auth#

Helper functions for Azure authentication.

Classes#

CredentialHandler

Data structure for Azure credentials.

EnvCredentialHandler

Azure Credentials populated from available environment variables.

Functions#

get_sp_secret(→ str)

Get a service principal secret from an Azure keyvault.

get_client_secret_sp_credential(...)

Get a ClientSecretCredential for a given Azure service principal.

get_service_principal_credentials(...)

Get a ServicePrincipalCredentials object for a given Azure service principal.

get_compute_node_identity_reference(...)

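Get a valid models.ComputeNodeIdentityReference using credentials obtained via a CredentialHandler: either a user-provided one or a default based on environment variables.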

Module Contents#

class CredentialHandler#

Data structure for Azure credentials. Lazy and cached: credentials are retrieved from a keyvault only when needed and are cached thereafter.

azure_subscription_id: str = None#
azure_resource_group_name: str = None#
azure_user_assigned_identity: str = None#
azure_subnet_id: str = None#
azure_keyvault_endpoint: str = None#
azure_keyvault_sp_secret_id: str = None#
azure_tenant_id: str = None#
azure_sp_client_id: str = None#
azure_batch_endpoint_subdomain: str = 'batch.azure.com/'#
azure_batch_account: str = None#
azure_batch_location: str = None#
azure_batch_resource_url: str = 'https://batch.core.windows.net/'#
azure_blob_storage_endpoint_subdomain: str = 'blob.core.windows.net/'#
azure_blob_storage_account: str = None#
azure_container_registry_account: str = None#
azure_container_registry_domain: str = 'azurecr.io'#
require_attr(attributes: str | list[str], goal: str = None)#

Check that attributes required for a given operation are defined. Raises an informative error message if the required attribute is not defined.

Parameters#

attributes

String or list of strings naming the required attribute(s).

goal

String naming the value that the attributes are required for obtaining, to make error messages more informative. If None, use a more generic message. Default None.

Returns#

None

None on success.

Raises#

AttributeError

If any required attributes are None.

property azure_batch_endpoint: str#

Azure batch endpoint URL. Constructed programmatically from account name, location, and subdomain.

Returns#

str

The endpoint URL.

property azure_blob_storage_endpoint: str#

Azure blob storage endpoint URL. Constructed programmatically from the account name and endpoint subdomain.

Returns#

str

The endpoint URL.

property azure_container_registry_endpoint: str#

Azure container registry endpoint URL. Constructed programmatically from the account name and registry domain.

Returns#

str

The endpoint URL.

property user_credential: azure.identity.ChainedTokenCredential#

Azure user credential.

Returns#

ChainedTokenCredential

The Azure user credential.

property service_principal_secret#

A service principal secret.

Returns#

str

The secret.

property batch_service_principal_credentials#

Service Principal credentials for authenticating to Azure Batch.

Returns#

ServicePrincipalCredentials

The credentials.

property client_secret_sp_credential#

A client secret credential created using self.service_principal_secret.

Returns#

ClientSecretCredential

The credential.

property compute_node_identity_reference#

An object defining a compute node identity reference.

Specifically, a models.ComputeNodeIdentityReference object associated to the CredentialHandler’s user-assigned identity.

Returns#

models.ComputeNodeIdentityReference

The identity reference.

property azure_container_registry#

An object pointing to an Azure Container Registry.

Specifically, a models.ContainerRegistry instance corresponding to the particular Azure Container Registry account specified in the CredentialHandler, if any, with authentication via the compute_node_identity_reference defined by CredentialHandler, if any.

Returns#

models.ContainerRegistry

A properly instantiated models.ContainerRegistry object.
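The lazy, cached, fail-early behaviour described above for CredentialHandler, as an added sketch that is not the library's own code. SketchCredentialHandler and the injected fetch_secret callable are hypothetical (the callable stands in for the keyvault lookup so the sketch runs offline), and the endpoint layout https://{account}.{location}.{subdomain} is an assumption.

```python
from dataclasses import dataclass
from functools import cached_property
from typing import Callable, Optional


@dataclass
class SketchCredentialHandler:
    """Hypothetical stand-in for CredentialHandler (illustration only)."""
    azure_keyvault_endpoint: Optional[str] = None
    azure_keyvault_sp_secret_id: Optional[str] = None
    azure_batch_account: Optional[str] = None
    azure_batch_location: Optional[str] = None
    azure_batch_endpoint_subdomain: str = "batch.azure.com/"
    # Assumption: injected callable (vault_url, secret_id) -> secret value.
    fetch_secret: Optional[Callable[[str, str], str]] = None

    def require_attr(self, attributes, goal=None):
        """Raise AttributeError if any named attribute is still None."""
        if isinstance(attributes, str):
            attributes = [attributes]
        missing = [a for a in attributes if getattr(self, a) is None]
        if missing:
            what = f" to obtain '{goal}'" if goal else ""
            raise AttributeError(f"{', '.join(missing)} must be set{what}")

    @property
    def azure_batch_endpoint(self) -> str:
        # Built from account, location and subdomain; no secret involved.
        self.require_attr(
            ["azure_batch_account", "azure_batch_location"],
            goal="azure_batch_endpoint",
        )
        return (f"https://{self.azure_batch_account}."
                f"{self.azure_batch_location}."
                f"{self.azure_batch_endpoint_subdomain}")

    @cached_property
    def service_principal_secret(self) -> str:
        # Fail before any keyvault call if the configuration is incomplete.
        self.require_attr(
            ["azure_keyvault_endpoint", "azure_keyvault_sp_secret_id"],
            goal="service_principal_secret",
        )
        # Runs once; cached_property stores the result on the instance.
        return self.fetch_secret(self.azure_keyvault_endpoint,
                                 self.azure_keyvault_sp_secret_id)
```

Because the secret is cached outside the dataclass fields, it does not appear in the object's repr, and a handler that is only used to build endpoint URLs never touches the keyvault.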

class EnvCredentialHandler(**kwargs)#

Bases: CredentialHandler

Azure Credentials populated from available environment variables.

Subclass of CredentialHandler that populates attributes from environment variables at instantiation, with the opportunity to override those values via keyword arguments passed to the constructor.

Parameters#

**kwargs

Keyword arguments defining additional attributes or overriding those set in the environment variables. Passed as the config_dict argument to config.get_config_val().

get_sp_secret(vault_url: str, vault_sp_secret_id: str, user_credential: azure.identity.ChainedTokenCredential = None) → str#

Get a service principal secret from an Azure keyvault.

Parameters#

vault_url

URL for the Azure keyvault to access.

vault_sp_secret_id

Service principal secret ID within the keyvault.

user_credential

User credential for the Azure user, as an azure-identity UserCredential class instance. If None, attempt to use a ChainedTokenCredential instantiated at runtime that prefers, in order, a newly instantiated AzureCliCredential (which gets credentials associated with the user logged in via the Azure CLI, i.e. az login at the command line). Default None.

Returns#

str

The retrieved value of the service principal secret.

get_client_secret_sp_credential(vault_url: str, vault_sp_secret_id: str, tenant_id: str, application_id: str, user_credential: azure.identity.ChainedTokenCredential = None) → azure.identity.ClientSecretCredential#

Get a ClientSecretCredential for a given Azure service principal.

Parameters#

vault_url

URL for the Azure keyvault to access.

vault_sp_secret_id

Service principal secret ID within the keyvault.

tenant_id

Tenant ID for the service principal credential.

application_id

Application ID for the service principal credential.

user_credential

User credential for the Azure user, as an azure-identity UserCredential class instance. Passed to get_sp_secret(). If None (default), get_sp_secret() will attempt to use a ChainedTokenCredential instantiated at runtime. See its documentation for more.

Returns#

ClientSecretCredential

A ClientSecretCredential for the given service principal.

get_service_principal_credentials(vault_url: str, vault_sp_secret_id: str, tenant_id: str, application_id: str, resource_url: str = d.default_azure_batch_resource_url, user_credential: azure.identity.ChainedTokenCredential = None) → azure.common.credentials.ServicePrincipalCredentials#

Get a ServicePrincipalCredentials object for a given Azure service principal.

Parameters#

vault_url

URL for the Azure keyvault to access.

vault_sp_secret_id

Service principal secret ID within the keyvault.

tenant_id

Tenant ID for the service principal credential.

application_id

Application ID for the service principal credential.

resource_url

URL of the Azure resource. Defaults to the value of default_azure_batch_resource_url.

user_credential

User credential for the Azure user, as an azure-identity UserCredential class instance. Passed to get_sp_secret(). If None, get_sp_secret() will attempt to use a ChainedTokenCredential instantiated at runtime. See the get_sp_secret() documentation for details. Default None.

Returns#

ServicePrincipalCredentials

A ServicePrincipalCredentials object for the service principal.

get_compute_node_identity_reference(credential_handler: CredentialHandler = None) → azure.batch.models.ComputeNodeIdentityReference#

Get a valid models.ComputeNodeIdentityReference using credentials obtained via a CredentialHandler: either a user-provided one or a default based on environment variables.

Parameters#

credential_handler

Credential handler for connecting and authenticating to Azure resources. If None, create a blank EnvCredentialHandler, which attempts to obtain needed credentials using information available in local environment variables (see its documentation for details).

Returns#

models.ComputeNodeIdentityReference

A models.ComputeNodeIdentityReference created according to the specified configuration.