Azure KeyVault listing roles


I was trying to follow the guide -

https://github.com/iscai-msft/azure-sdk-for-python/blob/94b9552b2165a394dbab0703e562a541eab12b4a/sdk/keyvault/azure-keyvault-administration/README.md

and based off that I have the following code -

import os
from azure.identity import UsernamePasswordCredential
from azure.keyvault.administration import KeyVaultAccessControlClient, KeyVaultRoleScope

client_id = os.getenv('AZURE_CLIENT_ID')  # assumed: the app registration's client id, not shown in the issue

credentials = UsernamePasswordCredential(client_id=client_id, username=os.getenv('AZURE_USERNAME'),
                                         password=os.getenv('AZURE_PASSWORD'))
Subscription = 'xxxxxxxxxx'
KeyVault = 'Test-Key-Vault'
KeyVault_URI = 'https://Test-Key-Vault.vault.azure.net/'

client = KeyVaultAccessControlClient(vault_url=KeyVault_URI, credential=credentials)
# list_role_assignments (not list_role_definitions) returns the objects that carry
# principal_id / role_definition_id; the logged request below is the roleAssignments endpoint
role_assignments = client.list_role_assignments(role_scope=KeyVaultRoleScope.global_value)
for role_assignment in role_assignments:
    print(role_assignment.name)
    print(role_assignment.principal_id)
    print(role_assignment.role_definition_id)

This prints nothing, or generates the following when I look into the logs -

2021-01-22 12:02:53 INFO     Request URL: 'https://MYKEYVAULT.vault.azure.net/keys/providers/Microsoft.Authorization/roleAssignments?api-version=REDACTED'
2021-01-22 12:02:53 INFO     Request method: 'GET'
2021-01-22 12:02:53 INFO     Request headers:
2021-01-22 12:02:53 INFO         'Accept': 'application/json'
2021-01-22 12:02:53 INFO         'x-ms-client-request-id': 'REDACTED'
2021-01-22 12:02:53 INFO         'User-Agent': 'azsdk-python-keyvault-administration/4.0.0b2 Python/3.9.0 (macOS-10.15.6-x86_64-i386-64bit)'
2021-01-22 12:02:53 INFO         'Content-Length': '0'
2021-01-22 12:02:53 INFO     No body was attached to the request
2021-01-22 12:02:54 INFO     Response status: 404
2021-01-22 12:02:54 INFO     Response headers:
2021-01-22 12:02:54 INFO         'Content-Type': 'text/html'
2021-01-22 12:02:54 INFO         'X-Powered-By': 'REDACTED'
2021-01-22 12:02:54 INFO         'Strict-Transport-Security': 'REDACTED'
2021-01-22 12:02:54 INFO         'X-Content-Type-Options': 'REDACTED'
2021-01-22 12:02:54 INFO         'Date': 'Fri, 22 Jan 2021 17:02:54 GMT'
2021-01-22 12:02:54 INFO         'Content-Length': '1245'
Traceback (most recent call last):
  File "<input>", line 3, in <module>
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/azure/core/paging.py", line 129, in __next__
    return next(self._page_iterator)
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/azure/core/paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/azure/keyvault/administration/_generated/v7_2_preview/operations/_role_assignments_operations.py", line 310, in get_next
    error = self._deserialize(models.KeyVaultError, response)
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/msrest/serialization.py", line 1357, in __call__
    data = self._unpack_content(response_data, content_type)
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/msrest/serialization.py", line 1509, in _unpack_content
    return RawDeserializer.deserialize_from_http_generics(
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/msrest/pipeline/universal.py", line 226, in deserialize_from_http_generics
    return cls.deserialize_from_text(body_bytes, content_type)
  File "/Users/USER/Documents/Automation Projects/Azure_Key_Management/venv/lib/python3.9/site-packages/msrest/pipeline/universal.py", line 203, in deserialize_from_text
    raise DeserializationError("Cannot deserialize content-type: {}".format(content_type))
msrest.exceptions.DeserializationError: Cannot deserialize content-type: text/html

Meanwhile, I can see there are roles associated with the KeyVault. My purpose is to get the access policies and the IAM role assignments (to see roles that have been inherited).

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:14 (8 by maintainers)

Top GitHub Comments

1 reaction
mccoyp commented, Feb 10, 2021

Hello, apologies for the delayed response! I’m glad to hear that the timeout issue seems particular to the IDE and that there are workarounds.

Paring down the permissions you return sounds like a reasonable idea. There are quite a few permissions that pertain to Key Vault, as listed here. Most fall under Microsoft.KeyVault/vaults/*, but there are some permissions that you may be interested in that have a different structure (like Microsoft.KeyVault/locations/deletedVaults/purge/action for purging vaults).

Actions with non-Microsoft.KeyVault prefixes may be relevant depending on your use case, but none of these would, to my knowledge, grant data action permissions within a vault indirectly. They pop up among permissions for managing a vault because of their pertinence to actions that are useful, but not Key Vault-specific. The Key Vault Administrator (preview) built-in role is an example of this; you can scroll down the page to see more Key Vault built-in roles for more examples.
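The thread touches two mechanics that decide what a principal can actually do in a vault: the original question wants the role assignments a vault inherits from parent scopes, and the comment above describes how Key Vault permission strings are structured (most under Microsoft.KeyVault/vaults/*, some with a different shape, control-plane actions distinct from data actions). The following is an added example, not code from the issue or from the Azure SDK, that models both rules offline in plain Python: an assignment is inherited by every scope nested under the scope it was made at, action strings match case-insensitively with `*` as a wildcard, and NotActions/NotDataActions subtract from the same role's grant rather than acting as denies. The role definitions, assignments, subscription id and principal names are constructed sample data; in a real access review they would come from AuthorizationManagementClient (control plane) and KeyVaultAccessControlClient (data plane).

```python
"""Offline model of which Azure RBAC assignments reach a Key Vault and what they permit.

Added example, not code from the issue or the Azure SDK. All data below is
constructed; names such as "Vault Admin" and "alice" are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class RoleDefinition:
    name: str
    actions: List[str] = field(default_factory=list)       # control-plane (ARM) actions
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)  # data-plane actions inside the vault
    not_data_actions: List[str] = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal_id: str
    role_definition_name: str
    scope: str  # ARM scope the assignment was created at


def action_matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively; '*' matches any run of characters,
    including '/', so 'Microsoft.KeyVault/vaults/*' covers every secret/key/certificate operation."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment is inherited by every scope nested under the one it was made at.
    Matching is case-insensitive and on whole path segments, so '.../resourceGroups/prod-rg'
    does not cover '.../resourceGroups/prod-rg2/...'. The root scope '/' covers everything."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return a == "" or t == a or t.startswith(a + "/")


def applicable_assignments(target_scope: str, assignments: List[RoleAssignment]) -> List[RoleAssignment]:
    """Assignments made on the vault itself plus those inherited from subscription / resource group."""
    return [ra for ra in assignments if scope_covers(ra.scope, target_scope)]


def role_permits(role: RoleDefinition, action: str, data_action: bool) -> bool:
    """NotActions / NotDataActions only subtract from this role's own grant; they never deny."""
    allowed, excluded = ((role.data_actions, role.not_data_actions) if data_action
                         else (role.actions, role.not_actions))
    return (any(action_matches(p, action) for p in allowed)
            and not any(action_matches(p, action) for p in excluded))


def principals_permitted(target_scope: str, action: str, assignments: List[RoleAssignment],
                         roles: Dict[str, RoleDefinition], data_action: bool = True) -> Set[str]:
    """Every principal that can perform `action` at `target_scope` through some applicable assignment."""
    permitted: Set[str] = set()
    for ra in applicable_assignments(target_scope, assignments):
        role = roles.get(ra.role_definition_name)
        if role is not None and role_permits(role, action, data_action):
            permitted.add(ra.principal_id)
    return permitted


# ---- constructed sample data (not real ids, not copies of the built-in roles) ----
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_SCOPE = f"{SUB}/resourceGroups/prod-rg/providers/Microsoft.KeyVault/vaults/Test-Key-Vault"

SAMPLE_ROLES: Dict[str, RoleDefinition] = {r.name: r for r in [
    RoleDefinition("Reader", actions=["*/read"]),
    RoleDefinition("Secrets User", data_actions=["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                                                 "Microsoft.KeyVault/vaults/secrets/readMetadata/action"]),
    RoleDefinition("Vault Admin", data_actions=["Microsoft.KeyVault/vaults/*"]),
    RoleDefinition("Vault Admin No Purge", data_actions=["Microsoft.KeyVault/vaults/*"],
                   not_data_actions=["Microsoft.KeyVault/vaults/*/purge/action"]),
    RoleDefinition("Vault Purger", actions=["Microsoft.KeyVault/locations/deletedVaults/purge/action"]),
]}

SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Vault Admin", SUB),                                 # inherited from subscription
    RoleAssignment("bob", "Secrets User", f"{SUB}/resourceGroups/prod-rg"),      # inherited from resource group
    RoleAssignment("carol", "Vault Admin", f"{SUB}/resourceGroups/prod-rg2"),    # different group: not applicable
    RoleAssignment("dave", "Vault Admin No Purge", VAULT_SCOPE),                 # assigned on the vault itself
    RoleAssignment("eve", "Reader", "/"),                                        # root scope, control plane only
    RoleAssignment("frank", "Vault Purger", SUB),
]


def access_report(target_scope: str = VAULT_SCOPE) -> Dict[str, List[str]]:
    """Summarise who can do a handful of interesting actions at the vault."""
    checks = [("Microsoft.KeyVault/vaults/secrets/getSecret/action", True),
              ("Microsoft.KeyVault/vaults/secrets/purge/action", True),
              ("Microsoft.KeyVault/vaults/read", False),
              ("Microsoft.KeyVault/locations/deletedVaults/purge/action", False)]
    return {action: sorted(principals_permitted(target_scope, action, SAMPLE_ASSIGNMENTS, SAMPLE_ROLES, is_data))
            for action, is_data in checks}


if __name__ == "__main__":
    for action, who in access_report().items():
        print(f"{action}: {', '.join(who) or '(nobody)'}")
```

The report separates data-plane questions ("who can read a secret?") from control-plane ones ("who can purge a deleted vault?"), which is the distinction the comment above draws: a role with only ARM actions never grants data actions inside the vault, however broad its wildcard is.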

1 reaction
mccoyp commented, Jan 29, 2021

Thank you for the details! I’ll try to tackle each question and issue here:

Not sure if there is an async variant that can be used here, to make this faster. I couldn’t find async clients or examples in the documentation for the following -

from azure.identity import UsernamePasswordCredential
from azure.mgmt.resource.subscriptions import SubscriptionClient
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.keyvault import KeyVaultManagementClient
from azure.mgmt.authorization import AuthorizationManagementClient

UsernamePasswordCredential: There’s an async library for Azure Identity (azure.identity.aio), though there’s no UsernamePasswordCredential for async. I would recommend using an AzureCliCredential or VisualStudioCodeCredential if you prefer logging in with a username and password (in this case, you would just log in through your preferred platform before using the credential).

SubscriptionClient: There is an async SubscriptionClient in azure.mgmt.resources.subscription.aio.

ResourceManagementClient: There is an azure.mgmt.resource.aio async library, but unfortunately there’s no async ResourceManagementClient at this time.

KeyVaultManagementClient: There is an async KeyVaultManagementClient in azure.mgmt.keyvault.aio.

AuthorizationManagementClient: There is an async AuthorizationManagementClient in azure.mgmt.authorization.aio, which is good because you’re right; looking through all the access policies for a subscription can take quite a while.

In general, to find async libraries on docs.microsoft.com, they’ll be underneath the general package name in the table of contents on the left side of the page. The screenshot below shows how you can find azure.mgmt.resource.aio: going to the page for the sync package (in this case, azure-mgmt-resource at the top of the red box) will reveal a dropdown that contains the async package name under the “Overview” page for the sync package. Async package names follow the pattern of “[sync package name].aio”.

[Screenshot: docs.microsoft.com table of contents showing azure.mgmt.resource.aio under the azure-mgmt-resource package]

When I did this to catch the above error, I ran into the following error; not sure why it would even show deleted resource groups -

from azure.core.exceptions import ResourceNotFoundError

try:
    key_vault_list = [key_vault.as_dict() for key_vault in key_vault_iterator]
except ResourceNotFoundError:
    print(f'Ran into problem.. for resource group = {resource_group}')

If I had to guess, I would think that deleted resource groups have been coming up because of how long the script takes to run. It’s likely that at least one resource group would be deleted within a subscription during execution if this is taking 3+ hours, so fetching the group name at the start and attempting to work with it later on could cause issues. I would recommend ignoring this exception and moving on to the next group (even if using async clients).

The error that I run into -

Exception in thread Thread-2:
...
TimeoutError: [Errno 60] Operation timed out
...
_shaded_thriftpy.transport.TTransportException: TTransportException(type=4, message='End of file reading from transport')

Based on the exceptions and corresponding details, these errors don’t seem to be coming from the SDK’s side. Without personally having seen something like this before, I would think that these could be stemming from how long it’s taking to execute this code. I would recommend trying to adapt your code to use async clients where possible, and seeing if performance improvements would mitigate this. If that’s difficult to do, I would suggest reducing the scope of your search – maybe try limiting your search to a single subscription first, or even a set of resource groups.

I hope this helps! Please feel free to comment again with any new or persisting issues.

