Azure SPN for Access to Azure Key Vault? Best solution for automated scripts?

Contributor

For access to the Defender API we are using jupyter lab and an "on premises" Ubuntu server, I have the following credentials we use in our notebooks like this. 

tenantId =  # Paste your tenant ID here 
appId =  # Paste your own app ID here
appSecret =  # Paste your own app secret here

 

We have a tight budget but I do have access to Azure Key Vault and want to start using it for our notebooks and automated tasks that interact with the Defender API.  I'm assuming something like this...

tenantId = # Paste your own tenant ID here
appId = # Paste your own app ID hereDDDD
appSecret = STORE THIS IN AZURE KEY VAULT and retrieve with getsecrets.  

 

I'm trying to understand the best, most professional, way to access the Azure Key Vault?

I can't use 'az login' for automated task scripts? What's the best way to do this? Do I get our Azure Administrator to create a Azure SPN for me, specifically for access to the Azure Key Vault, assign that SPN to the Access Policy of the Key Vault?

And then I use created SPNs clientId, clientSecret, and tenantId to access the key vault and grab the secret like this? 

credentials = ServicePrincipalCredentials(
        client_id = '',
        secret = '',
        tenant = '',
        resource = "https://vault.azure.net"
    token = credentials.token
    return token['token_type'], token['access_token']
client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
secret_bundle = client.get_secret("https://vault_url", "secret_id", "")
print(secret_bundle.value)

 

I'd appreciate any suggestions that could clarify this for me, thanks!! 

1 Reply