Identity in a Linux VM
gbsmith opened this issue · comments
I was trying to get this working on a PHP app running on one of our Azure VMs running Ubuntu 20.04 and PHP 7.4.3 and encountered a couple of problems.

- It blew up because the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` env vars are not present. Instead, I found that by using the instructions at https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad and simply using the "standard" local endpoint, http://169.254.169.254/metadata/identity/oauth2/token, and the `Metadata: true` header, I could get the token I needed (the VM had identity set up in the Azure portal).
- After that, the next problem was with the secret version; I don't care about it. So I tried calling `getSecret` with just the secret name, but the default null `secretVersion` caused an error with the `sprintf` in endpoint construction as well as in the SecretEntity response instantiation. Neither likes a null where a string should be. Once I `??`-coalesced them to the empty string, I was able to grab the secret out of the vault.

So maybe there can be an alternative setting or subclass that uses the standard local URL and metadata instead of the `IDENTITY_*` env vars.
The newest release covers both of your concerns. The VM/App Service detection is done automatically, so no need to specify a different client.
See https://github.com/wapacro/az-keyvault-php/releases/tag/v2.1.0
Excellent!
@wapacro Interestingly, on an Azure Container Instance, the `IDENTITY_ENDPOINT` is NOT present but the `IDENTITY_HEADER` IS.

The package currently results in an error:

```
400 Bad Request
Required metadata header not specified or not correct
```
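The two environment-detection cases in this thread (a plain VM with neither `IDENTITY_*` variable, and an Azure Container Instance with `IDENTITY_HEADER` but no `IDENTITY_ENDPOINT`) plus the null `secretVersion` problem from the opening post, worked through in PHP. This is an added example, not code from az-keyvault-php; the function names `resolveIdentityEndpoint`, `fetchToken` and `buildSecretUrl` are assumptions, and the `$env` arrays in the usage section are constructed inputs standing in for `getenv()`.

```php
<?php
// Added example (not az-keyvault-php's own code): pick the managed identity
// token endpoint defensively, then build a Key Vault secret URL that
// tolerates a missing secret version.

/**
 * Decide where to ask for a managed identity token.
 * Returns ['url' => ..., 'headers' => [...], 'query' => [...]].
 */
function resolveIdentityEndpoint(array $env): array
{
    $endpoint = $env['IDENTITY_ENDPOINT'] ?? '';
    $header   = $env['IDENTITY_HEADER'] ?? '';

    // Use the App Service / Functions style endpoint only when BOTH variables
    // are set. On an Azure Container Instance IDENTITY_HEADER can exist without
    // IDENTITY_ENDPOINT (as reported above); keying off either variable alone
    // sends a request without the mandatory IMDS header and yields
    // "400 Required metadata header not specified or not correct".
    if ($endpoint !== '' && $header !== '') {
        return [
            'url'     => $endpoint,
            'headers' => ['X-IDENTITY-HEADER: ' . $header],
            'query'   => ['api-version' => '2019-08-01', 'resource' => 'https://vault.azure.net'],
        ];
    }

    // Fallback: the VM Instance Metadata Service, which requires "Metadata: true".
    return [
        'url'     => 'http://169.254.169.254/metadata/identity/oauth2/token',
        'headers' => ['Metadata: true'],
        'query'   => ['api-version' => '2018-02-01', 'resource' => 'https://vault.azure.net'],
    ];
}

/** Perform the token request (assumed helper; needs ext-curl and network access on Azure). */
function fetchToken(array $target): string
{
    $url = $target['url'] . '?' . http_build_query($target['query']);
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $target['headers'],
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $code !== 200) {
        throw new RuntimeException("Token request failed with HTTP $code: " . (string) $body);
    }
    $json = json_decode($body, true);
    if (!isset($json['access_token'])) {
        throw new RuntimeException('Token response carried no access_token');
    }
    return $json['access_token'];
}

/**
 * Build the secret URL. A null version (the "latest" case the issue describes)
 * is coalesced to '' with ?? so no null reaches sprintf or a string-typed
 * constructor parameter, and the version path segment is simply omitted.
 */
function buildSecretUrl(string $vaultUrl, string $name, ?string $version = null): string
{
    $version = $version ?? '';
    $base    = rtrim($vaultUrl, '/');
    $path    = $version === ''
        ? sprintf('%s/secrets/%s', $base, rawurlencode($name))
        : sprintf('%s/secrets/%s/%s', $base, rawurlencode($name), rawurlencode($version));
    return $path . '?api-version=7.1';
}

// --- usage with constructed environments (stand-ins for getenv()) ---
$vm  = [];                                        // plain VM: no IDENTITY_* vars
$aci = ['IDENTITY_HEADER' => 'abc'];              // ACI: header present, endpoint absent
$app = ['IDENTITY_ENDPOINT' => 'http://127.0.0.1:8081/msi/token', 'IDENTITY_HEADER' => 'abc'];

foreach (['vm' => $vm, 'aci' => $aci, 'app' => $app] as $label => $env) {
    $t = resolveIdentityEndpoint($env);
    echo $label, ' -> ', $t['url'], ' [', implode(', ', $t['headers']), "]\n";
}
// vm and aci both fall back to 169.254.169.254 with "Metadata: true";
// only app (both vars set) uses the IDENTITY_ENDPOINT with X-IDENTITY-HEADER.

echo buildSecretUrl('https://example-vault.vault.azure.net', 'db-password'), "\n";
echo buildSecretUrl('https://example-vault.vault.azure.net', 'db-password', 'v1'), "\n";

// On an Azure host with a managed identity assigned, the token call would be:
// $token = fetchToken(resolveIdentityEndpoint(getenv()));
```

The key design choice is requiring both `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` before leaving the IMDS path; that single rule covers the VM case from the first post and the ACI case from the last comment without needing a separate client class.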