Azure Key Vault

Bases: PluginResolver, AzureKeyVaulMixin

Resolver for the Azure Key Vault.

Methods:

| Name | Description |
| --- | --- |
| `__init__` | Initializes the resolver with optional credentials. If no credential is provided, it is inferred from the default credentials, if configured. |
| `__call__` | Resolves the secret by its name and returns the decoded secret data. |

Example

Example 1: retrieve a given version of your secret

```python
>>> from azure.identity import DefaultAzureCredential
>>> my_credentials = DefaultAzureCredential()
>>> resolver = AzureKeyVaultResolver(credentials=my_credentials)
>>> secret_data = resolver("keyvault/MyKeyVault123/secret/SecretName/version/339d8635b22344b2b6117588ef94a22q")
>>> print(secret_data)
```

Example 2: retrieve the latest version of your secret

```python
>>> resolver = AzureKeyVaultResolver()
>>> secret_data = resolver("keyvault/MyKeyVault123/secret/SecretName")
>>> print(secret_data)
```

Source code in omegaconf_cloud_resolvers/resolvers/az/keyvault.py
class AzureKeyVaultResolver(PluginResolver, AzureKeyVaulMixin):
    """
    Resolver for the Azure Key Vault.

    Methods:
        __init__(credential=None, *args, **kwargs):
            Initializes the resolver with optional credentials.
            If no credential is provided, it is inferred from the default credentials,
            if configured.

        __call__(name):
            Resolves the secret by its name and returns the decoded secret data.

    Example:
        Example 1: retrieve a given version of your secret
        ```python
        >>> from azure.identity import DefaultAzureCredential
        >>> my_credentials = DefaultAzureCredential()
        >>> resolver = AzureKeyVaultResolver(credentials=my_credentials)
        >>> secret_data = resolver("keyvault/MyKeyVault123/secret/SecretName/version/339d8635b22344b2b6117588ef94a22q")
        >>> print(secret_data)
        ```

        Example 2: retrieve the latest version of your secret
        ```python
        >>> resolver = AzureKeyVaultResolver()
        >>> secret_data = resolver("keyvault/MyKeyVault123/secret/SecretName")
        >>> print(secret_data)
        ```
    """

    def __call__(self, name: str) -> str:
        """
        Resolves the secret by its name and returns the decoded secret data.

        Args:
            name (str): The name of the secret to resolve.
                Names must use one of the following forms:
                `keyvault/<keyvault_id>/secret/<secret_name>`,
                `keyvault/<keyvault_id>/secret/<secret_name>/version/<version>`

        Returns:
            (str): The secret data.

        Raises:
            ValueError: If the secret name cannot be parsed or if required components are missing.

        """
        name_fields = self._parse_secret_name(name)
        response = self.client(
            keyvault=name_fields["keyvault"],
            secret=name_fields["secret"],
            version=name_fields["version"],
        )
        return response.value

    def _parse_secret_name(self, name: str) -> Dict[str, str]:
        """
        Parses the secret name and returns a dictionary with the necessary components.

        Args:
            name (str): The name of the secret to parse.

        Returns:
            Dict[str, str]: A dictionary containing the components of the secret name.

        Raises:
            ValueError: If the secret name cannot be parsed or if required components are missing.
        """
        secret_dict = {}
        if "/" not in name:
            raise ValueError(
                "You must provide at least `keyvault/<keyvault_id>/secret/<secret_id>`"
            )

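        # Pair consecutive path components as key/value; zip() silently drops
        # an unpaired trailing component.
        secret_comps = iter(name.split("/"))
        try:
            secret_dict = {k: v for k, v in zip(secret_comps, secret_comps)}
        except Exception as err:
            raise ValueError("Failure parsing secret name.") from err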

        if not {"secret", "keyvault"}.issubset(secret_dict.keys()):
            raise ValueError(
                "You must provide at least `keyvault/<keyvault_id>/secret/<secret_id>`"
            )
        if "version" not in secret_dict.keys():
            secret_dict["version"] = None
        return secret_dict
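
The parser above pairs path components with `zip`, so a trailing unpaired component (for example a dangling `/version`), an unknown key, or a repeated key is not rejected, and a reference meant to pin a version can resolve to the latest one. The following stricter parser for the same name syntax is an added example, not code from omegaconf_cloud_resolvers; the names `parse_secret_name_strict` and `rejected` and the allowed-character rule are assumptions of the example.

```python
import re
from typing import Dict, Optional

ALLOWED_KEYS = ("keyvault", "secret", "version")
REQUIRED_KEYS = ("keyvault", "secret")
# Assumption of this example: values are limited to letters, digits and hyphens.
_VALUE_RE = re.compile(r"[A-Za-z0-9-]+")


def parse_secret_name_strict(name: str) -> Dict[str, Optional[str]]:
    """Parse `keyvault/<id>/secret/<name>[/version/<version>]`, failing closed."""
    parts = name.split("/")
    # zip() over a shared iterator drops an unpaired trailing component, so
    # ".../version" with no value would silently mean "latest". Reject it.
    if len(parts) % 2 != 0:
        raise ValueError(f"unpaired component {parts[-1]!r} in secret name")

    fields: Dict[str, Optional[str]] = {}
    for key, value in zip(parts[0::2], parts[1::2]):
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown component {key!r}")
        if key in fields:
            # A dict comprehension keeps the last duplicate; be explicit instead.
            raise ValueError(f"duplicate component {key!r}")
        if not _VALUE_RE.fullmatch(value):
            raise ValueError(f"invalid value for {key!r}")
        fields[key] = value

    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"missing required component(s): {', '.join(missing)}")
    fields.setdefault("version", None)
    return fields


def rejected(name: str) -> bool:
    """Return True when the strict parser refuses `name`."""
    try:
        parse_secret_name_strict(name)
    except ValueError:
        return True
    return False
```
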

__call__(name)

Resolves the secret by its name and returns the decoded secret data.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| `name` | `str` | The name of the secret to resolve. Names must use one of the following forms: `keyvault/<keyvault_id>/secret/<secret_name>`, `keyvault/<keyvault_id>/secret/<secret_name>/version/<version>` | required |

Returns:

| Type | Description |
| --- | --- |
| `str` | The secret data. |

Raises:

| Type | Description |
| --- | --- |
| `ValueError` | If the secret name cannot be parsed or if required components are missing. |

Source code in omegaconf_cloud_resolvers/resolvers/az/keyvault.py
def __call__(self, name: str) -> str:
    """
    Resolves the secret by its name and returns the decoded secret data.

    Args:
        name (str): The name of the secret to resolve.
            Names must use one of the following forms:
            `keyvault/<keyvault_id>/secret/<secret_name>`,
            `keyvault/<keyvault_id>/secret/<secret_name>/version/<version>`

    Returns:
        (str): The secret data.

    Raises:
        ValueError: If the secret name cannot be parsed or if required components are missing.

    """
    name_fields = self._parse_secret_name(name)
    response = self.client(
        keyvault=name_fields["keyvault"],
        secret=name_fields["secret"],
        version=name_fields["version"],
    )
    return response.value