From 04245d45d8b02192b0aa30af1eb634fcb5898b42 Mon Sep 17 00:00:00 2001
From: Rickard Eriksson
Date: Fri, 1 Dec 2023 10:49:01 +0100
Subject: [PATCH 1/3] Added option for disabling MSI autodiscover feature
---
 plugins/lookup/azure_keyvault_secret.py | 40 ++++++++++++++----------
 1 file changed, 23 insertions(+), 17 deletions(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index ea2183a5a..1f14c6b56 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -15,6 +15,7 @@
 requirements:
 - requests
 - azure
+ - msrest
 short_description: Read secret from Azure Key Vault.
 description:
 - This lookup returns the content of secret saved in Azure Key Vault.
@@ -32,6 +33,8 @@
 description: Secret of the service principal.
 tenant_id:
 description: Tenant id of service principal.
+ use_msi:
+ description: MSI token autodiscover, default is true
 notes:
 - If version is not provided, this plugin will return the latest version of the secret.
 - If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant isn't required.
@@ -74,7 +77,8 @@
 vault_url=url,
 client_id=client_id,
 secret=secret,
- tenant_id=tenant
+ tenant_id=tenant,
+ use_msi=false
 )
 }}"
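Review bot: The new `use_msi` option entry states its default only in prose, so the documentation tooling cannot render or validate it the way the other options are handled; give it the structured keys, e.g. `use_msi:` / `description: Use the managed identity (MSI) endpoint to obtain a token before falling back to the service principal credentials.` / `type: bool` / `default: true`. The existing note saying client_id, secret and tenant are not required on an MSI-enabled VM could also mention that this holds only while `use_msi` is true, since the option now makes the fallback order configurable.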
@@ -139,22 +143,6 @@
 'Metadata': 'true'
 }
-token = None
-
-try:
- token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
- if token_res.ok:
- token = token_res.json().get("access_token")
- if token is not None:
- TOKEN_ACQUIRED = True
- else:
- display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.')
- else:
- display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code)
-except Exception:
- display.v('Unable to fetch MSI token. Will use service principal if provided.')
- TOKEN_ACQUIRED = False
-
 def lookup_secret_non_msi(terms, vault_url, kwargs):
@@ -187,6 +175,24 @@ class LookupModule(LookupBase):
 def run(self, terms, variables, **kwargs):
 ret = []
 vault_url = kwargs.pop('vault_url', None)
+ use_msi = kwargs.pop('use_msi', True)
+ TOKEN_ACQUIRED = False
+ token = None
+
+ if use_msi:
+ try:
+ token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
+ if token_res.ok:
+ token = token_res.json().get("access_token")
+ if token is not None:
+ TOKEN_ACQUIRED = True
+ else:
+ display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.')
+ else:
+ display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code)
+ except Exception:
+ display.v('Unable to fetch MSI token. Will use service principal if provided.')
+
 if vault_url is None:
 raise AnsibleError('Failed to get valid vault url.')
 if TOKEN_ACQUIRED:
From 54577effa145443522eb9da79d46bcfdba6cfab1 Mon Sep 17 00:00:00 2001
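Review bot: `use_msi = kwargs.pop('use_msi', True)` takes the option without boolean coercion, so a value that reaches the lookup as the string `'false'` (from a variable or an inventory value, for instance) is truthy and the MSI probe still runs; normalize it with `use_msi = boolean(kwargs.pop('use_msi', True))` and `from ansible.module_utils.parsing.convert_bool import boolean`. Moving the metadata request from module scope into `run()` also means every invocation of the lookup now issues the request to the metadata endpoint with the 3.05 s connect timeout, so a playbook that calls the lookup many times on a host without MSI pays that wait on each call where it previously paid it once at import; caching the outcome on the class, or at least stating the cost in the option description, would address that. `TOKEN_ACQUIRED` is now a local, so the constant-style name reads as a module global that no longer exists; `token_acquired` fits the surrounding locals. If any other function in this file still reads the removed module-level `token` or `TOKEN_ACQUIRED`, it will now fail with a NameError; the rest of `run()` lies outside the hunk, so I could not confirm either way.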
From: Rickard Eriksson
Date: Mon, 4 Dec 2023 09:25:58 +0100
Subject: [PATCH 2/3] sorting out some linting things and removed msrest module requirement from documentation
---
 plugins/lookup/azure_keyvault_secret.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 1f14c6b56..6d8396639 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -15,7 +15,6 @@
 requirements:
 - requests
 - azure
- - msrest
 short_description: Read secret from Azure Key Vault.
 description:
 - This lookup returns the content of secret saved in Azure Key Vault.
@@ -181,7 +180,10 @@ def run(self, terms, variables, **kwargs):
 if use_msi:
 try:
- token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
+ token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token',
+ params=token_params,
+ headers=token_headers,
+ timeout=(3.05, 27))
 if token_res.ok:
 token = token_res.json().get("access_token")
 if token is not None:
From 18b2008c42d2e28f45c310e765ac1b9edbdb89c0 Mon Sep 17 00:00:00 2001
From: Rickard Eriksson
Date: Mon, 4 Dec 2023 09:26:31 +0100
Subject: [PATCH 3/3] added missing period in documentation
---
 plugins/lookup/azure_keyvault_secret.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/azure_keyvault_secret.py b/plugins/lookup/azure_keyvault_secret.py
index 6d8396639..5e693e4b3 100644
--- a/plugins/lookup/azure_keyvault_secret.py
+++ b/plugins/lookup/azure_keyvault_secret.py
@@ -33,7 +33,7 @@
 tenant_id:
 description: Tenant id of service principal.
 use_msi:
- description: MSI token autodiscover, default is true
+ description: MSI token autodiscover, default is true.
 notes:
 - If version is not provided, this plugin will return the latest version of the secret.
 - If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant isn't required.