHandler(logging.NullHandler())
 logging.getLogger('msrest.service_client').addHandler(logging.NullHandler())
@@ -176,9 +180,9 @@ def lookup_secret_non_msi(terms, vault_url, kwargs):
 class LookupModule(LookupBase):
 def run(self, terms, variables, **kwargs):
-
 ret = []
 vault_url = kwargs.pop('vault_url', None)
+
 if vault_url is None:
 raise AnsibleError('Failed to get valid vault url.')
 if TOKEN_ACQUIRED:
From 15dd49bebe9b44f1512a4e1fe7bea1a708f870fe Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 14:57:40 +0200
Subject: [PATCH 14/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 82ecf00a5..043862c2c 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -105,7 +105,7 @@
 try:
 import requests
 except ImportError:
- raise AnsibleError('The azure_keyvault_secret lookup plugin requires requests to be installed.')
+ pass
 display = Display()
From 023297c5b57e0dbbdd990e5077ff14197b5b997a Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 21:10:41 +0200
Subject: [PATCH 15/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 043862c2c..ccac459fe 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -139,7 +139,6 @@
 def lookup_secret_non_msi(terms, vault_url, kwargs):
 import logging
- logging.getLogger('msrestazure.azure_active_directory').addHandler(logging.NullHandler())
 logging.getLogger('msrest.service_client').addHandler(logging.NullHandler())
From 9f1b6ad472c65cba74e8e9bf758866b479f3a74d Mon Sep 17 00:00:00 2001
From: Stefan Seiz <54583628+taasest8@users.noreply.github.com>
Date: Thu, 7 Apr 2022 21:10:49 +0200
Subject: [PATCH 16/17] Update plugins/lookup/azure_keyvault_secret.py
Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
---
 plugins/lookup/azure_keyvault_secret.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index ccac459fe..9b3efae09 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -181,7 +181,6 @@ class LookupModule(LookupBase):
 def run(self, terms, variables, **kwargs):
 ret = []
 vault_url = kwargs.pop('vault_url', None)
-
 if vault_url is None:
 raise AnsibleError('Failed to get valid vault url.')
 if TOKEN_ACQUIRED:
From 808203eaa3e7020ffe14be845225a4df8d142036 Mon Sep 17 00:00:00 2001
From: Zooopx
Date: Thu, 14 Apr 2022 17:48:56 +0800
Subject: [PATCH 17/17] fix doc error
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 9b3efae09..dcf7bb12a 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -60,7 +60,7 @@
 'azure.azcollection.azure_keyvault_secret',
 secretname,
 vault_url=url,
- cliend_id=client_id,
+ client_id=client_id,
 secret=secret,
 tenant_id=tenant
 )