auth
====

.. py:module:: auth

.. autoapi-nested-parse::

   Helper functions for Azure authentication.


Classes
-------

.. autoapisummary::

   auth.CredentialHandler
   auth.EnvCredentialHandler


Functions
---------

.. autoapisummary::

   auth.get_sp_secret
   auth.get_client_secret_sp_credential
   auth.get_service_principal_credentials
   auth.get_compute_node_identity_reference


Module Contents
---------------

.. py:class:: CredentialHandler

   Data structure for Azure credentials.

   Lazy and cached: credentials are retrieved from a keyvault only
   when needed and are cached thereafter.

   .. py:attribute:: azure_subscription_id
      :type: str
      :value: None

   .. py:attribute:: azure_resource_group_name
      :type: str
      :value: None

   .. py:attribute:: azure_user_assigned_identity
      :type: str
      :value: None

   .. py:attribute:: azure_subnet_id
      :type: str
      :value: None

   .. py:attribute:: azure_keyvault_endpoint
      :type: str
      :value: None

   .. py:attribute:: azure_keyvault_sp_secret_id
      :type: str
      :value: None

   .. py:attribute:: azure_tenant_id
      :type: str
      :value: None

   .. py:attribute:: azure_sp_client_id
      :type: str
      :value: None

   .. py:attribute:: azure_batch_endpoint_subdomain
      :type: str
      :value: 'batch.azure.com/'

   .. py:attribute:: azure_batch_account
      :type: str
      :value: None

   .. py:attribute:: azure_batch_location
      :type: str
      :value: None

   .. py:attribute:: azure_batch_resource_url
      :type: str
      :value: 'https://batch.core.windows.net/'

   .. py:attribute:: azure_blob_storage_endpoint_subdomain
      :type: str
      :value: 'blob.core.windows.net/'

   .. py:attribute:: azure_blob_storage_account
      :type: str
      :value: None

   .. py:attribute:: azure_container_registry_account
      :type: str
      :value: None

   .. py:attribute:: azure_container_registry_domain
      :type: str
      :value: 'azurecr.io'

   .. py:method:: require_attr(attributes: str | list[str], goal: str = None)

      Check that attributes required for a given operation are defined.

      Raises an informative error message if the required attribute
      is not defined.

      Parameters
      ----------
      attributes
          String or list of strings naming the required attribute(s).

      goal
          String naming the value that the attributes are required
          for obtaining, to make error messages more informative.
          If ``None``, use a more generic message. Default ``None``.

      Returns
      -------
      None
          ``None`` on success.

      Raises
      ------
      AttributeError
          If any required ``attributes`` are ``None``.

   .. py:property:: azure_batch_endpoint
      :type: str

      Azure batch endpoint URL.

      Constructed programmatically from account name, location,
      and subdomain.

      Returns
      -------
      str
          The endpoint URL.

   .. py:property:: azure_blob_storage_endpoint
      :type: str

      Azure blob storage endpoint URL.

      Constructed programmatically from the account name and
      endpoint subdomain.

      Returns
      -------
      str
          The endpoint URL.

   .. py:property:: azure_container_registry_endpoint
      :type: str

      Azure container registry endpoint URL.

      Constructed programmatically from the account name and
      registry domain.

      Returns
      -------
      str
          The endpoint URL.

   .. py:property:: user_credential
      :type: azure.identity.ChainedTokenCredential

      Azure user credential.

      Returns
      -------
      ChainedTokenCredential
          The Azure user credential.

   .. py:property:: service_principal_secret

      A service principal secret.

      Returns
      -------
      str
          The secret.

   .. py:property:: batch_service_principal_credentials

      Service Principal credentials for authenticating to Azure Batch.

      Returns
      -------
      ServicePrincipalCredentials
          The credentials.

   .. py:property:: client_secret_sp_credential

      A client secret credential created using
      :obj:`self.service_principal_secret`.

      Returns
      -------
      ClientSecretCredential
          The credential.

   .. py:property:: compute_node_identity_reference

      An object defining a compute node identity reference.

      Specifically, a :class:`models.ComputeNodeIdentityReference`
      object associated to the :class:`CredentialHandler`'s
      user-assigned identity.

      Returns
      -------
      models.ComputeNodeIdentityReference
          The identity reference.

   .. py:property:: azure_container_registry

      An object pointing to an Azure Container Registry.

      Specifically, a :class:`models.ContainerRegistry` instance
      corresponding to the particular Azure Container Registry
      account specified in the :class:`CredentialHandler`, if any,
      with authentication via the ``compute_node_identity_reference``
      defined by :class:`CredentialHandler`, if any.

      Returns
      -------
      models.ContainerRegistry
          A properly instantiated :class:`models.ContainerRegistry`
          object.


.. py:class:: EnvCredentialHandler(**kwargs)

   Bases: :py:obj:`CredentialHandler`

   Azure Credentials populated from available environment variables.

   Subclass of :class:`CredentialHandler` that populates attributes
   from environment variables at instantiation, with the opportunity
   to override those values via keyword arguments passed to the
   constructor.

   Parameters
   ----------
   **kwargs
       Keyword arguments defining additional attributes or overriding
       those set in the environment variables. Passed as the
       ``config_dict`` argument to :func:`config.get_config_val`.


.. py:function:: get_sp_secret(vault_url: str, vault_sp_secret_id: str, user_credential: azure.identity.ChainedTokenCredential = None) -> str

   Get a service principal secret from an Azure keyvault.

   Parameters
   ----------
   vault_url
       URL for the Azure keyvault to access.

   vault_sp_secret_id
       Service principal secret ID within the keyvault.

   user_credential
       User credential for the Azure user, as an azure-identity
       :class:`UserCredential` class instance. If ``None``, attempt
       to use a :class:`ChainedTokenCredential` instantiated at
       runtime that prefers, in order, a newly instantiated
       :class:`AzureCliCredential` (get credentials associated to
       the user logged in via the Azure CLI, i.e. ``az login`` at
       the command line). Default ``None``.

   Returns
   -------
   str
       The retrieved value of the service principal secret.


.. py:function:: get_client_secret_sp_credential(vault_url: str, vault_sp_secret_id: str, tenant_id: str, application_id: str, user_credential: azure.identity.ChainedTokenCredential = None) -> azure.identity.ClientSecretCredential

   Get a ClientSecretCredential for a given Azure service principal.

   Parameters
   ----------
   vault_url
       URL for the Azure keyvault to access.

   vault_sp_secret_id
       Service principal secret ID within the keyvault.

   tenant_id
       Tenant ID for the service principal credential.

   application_id
       Application ID for the service principal credential.

   user_credential
       User credential for the Azure user, as an azure-identity
       UserCredential class instance. Passed to
       :func:`get_sp_secret`. If ``None`` (default),
       :func:`get_sp_secret` will attempt to use a
       :class:`ChainedTokenCredential` instantiated at runtime.
       See its documentation for more.

   Returns
   -------
   ClientSecretCredential
       A :class:`ClientSecretCredential` for the given service
       principal.


.. py:function:: get_service_principal_credentials(vault_url: str, vault_sp_secret_id: str, tenant_id: str, application_id: str, resource_url: str = d.default_azure_batch_resource_url, user_credential: azure.identity.ChainedTokenCredential = None) -> azure.common.credentials.ServicePrincipalCredentials

   Get a :class:`ServicePrincipalCredentials` object for a given
   Azure service principal.

   Parameters
   ----------
   vault_url
       URL for the Azure keyvault to access.

   vault_sp_secret_id : str
       Service principal secret ID within the keyvault.

   tenant_id
       Tenant ID for the service principal credential.

   application_id
       Application ID for the service principal credential.

   resource_url
       URL of the Azure resource. Defaults to the value of
       :obj:`~defaults.default_azure_batch_resource_url`.

   user_credential
       User credential for the Azure user, as an azure-identity
       UserCredential class instance. Passed to
       :func:`get_sp_secret`. If ``None``, :func:`get_sp_secret`
       will attempt to use a :class:`ChainedTokenCredential`
       instantiated at runtime. See the :func:`get_sp_secret`
       documentation for details. Default ``None``.

   Returns
   -------
   ServicePrincipalCredentials
       A :class:`ServicePrincipalCredentials` object for the
       service principal.


.. py:function:: get_compute_node_identity_reference(credential_handler: CredentialHandler = None) -> azure.batch.models.ComputeNodeIdentityReference

   Get a valid :class:`models.ComputeNodeIdentityReference` using
   credentials obtained via a :class:`CredentialHandler`: either a
   user-provided one or a default based on environment variables.

   Parameters
   ----------
   credential_handler
       Credential handler for connecting and authenticating to
       Azure resources. If ``None``, create a blank
       :class:`EnvCredentialHandler`, which attempts to obtain
       needed credentials using information available in local
       environment variables (see its documentation for details).

   Returns
   -------
   models.ComputeNodeIdentityReference
       A :class:`models.ComputeNodeIdentityReference` created
       according to the specified configuration.
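
The lazy, cached secret retrieval and the ``require_attr`` check documented for :class:`CredentialHandler` above can be pictured with the following added sketch. It is not the ``auth`` module's own code: ``SketchCredentialHandler``, ``fetch_secret``, ``demo`` and the vault URL and secret values are constructed stand-ins, and no Azure SDK call is made.

```python
from functools import cached_property


class SketchCredentialHandler:
    """Illustrative stand-in, not the auth module's CredentialHandler."""

    azure_keyvault_endpoint = None
    azure_keyvault_sp_secret_id = None

    def __init__(self, fetch_secret, **attrs):
        # fetch_secret: hypothetical callable(vault_url, secret_id) -> str.
        self._fetch_secret = fetch_secret
        for name, value in attrs.items():
            setattr(self, name, value)

    def require_attr(self, attributes, goal=None):
        """Raise AttributeError if any named attribute is None."""
        if isinstance(attributes, str):
            attributes = [attributes]
        missing = [a for a in attributes if getattr(self, a, None) is None]
        if missing:
            purpose = f" to obtain {goal}" if goal else ""
            raise AttributeError(f"Undefined attribute(s){purpose}: {missing}")

    @cached_property
    def service_principal_secret(self):
        # Lazy: the lookup runs on first access only, then the value is cached.
        needed = ["azure_keyvault_endpoint", "azure_keyvault_sp_secret_id"]
        self.require_attr(needed, goal="service_principal_secret")
        return self._fetch_secret(*(getattr(self, a) for a in needed))


def demo():
    calls = []  # records every (constructed) vault lookup

    def fake_vault(vault_url, secret_id):
        calls.append((vault_url, secret_id))
        return "constructed-secret-value"

    handler = SketchCredentialHandler(
        fake_vault, azure_keyvault_endpoint="https://vault.invalid/",
        azure_keyvault_sp_secret_id="example-sp-secret")
    lookups_at_init = len(calls)
    same = handler.service_principal_secret == handler.service_principal_secret
    try:
        SketchCredentialHandler(fake_vault).service_principal_secret
        error = None
    except AttributeError as exc:
        error = str(exc)
    return lookups_at_init, len(calls), same, error
```

In this sketch the cached secret stays in memory on the instance, so a value rotated in the vault is only seen by a new handler, and the incomplete handler fails before any lookup is attempted.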