Open gbsmith opened 3 years ago
You can just create a service principal for local development. https://github.com/wapacro/az-keyvault-php/issues/7#issuecomment-732378538
But is it not possible to specify the AppId for which the permission is granted? Like it is described in this article: https://jumpforjoysoftware.com/2017/12/azure-key-vaults/
Looked through all the discussion around this topic. I wasn't very thrilled with a service principal and having to use additional credentials since the developer is likely already logged in with az login. Instead I copied the pattern I saw in the AWS and Azure cli where it attempts to use the local credentials before looking for a system credential.
<?php
namespace App\Utils;

use AzKeyVault\Client;
use RuntimeException;

/**
 * Flexible Key Vault client that uses either az login or managed identity credentials
 */
class CloudAwareKeyVaultClient extends Client
{
    /**
     * Get an access token using managed identity or az login credentials
     * @return string
     */
    protected function getAccessToken(): string
    {
        // Laravel's env() helper turns the string "true" into the boolean true
        if (env("AZ_OVERRIDE_MANAGED_IDENTITY") === true) {
            $output = [];   // exec() fills an array, one element per output line
            $exitCode = 1;
            // Fixed command string with no user-controlled parts, so nothing to inject
            exec("az account get-access-token --output json --resource 'https://vault.azure.net'", $output, $exitCode);
            $token = json_decode(implode("\n", $output));
            // Fail loudly instead of dereferencing null when az is not logged in
            if ($exitCode !== 0 || !isset($token->accessToken)) {
                throw new RuntimeException('az account get-access-token failed; run az login first');
            }
            return 'Bearer ' . $token->accessToken;
        }
        return parent::getAccessToken();
    }
}
https://stackoverflow.com/questions/58856673/azure-key-vault-and-managed-identity-local-development-with-rest
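An added example, not the project's or the commenter's code, that builds on the same az-cli fallback pattern from a defensive angle: the CLI is only consulted when APP_ENV=local (so the override cannot shell out in production), the exit code and JSON are checked, and the token is cached until the expiresOn value the CLI reports. The class name, cache fields, the use of getenv() instead of Laravel's env(), and the assumed expiresOn timestamp format are my own choices.

```php
<?php
namespace App\Utils;

use AzKeyVault\Client;
use RuntimeException;

/**
 * Key Vault client that falls back to the developer's az login session,
 * but only under APP_ENV=local, and caches the token until it expires.
 */
class DevAwareKeyVaultClient extends Client
{
    private ?string $cachedToken = null;   // hypothetical cache fields
    private int $cachedExpiry = 0;

    protected function getAccessToken(): string
    {
        // Fail closed: outside local development the CLI path is never taken,
        // so a stray AZ_OVERRIDE_MANAGED_IDENTITY=true in production is ignored.
        if (getenv('APP_ENV') !== 'local' || getenv('AZ_OVERRIDE_MANAGED_IDENTITY') !== 'true') {
            return parent::getAccessToken();
        }
        // Reuse the cached token while it is still valid (60 s safety margin)
        if ($this->cachedToken !== null && time() < $this->cachedExpiry - 60) {
            return $this->cachedToken;
        }
        [$token, $expiry] = self::tokenFromAzCli();
        $this->cachedToken = 'Bearer ' . $token;
        $this->cachedExpiry = $expiry;
        return $this->cachedToken;
    }

    /** Run az and return [accessToken, unix expiry]; throws instead of returning garbage */
    public static function tokenFromAzCli(): array
    {
        $output = [];
        $exitCode = 1;
        // Fixed command string with no user-controlled parts, so nothing to inject
        exec("az account get-access-token --output json --resource 'https://vault.azure.net'", $output, $exitCode);
        $json = json_decode(implode("\n", $output), true);
        if ($exitCode !== 0 || !is_array($json) || empty($json['accessToken'])) {
            throw new RuntimeException('az account get-access-token failed; is az login still valid?');
        }
        // expiresOn is assumed to be a local-time timestamp string; fall back to 5 min if absent
        $expiry = isset($json['expiresOn']) ? strtotime($json['expiresOn']) : false;
        return [$json['accessToken'], $expiry ?: time() + 300];
    }
}
```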
The project is great for our apps deployed on Azure VMs, but we have some devs who want to run our app on their local machine for development purposes. Any ideas how we could use az-keyvault-php so is basically the same experience whether inside Azure or on a local machine (connected to our Azure VPN)?