awx_plugins.credentials.azure_kv module

Microsoft Azure Key Vault Lookup Plugin.

This module defines a credential lookup plugin to authenticate and retrieve secrets from an Azure Key Vault. If the Client ID, Tenant ID, and Client Secret are provided, it creates a credential with those. If one is missing, it attempts to use the Managed Identity of an Azure VM to create a credential.

Functions:

  • azure_keyvault_backend(): Creates a credential either with the fields provided or via the VM environment, and retrieves the secret from the Key Vault.

  • azure_keyvault_plugin: Defines the credential plugin interface.

awx_plugins.credentials.azure_kv._initialize_credential(tenant: str = '', client: str = '', secret: str = '') → azure.core.credentials.TokenCredential
Parameters:
  • tenant (str, default: '')

  • client (str, default: '')

  • secret (str, default: '')

Return type:

azure.core.credentials.TokenCredential

awx_plugins.credentials.azure_kv.azure_keyvault_backend(*, url: str, client: str = '', secret: str = '', tenant: str = '', secret_field: str, secret_version: str = '') → str | None

Get a credential and retrieve a secret from an Azure Key Vault.

An empty string for an optional parameter counts as not provided.

Parameters:
  • url (str) – An Azure Key Vault URI.

  • client (str, default: '') – The Client ID (optional).

  • secret (str, default: '') – The Client Secret (optional).

  • tenant (str, default: '') – The Tenant ID (optional).

  • secret_field (str) – The name of the secret to retrieve from the vault.

  • secret_version (str, default: '') – The version of the secret to retrieve (optional).

Return type:

str | None

Returns:

The secret from the Key Vault.

Raises:

RuntimeError – If the software is not being run on an Azure VM.
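
A pre-flight check for the inputs documented above, added here as an example and not part of awx_plugins. It reports which credential path the documented rules select and flags a partially filled Client ID / Tenant ID / Client Secret set, which per the module description falls through to Managed Identity. The `preflight` helper and the list of vault DNS suffixes are assumptions, and the sample values are constructed.

```python
from urllib.parse import urlsplit

# Assumption: Key Vault DNS suffixes of the Azure clouds (not taken from the page).
VAULT_SUFFIXES = (".vault.azure.net", ".vault.azure.cn", ".vault.usgovcloudapi.net")


def preflight(*, url, secret_field, client="", secret="", tenant=""):
    """Hypothetical helper: return (auth_mode, findings) with no network access."""
    findings = []
    sp_fields = {"client": client, "secret": secret, "tenant": tenant}
    # An empty string counts as "not provided", as the parameter docs state.
    missing = [name for name, value in sp_fields.items() if not value]
    if not missing:
        auth_mode = "client_secret"
    else:
        # One missing field is enough for the Managed Identity path to be tried.
        auth_mode = "managed_identity"
        if len(missing) < len(sp_fields):
            findings.append(
                "partial service principal config, missing: " + ", ".join(missing)
                + "; the VM's managed identity would be used instead"
            )
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("vault URL scheme is not https")
    if not host.endswith(VAULT_SUFFIXES):
        findings.append("vault host is outside the expected suffixes: " + repr(host))
    if not secret_field:
        findings.append("secret_field is empty")
    return auth_mode, findings


if __name__ == "__main__":
    # Constructed sample input: Client Secret left blank by mistake.
    mode, notes = preflight(
        url="https://example-vault.vault.azure.net",
        secret_field="db-password",
        client="00000000-0000-0000-0000-000000000001",
        tenant="00000000-0000-0000-0000-000000000002",
    )
    print(mode)
    for note in notes:
        print(" -", note)
```

Running such a check before saving a credential makes the fallback visible: on an Azure VM a blank Client Secret does not fail, it changes which identity reads the vault.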