{"id":55158,"date":"2022-07-07T16:42:32","date_gmt":"2022-07-07T11:12:32","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=55158"},"modified":"2022-07-18T22:44:13","modified_gmt":"2022-07-18T17:14:13","slug":"azure-account-authentication-using-python3","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/azure-account-authentication-using-python3\/","title":{"rendered":"Azure Account Authentication Using Python3"},"content":{"rendered":"

Need for Authentication:<\/b><\/h4>\n

To communicate with Azure Resources we need to do authentication, suppose you have an application that monitors Azure resources. To fetch azure resources data from the azure account, we need a connection string or secrets to do Azure Authentication. Ather that, these all secrets are shared with the application developer who integrates secrets into the code itself. <\/span>As we all know, Python is one of the most popular programming language because of its simplified syntax and it also provides great support for writing scripts to interact with cloud resources.\u00a0<\/span><\/p>\n

Azure SDK is an Azure Software Development Kit for Python3, which allows Python developers to write software that makes use of Azure services.<\/span><\/p>\n

The Azure Authentication process requires:<\/b><\/h4>\n

Step 1.<\/strong> Create Azure account
\n<\/span><\/p>\n

Step 2.<\/strong> Get Subscription and Tenant Id.
\n<\/span><\/p>\n

Step 3.<\/strong> Registered Your Application
\n<\/span><\/p>\n

Step 4.<\/strong> Create New Client Secret in Registered Application and Save Value Id.
\n<\/span><\/p>\n

Step 5.<\/strong> Grant Reader permission to Registered App.
\n<\/span><\/p>\n

Step 6.<\/strong> Now use Client Secret value, subscription, tenant, and Client(Application) Id in Azure SDK script to fetch Azure Resource data. (Here we are fetching a list of Azure VM using these keys).<\/span><\/p>\n

Workflow Diagram to authenticate your azure account to interact with Azure Resources using Azure Python SDK<\/span><\/p>\n

\"\"<\/p>\n

Step1<\/b>:<\/b> Create an Azure account\u00a0<\/b><\/h3>\n

Link: <\/span>https:\/\/www.acronis.com\/en-sg\/articles\/create-microsoft-azure-account\/<\/span><\/a><\/p>\n

Step2:<\/b> Get a Subscription and Tenant Id<\/b><\/h3>\n

To get your Azure Subscription and Tenant Id of your Azure account, use your local terminal or use the azure cloud shell terminal in the Azure Portal.<\/span><\/p>\n

Open your Azure portal \u2192 <\/span>Go to Subscription<\/b> \u2192 Copy and <\/span>save your subscription id<\/b> \u2192 then go to <\/span>Azure Active Directory<\/b> \u2192 Copy and <\/span>save your tenant id<\/b> for later use.<\/span><\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0OR<\/b><\/p>\n

Open your Azure Cloud Shell Terminal and use the below command to get your Account Subscription and Tenant Id.<\/span><\/p>\n

> <\/span>az account show<\/b><\/p><\/blockquote>\n

\"\"<\/p>\n

Step 3<\/b>:<\/b>\u00a0 <\/b>Registered Your Application<\/b><\/h3>\n

you must have sufficient permission to register your application in your Azure AD. If you have a user role, you must make sure that non-administrators can register applications. <\/span>You can ask for an Application Developer Role.<\/span><\/p>\n

You can also check your access by going into <\/span>Subscription<\/b>\u2192 <\/span>IAM<\/b>\u2192 <\/span>view my access.<\/b><\/p>\n

\"\"<\/p>\n

\"\"<\/p>\n

\u00a0To register your app in Azure Portal:<\/b><\/p>\n

    \n
  1. Sign in to your Azure portal and go to Azure Active Directory<\/span>
    \nFrom Manage, Select App Registration\"\"<\/li>\n
  2. Select <\/span>App Registration<\/b> \u2192 <\/span>Add<\/b> New Registration<\/b><\/b>\"\"<\/li>\n
  3. Enter a name for the Application. ( Azure-Integration)<\/span>\"\"<\/li>\n
  4. In the <\/span>Add a Redirect Url<\/b> \u2192 <\/span>Add a Platform<\/b> \u2192 <\/span>select Web<\/b> and <\/span>add your app URL (https:\/\/<\/b>xyz.com<\/b><\/a>) as the sign-on URL<\/b> and <\/span>Create the Application \u2192 Register<\/b>\"\"\"\"<\/li>\n<\/ol>\n
      \n
    1. From Overview of Registered App, copy the Application\/Client Id and save it anywhere for later use<\/span>\"\"<\/li>\n<\/ol>\n

      Step4:<\/b> Create New Client Secret in Registered Application and Save Value Id<\/b><\/h3>\n

      To create a client secret associated with your app:<\/b><\/p>\n

        \n
      1. In Azure, under the application, you have just created, select Certificates & Secrets<\/span>\"\"<\/li>\n
      2. Under these <\/span>Certificates & Secrets<\/b> \u2192 <\/span>Add new Client Secret<\/b> -> <\/span>Give Description<\/b> \u2192 <\/span>Select <\/b>
        \nexpiration time \u2192 Copy Value somewhere else because it hides sometimes\u00a0<\/b>\"\"<\/li>\n<\/ol>\n

        Step5: <\/b>Grant Reader permission to Registered App<\/b><\/h3>\n

        \u00a0 \u00a0 \u00a0 Grant Reader permission to your Application:<\/span><\/p>\n

          \n
        1. Go to <\/span>Subscriptions <\/b>\u2192 and open the <\/span>Subscription that you want Your app<\/b> ( Monitoring Webapp ) to monitor.
          \n\"\"
          \n<\/span><\/li>\n
        2. Click on <\/span>Subscription <\/b>\u2192 Select <\/span>Access control (IAM)<\/b> \u2192 <\/span>Add role Assignment<\/b> \u2192 <\/span>Add Member <\/b>\u2192<\/span> Select your app and add and save<\/b>\"\"\"\"<\/li>\n<\/ol>\n

          Step6:<\/b> Fetch the number of VM’s data in our Azure Account using Azure SDK with Keys<\/strong><\/h3>\n

          resources.py :<\/b><\/p>\n

          from azure.mgmt.compute import ComputeManagementClient\r\nfrom azure.common.credentials import ServicePrincipalCredentials\r\nimport os<\/span>\r\nSubscription_Id = os.environ[\u201csubscription_id\u201d]<\/span>\r\nTenant_Id = os.environ[\u201ctenant_id\u201d]<\/span>\r\nClient_Id = os.environ[\u201cclient_id\u201d]<\/span>\r\nSecret = os.environ[\u201csecret\u201d]<\/span>\r\n\r\ncredential = ServicePrincipalCredentials(<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 client_id=Client_Id,<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 secret=Secret,<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 tenant=Tenant_Id<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 )<\/span>\r\n\r\ncompute_client = ComputeManagementClient(credential, Subscription_Id)<\/span>\r\n\r\nvm_list = compute_client.virtual_machines.list('azure-poc')<\/span>\r\n# vm_list = compute_client.virtual_machines.list('resource_groupname')<\/span>\r\ni= <\/span>0<\/span>\r\nfor vm <\/span>in<\/span> vm_list:<\/span>\r\n\u00a0 \u00a0 array = vm.id.split(<\/span>\"\/\"<\/span>)<\/span>\r\n\u00a0 \u00a0 resource_group = array[<\/span>4<\/span>]<\/span>\r\n\u00a0 \u00a0 vm_name = array[-<\/span>1<\/span>]<\/span>\r\n\u00a0 \u00a0 statuses = compute_client.virtual_machines.instance_view(resource_group, vm_name).statuses<\/span>\r\n\u00a0 \u00a0 status = len(statuses) >= <\/span>2<\/span> and<\/span> statuses[<\/span>1<\/span>]<\/span>\r\n\r\n\u00a0 \u00a0 <\/span>if<\/span> status <\/span>and<\/span> status.code == 'PowerState\/running':<\/span>\r\n\u00a0 \u00a0 \u00a0 \u00a0 print(vm_name)<\/span><\/pre>\n
          Output<\/span>:\u00a0<\/span><\/p>\n
          \"\"Rotate Client Secrets Credentials:<\/b><\/p>\n
          It will be required to update the application’s authentication credentials using the Azure Portal, once the client secret expires (<\/span>the<\/b> maximum expiration date available in Azure is 2 years<\/b>). <\/span>Go to <\/span>App Registration<\/b> \u2192 Select <\/span>Your App<\/b> \u2192 Go into <\/span>Client Secret<\/b> \u2014><\/span>Edit the Client Secret field with the new value <\/b>and confirm with <\/span>Save<\/b> Changes.<\/span><\/p>\n
          \"\"<\/p>\n
          Use Case Of Managed Identity:<\/b><\/h3>\n
          Using a managed identity, you can authenticate to any service that supports Azure AD authentication without exposing credentials.<\/span><\/p>\n
          Azure Managed Identity\u00a0<\/span><\/p>\n
            \n
          • User Assigned Managed Identities\u00a0<\/span><\/li>\n
          • System Assigned Managed Identities\u00a0<\/span><\/li>\n<\/ul>\n
            \"\"<\/p>\n
            But as we can see, the system assigned managed not to work for us where you have to monitor thousands of services because we need to create thousands of managed identities for each azure resource to communicate with them.<\/span><\/p>\n
            Same, In the case of User assigned managed identity, we need to grant permission every time whenever newly resource group is created in our Azure Infra. So it is also not good, as we need to add every time newly created resource group. <\/span>It is clearly seen that there is no other way to do authentication Using Python SDK except App Registration.<\/span><\/p>\n
            Can we Use Azure Key Vault to store secrets, Instead of passing Direct Client Id and Client Secret Id in code:<\/b><\/p>\n
            As we know, Azure Vault is the most secure way to handle such a situation in today\u2019s scenarios. But it is not free to use, you have to pay $0.03 for a 10k transaction in the standard pricing tier. So It is not beneficial in that scenario where you have to fetch the secret key from the vault to communicate with azure resources more frequently.<\/span><\/p>\n
            No, We can\u2019t fetch the ClientId and Client SecretId directly from Key Vault because Key Vault Url is not a Global URL, before accessing it we need to authenticate Key Vault and for authentication, we are using the app Registration Secret.<\/span><\/p>\n
            Conclusion<\/strong><\/h2>\n
            If you want to communicate with more than one service using the same credential in the entire subscription, then go with Azure App Registration Authentication. If your code runs in any Azure service, go with Azure Managed Identities Approach. If you want to store those credentials in Keyvault, then you need to authenticate the key vault first and then use their credentials in code but when your client’s secret expires you need to create a new Key vault again and provide the reader permission again to it.<\/p>\n
             <\/p>\n
            <\/div>","protected":false},"excerpt":{"rendered":"
            Need for Authentication: To communicate with Azure Resources we need to do authentication, suppose you have an application that monitors Azure resources. To fetch azure resources data from the azure account, we need a connection string or secrets to do Azure Authentication. Ather that, these all secrets are shared with the application developer who integrates […]<\/p>\n","protected":false},"author":1435,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":136},"categories":[4308,2348],"tags":[4990],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/55158"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1435"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=55158"}],"version-history":[{"count":10,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/55158\/revisions"}],"predecessor-version":[{"id":55315,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/55158\/revisions\/55315"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=55158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=55158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=55158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}