wapacro / az-keyvault-php Goto Github PK

I'm trying to fetch information from an azure app configuration and not an azure keyvault. Would it be possible to fetch it using app configuration API?

I was trying to get this working on a PHP app running on one of our Azure VMs running Ubuntu 20.04 and PHP 7.4.3 and encountered a couple of problems.

1. It blew up because the IDENTITY_ENDPOINT and IDENTITY_HEADER env vars are not present. Instead, I found that by using the instructions at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad and simply using the "standard" local endpoint, http://169.254.169.254/metadata/identity/oauth2/token, and the Metadata: true header, I could get the token I needed (the VM had identity setup in Azure portal).

2. After that, the next problem was with the secret version; I don't care about it. So I tried calling getSecret with just the secret name but the default null secretVersion caused an error with the sprintf in endpoint construction as well as in the SecretEntity response instantiation. Neither like a null where a string should be. Once I ?? coalesced them to the empty string, I was able to grab the secret out of the vault.

So maybe there can be and alternative setting or subclass that uses the standard local URL and metadata instead of the IDENTITY_* env vars.

The initialization of the my keyvault

$secret = new AzKeyVault\Secret('https://my-custom.vault.azure.net/');

causes this error:

NOTICE: PHP message: PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 3: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01 in /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211,
#0 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array),
#1 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#2 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#3 /www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)

GMP is installed, the command php -info | grep "GMP"returns

GMP version => 6.1.2.

Also the application is allowed to access the keyvault through service principal.

Versions of installed packages:

brick/math                  0.9.1     Arbitrary-precision arithmetic library
fgrosse/phpasn1             v2.2.0    A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.
firebase/php-jwt            v5.2.0    A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
grpc/grpc                   1.30.0    gRPC library for PHP
guzzlehttp/guzzle           7.2.0     Guzzle is a PHP HTTP client library
guzzlehttp/promises         1.4.0     Guzzle promises library
guzzlehttp/psr7             1.7.0     PSR-7 message implementation that also provides common utility methods
monolog/monolog             2.1.1     Sends your logs to files, sockets, inboxes, databases and various web services
psr/cache                   1.0.1     Common interface for caching libraries
psr/http-client             1.0.1     Common interface for HTTP clients
psr/http-message            1.0.1     Common interface for HTTP messages
psr/log                     1.1.3     Common interface for logging libraries
ralouphie/getallheaders     3.0.3     A polyfill for getallheaders.
react/promise               v2.8.0    A lightweight implementation of CommonJS Promises/A for PHP
rize/uri-template           0.3.2     PHP URI Template (RFC 6570) supports both expansion & extraction
spatie/macroable            1.0.1     A trait to dynamically add methods to a class
spatie/url                  1.3.5     Parse, build and manipulate URL's
spomky-labs/base64url       v2.0.4    Base 64 URL Safe Encoding/Decoding PHP Library
wapacro/az-keyvault-php     v2.0.0    PHP Library to work with Azure KeyVault using managed identity
web-token/jwt-core          v2.2.5    Core component of the JWT Framework.

Do you have any suggestions?

Overall this code works great. When I was working with standard Azure I had no problems at all.

When I tried on our GovCloud installation I had an issue because of the embedded URL in the Vault/Client code. I was able to fix it easily, for me, to work for either by adding a flag to the constructor:

Vault.php:
public function __construct(string $url = null, $client = null, $is_govcloud = false) {
$this->client = $client ?? new Client($is_govcloud);

    if ($url) {
        $this->setKeyVault($url);
    }
}

Client.php:
public function __construct($is_govcloud = false) {
$this->client = new \GuzzleHttp\Client();
$this->accessToken = $this->getAccessToken($is_govcloud);
}

and

protected function getAccessToken($is_govcloud = false) {
    // Get MSI endpoint & token from environment (App Service) or use hardcoded values in case of VM
    $endpoint = $this->env('IDENTITY_ENDPOINT', 'http://169.254.169.254/metadata/identity/oauth2/token');
    $idHeaderValue = $this->env('IDENTITY_HEADER', 'true');
    $idHeaderName = !empty($this->env('IDENTITY_HEADER')) ? 'X-IDENTITY-HEADER' : 'Metadata';
    $resource = $is_govcloud ? 'https://vault.usgovcloudapi.net' : 'https://vault.azure.net';

    $endpoint = Url::fromString($endpoint)->withQueryParameter('resource', $resource);
    return 'Bearer ' . $this->get($endpoint, $idHeaderValue, $idHeaderName, self::OAUTH_API_VERSION)->access_token;
}

Note: the resource URL is different for GovCloud. This simple fix made it work for either.

$client = new AzKeyVault\Secret($URL, null, true);

Hopefully, this makes sense. If you'd like I could send you the files I changed.

This fixes the 401 Audience error that people see on GovCloud sometimes.

Hi,

From my azure app service i m getting this error:

error 7: Failed to connect to 169.254.169.254 port 80: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01

So i can't get the token from the AD.
Any idea?

Thanks,

When I try to use the setSecret(string, string) method, I receive the following error message.

Passing in the "body" request option as an array to send a request is not supported. Please use the "form_params" request option to send a application/x-www-form-urlencoded request, or the "multipart" request option to send a multipart/form-data request.

Possibly related with https://stackoverflow.com/a/34411797/878514

getSecrets() function will fetch secret names in KeyVault upto max 25 but how can I use these names to fetch actual secret value dynamically?

1. There's getSecret() function for which we have to pass the secret name manually but I would like to know how can I do this dynamically
2. How can i fetch more than 25 secrets?

Feature Request: Set a secret in a specified key vault.

https://docs.microsoft.com/en-us/rest/api/keyvault/setsecret/setsecret

Does it support non azure app?
If I'm not wrong, it seems to me that it support only azure app

Feature Request: List secrets in a specified key vault.

In the real world scenario, you probably have to work with all secrets in a specified key vault.

https://docs.microsoft.com/en-us/rest/api/keyvault/getsecrets/getsecrets

https://stackoverflow.com/questions/58856673/azure-key-vault-and-managed-identity-local-development-with-rest

The project is great for our apps deployed on Azure VMs, but we have some devs who want to run our app on their local machine for development purposes. Any ideas how we could use az-keyvault-php so is basically the same experience whether inside Azure or on a local machine (connected to our Azure VPN)?