Enable key vault as secret source (#141)

- Add azure key vault client - Make sure logic fall back when environment variable is set / key vault name is not given
feathr-ai · May 5, 2022 · 1d3f793 · 1d3f793
1 parent 16f2814
commit 1d3f793
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 1 deletion.
diff --git a/docs/how-to-guides/azure_resource_provision.json b/docs/how-to-guides/azure_resource_provision.json
@@ -113,6 +113,16 @@
                         "value": "[concat(variables('redisCacheName'),'.redis.cache.windows.net:6380,password=', listKeys(concat('Microsoft.Cache/redis/', variables('redisCacheName')), '2021-06-01').primaryKey, ',ssl=True')]"
                     },
                     "dependsOn": [ "[variables('keyVault')]", "[variables('redisCache')]" ]
+                },
+                {
+                    "type": "Microsoft.KeyVault/vaults/secrets",
+                    "name": "[concat(variables('keyVaultName'), '/REDIS_PASSWORD')]",
+                    "apiVersion": "2021-10-01",
+                    "location": "[resourceGroup().location]",
+                    "properties": {
+                        "value": "[listKeys(concat('Microsoft.Cache/redis/', variables('redisCacheName')), '2021-06-01').primaryKey]"
+                    },
+                    "dependsOn": [ "[variables('keyVault')]", "[variables('redisCache')]" ]
                 }
             ]
         },

diff --git a/feathr_project/feathr/_envvariableutil.py b/feathr_project/feathr/_envvariableutil.py
@@ -1,11 +1,13 @@
 import os
 import yaml
 from loguru import logger
+from feathr.akv_client import AzureKeyVaultClient
 
 
 class _EnvVaraibleUtil(object):
     def __init__(self, config_path):
         self.config_path = config_path
+        self.akv_client = None
 
     def get_environment_variable_with_default(self, *args):
         """Gets the environment variable for the variable key.
@@ -62,5 +64,8 @@ def get_environment_variable(variable_key):
         password = os.environ.get(variable_key)
         if not password:
             logger.info(variable_key +
-                        ' is not set in the environment variables.')
+                        ' is not set in the environment variables, fetching the value from Key Vault')
+            akv_name = os.env.get("KEY_VAULT_NAME")
+            akv_client = AzureKeyVaultClient(akv_name)
+            password = akv_client.get_akv_secret(variable_key)
         return password
diff --git a/feathr_project/feathr/akv_client.py b/feathr_project/feathr/akv_client.py
@@ -0,0 +1,22 @@
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+from loguru import logger
+from azure.core.exceptions import ResourceNotFoundError
+
+class AzureKeyVaultClient:
+    def __init__(self, akv_name: str):
+        self.akv_name = akv_name
+        self.secret_client = None
+
+    def get_akv_secret(self, secret_name: str):
+        if self.secret_client is None:
+            self.secret_client = SecretClient(
+                vault_uri = f"https://{self.akv_name}.vault.azure.net",
+                credential=DefaultAzureCredential()
+            )
+        try:
+            secret = self.secret_client.get_secret(secret_name)
+            logger.debug(f"Secret: {secret_name} is retrieved from Key Vault {self.akv_name}.")
+            return secret.value
+        except ResourceNotFoundError as e:
+            logger.error(f"Secret: {secret_name} cannot be found in Key Vault {self.akv_name}.")