wapacro / az-keyvault-php

Library to easily work with Azure Key Vault using managed identities
https://packagist.org/packages/wapacro/az-keyvault-php
MIT License

Working with Azure GovCloud #14

Open tserface opened 2 years ago

tserface commented 2 years ago

Overall this code works great. When I was working with standard Azure I had no problems at all.

When I tried on our GovCloud installation I had an issue because of the embedded URL in the Vault/Client code. I was able to fix it easily, for me, to work for either by adding a flag to the constructor:

Vault.php:

    public function __construct(string $url = null, $client = null, $is_govcloud = false) {
        $this->client = $client ?? new Client($is_govcloud);

        if ($url) {
            $this->setKeyVault($url);
        }
    }

Client.php:

    public function __construct($is_govcloud = false) {
        $this->client = new \GuzzleHttp\Client();
        $this->accessToken = $this->getAccessToken($is_govcloud);
    }

and

    protected function getAccessToken($is_govcloud = false) {
        // Get MSI endpoint & token from environment (App Service) or use hardcoded values in case of VM
        $endpoint = $this->env('IDENTITY_ENDPOINT', 'http://169.254.169.254/metadata/identity/oauth2/token');
        $idHeaderValue = $this->env('IDENTITY_HEADER', 'true');
        $idHeaderName = !empty($this->env('IDENTITY_HEADER')) ? 'X-IDENTITY-HEADER' : 'Metadata';
        // The token audience (resource) differs per cloud; a public-cloud token is rejected by a GovCloud vault
        $resource = $is_govcloud ? 'https://vault.usgovcloudapi.net' : 'https://vault.azure.net';

        $endpoint = Url::fromString($endpoint)->withQueryParameter('resource', $resource);
        return 'Bearer ' . $this->get($endpoint, $idHeaderValue, $idHeaderName, self::OAUTH_API_VERSION)->access_token;
    }

Note: the resource URL is different for GovCloud. This simple fix made it work for either.

    $client = new AzKeyVault\Secret($URL, null, true);

Hopefully, this makes sense. If you'd like I could send you the files I changed.

This fixes the 401 Audience error that people see on GovCloud sometimes.
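As an added example (not code from the issue author or from the az-keyvault-php library), the same audience selection can be derived from the vault URL itself instead of a boolean flag, so a public-cloud token is never requested for a GovCloud vault and an unrecognised host fails closed rather than producing a 401 later; `resolveVaultResource`, `buildTokenUrl` and the IMDS api-version value are assumptions of this example.

```php
<?php
// Added example, not part of the az-keyvault-php library. Requires PHP 8
// (str_ends_with / str_contains). The helper names are hypothetical.

/** Key Vault DNS suffix => token resource (audience) for that cloud. */
const KEY_VAULT_CLOUDS = [
    'vault.azure.net'         => 'https://vault.azure.net',          // Azure public
    'vault.usgovcloudapi.net' => 'https://vault.usgovcloudapi.net',  // Azure US Government
];

/** Pick the managed-identity token audience that matches the vault's cloud. */
function resolveVaultResource(string $vaultUrl): string
{
    $host = strtolower((string) parse_url($vaultUrl, PHP_URL_HOST));
    if ($host === '' || parse_url($vaultUrl, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException("Key Vault URL must be https: $vaultUrl");
    }
    foreach (KEY_VAULT_CLOUDS as $suffix => $resource) {
        // Match "<vault-name>.<suffix>" as a proper label boundary, not a bare substring.
        if (str_ends_with($host, '.' . $suffix)) {
            return $resource;
        }
    }
    // Fail closed: a token for the wrong audience is rejected by the vault with 401 anyway.
    throw new InvalidArgumentException("Unknown Key Vault host: $host");
}

/** Append api-version and resource to the IMDS / App Service identity endpoint. */
function buildTokenUrl(string $endpoint, string $resource, string $apiVersion): string
{
    $query = http_build_query(['api-version' => $apiVersion, 'resource' => $resource]);
    return $endpoint . (str_contains($endpoint, '?') ? '&' : '?') . $query;
}

// Endpoint resolution mirrors the issue: App Service sets IDENTITY_ENDPOINT, VMs use IMDS.
$endpoint = getenv('IDENTITY_ENDPOINT') ?: 'http://169.254.169.254/metadata/identity/oauth2/token';
$vault    = 'https://example-kv.vault.usgovcloudapi.net'; // constructed sample vault URL
$resource = resolveVaultResource($vault);                 // https://vault.usgovcloudapi.net
echo buildTokenUrl($endpoint, $resource, '2018-02-01'), PHP_EOL; // api-version is an assumption
```

The GET against the resulting URL still needs the `Metadata: true` or `X-IDENTITY-HEADER` header exactly as in the issue's `getAccessToken`; only the audience selection changes.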