Azure-sdk-for-python: ImportError: cannot import name 'KeyVaultClient'

Created on 12 Nov 2019 · 11Comments · Source: Azure/azure-sdk-for-python

Hello all,

we are running the following code since 2018 without problems but some days ago it started to fail with:

ImportError: cannot import name 'KeyVaultClient'

from azure.keyvault import KeyVaultClient, KeyVaultAuthentication
from azure.common.credentials import ServicePrincipalCredentials

credentials = None

def kvauth_callback(server, resource, scope):
    credentials = ServicePrincipalCredentials(
        client_id = os.environ['KV_CLIENT'], #client id
        secret = os.environ['KV_SECRET'],
        tenant = os.environ['KV_TENANT'],
        resource = "https://vault.azure.net"
    )
    token = credentials.token
    return token['token_type'], token['access_token']


def get_kvvalue(name, version):
    client = KeyVaultClient(KeyVaultAuthentication(kvauth_callback))

    try:
        secret_bundle = client.get_secret(os.environ['KV_VAULT'], name, version)
        return secret_bundle.value
    except:
        return ''

This code runs in Docker and the installation in the Dockerfile is done as follows:

RUN pip3.6 install azure-keyvault

Do we have to install a specific version to make it work again?

Client KeyVault customer-reported

Source

nuarhu

All 11 comments

@nuarhu thanks for letting us know! Adding my team members to help you address that //cc: @mayurid @chlowell

kaerm on 12 Nov 2019

@nuarhu , as we've been revamping the Azure SDKs, we have made the latest version of azure-keyvault a metapackage for our new SDKs. If you would like to continue using your code as is, make sure when you're installing from pip that you specify version less than or equal to 1.1.0: https://pypi.org/project/azure-keyvault/1.1.0/.

If you would like to try using our new key vault SDKs, we have separate packages for keys, secrets, and certificates and you can use the latest azure-keyvault to download and use them: https://pypi.org/project/azure-keyvault/4.0.0/

Hope this helps!

iscai-msft on 12 Nov 2019

@iscai-msft
As we have been using pip install azure-keyvault, this was already installing version 4.0.0 which obviously does not work with the above code.

If we would want to use the current version 4.0.0 instead of downgrading - would we have to change the import statements? Comparing our code to the current documentation, I fail to find the differences.

Downgrading is only a temporary workaround, imho.

nuarhu on 13 Nov 2019

@nuarhu downgrading would not be a temporary workaround because azure-keyvault is not being deprecated, you just need to add an upper-bound constraint for your azure-keyvault package (say, you can use 2.0.0 as your upper-bound because we follow semantic versioning). This way you won't have to rewrite your code that will work as long as you specify this upper-bound on the package.

If you would like to use our new libraries, you would have to rewrite your code because the code that works for azure-keyvault will not work with our new libraries. Our new libraries have separate packages for keys, secrets, and certificates. From the code you've shared, I see you are getting secrets, so you would need to at least use the azure-keyvault-secrets library. At this link you can find how to get a secret as well. We would also highly recommend you use the authentication method specified in the link as that will automatically work with our libraries.

P.S. Could you point me to the current documentation you are referring to? The code we have for our new libraries is very different, so there are definite differences between your code and the current documented code samples and I would like to clear up that confusion.

Thanks!

iscai-msft on 13 Nov 2019

@iscai-msft
Here is the link to the documentation: https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python

nuarhu on 14 Nov 2019

👍1

@nuarhu - We are in the process of updating documentation to reflect the recent release. In the meantime, you can reference the Key Vault samples found here:
https://docs.microsoft.com/en-us/samples/azure/azure-sdk-for-python/azure-key-vault-keys-client-library-python-samples/

https://docs.microsoft.com/en-us/samples/azure/azure-sdk-for-python/azure-key-vault-secrets-client-library-python-samples/

Stop gap solution for you:

pip install azure-keyvault==1.1.0

Here's how you would modify your code for v4:

pip install azure-keyvault==4.0.0

import datetime
import os
from dotenv import load_dotenv
load_dotenv()
from azure.keyvault.secrets import SecretClient
from azure.identity import ClientSecretCredential
from azure.core.exceptions import HttpResponseError


def get_kvvalue(name, version):

    credential = ClientSecretCredential(os.environ["KV_TENANT"], os.environ["KV_CLIENT"], os.environ["KV_SECRET"])

    client = SecretClient(os.environ["KV_VAULT"], credential)

    try:

        secret_bundle = client.get_secret(name, version)
        return secret_bundle.value
    except:
        print(sys.exc_info())
        return ''

print(get_kvvalue("MySecret", "467c6d9609344d3899dc71743e6ac9a9"))

You can decide if you want to move credential out of get_kvvalue (if it is shared).

As an aside, have a look at DefaultAzureCredential, as it helps make your code more portable from dev environments to production environments. https://azuresdkdocs.blob.core.windows.net/$web/python/azure-identity/1.0.0/index.html#id2

jongio on 15 Nov 2019

@jonigo - both the links you sent throw back 404
@isaci-msft - What about using the Secretclient with the CLI profile credentials and not SPN?
For example -

from azure.common.client_factory import get_client_from_cli_profile
from azure.keyvault.secrets import SecretClient
key_vault_client = get_client_from_cli_profile(SecretClient)

This doesn't work and throws: