# MLRun secret handling using HashiCorp Vault and Azure key-store

This notebook demonstrates how secrets are created and consumed in MLRun, both with HashiCorp Vault and with an Azure key vault.


## Create and deploy a function displaying secret values

For this demo we'll use a simple function which gets a list of secret names, looks each of them up in the run context, and logs their values. Logging secret values is acceptable only because this is a demo: in real code the values would end up in the run log and wherever that log is shipped.

In [None]:
import mlrun

In [None]:
# mlrun: start-code

In [None]:
def vault_func(context, secrets: list):
    """Look up the given secrets in the run context and log their values (demo only)

    :param context: the MLRun context
    :param secrets: names of the secrets that we want to look at
    """
    context.logger.info("running function")
    for sec_name in secrets:
        # get_secret returns None when the key was not made available to this run
        sec_value = context.get_secret(sec_name)
        context.logger.info("Secret name: {}, value: {}".format(sec_name, sec_value))

    return True

In [None]:
# mlrun: end-code

In [None]:
func = mlrun.code_to_function(name="vault-func", kind="job", image="mlrun/mlrun")
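The handler above logs secret values, which is fine for a demo but not for a job whose logs are collected. The following is an added example, not MLRun code and not part of the original notebook: a handler with the same `(context, secrets)` signature that only reports whether each secret resolved, and can fail fast when one is missing. `DemoContext` is a constructed stand-in for the MLRun run context (it mimics the `get_secret` and `logger.info` members the handler uses) so the example runs without a cluster; the name `check_secrets` is chosen here.

```python
class DemoContext:
    """Constructed stand-in for the MLRun run context (example only, not MLRun code).

    It provides the two members the handler uses, ``get_secret`` and ``logger``,
    and records log lines so a test can check that no value leaked into them.
    """

    class _Logger:
        def __init__(self):
            self.lines = []

        def info(self, msg):
            self.lines.append(msg)

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)
        self.logger = self._Logger()

    def get_secret(self, key: str):
        # Mirror MLRun: an unknown key yields None rather than an exception.
        return self._secrets.get(key)


def check_secrets(context, secrets: list, strict: bool = False) -> dict:
    """Report whether each named secret resolved in the run context, logging no values.

    Returns {name: True/False}. An empty string counts as missing, since a secret
    that resolved to "" is as useless to the job as one that did not resolve at all.
    With strict=True the function raises before any work is done, so a job does not
    get halfway through with a credential it does not have.
    """
    status = {}
    for sec_name in secrets:
        sec_value = context.get_secret(sec_name)
        present = bool(sec_value)
        status[sec_name] = present
        if present:
            # Length is enough to spot a truncated or placeholder value;
            # the value itself never reaches the log.
            context.logger.info(
                "Secret {} resolved (length {})".format(sec_name, len(sec_value))
            )
        else:
            context.logger.info("Secret {} is missing or empty".format(sec_name))
    missing = [name for name, ok in status.items() if not ok]
    if strict and missing:
        raise RuntimeError("missing secrets: {}".format(", ".join(missing)))
    return status


if __name__ == "__main__":
    # Constructed sample: the first project's secrets from this notebook plus an empty one.
    ctx = DemoContext({"aws_key": "1234567890", "github_key": "proj1Key!!!", "empty": ""})
    print(check_secrets(ctx, ["aws_key", "github_key", "empty", "password"]))
    print("\n".join(ctx.logger.lines))
```

Inside MLRun the same function would be used as the handler in place of `vault_func`; `strict` keeps its default unless passed through the task `params`, so the signature stays compatible with the tasks in this notebook.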

## Working with secrets kept in HashiCorp Vault

### Create a project & initialize Vault support
When a project is created, call `create_vault_secrets` on it to request that the API server set up the constructs which allow Vault secrets to be used with this project. The call creates the following for the project (if they do not already exist):

1. A k8s serviceaccount (`sa-vault-{project name}`)
2. A Vault policy (`mlrun-project-{project name}`) that enables access to secrets in the project path (`/secrets/secret/mlrun/projects/{proj name}`)
3. A Vault k8s role (`mlrun-role-project-{project name}`) that associates the SA's token with the policy

These configurations are performed on the MLRun API server side, not from the client.
In addition, the command passes a list of secret values to be associated with the project in Vault.

Once a project has been initialized in Vault, its secrets can be examined using the `get_vault_secrets` method.
This method also runs on the API server, but it uses the client's Vault token, so the client needs to be authorized to access Vault in order to execute it.

In [None]:
proj_name = "vault-mlrun"

proj = mlrun.new_project(proj_name)

project_secrets = {"aws_key": "1234567890", "github_key": "proj1Key!!!"}
proj.create_vault_secrets(project_secrets)

proj.get_vault_secrets()

### Initialize function runtime
The `.with_secrets` function has a '`vault`' secret kind that passes the specified Vault project secrets to the function context. The function spec
only contains the keys of the secrets ('aws_key' etc.); the actual secret values are retrieved from Vault and planted in the function
context at runtime, so they are not stored in the spec.

In [None]:
task = mlrun.new_task(
    project=proj_name,
    name="vault_test_run",
    handler="vault_func",
    params={"secrets": ["github_key", "aws_key"]},
)

# Add access to project-level secrets
task.with_secrets("vault", ["aws_key"])

### Execute the function
Running the function using the task we've created will show only the value of the `aws_key` secret, since it's the only secret passed to the `task` object. Modifying the `with_secrets` command will result in different secrets being available to the function runtime.

In [None]:
result = func.run(task)

By modifying the call to `with_secrets` so that all project secrets are passed to the runtime, the function will be able to present both the `github_key` and the `aws_key` secret values. Note that this grants the run every secret in the project, including any added later; outside a demo, list only the secrets the function actually needs.

In [None]:
# Access to all project-level secrets can be obtained by passing an empty list of secret names
task.with_secrets("vault", [])

result = func.run(task)

### Run the same function in another project's context
We will create a 2nd project, and assign different secret values to it. When the same function is executed in the new project's runtime context, it will get the new project's secrets. When running in this context, the function has no access to other projects' secrets.

In [None]:
proj_name_2 = "vault-mlrun-2"
proj2 = mlrun.new_project(proj_name_2)
proj2.create_vault_secrets(
    {"aws_key": "0987654321", "github_key": "proj2Key???", "password": "myPassword"}
)

In [None]:
task2 = mlrun.new_task(
    project=proj_name_2,
    name="vault_test_run_2",
    handler="vault_func",
    params={"secrets": ["password", "github_key", "aws_key"]},
)
task2.with_secrets("vault", ["aws_key", "github_key", "password"])

result = func.run(task2)

### Project-level client side Vault operations
Client-side Vault integration is possible, assuming that the pod hosting this notebook has Vault connectivity and is properly configured.
In that case the project's `.with_secrets()` function pulls the secrets to the client, and the `.get_secret()` utility function extracts a secret value.

In [None]:
proj.with_secrets("vault", ["github_key"])
proj.get_secret("github_key")

## Working with secrets kept in Azure key vault

### Configuration
To work with Azure key vault, you first need to set up the following:
1. Create a key vault in your Azure subscription. For the purposes of this demo we'll assume the key vault is called "azure-demo-key-vault"
2. Create a service principal in Azure that will be granted access to the key vault. To create a service principal through the Azure portal, follow the steps in this page: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
3. Assign a key vault access policy to the service principal, as described in https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy-portal
4. Create a secret access key (client secret) for the service principal, following the steps in: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in. Make sure you have access to the following 3 identifiers:
    1. Directory (tenant) id
    2. Application (client) id
    3. Secret key (the client secret)
5. Generate a new k8s secret containing the above mentioned 3 keys. This can be done using `kubectl` with a command such as the following:

    >``` bash
    > kubectl -n <namespace> create secret generic azure-key-vault-secret \
    >    --from-literal=secret=<secret key> \
    >    --from-literal=tenant_id=<tenant id> \
    >    --from-literal=client_id=<client id>
    >```
    
    The names of the values within the secret are important, make sure you don't change them, as the MLRun code expects them to have these specific names.
6. Populate the key vault with secrets you wish your code to access. In this demo we assume two secrets are created - `demo-secret-1` and `demo-secret-2`.
    
    > *Note:*
    > Azure key vault supports 3 types of entities - keys, secrets and certificates. The MLRun code supports accessing only secrets.

Every pod that needs access to Azure key vault secrets must have this secret mounted. MLRun will automatically mount this secret on execution pods that are generated through its `run` command. 
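The k8s secret is the only thing standing between the execution pod and the key vault, and when a key is misnamed or a value carries a stray newline the symptom is an authentication error at run time rather than at setup. The following is an added example, not MLRun code and not from the original notebook: it checks the manifest form of the secret (the dict you get from `kubectl get secret azure-key-vault-secret -o json`) for the three key names the command above creates. `make_secret_manifest` is a constructed helper that builds the same object `kubectl create secret generic --from-literal` would, so the check runs offline; both function names are chosen here.

```python
import base64

# Key names the azure_vault secret source expects inside the k8s secret,
# exactly as in the kubectl command above.
REQUIRED_KEYS = ("secret", "tenant_id", "client_id")


def make_secret_manifest(name: str, namespace: str, **literals: str) -> dict:
    """Build the manifest `kubectl create secret generic --from-literal=...` would produce.

    Constructed helper for the demo and test; values are base64-encoded as in a real
    Secret object.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in literals.items()},
    }


def validate_azure_kv_secret(manifest: dict) -> list:
    """Return a list of problems with a k8s Secret intended for the azure_vault source.

    An empty list means the secret has the three expected keys with non-empty,
    whitespace-free values. Input is the dict form of `kubectl get secret <name> -o json`.
    """
    problems = []
    if manifest.get("kind") != "Secret":
        problems.append("kind is {!r}, expected 'Secret'".format(manifest.get("kind")))
    data = manifest.get("data") or {}
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append("missing key {!r} (names must match exactly)".format(key))
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("key {!r} is not valid base64".format(key))
            continue
        if not raw:
            problems.append("key {!r} is empty".format(key))
        elif raw != raw.strip():
            # --from-file keeps the file's trailing newline; Azure then rejects the credential.
            problems.append("key {!r} has leading/trailing whitespace".format(key))
    for key in sorted(set(data) - set(REQUIRED_KEYS)):
        problems.append("unexpected key {!r} (probably a misspelt required key)".format(key))
    return problems


if __name__ == "__main__":
    good = make_secret_manifest(
        "azure-key-vault-secret", "default",
        secret="<client secret>", tenant_id="<tenant id>", client_id="<client id>",
    )
    print("good:", validate_azure_kv_secret(good))
    # Constructed bad manifest: misspelt key, trailing newline, empty value.
    bad = make_secret_manifest(
        "azure-key-vault-secret", "default",
        secret="s3cr3t\n", tenantid="<tenant id>", client_id="",
    )
    for problem in validate_azure_kv_secret(bad):
        print("bad:", problem)
```

Against a live cluster, feed `json.loads(subprocess.check_output(["kubectl", "-n", namespace, "get", "secret", name, "-o", "json"]))` to `validate_azure_kv_secret` before creating the task; the decoded values are never printed, only the key names and the kind of defect.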

### Executing code that accesses Azure key vault secrets
To access secrets, the `.with_secrets()` function should be called, specifying a secret source of type `azure_vault`. The name of the key vault and the name of the k8s secret (created in the previous section) need to be specified as part of the secret source definition. The following code generates a new execution task and configures it to access the Azure key vault called `azure-demo-key-vault`, using the `azure-key-vault-secret` k8s secret.

The code tries to retrieve the 2 secrets described above from the key vault. Note that `with_secrets()` is called with an empty list of secrets, which grants access to all the secrets accessible within the key vault. To limit the run to specific secrets, modify the code to: `"secrets": ["secret_name",...]`

In [None]:
proj_name = "azure-key-vault-project"
azure_key_vault_k8s_secret = "azure-key-vault-secret"
azure_key_vault_name = "azure-demo-key-vault"

task = mlrun.new_task(
    project=proj_name,
    name="azure_vault_test_run",
    handler="vault_func",
    out_path="/home/jovyan/examples",
    params={"secrets": ["demo-secret-1", "demo-secret-2"]},
)

task.with_secrets(
    "azure_vault",
    {
        "name": azure_key_vault_name,
        "k8s_secret": azure_key_vault_k8s_secret,
        "secrets": [],
    },
)

The following code executes the secret-printing function defined above with access to the Azure secrets specified in the task properties.

In [None]:
result = func.run(task)