wapacro / az-keyvault-php
Library to easily work with Azure Key Vault using managed identities
Home Page: https://packagist.org/packages/wapacro/az-keyvault-php
License: MIT License
I'm trying to fetch information from an Azure App Configuration and not an Azure Key Vault. Would it be possible to fetch it using the App Configuration API?
I was trying to get this working on a PHP app running on one of our Azure VMs running Ubuntu 20.04 and PHP 7.4.3 and encountered a couple of problems.
It blew up because the IDENTITY_ENDPOINT and IDENTITY_HEADER env vars are not present. Instead, I found that by using the instructions at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad and simply using the "standard" local endpoint, http://169.254.169.254/metadata/identity/oauth2/token, and the Metadata: true header, I could get the token I needed (the VM had identity set up in the Azure portal).
After that, the next problem was with the secret version; I don't care about it. So I tried calling getSecret with just the secret name, but the default null secretVersion caused an error with the sprintf in endpoint construction as well as in the SecretEntity response instantiation. Neither likes a null where a string should be. Once I ?? coalesced them to the empty string, I was able to grab the secret out of the vault.
So maybe there can be an alternative setting or subclass that uses the standard local URL and metadata instead of the IDENTITY_* env vars.
The initialization of my key vault
$secret = new AzKeyVault\Secret('https://my-custom.vault.azure.net/');
causes this error:
NOTICE: PHP message: PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 3: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01 in /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211,
#0 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array),
#1 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#2 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#3 /www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
GMP is installed; the command php -info | grep "GMP" returns GMP version => 6.1.2.
Also the application is allowed to access the key vault through a service principal.
Versions of installed packages:
brick/math 0.9.1 Arbitrary-precision arithmetic library
fgrosse/phpasn1 v2.2.0 A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.
firebase/php-jwt v5.2.0 A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
grpc/grpc 1.30.0 gRPC library for PHP
guzzlehttp/guzzle 7.2.0 Guzzle is a PHP HTTP client library
guzzlehttp/promises 1.4.0 Guzzle promises library
guzzlehttp/psr7 1.7.0 PSR-7 message implementation that also provides common utility methods
monolog/monolog 2.1.1 Sends your logs to files, sockets, inboxes, databases and various web services
psr/cache 1.0.1 Common interface for caching libraries
psr/http-client 1.0.1 Common interface for HTTP clients
psr/http-message 1.0.1 Common interface for HTTP messages
psr/log 1.1.3 Common interface for logging libraries
ralouphie/getallheaders 3.0.3 A polyfill for getallheaders.
react/promise v2.8.0 A lightweight implementation of CommonJS Promises/A for PHP
rize/uri-template 0.3.2 PHP URI Template (RFC 6570) supports both expansion & extraction
spatie/macroable 1.0.1 A trait to dynamically add methods to a class
spatie/url 1.3.5 Parse, build and manipulate URL's
spomky-labs/base64url v2.0.4 Base 64 URL Safe Encoding/Decoding PHP Library
wapacro/az-keyvault-php v2.0.0 PHP Library to work with Azure KeyVault using managed identity
web-token/jwt-core v2.2.5 Core component of the JWT Framework.
Do you have any suggestions?
Overall this code works great. When I was working with standard Azure I had no problems at all.
When I tried on our GovCloud installation I had an issue because of the embedded URL in the Vault/Client code. I was able to fix it easily, for me, to work for either by adding a flag to the constructor:
Vault.php:
    public function __construct(string $url = null, $client = null, $is_govcloud = false) {
        $this->client = $client ?? new Client($is_govcloud);
        if ($url) {
            $this->setKeyVault($url);
        }
    }
Client.php:
    public function __construct($is_govcloud = false) {
        $this->client = new \GuzzleHttp\Client();
        $this->accessToken = $this->getAccessToken($is_govcloud);
    }
and
    protected function getAccessToken($is_govcloud = false) {
        // Get MSI endpoint & token from environment (App Service) or use hardcoded values in case of VM
        $endpoint = $this->env('IDENTITY_ENDPOINT', 'http://169.254.169.254/metadata/identity/oauth2/token');
        $idHeaderValue = $this->env('IDENTITY_HEADER', 'true');
        $idHeaderName = !empty($this->env('IDENTITY_HEADER')) ? 'X-IDENTITY-HEADER' : 'Metadata';
        $resource = $is_govcloud ? 'https://vault.usgovcloudapi.net' : 'https://vault.azure.net';
        $endpoint = Url::fromString($endpoint)->withQueryParameter('resource', $resource);
        return 'Bearer ' . $this->get($endpoint, $idHeaderValue, $idHeaderName, self::OAUTH_API_VERSION)->access_token;
    }
Note: the resource URL is different for GovCloud. This simple fix made it work for either.
$client = new AzKeyVault\Secret($URL, null, true);
Hopefully, this makes sense. If you'd like I could send you the files I changed.
This fixes the 401 Audience error that people see on GovCloud sometimes.
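An added example (not the project's own code) that combines the GovCloud audience switch from the report above with the IMDS fallback and the null-version handling from the VM report earlier in the thread; it goes slightly beyond the patch by deriving the audience from the vault host rather than a boolean flag. Assumptions: the IDENTITY_ENDPOINT / IDENTITY_HEADER variables and the IMDS endpoint are as named in the thread, the App Service endpoint and header value in the demo are constructed, and the Key Vault secrets api-version 7.1 is assumed.

```php
<?php declare(strict_types=1);
// Added example, not code from az-keyvault-php: choose the managed-identity token
// request from the environment and the vault URL (the IDENTITY_* variables and the
// IMDS endpoint named in the thread) and build a secret URL that tolerates a null
// version. The Key Vault api-version 7.1 used below is an assumption.
const IMDS_TOKEN_ENDPOINT = 'http://169.254.169.254/metadata/identity/oauth2/token';
const OAUTH_API_VERSION = '2019-08-01';

/** Derive the token audience from the vault host so each cloud gets the right resource. */
function keyVaultAudience(string $vaultUrl): string {
    $host = strtolower((string) parse_url($vaultUrl, PHP_URL_HOST));
    // Public cloud vaults end in vault.azure.net, GovCloud vaults in vault.usgovcloudapi.net.
    foreach (['vault.usgovcloudapi.net', 'vault.azure.net'] as $suffix) {
        if (substr($host, -strlen($suffix)) === $suffix) {
            return 'https://' . $suffix;
        }
    }
    throw new InvalidArgumentException("Unrecognised Key Vault host: $host");
}

/** App Service identity endpoint when IDENTITY_* are set, otherwise the VM IMDS endpoint. */
function tokenRequest(array $env, string $vaultUrl): array {
    $appService = !empty($env['IDENTITY_ENDPOINT']) && !empty($env['IDENTITY_HEADER']);
    $query = http_build_query(['resource' => keyVaultAudience($vaultUrl), 'api-version' => OAUTH_API_VERSION]);
    return [
        'url'    => ($appService ? $env['IDENTITY_ENDPOINT'] : IMDS_TOKEN_ENDPOINT) . '?' . $query,
        'header' => $appService ? 'X-IDENTITY-HEADER: ' . $env['IDENTITY_HEADER'] : 'Metadata: true',
    ];
}

/** Secret URL; a null or empty version is omitted instead of being passed to sprintf. */
function secretUrl(string $vaultUrl, string $name, ?string $version = null): string {
    $url = rtrim($vaultUrl, '/') . '/secrets/' . rawurlencode($name);
    if ($version !== null && $version !== '') {
        $url .= '/' . rawurlencode($version);
    }
    return $url . '?api-version=7.1';
}

// Constructed inputs: a GovCloud vault, a VM environment (no IDENTITY_* vars) and an
// App Service environment with a made-up local endpoint and header value.
$vault = 'https://my-custom.vault.usgovcloudapi.net/';
$environments = ['vm' => [], 'app-service' => [
    'IDENTITY_ENDPOINT' => 'http://127.0.0.1:41239/msi/token', 'IDENTITY_HEADER' => 'constructed-value']];
foreach ($environments as $label => $env) {
    $req = tokenRequest($env, $vault);
    echo "$label: {$req['url']}\n    {$req['header']}\n";
}
echo secretUrl($vault, 'db-password'), "\n", secretUrl($vault, 'db-password', 'abc123'), "\n";
```

The returned url and header are what the thread's GET against the identity endpoint needs; the bearer token in the JSON response's access_token field is then sent to the secret URL.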
Hi,
From my Azure App Service I'm getting this error:
error 7: Failed to connect to 169.254.169.254 port 80: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://169.254.169.254/metadata/identity/oauth2/token?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01
So I can't get the token from AD.
Any idea?
Thanks,
When I try to use the setSecret(string, string) method, I receive the following error message.
Passing in the "body" request option as an array to send a request is not supported. Please use the "form_params" request option to send a application/x-www-form-urlencoded request, or the "multipart" request option to send a multipart/form-data request.
Possibly related with https://stackoverflow.com/a/34411797/878514
The getSecrets() function will fetch secret names in the Key Vault up to a max of 25, but how can I use these names to fetch the actual secret value dynamically? The getSecret() function requires passing the secret name manually, but I would like to know how I can do this dynamically.
Feature Request: Set a secret in a specified key vault.
https://docs.microsoft.com/en-us/rest/api/keyvault/setsecret/setsecret
Does it support non-Azure apps?
If I'm not wrong, it seems to me that it supports only Azure apps.
Feature Request: List secrets in a specified key vault.
In the real world scenario, you probably have to work with all secrets in a specified key vault.
https://docs.microsoft.com/en-us/rest/api/keyvault/getsecrets/getsecrets
The project is great for our apps deployed on Azure VMs, but we have some devs who want to run our app on their local machine for development purposes. Any ideas how we could use az-keyvault-php so it is basically the same experience whether inside Azure or on a local machine (connected to our Azure VPN)?