mirror of
https://github.com/ansible/awx.git
synced 2026-03-25 12:55:04 -02:30
add credential plugin support for Azure Key Vault
This commit is contained in:
Ryan Petrello
committed by
Jake McDermott
Jake McDermott
parent
0a87469225
commit
4ed5bca5e3
62
awx/main/credential_plugins/azure_kv.py
Normal file
62
awx/main/credential_plugins/azure_kv.py
Normal file
@@ -0,0 +1,62 @@
|
|||||||
|
from .plugin import CredentialPlugin
|
||||||
|
|
||||||
|
from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
|
||||||
|
from azure.common.credentials import ServicePrincipalCredentials
|
||||||
|
|
||||||
|
|
||||||
|
azure_keyvault_inputs = {
|
||||||
|
'fields': [{
|
||||||
|
'id': 'url',
|
||||||
|
'label': 'Vault URL (DNS Name)',
|
||||||
|
'type': 'string',
|
||||||
|
}, {
|
||||||
|
'id': 'client',
|
||||||
|
'label': 'Client ID',
|
||||||
|
'type': 'string'
|
||||||
|
}, {
|
||||||
|
'id': 'secret',
|
||||||
|
'label': 'Client Secret',
|
||||||
|
'type': 'string',
|
||||||
|
'secret': True,
|
||||||
|
}, {
|
||||||
|
'id': 'tenant',
|
||||||
|
'label': 'Tenant ID',
|
||||||
|
'type': 'string'
|
||||||
|
}, {
|
||||||
|
'id': 'secret_field',
|
||||||
|
'label': 'Secret Name',
|
||||||
|
'type': 'string',
|
||||||
|
'help_text': 'The name of the secret to look up.',
|
||||||
|
}, {
|
||||||
|
'id': 'secret_version',
|
||||||
|
'label': 'Secret Version',
|
||||||
|
'type': 'string',
|
||||||
|
'help_text': 'Used to specify a specific secret version (if left empty, the latest version will be used).',
|
||||||
|
}],
|
||||||
|
'required': ['url', 'client', 'secret', 'tenant'],
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def azure_keyvault_backend(**kwargs):
|
||||||
|
url = kwargs['url']
|
||||||
|
|
||||||
|
def auth_callback(server, resource, scope):
|
||||||
|
credentials = ServicePrincipalCredentials(
|
||||||
|
url = url,
|
||||||
|
client_id = kwargs['client'],
|
||||||
|
secret = kwargs['secret'],
|
||||||
|
tenant = kwargs['tenant'],
|
||||||
|
resource = "https://vault.azure.net",
|
||||||
|
)
|
||||||
|
token = credentials.token
|
||||||
|
return token['token_type'], token['access_token']
|
||||||
|
|
||||||
|
kv = KeyVaultClient(KeyVaultAuthentication(auth_callback))
|
||||||
|
return kv.get_secret(url, kwargs['secret_field'], kwargs.get('secret_version', '')).value
|
||||||
|
|
||||||
|
|
||||||
|
azure_keyvault_plugin = CredentialPlugin(
|
||||||
|
'Microsoft Azure Key Vault',
|
||||||
|
inputs=azure_keyvault_inputs,
|
||||||
|
backend=azure_keyvault_backend
|
||||||
|
)
|
||||||
@@ -2,6 +2,7 @@ ansible-runner==1.3.1
|
|||||||
appdirs==1.4.2
|
appdirs==1.4.2
|
||||||
asgi-amqp==1.1.3
|
asgi-amqp==1.1.3
|
||||||
asgiref==1.1.2
|
asgiref==1.1.2
|
||||||
|
azure-keyvault==1.1.0
|
||||||
boto==2.47.0
|
boto==2.47.0
|
||||||
channels==1.1.8
|
channels==1.1.8
|
||||||
celery==4.2.1
|
celery==4.2.1
|
||||||
@@ -39,7 +40,7 @@ python-radius==1.0
|
|||||||
python3-saml==1.4.0
|
python3-saml==1.4.0
|
||||||
social-auth-core==3.0.0
|
social-auth-core==3.0.0
|
||||||
social-auth-app-django==2.1.0
|
social-auth-app-django==2.1.0
|
||||||
requests<2.16 # Older versions rely on certify
|
requests==2.21.0
|
||||||
requests-futures==0.9.7
|
requests-futures==0.9.7
|
||||||
service-identity==17.0.0
|
service-identity==17.0.0
|
||||||
slackclient==1.1.2
|
slackclient==1.1.2
|
||||||
|
|||||||
@@ -4,6 +4,7 @@
|
|||||||
#
|
#
|
||||||
# pip-compile requirements/requirements.in
|
# pip-compile requirements/requirements.in
|
||||||
#
|
#
|
||||||
|
adal==1.2.1 # via msrestazure
|
||||||
amqp==2.3.2 # via kombu
|
amqp==2.3.2 # via kombu
|
||||||
ansible-runner==1.3.1
|
ansible-runner==1.3.1
|
||||||
appdirs==1.4.2
|
appdirs==1.4.2
|
||||||
@@ -14,13 +15,18 @@ asn1crypto==0.24.0 # via cryptography
|
|||||||
attrs==18.2.0 # via automat, service-identity, twisted
|
attrs==18.2.0 # via automat, service-identity, twisted
|
||||||
autobahn==19.2.1 # via daphne
|
autobahn==19.2.1 # via daphne
|
||||||
automat==0.7.0 # via twisted
|
automat==0.7.0 # via twisted
|
||||||
|
azure-common==1.1.18 # via azure-keyvault
|
||||||
|
azure-keyvault==1.1.0
|
||||||
|
azure-nspkg==3.0.2 # via azure-keyvault
|
||||||
billiard==3.5.0.5 # via celery
|
billiard==3.5.0.5 # via celery
|
||||||
boto==2.47.0
|
boto==2.47.0
|
||||||
celery==4.2.1
|
celery==4.2.1
|
||||||
|
certifi==2018.11.29 # via msrest, requests
|
||||||
cffi==1.12.1 # via cryptography
|
cffi==1.12.1 # via cryptography
|
||||||
channels==1.1.8
|
channels==1.1.8
|
||||||
|
chardet==3.0.4 # via requests
|
||||||
constantly==15.1.0 # via twisted
|
constantly==15.1.0 # via twisted
|
||||||
cryptography==2.5 # via pyopenssl
|
cryptography==2.5 # via adal, azure-keyvault, pyopenssl
|
||||||
daphne==1.3.0
|
daphne==1.3.0
|
||||||
defusedxml==0.5.0
|
defusedxml==0.5.0
|
||||||
django-auth-ldap==1.7.0
|
django-auth-ldap==1.7.0
|
||||||
@@ -41,11 +47,11 @@ djangorestframework==3.7.7
|
|||||||
future==0.16.0 # via django-radius
|
future==0.16.0 # via django-radius
|
||||||
hvac==0.7.1
|
hvac==0.7.1
|
||||||
hyperlink==18.0.0 # via twisted
|
hyperlink==18.0.0 # via twisted
|
||||||
idna==2.8 # via hyperlink
|
idna==2.8 # via hyperlink, requests
|
||||||
incremental==17.5.0 # via twisted
|
incremental==17.5.0 # via twisted
|
||||||
inflect==2.1.0 # via jaraco.itertools
|
inflect==2.1.0 # via jaraco.itertools
|
||||||
irc==16.2
|
irc==16.2
|
||||||
isodate==0.6.0 # via python3-saml
|
isodate==0.6.0 # via msrest, python3-saml
|
||||||
jaraco.classes==2.0 # via jaraco.collections
|
jaraco.classes==2.0 # via jaraco.collections
|
||||||
jaraco.collections==2.0 # via irc, jaraco.text
|
jaraco.collections==2.0 # via irc, jaraco.text
|
||||||
jaraco.functools==2.0 # via irc, jaraco.text, tempora
|
jaraco.functools==2.0 # via irc, jaraco.text, tempora
|
||||||
@@ -62,6 +68,8 @@ markdown==2.6.11
|
|||||||
markupsafe==1.1.0 # via jinja2
|
markupsafe==1.1.0 # via jinja2
|
||||||
more-itertools==6.0.0 # via irc, jaraco.functools, jaraco.itertools
|
more-itertools==6.0.0 # via irc, jaraco.functools, jaraco.itertools
|
||||||
msgpack-python==0.5.6 # via asgi-amqp
|
msgpack-python==0.5.6 # via asgi-amqp
|
||||||
|
msrest==0.6.4 # via azure-keyvault, msrestazure
|
||||||
|
msrestazure==0.6.0 # via azure-keyvault
|
||||||
netaddr==0.7.19 # via pyrad
|
netaddr==0.7.19 # via pyrad
|
||||||
oauthlib==2.0.6 # via django-oauth-toolkit, requests-oauthlib, social-auth-core
|
oauthlib==2.0.6 # via django-oauth-toolkit, requests-oauthlib, social-auth-core
|
||||||
ordereddict==1.1
|
ordereddict==1.1
|
||||||
@@ -75,7 +83,7 @@ pyasn1==0.4.5 # via pyasn1-modules, python-ldap, service-identity
|
|||||||
pycparser==2.19 # via cffi
|
pycparser==2.19 # via cffi
|
||||||
pygerduty==0.37.0
|
pygerduty==0.37.0
|
||||||
pyhamcrest==1.9.0 # via twisted
|
pyhamcrest==1.9.0 # via twisted
|
||||||
pyjwt==1.7.1 # via social-auth-core, twilio
|
pyjwt==1.7.1 # via adal, social-auth-core, twilio
|
||||||
pyopenssl==19.0.0 # via service-identity
|
pyopenssl==19.0.0 # via service-identity
|
||||||
pyparsing==2.2.0
|
pyparsing==2.2.0
|
||||||
pyrad==2.1 # via django-radius
|
pyrad==2.1 # via django-radius
|
||||||
@@ -90,8 +98,8 @@ python3-saml==1.4.0
|
|||||||
pytz==2018.9 # via celery, django, irc, tempora, twilio
|
pytz==2018.9 # via celery, django, irc, tempora, twilio
|
||||||
pyyaml==3.13 # via djangorestframework-yaml
|
pyyaml==3.13 # via djangorestframework-yaml
|
||||||
requests-futures==0.9.7
|
requests-futures==0.9.7
|
||||||
requests-oauthlib==1.2.0 # via social-auth-core
|
requests-oauthlib==1.2.0 # via msrest, social-auth-core
|
||||||
requests[security]==2.15.1
|
requests[security]==2.21.0
|
||||||
service-identity==17.0.0
|
service-identity==17.0.0
|
||||||
simplejson==3.16.0 # via uwsgitop
|
simplejson==3.16.0 # via uwsgitop
|
||||||
six==1.12.0 # via asgi-amqp, asgiref, autobahn, automat, cryptography, django-extensions, irc, isodate, jaraco.classes, jaraco.collections, jaraco.itertools, jaraco.logging, jaraco.stream, pygerduty, pyhamcrest, pyopenssl, pyrad, python-dateutil, python-memcached, slackclient, social-auth-app-django, social-auth-core, tacacs-plus, tempora, twilio, txaio, websocket-client
|
six==1.12.0 # via asgi-amqp, asgiref, autobahn, automat, cryptography, django-extensions, irc, isodate, jaraco.classes, jaraco.collections, jaraco.itertools, jaraco.logging, jaraco.stream, pygerduty, pyhamcrest, pyopenssl, pyrad, python-dateutil, python-memcached, slackclient, social-auth-app-django, social-auth-core, tacacs-plus, tempora, twilio, txaio, websocket-client
|
||||||
@@ -104,6 +112,7 @@ twilio==6.10.4
|
|||||||
twisted==18.9.0 # via daphne
|
twisted==18.9.0 # via daphne
|
||||||
txaio==18.8.1 # via autobahn
|
txaio==18.8.1 # via autobahn
|
||||||
typing==3.6.6 # via django-extensions
|
typing==3.6.6 # via django-extensions
|
||||||
|
urllib3==1.24.1 # via requests
|
||||||
uwsgi==2.0.17
|
uwsgi==2.0.17
|
||||||
uwsgitop==0.10.0
|
uwsgitop==0.10.0
|
||||||
vine==1.2.0 # via amqp
|
vine==1.2.0 # via amqp
|
||||||
|
|||||||
1
setup.py
1
setup.py
@@ -116,6 +116,7 @@ setup(
|
|||||||
],
|
],
|
||||||
'awx.credential_plugins': [
|
'awx.credential_plugins': [
|
||||||
'hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin',
|
'hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin',
|
||||||
|
'azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin',
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
data_files = proc_data_files([
|
data_files = proc_data_files([
|
||||||
|
|||||||
@@ -4,3 +4,4 @@ awx-manage = awx:manage
|
|||||||
|
|
||||||
[awx.credential_plugins]
|
[awx.credential_plugins]
|
||||||
hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin
|
hashivault = awx.main.credential_plugins.hashivault:hashivault_plugin
|
||||||
|
azure_kv = awx.main.credential_plugins.azure_kv:azure_keyvault_plugin
|
||||||
|
|||||||
Reference in New Issue
Block a user