Closed aapune closed 1 hour ago
Thank you for reaching out.
Could you share the repro steps?
Or where can I find search_index_creation_kv_clientsecret.py?
```python
from azure.identity import ClientSecretCredential
from azure.search.documents.indexes import SearchIndexClient
from azure.search.documents.indexes.models import (
    SearchIndex,
    SimpleField,
    SearchFieldDataType,
    SearchResourceEncryptionKey,
)

search_service_endpoint = 'https://<>.search.windows.net'

# Values redacted in the report; the placeholders are quoted so the script parses
tenant_id = "<>"
client_id = "<>"
client_secret = "<>"

credential = ClientSecretCredential(tenant_id, client_id, client_secret)

search_client = SearchIndexClient(
    endpoint=search_service_endpoint,
    credential=credential
)

key_vault_key_name = "key1"
key_vault_key_version = ""  # Use empty string for the latest version
key_vault_uri = "https://<>.vault.azure.net/"

encryption_key = SearchResourceEncryptionKey(
    key_name=key_vault_key_name,
    key_version=key_vault_key_version,
    vault_uri=key_vault_uri
)

fields = [
    SimpleField(name="id", type=SearchFieldDataType.String, key=True),
    SimpleField(name="title", type=SearchFieldDataType.String, searchable=True),
]

index = SearchIndex(
    name='test2',
    fields=fields,
    encryption_key=encryption_key
)

result = search_client.create_or_update_index(index)
print(f"Index '{result.name}' created with encryption.")
```
Hi @aapune,
Here is one potential workaround so you can use the latest version of the SDK to create an index with an encryption key using UAMI:

```python
import os

os.environ["KEY_NAME"] = "key name"
os.environ["KEY_VERSION"] = "key version"
os.environ["VAULT_URI"] = "https://keyvault.vault.azure.net/"
os.environ["UAMI_RESOURCE_ID"] = "/subscriptions/xxx/resourcegroups/yyy/providers/microsoft.managedidentity/userassignedidentities/my-uami"
os.environ["SEARCH_SERVICE_ENDPOINT"] = "https://service.search.windows.net"

from azure.search.documents.indexes import SearchIndexClient
from azure.search.documents.indexes.models import (
    SearchIndex,
    SearchField
)
from azure.identity import DefaultAzureCredential
from azure.search.documents.indexes._generated.models import SearchResourceEncryptionKey, SearchIndexerDataUserAssignedIdentity

# Give the generated models a pass-through _to_generated so they can be
# handed to the public SearchIndex as they are, identity included.
SearchResourceEncryptionKey._to_generated = lambda self: self
SearchIndexerDataUserAssignedIdentity._to_generated = lambda self: self

search_index = SearchIndex(
    name="sdk-with-uami-key",
    fields=[
        SearchField(name="key", type="Edm.String", key=True)
    ],
    encryption_key=SearchResourceEncryptionKey(
        key_name=os.environ["KEY_NAME"],
        key_version=os.environ["KEY_VERSION"],
        vault_uri=os.environ["VAULT_URI"],
        identity=SearchIndexerDataUserAssignedIdentity(resource_id=os.environ["UAMI_RESOURCE_ID"])
    )
)

search_index_client = SearchIndexClient(endpoint=os.environ["SEARCH_SERVICE_ENDPOINT"], credential=DefaultAzureCredential())
search_index_client.create_or_update_index(search_index)
```
Thanks @mattgotteiner & team.
I hope this fix will be available soon on stable version.
Many thanks
Please try azure-search-documents 11.5.2
Hi @aapune. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Hi @aapune, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.
Describe the bug
SearchResourceEncryptionKey does not have identity argument to use UAMI like REST api
https://learn.microsoft.com/en-us/python/api/azure-search-documents/azure.search.documents.indexes.models.searchresourceencryptionkey?view=azure-python
```
identity is not a known attribute of class <class 'azure.search.documents.indexes.models._models.SearchResourceEncryptionKey'> and will be ignored
Traceback (most recent call last):
  File "C:\Users\aanikhindi\PycharmProjects\Azure_Samples_Python\search_index_creation_kv_clientsecret.py", line 61, in <module>
    result = search_client.create_or_update_index(index)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\core\tracing\decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
    ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\search\documents\indexes\_search_index_client.py", line 276, in create_or_update_index
    result = self._client.indexes.create_or_update(
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\core\tracing\decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
    ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 701, in create_or_update
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Invalid encryption key: service does not have managed identity defined not is an explicit identity specified or delegated - please define a managed identity for the service, or specify an explicit identity to use for access, or delegate a resource with identity, or alternatively explicitly provide Azure Key Vault access credentials.
Code:
Message: Invalid encryption key: service does not have managed identity defined not is an explicit identity specified or delegated - please define a managed identity for the service, or specify an explicit identity to use for access, or delegate a resource with identity, or alternatively explicitly provide Azure Key Vault access credentials.
```
To Reproduce
Steps to reproduce the behavior:

```python
from azure.identity import ClientSecretCredential
from azure.search.documents.indexes import SearchIndexClient
from azure.search.documents.indexes.models import SearchResourceEncryptionKey

# tenant_id, client_id and client_secret are not shown in this part of the report
credential = ClientSecretCredential(tenant_id, client_id, client_secret)

search_service_endpoint = 'https://<>.search.windows.net'

search_client = SearchIndexClient(
    endpoint=search_service_endpoint,
    credential=credential,
    api_version="<>"  # value not given in the report
)

key_vault_key_name = ""
key_vault_key_version = ""  # Use empty string for the latest version
key_vault_uri = "https://<>.vault.azure.net/"

identity = {'type': 'UserAssigned', 'userAssignedIdentity': '/subscriptions/<>/rg-<>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<>'}

encryption_key = SearchResourceEncryptionKey(
    key_name=key_vault_key_name,
    key_version=key_vault_key_version,
    vault_uri=key_vault_uri,
    identity=identity,
    # The report also shows the same argument written as a keyword expansion:
    # **{'identity': {'type': 'UserAssigned', 'userAssignedIdentity': '/subscriptions/<>/resourcegroups/rg-global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aniuami'}}
)
```
Expected behavior
SDK should support identity parameter to pass UAMI or please share way to use UAMI with encryptionkey as identity
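A pre-flight check for the failure reported above, added here as an example (it is not code from the thread or from the SDK): because the model ignores an unknown `identity` argument with only a warning, the check inspects the constructed key object and fails locally when nothing would let the service reach Key Vault. The function name, the path labels and the `access_credentials` attribute name are assumptions; the sample values are constructed.

```python
import re
from types import SimpleNamespace
from urllib.parse import urlparse

# ARM resource ID of a user-assigned managed identity (matched case-insensitively).
UAMI_ID = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)

def key_vault_access_paths(key, service_has_identity=False):
    """List the ways the search service could authenticate to Key Vault.

    `key` is any object with the attributes used on this page (key_name,
    vault_uri, identity.resource_id); access_credentials is an assumed name.
    Raises ValueError when a value is malformed or no path exists.
    """
    uri = urlparse(getattr(key, "vault_uri", None) or "")
    if uri.scheme != "https" or not uri.hostname:
        raise ValueError("vault_uri must be an https:// URL")
    if not getattr(key, "key_name", None):
        raise ValueError("key_name is empty")
    paths = []
    # An argument the model ignored at construction is simply absent here.
    identity = getattr(key, "identity", None)
    if identity is not None:
        resource_id = getattr(identity, "resource_id", None) or ""
        if not UAMI_ID.match(resource_id):
            raise ValueError(f"malformed user-assigned identity ID: {resource_id!r}")
        paths.append("explicit-identity")
    if getattr(key, "access_credentials", None) is not None:
        paths.append("access-credentials")
    if service_has_identity:
        paths.append("service-identity")
    if not paths:
        raise ValueError("no identity or credentials for Key Vault access")
    return paths

# Constructed samples (placeholder IDs, not values from the thread).
GOOD = SimpleNamespace(
    key_name="key1", vault_uri="https://example.vault.azure.net/",
    identity=SimpleNamespace(resource_id=(
        "/subscriptions/0000/resourceGroups/rg-demo/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/demo-uami")))
# What remains when the identity argument was ignored by the model.
DROPPED = SimpleNamespace(key_name="key1", vault_uri="https://example.vault.azure.net/")

if __name__ == "__main__":
    print(key_vault_access_paths(GOOD))
```

Calling it on `DROPPED` with `service_has_identity=False` raises `ValueError` before any request is sent, which corresponds to the "Invalid encryption key" response in the traceback.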