在 Azure Data Science Virtual Machine 上安全存储访问凭据Store access credentials securely on an Azure Data Science Virtual Machine

通常,云应用程序中的代码包含用于对云服务进行身份验证的凭据。It's common for the code in cloud applications to contain credentials for authenticating to cloud services. 如何管理和保护这些凭据是构建云应用程序的已知挑战。How to manage and secure these credentials is a well-known challenge in building cloud applications. 理想情况下,凭据应永远不会出现在开发者工作站上,也永远不会被签入源代码管理系统中。Ideally, credentials should never appear on developer workstations or get checked in to source control.

Azure 资源的托管标识功能为 Azure 服务提供了 Azure Active Directory (Azure AD) 中的自动托管标识,更巧妙地解决了这个问题。The managed identities for Azure resources feature makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). 可以使用此标识向支持 Azure AD 身份验证的任何服务进行身份验证,而无需在代码中放入任何凭据。You can use this identity to authenticate to any service that supports Azure AD authentication without having any credentials in your code.

保护凭据的一个常见方法是结合使用 Windows Installer (MSI) 和 Azure Key Vault(一项安全存储机密和加密密钥的托管 Azure 服务)。One way to secure credentials is to use Windows Installer (MSI) in combination with Azure Key Vault, a managed Azure service to store secrets and cryptographic keys securely. 可以使用托管标识访问密钥保管库,然后从该密钥保管库检索授权机密和加密密钥。You can access a key vault by using the managed identity and then retrieve the authorized secrets and cryptographic keys from the key vault.

Azure 资源的托管标识和 Key Vault 文档包含用于深入了解这些服务信息的综合资源。The documentation about managed identities for Azure resources and Key Vault comprises a comprehensive resource for in-depth information on these services. 本文的其余部分将介绍数据科学虚拟机 (DSVM) 上 MSI 和 Key Vault 的基本使用步骤,以访问 Azure 资源。The rest of this article walks through the basic use of MSI and Key Vault on the Data Science Virtual Machine (DSVM) to access Azure resources.

在 DSVM 上创建托管标识Create a managed identity on the DSVM

# Prerequisite: You have already created a Data Science VM in the usual way.

# Create an identity principal for the VM.
az vm assign-identity -g <Resource Group Name> -n <Name of the VM>
# Get the principal ID of the DSVM.
az resource list -n <Name of the VM> --query [*].identity.principalId --out tsv

为 VM 主体分配 Key Vault 访问权限Assign Key Vault access permissions to a VM principal

# Prerequisite: You have already created an empty Key Vault resource on Azure by using the Azure portal or Azure CLI.

# Assign only get and set permissions but not the capability to list the keys.
az keyvault set-policy --object-id <Principal ID of the DSVM from previous step> --name <Key Vault Name> -g <Resource Group of Key Vault>  --secret-permissions get set

从 DSVM 访问 Key Vault 中的机密Access a secret in the key vault from the DSVM

# Get the access token for the VM.
x=`curl http://localhost:50342/oauth2/token --data "resource=https://vault.azure.net" -H Metadata:true`
token=`echo $x | python -c "import sys, json; print(json.load(sys.stdin)['access_token'])"`

# Access the key vault by using the access token.
curl https://<Vault Name>.vault.azure.cn/secrets/SQLPasswd?api-version=2016-10-01 -H "Authorization: Bearer $token"

从 DSVM 访问存储密钥Access storage keys from the DSVM

# Prerequisite: You have granted your VMs MSI access to use storage account access keys based on instructions at https://docs.azure.cn/active-directory/managed-service-identity/tutorial-linux-vm-access-storage. This article describes the process in more detail.

y=`curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true`
ytoken=`echo $y | python -c "import sys, json; print(json.load(sys.stdin)['access_token'])"`
curl https://management.azure.com/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroup of Storage account>/providers/Microsoft.Storage/storageAccounts/<Storage Account Name>/listKeys?api-version=2016-12-01 --request POST -d "" -H "Authorization: Bearer $ytoken"

# Now you can access the data in the storage account from the retrieved storage account keys.

从 Python 访问 Key VaultAccess the key vault from Python

from azure.keyvault import KeyVaultClient
from msrestazure.azure_active_directory import MSIAuthentication

"""MSI Authentication example."""

# Get credentials.
credentials = MSIAuthentication(
    resource='https://vault.azure.net'
)

# Create a Key Vault client.
key_vault_client = KeyVaultClient(
    credentials
)

key_vault_uri = "https://<key Vault Name>.vault.azure.cn/"

secret = key_vault_client.get_secret(
    key_vault_uri,  # Your key vault URL.
    # The name of your secret that already exists in the key vault.
    "SQLPasswd",
    ""              # The version of the secret; empty string for latest.
)
print("My secret value is {}".format(secret.value))

从 Azure CLI 访问 Key VaultAccess the key vault from Azure CLI

# With managed identities for Azure resources set up on the DSVM, users on the DSVM can use Azure CLI to perform the authorized functions. The following commands enable access to the key vault from Azure CLI without requiring login to an Azure account.
# Prerequisites: MSI is already set up on the DSVM as indicated earlier. Specific permissions, like accessing storage account keys, reading specific secrets, and writing new secrets, are provided to the MSI.

# Authenticate to Azure CLI without requiring an Azure account. 
az login --msi

# Retrieve a secret from the key vault. 
az keyvault secret show --vault-name <Vault Name> --name SQLPasswd

# Create a new secret in the key vault.
az keyvault secret set --name MySecret --vault-name <Vault Name> --value "Helloworld"

# List access keys for the storage account.
az storage account keys list -g <Storage Account Resource Group> -n <Storage Account Name>