Azure SPN for Access to Azure Key Vault? Best solution for automated scripts?


For access to the Defender API we are using JupyterLab and an "on premises" Ubuntu server. I have the following credentials, which we use in our notebooks like this:

tenantId =  # Paste your tenant ID here 
appId =  # Paste your own app ID here
appSecret =  # Paste your own app secret here


We have a tight budget but I do have access to Azure Key Vault and want to start using it for our notebooks and automated tasks that interact with the Defender API.  I'm assuming something like this...

tenantId = # Paste your own tenant ID here
appId = # Paste your own app ID here
appSecret = STORE THIS IN AZURE KEY VAULT and retrieve with getsecrets.  


I'm trying to understand the best, most professional way to access Azure Key Vault.

I can't use 'az login' for automated task scripts, can I? What's the best way to do this? Do I get our Azure Administrator to create an Azure SPN for me, specifically for access to the Azure Key Vault, and assign that SPN to the Access Policy of the Key Vault?

And then I use the created SPN's clientId, clientSecret, and tenantId to access the key vault and grab the secret like this?

from azure.common.credentials import ServicePrincipalCredentials
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication

def auth_callback(server, resource, scope):
    # Called by the (legacy azure-keyvault 1.x) client whenever it needs a token
    credentials = ServicePrincipalCredentials(
        client_id = '',   # SPN application (client) ID
        secret = '',      # SPN client secret
        tenant = '',      # tenant ID
        resource = ""     # token audience for Key Vault, i.e. https://vault.azure.net
    )
    token = credentials.token
    return token['token_type'], token['access_token']

client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
secret_bundle = client.get_secret("https://vault_url", "secret_id", "")   # "" = latest version


I'd appreciate any suggestions that could clarify this for me, thanks!! 
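The flow asked about above (SPN client-credentials token, then a Key Vault secret lookup), as an added example that is not from the post or from any Azure SDK: it calls the token endpoint and the Key Vault REST API directly with urllib, reads the SPN settings from the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables (the names azure-identity also uses) so nothing is pasted into the notebook, and refuses to send the bearer token to any host outside vault.azure.net. The vault name and secret name in the usage line are placeholders.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_SCOPE = "https://vault.azure.net/.default"  # audience for Key Vault tokens


def load_spn_from_env(env=None):
    """Read the SPN credentials from the environment (assumed variable names)
    so no client secret is hard-coded in a notebook or script."""
    env = os.environ if env is None else env
    try:
        return env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing SPN setting {missing}") from None


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials POST for a Key Vault access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    }).encode()
    return url, body


def secret_request(vault_url, secret_name, access_token):
    """Build the GET for one secret (latest version). Only https URLs under
    vault.azure.net are accepted, so the bearer token cannot leak elsewhere."""
    parts = urllib.parse.urlparse(vault_url)
    if parts.scheme != "https" or not (parts.hostname or "").endswith(".vault.azure.net"):
        raise ValueError(f"refusing non-Key-Vault URL {vault_url!r}")
    url = f"{vault_url.rstrip('/')}/secrets/{secret_name}?api-version=7.3"
    return url, {"Authorization": f"Bearer {access_token}"}


def _call(url, body=None, headers=None):
    req = urllib.request.Request(url, data=body, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_secret(vault_url, secret_name, env=None):
    """SPN -> token -> secret value; the return value is what goes in appSecret."""
    tenant_id, client_id, client_secret = load_spn_from_env(env)
    token = _call(*token_request(tenant_id, client_id, client_secret))["access_token"]
    return _call(*secret_request(vault_url, secret_name, token))["value"]
```

In a notebook this replaces the pasted appSecret line with `appSecret = fetch_secret("https://<vault-name>.vault.azure.net", "<secret-name>")`, and the SPN itself only needs the Key Vault "get" permission on secrets.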
