Overall this code works great. When I was working with standard Azure I had no problems at all.
When I tried on our GovCloud installation I had an issue because of the embedded URL in the Vault/Client code. I was able to fix it easily, for me, to work for either by adding a flag to the constructor:
Vault.php:

```php
public function __construct(string $url = null, $client = null, $is_govcloud = false) {
    // Pass the cloud selection through to the Client so it requests a token for the right audience
    $this->client = $client ?? new Client($is_govcloud);
    if ($url) {
        $this->setKeyVault($url);
    }
}
```

Client.php:

```php
public function __construct($is_govcloud = false) {
    $this->client = new \GuzzleHttp\Client();
    $this->accessToken = $this->getAccessToken($is_govcloud);
}
```

and

```php
protected function getAccessToken($is_govcloud = false) {
    // Get MSI endpoint & token from environment (App Service) or use hardcoded values in case of VM
    $endpoint = $this->env('IDENTITY_ENDPOINT', 'http://169.254.169.254/metadata/identity/oauth2/token');
    $idHeaderValue = $this->env('IDENTITY_HEADER', 'true');
    $idHeaderName = !empty($this->env('IDENTITY_HEADER')) ? 'X-IDENTITY-HEADER' : 'Metadata';
    // The token audience (resource) must match the cloud the vault lives in; GovCloud uses its own suffix
    $resource = $is_govcloud ? 'https://vault.usgovcloudapi.net' : 'https://vault.azure.net';
    $endpoint = Url::fromString($endpoint)->withQueryParameter('resource', $resource);
    return 'Bearer ' . $this->get($endpoint, $idHeaderValue, $idHeaderName, self::OAUTH_API_VERSION)->access_token;
}
```
Note: the resource URL is different for GovCloud. This simple fix made it work for either.
```php
$client = new AzKeyVault\Secret($URL, null, true);
```
Hopefully, this makes sense. If you'd like I could send you the files I changed.
This fixes the 401 Audience error that people see on GovCloud sometimes.
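An added example, not from the post or the AzKeyVault library: it derives the managed-identity token audience from the vault URL's DNS suffix instead of a boolean flag (hypothetical `KeyVaultAudience` class; the suffix table holds the two clouds the post names and can be extended), and it rejects any host that is not a Key Vault endpoint, so a bearer token is only ever requested for, and sent to, a real vault.

```php
<?php
// Added example (not part of the AzKeyVault library): pick the MSI token audience
// from the vault URL and refuse non-Key-Vault hosts, so a mismatched audience (the
// 401 the post describes) or a lookalike host is caught before any token is sent.

final class KeyVaultAudience
{
    /** DNS suffix => resource/audience the MSI endpoint must issue the token for. */
    private const SUFFIX_TO_RESOURCE = [
        'vault.azure.net'         => 'https://vault.azure.net',          // Azure public
        'vault.usgovcloudapi.net' => 'https://vault.usgovcloudapi.net',  // Azure GovCloud
    ];

    /**
     * Returns the value for the `resource=` query parameter of the MSI token
     * request, or throws if the URL is not an https Key Vault host.
     */
    public static function forVaultUrl(string $vaultUrl): string
    {
        $parts = parse_url($vaultUrl);
        if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
            throw new InvalidArgumentException("Vault URL must be https with a host: {$vaultUrl}");
        }
        $host = strtolower($parts['host']);
        foreach (self::SUFFIX_TO_RESOURCE as $suffix => $resource) {
            // Require exactly "<vault-name>.<suffix>": a bare suffix or a lookalike
            // such as "x.vault.azure.net.evil.example" must not match.
            if (preg_match('/^[a-z0-9-]+\.' . preg_quote($suffix, '/') . '$/', $host)) {
                return $resource;
            }
        }
        throw new InvalidArgumentException("Not a known Key Vault host: {$host}");
    }
}

// Constructed sample inputs (not real vaults).
foreach ([
    'https://my-kv.vault.azure.net/',             // public cloud
    'https://gov-kv.vault.usgovcloudapi.net',     // GovCloud
    'https://my-kv.vault.azure.net.evil.example', // lookalike host: rejected
    'http://my-kv.vault.azure.net',               // plaintext scheme: rejected
] as $url) {
    try {
        echo $url, ' -> ', KeyVaultAudience::forVaultUrl($url), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $url, ' -> rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

In the post's `getAccessToken`, the returned string would replace the `$is_govcloud` ternary as the `resource` query parameter, with the vault URL passed down from `Vault::setKeyVault`.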