wapacro / az-keyvault-php

Library to easily work with Azure Key Vault using managed identities
https://packagist.org/packages/wapacro/az-keyvault-php
MIT License

cURL error 3 on KeyVault Initialization #7

Closed jhoelzl closed 3 years ago

jhoelzl commented 3 years ago

The initialization of my keyvault

```php
$secret = new AzKeyVault\Secret('https://my-custom.vault.azure.net/');
```

causes this error:

```
NOTICE: PHP message: PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 3: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01 in /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211
#0 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 /www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
```

GMP is installed, the command `php -info | grep "GMP"` returns

```
GMP version => 6.1.2
```

Also the application is allowed to access the keyvault through service principal.

Versions of installed packages:

```
brick/math                  0.9.1     Arbitrary-precision arithmetic library
fgrosse/phpasn1             v2.2.0    A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.
firebase/php-jwt            v5.2.0    A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
grpc/grpc                   1.30.0    gRPC library for PHP
guzzlehttp/guzzle           7.2.0     Guzzle is a PHP HTTP client library
guzzlehttp/promises         1.4.0     Guzzle promises library
guzzlehttp/psr7             1.7.0     PSR-7 message implementation that also provides common utility methods
monolog/monolog             2.1.1     Sends your logs to files, sockets, inboxes, databases and various web services
psr/cache                   1.0.1     Common interface for caching libraries
psr/http-client             1.0.1     Common interface for HTTP clients
psr/http-message            1.0.1     Common interface for HTTP messages
psr/log                     1.1.3     Common interface for logging libraries
ralouphie/getallheaders     3.0.3     A polyfill for getallheaders.
react/promise               v2.8.0    A lightweight implementation of CommonJS Promises/A for PHP
rize/uri-template           0.3.2     PHP URI Template (RFC 6570) supports both expansion & extraction
spatie/macroable            1.0.1     A trait to dynamically add methods to a class
spatie/url                  1.3.5     Parse, build and manipulate URL's
spomky-labs/base64url       v2.0.4    Base 64 URL Safe Encoding/Decoding PHP Library
wapacro/az-keyvault-php     v2.0.0    PHP Library to work with Azure KeyVault using managed identity
web-token/jwt-core          v2.2.5    Core component of the JWT Framework.
```

Do you have any suggestions?

jgb-ibsa commented 3 years ago

This is not documented but you can solve it by adding the following ENV:

```
IDENTITY_ENDPOINT=https://your-vault-url.vault.azure.net
```

jhoelzl commented 3 years ago

Unfortunately this does not help. It is confusing since from the same Host (Azure VM) it works with Python, but not with PHP.

From another Azure Webapp (PHP) it works with your library.

Maybe there are some differences in the PHP versions or settings.

litan1106 commented 3 years ago

@jhoelzl you need to extend the Client if you are not using managed identity.

For example, you would override the Client's `getAccessToken` to authenticate via the service principal credentials, then create the Secret with that Client (more detail in the official docs).

```php
use AzKeyVault\Client as AzKeyVaultClient;
use AzKeyVault\Secret;

class Client extends AzKeyVaultClient
{
    public function __construct()
    {
        parent::__construct();
        $this->client = $this->getClient();
        $this->accessToken = $this->getAccessToken();
    }

    protected function getAccessToken(): string
    {
        $resource = 'https://vault.azure.net';
        [$tenantId, $clientId, $clientSecret] = $this->getAzureConfig();
        $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token";

        // Client-credentials grant against the Azure AD v1 token endpoint
        $response = (new \GuzzleHttp\Client())->post($tokenUrl, ['form_params' => [
            'grant_type' => 'client_credentials', 'client_id' => $clientId,
            'client_secret' => $clientSecret, 'resource' => $resource,
        ]]);
        return json_decode((string) $response->getBody(), true)['access_token'];
    }

    // Assumed body (not in the original comment): reads the service principal credentials from the environment
    private function getAzureConfig(): array
    {
        return [getenv('AZURE_TENANT_ID'), getenv('AZURE_CLIENT_ID'), getenv('AZURE_CLIENT_SECRET')];
    }
}

new Secret("https://your-vault-name.vault.azure.net", new Client());
```

wapacro commented 3 years ago

Hi @jhoelzl, the newest release adds support for running this package in Azure VMs. But as @litan1106 correctly pointed out, this only works with managed identity. If you have user-assigned identities you'd need to override the `getAccessToken` method in the client.
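The request URL in the reported error (`?resource=...&api-version=2019-08-01`, with no scheme or host) is what Guzzle produces when the managed identity endpoint it was given is empty, and cURL reports that as error 3 (CURLE_URL_MALFORMAT). The added example below, which is not part of az-keyvault-php and is not the library's own token logic, shows how a managed identity token for Key Vault is obtained on the two host types discussed in this thread: App Service exports `IDENTITY_ENDPOINT` and `IDENTITY_HEADER`, while a VM has neither and uses the fixed IMDS address instead. It validates the resolved endpoint before the HTTP call so a misconfigured environment fails with a readable message, and it accepts an optional client id to select a user-assigned identity (the `client_id` query parameter both endpoints support). It assumes `guzzlehttp/guzzle` from the package list above is installed via Composer; the function names are mine.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;

const KEYVAULT_RESOURCE = 'https://vault.azure.net';
// IMDS token endpoint used on Azure VMs (fixed link-local address).
const IMDS_TOKEN_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';

/**
 * Resolve the managed identity token request for the current host.
 * Returns [url, headers, query]. App Service / Functions set IDENTITY_ENDPOINT
 * and IDENTITY_HEADER; a plain VM does not, so it falls back to IMDS, which
 * requires the "Metadata: true" header. $userAssignedClientId selects a
 * user-assigned identity; null means the system-assigned identity.
 */
function resolveTokenRequest(?string $userAssignedClientId = null): array
{
    $endpoint = getenv('IDENTITY_ENDPOINT') ?: '';
    $header   = getenv('IDENTITY_HEADER') ?: '';

    if ($endpoint !== '' && $header !== '') {
        // App Service managed identity endpoint (api-version 2019-08-01)
        $url     = $endpoint;
        $headers = ['X-IDENTITY-HEADER' => $header];
        $query   = ['api-version' => '2019-08-01', 'resource' => KEYVAULT_RESOURCE];
    } else {
        // Azure VM: Instance Metadata Service (api-version 2018-02-01)
        $url     = IMDS_TOKEN_URL;
        $headers = ['Metadata' => 'true'];
        $query   = ['api-version' => '2018-02-01', 'resource' => KEYVAULT_RESOURCE];
    }

    if ($userAssignedClientId !== null) {
        $query['client_id'] = $userAssignedClientId;
    }

    // Fail early with a clear message: an empty or relative endpoint is what
    // surfaces as "cURL error 3" (CURLE_URL_MALFORMAT) once handed to Guzzle.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new RuntimeException("Managed identity endpoint is not an absolute URL: '$url'");
    }

    return [$url, $headers, $query];
}

/** Request a Key Vault access token and return only the bearer token string. */
function fetchKeyVaultToken(?string $userAssignedClientId = null): string
{
    [$url, $headers, $query] = resolveTokenRequest($userAssignedClientId);

    $http = new Client(['timeout' => 5]);
    try {
        $response = $http->get($url, ['headers' => $headers, 'query' => $query]);
    } catch (GuzzleException $e) {
        throw new RuntimeException('Managed identity token request failed: ' . $e->getMessage(), 0, $e);
    }

    $body = json_decode((string) $response->getBody(), true);
    if (!is_array($body) || empty($body['access_token'])) {
        throw new RuntimeException('Token response did not contain access_token');
    }

    // Do not log the token itself; expires_on is enough for diagnostics.
    return $body['access_token'];
}

// Usage on a VM or App Service with a system-assigned identity:
// $token = fetchKeyVaultToken();
// Usage with a user-assigned identity:
// $token = fetchKeyVaultToken('00000000-0000-0000-0000-000000000000'); // placeholder client id
```

Running `resolveTokenRequest()` on its own is a quick way to confirm which path a host takes before involving the library: on the VM from this thread it should return the IMDS URL, and if `IDENTITY_ENDPOINT` is set to something that is not a token endpoint, the request will not fail with a bare cURL error but with an HTTP error from that host.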

jhoelzl commented 3 years ago

Okay, thank you guys for the support. As the lib works from the webapp but not in my VM (although the VM has access to the keyvault through managed identity), I think it is another problem, therefore I close this issue.

litan1106 commented 3 years ago

> Okay, thank you guys for the support. As the lib works from the webapp but not in my VM (although the VM has access to the keyvault through managed identity), I think it is another problem, therefore I close this issue.

NP. I always use the Service Principal's credential to authenticate. (This lib is super flex with custom extended Client.)