Azure / azure-sdk-for-python

This repository is for active development of the Azure SDK for Python. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/python/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-python.
MIT License

encryptionkey does not support UAMI (User Assigned Managed Identity) auth through SDK #37813

Open aapune opened 4 days ago

aapune commented 4 days ago

Describe the bug

SearchResourceEncryptionKey does not have an identity argument to use UAMI like the REST API

https://learn.microsoft.com/en-us/python/api/azure-search-documents/azure.search.documents.indexes.models.searchresourceencryptionkey?view=azure-python

```
identity is not a known attribute of class <class 'azure.search.documents.indexes.models._models.SearchResourceEncryptionKey'> and will be ignored
Traceback (most recent call last):
  File "C:\Users\aanikhindi\PycharmProjects\Azure_Samples_Python\search_index_creation_kv_clientsecret.py", line 61, in <module>
    result = search_client.create_or_update_index(index)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\core\tracing\decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\search\documents\indexes\_search_index_client.py", line 276, in create_or_update_index
    result = self._client.indexes.create_or_update(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\core\tracing\decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Tools\Python_3.11\Lib\site-packages\azure\search\documents\indexes\_generated\operations\_indexes_operations.py", line 701, in create_or_update
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: () Invalid encryption key: service does not have managed identity defined not is an explicit identity specified or delegated - please define a managed identity for the service, or specify an explicit identity to use for access, or delegate a resource with identity, or alternatively explicitly provide Azure Key Vault access credentials.
Code:
Message: Invalid encryption key: service does not have managed identity defined not is an explicit identity specified or delegated - please define a managed identity for the service, or specify an explicit identity to use for access, or delegate a resource with identity, or alternatively explicitly provide Azure Key Vault access credentials.
```

To Reproduce

Steps to reproduce the behavior:

  1. Use latest Search SDK
  2. Use KV for encryption
  3. Try creating index with encryption

```python
credential = ClientSecretCredential(tenant_id, client_id, client_secret)

search_service_endpoint = 'https://<>.search.windows.net'

search_client = SearchIndexClient(
    endpoint=search_service_endpoint,
    credential=credential,
    api_version=
)

key_vault_key_name = ""
key_vault_key_version = ""  # Use empty string for the latest version
key_vault_uri = "https://<>.vault.azure.net/"

identity = {'type': 'UserAssigned', 'userAssignedIdentity': '/subscriptions/<>/rg-<>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<>'}

encryption_key = SearchResourceEncryptionKey(
    key_name=key_vault_key_name,
    key_version=key_vault_key_version,
    vault_uri=key_vault_uri,
    identity=identity
    # **{'identity': {'type': 'UserAssigned', 'userAssignedIdentity': '/subscriptions/<>/resourcegroups/rg-global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aniuami'}}
)
```

Expected behavior

The SDK should support an identity parameter to pass UAMI, or please share a way to use UAMI with encryptionkey as identity.


xiangyan99 commented 4 days ago

Thank you for reaching out.

Could you share the repro steps?

Or where can I find search_index_creation_kv_clientsecret.py?

aapune commented 3 days ago

```python
from azure.identity import ClientSecretCredential
from azure.search.documents.indexes import SearchIndexClient
from azure.search.documents.indexes.models import (
    SearchIndex,
    SimpleField,
    SearchFieldDataType,
    SearchResourceEncryptionKey
)

search_service_endpoint = 'https://<>.search.windows.net'

tenant_id = "<>"
client_id = "<>"
client_secret = "<>"

credential = ClientSecretCredential(tenant_id, client_id, client_secret)

search_client = SearchIndexClient(
    endpoint=search_service_endpoint,
    credential=credential
)

key_vault_key_name = "key1"
key_vault_key_version = ""  # Use empty string for the latest version
key_vault_uri = "https://<>.vault.azure.net/"

# Create the encryption key object with the identity - here we want to use UAMI
# not SMI and needs to mention UAMI details - but not sure how? because
# SearchResourceEncryptionKey does not have identity param
encryption_key = SearchResourceEncryptionKey(
    key_name=key_vault_key_name,
    key_version=key_vault_key_version,
    vault_uri=key_vault_uri
)

fields = [
    SimpleField(name="id", type=SearchFieldDataType.String, key=True),
    SimpleField(name="title", type=SearchFieldDataType.String, searchable=True),
    # Add other fields as needed
]

index = SearchIndex(
    name='test2',
    fields=fields,
    encryption_key=encryption_key
)

result = search_client.create_or_update_index(index)
print(f"Index '{result.name}' created with encryption.")
```