HTTP request from a Python Azure Function App with a client certificate from Azure Key Vault

a64a0gku, posted 2023-08-02 in Python
Follow (0) | Answers (1) | Views (94)

I want to send an HTTPS request from a Python Azure Function App. I need to authenticate this request with a client certificate that is stored in Azure Key Vault.
When I test the HTTPS request with a PKCS#12 container loaded from disk, everything works:

from requests import Session
from requests_pkcs12 import Pkcs12Adapter

url = 'https://example/api/profile'

with Session() as s:
    # client certificate + private key from a PKCS#12 (.pfx) file on disk
    s.mount(url, Pkcs12Adapter(pkcs12_filename='cert.pfx', pkcs12_password='cert_password'))
    # verify the server against our own CA bundle
    r = s.get(url, verify='ca_cert.pem')

print(r.status_code)
print(r.text)

It turns out that using the certificate from Key Vault is a bit more involved.
I tried to fetch the PKCS#12 certificate object with the CertificateClient class and the password with the SecretClient class:

import logging

from requests import Session
from requests_pkcs12 import Pkcs12Adapter
from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient
from azure.keyvault.secrets import SecretClient

pkcs12_name = 'cert_name'
pkcs12_pass_name = 'cert_password_name'
vault_name = 'vault-name'

# managed identity / developer credentials, whichever is available at runtime
credential = DefaultAzureCredential()

# certificate metadata and public part
cert_client = CertificateClient("https://" + vault_name + ".vault.azure.net/", credential)
cert = cert_client.get_certificate(pkcs12_name)

# the PKCS#12 password is stored as a separate secret
secret_client = SecretClient("https://" + vault_name + ".vault.azure.net/", credential)
secret = secret_client.get_secret(pkcs12_pass_name)

# debugging
logging.info('--== PKCS12 DETAILS ==--')
logging.info(cert.name)
logging.info(cert.properties.version)
logging.info('--== SECRET DETAILS ==--')
logging.info(secret.name)
logging.info(secret.properties)


This works fine; I get the certificate and the password. But how do I pass them to the PKCS#12 adapter the way I did with the local file? I cannot supply a file path, but I know there is a parameter pkcs12_data that accepts the container as bytes.

with Session() as s:  # `url` as in the first snippet
    s.mount(url, Pkcs12Adapter(pkcs12_data=cert, pkcs12_password=secret)) # <---- how to pass cert?
    r = s.get(url, verify='ca_cert.pem')
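An added example, not from the question or the answer, for the missing step: the private key of a Key Vault certificate is exposed through the secret of the same name, whose value is the base64 text of the PKCS#12 container, so `secret_client.get_secret(pkcs12_name)` followed by base64 decoding yields the bytes for `pkcs12_data`. It assumes the `cryptography` package; the Key Vault stand-in is constructed locally, and the real Key Vault calls are left to the caller (pass `secret.value` and `secret.properties.content_type`).

```python
import base64
import binascii
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PKCS12_CONTENT_TYPE = "application/x-pkcs12"  # content type Key Vault sets on PFX-backed certificate secrets

def keyvault_secret_to_pkcs12(secret_value, content_type, password):
    """Turn a certificate's backing secret (KeyVaultSecret.value and
    KeyVaultSecret.properties.content_type) into bytes for Pkcs12Adapter(pkcs12_data=...).
    The container is parsed once here so a PEM-typed secret, corrupt base64 or a wrong
    password fails up front instead of as an opaque TLS handshake error later."""
    if content_type != PKCS12_CONTENT_TYPE:
        raise ValueError(f"secret is not a PKCS#12 container: {content_type!r}")
    try:
        data = base64.b64decode(secret_value, validate=True)
    except binascii.Error as exc:
        raise ValueError("secret value is not valid base64") from exc
    # raises ValueError on a wrong password or a malformed container
    key, cert, _chain = pkcs12.load_key_and_certificates(data, password.encode())
    if key is None or cert is None:
        raise ValueError("container holds no private key or certificate")
    return data

def mount_client_cert(session, url, pkcs12_bytes, password, ca_bundle):
    """Mount the adapter as the question does, but from bytes instead of a file."""
    from requests_pkcs12 import Pkcs12Adapter
    session.mount(url, Pkcs12Adapter(pkcs12_data=pkcs12_bytes, pkcs12_password=password))
    session.verify = ca_bundle  # pin the server's CA, as verify='ca_cert.pem' did
    return session

def constructed_keyvault_secret(password="cert_password"):
    """Constructed stand-in for secret_client.get_secret(cert_name): a throwaway
    self-signed certificate packed as PKCS#12 and base64-encoded like Key Vault does."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    pfx = pkcs12.serialize_key_and_certificates(
        b"example-client", key, cert, None, serialization.BestAvailableEncryption(password.encode()))
    return base64.b64encode(pfx).decode(), PKCS12_CONTENT_TYPE
```

One caveat: a PFX that Key Vault generated itself, rather than one imported with its own password, is normally exported without password protection, so check what your container actually needs before wiring in the separately stored password secret.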

t0ybt7op 1#

I tried the code below with the app registration's client ID, client secret and tenant ID to get the certificate and the password from the key vault inside the function.

Code:

import logging
import azure.functions as func
from azure.identity import ClientSecretCredential
from azure.keyvault.secrets import SecretClient

# app registration used to reach Key Vault (placeholders)
client_id = '<client_ID>'
client_secret = '<client_secrete>'
tenant_id = '<tenant_ID>'

vault_url = 'https://kamkeyvaul.vault.azure.net'

def main(req: func.HttpRequest, context: func.Context) -> func.HttpResponse:
    try:
        credentials = ClientSecretCredential(
            client_id=client_id,
            client_secret=client_secret,
            tenant_id=tenant_id
        )

        client = SecretClient(vault_url=vault_url, credential=credentials)
        # the certificate's backing secret and the separately stored password
        certificate_secret = client.get_secret("<certificate_name>").value
        password_secret = client.get_secret("<password_secrete>").value

        # demonstration only: writes the secret values to the function log
        logging.info("Certificate Secret: %s", certificate_secret)
        logging.info("Password Secret: %s", password_secret)

        return func.HttpResponse("Secrets retrieved successfully.", status_code=200)
    except Exception as e:
        logging.error(f"An error occurred: {e}")
        return func.HttpResponse("Internal Server Error", status_code=500)


requirements.txt:

azure-functions
azure-identity
azure-keyvault-certificates
azure-keyvault-secrets
requests
requests_pkcs12


I gave the function app a managed identity in the Azure Portal as follows:

Before running the code, I gave the function app's app registration permission in the Azure Portal to get certificates and secrets from the key vault, as follows:

Output:

It ran successfully and returned the certificate and the password as follows:

Opening the output URL in the browser, I got the following:

My certificate password is as follows: