
We are running Python scripts in Azure Data Factory using the Batch Service of Azure Data Factory.
We are reading secrets from Key Vault using a Service Principal, for which we need to hardcode the Client Id and Client Secret that have access to read secret values.
Is there any way to overcome this problem so that there is no requirement of hardcoding the Service Principal?
Can we use Managed Identities in this case?

We tried using Managed Identities and we created a User Managed Identity to access the Key Vault.
The Batch Account and Azure Data Factory have been provided access to this User Managed Identity.
But we are unable to find the next steps in this case.

We have User-Assigned managed identity which has been associated to both Data Factory and Batch Account and this Managed Identity has Secret read permissions as well.
[screenshot]

Running the below Python script to read the secrets.

[screenshot]

But the issue we are now facing is shown below:
[screenshot]

The managed identity has the following associated resources:
[screenshot]

2 Answers


  1. Chosen as BEST ANSWER

    When we are developing an Azure Batch Account and deploying pools in the Batch Account, the created Managed Identity should have Secrets Read permissions.

    The Managed Identity should be associated with the below mentioned resources in this case.

    1. Azure Data Factory
    2. Azure Batch Account
    3. Pool developed under the Batch Account

    We were not associating the Managed Identity to the pool created and were facing this error. The below Python script worked for me.

    [screenshot]

    Thanks


  2.

        DefaultAzureCredential failed to retrieve a token from the included credentials.
        Attempted credentials:
            EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
        Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
            ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable

    Managed identity doesn’t have permission to get the secret; that may be the reason for the error above. Give the required permission to the managed identity in Key Vault by following the procedure below:

    Create an access policy in Key Vault as follows:

    Go to access policies in Key Vault, click on Create, select the permissions and the identity, and then click on Review+create, as shown below:

    [screenshot]

    After creating the access policy, you will be able to get the secret from Key Vault successfully using the code below:

        from azure.keyvault.secrets import SecretClient
        from azure.identity import AzureCliCredential

        # Authenticate as whoever is signed in to the Azure CLI (az login) on this machine
        keyvault_credential = AzureCliCredential()
        # Client for the target vault (the answerer's example vault URL)
        secret_client = SecretClient("https://aksvs.vault.azure.net", keyvault_credential)
        # Fetch the secret named "secret" and show its name and value
        secret = secret_client.get_secret("secret")
        print(secret.name)
        print(secret.value)

    [screenshot]
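Pulling the two answers together, here is an added example (not code from the question or either answer) of the script a Batch task can run once the user-assigned identity is attached to the pool: it reads the secret with ManagedIdentityCredential, so no client secret is hard-coded anywhere, and it parses the DefaultAzureCredential failure text quoted above to separate "the identity endpoint was never reached" (pool assignment, first answer) from "a token was issued but the vault refused it" (access policy, second answer). The vault URL, secret name and identity client ID are placeholders, the cause texts are my interpretation of the SDK message, and the azure-identity and azure-keyvault-secrets packages are assumed to be installed on the node.

```python
import re

# Constructed sample: the DefaultAzureCredential failure text quoted in the second answer.
SAMPLE_ERROR = """DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
Visit https://aka.ms/azsdk/python/identity/environmentcredential/troubleshoot to troubleshoot this issue.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable"""

# Likely cause per credential when it reports "authentication unavailable" on a Batch node
# (interpretation of the SDK wording, not text from the SDK itself).
UNAVAILABLE_CAUSES = {
    "EnvironmentCredential": "no AZURE_CLIENT_ID/AZURE_TENANT_ID/AZURE_CLIENT_SECRET in the task "
                             "environment; expected once the service principal secret is no longer hard-coded",
    "ManagedIdentityCredential": "identity endpoint unreachable: the user-assigned identity is not attached "
                                 "to the Batch pool (assigning it to the account and Data Factory is not enough)",
}


def diagnose_credential_chain(error_text: str) -> dict:
    """Map each credential named in a DefaultAzureCredential failure to a likely cause.

    "authentication unavailable" means the SDK never obtained a token, so it is not a
    Key Vault permission problem: a missing access policy shows up later as a 403 from
    the vault, after a token was issued.
    """
    findings = {}
    for name, detail in re.findall(r"^\s*(\w+Credential):\s*(.+)$", error_text, re.M):
        if "unavailable" in detail:
            findings[name] = UNAVAILABLE_CAUSES.get(name, "credential not configured")
        else:
            findings[name] = detail.strip()
    return findings


def read_secret(vault_url: str, secret_name: str, identity_client_id: str) -> str:
    """Read a secret with the user-assigned managed identity; no client secret in code or config.

    identity_client_id is the non-secret client ID of the user-assigned identity; it is passed
    explicitly because a node may have more than one identity attached.
    """
    # Imported here so diagnose_credential_chain() runs without the Azure SDK installed.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    credential = ManagedIdentityCredential(client_id=identity_client_id)
    client = SecretClient(vault_url=vault_url, credential=credential)
    return client.get_secret(secret_name).value
```

Call read_secret("https://<vault-name>.vault.azure.net", "<secret-name>", "<identity-client-id>") from the task; on failure, pass str(exc) to diagnose_credential_chain() before changing any Key Vault permissions.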
