cURL error 3 on KeyVault Initialization

Question

cURL error 3 on KeyVault Initialization

jhoelzl opened this issue 4 years ago · comments

The initialization of the my keyvault

$secret = new AzKeyVault\Secret('https://my-custom.vault.azure.net/');

causes this error:

NOTICE: PHP message: PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 3: (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for ?resource=https%3A%2F%2Fvault.azure.net&api-version=2019-08-01 in /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:211,
#0 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(158): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array),
#1 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(110): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#2 /www/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(47): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory)),
#3 /www/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)

GMP is installed, the command php -info | grep "GMP"returns

GMP version => 6.1.2.

Also the application is allowed to access the keyvault through service principal.

Versions of installed packages:


brick/math                  0.9.1     Arbitrary-precision arithmetic library
fgrosse/phpasn1             v2.2.0    A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.
firebase/php-jwt            v5.2.0    A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.
grpc/grpc                   1.30.0    gRPC library for PHP
guzzlehttp/guzzle           7.2.0     Guzzle is a PHP HTTP client library
guzzlehttp/promises         1.4.0     Guzzle promises library
guzzlehttp/psr7             1.7.0     PSR-7 message implementation that also provides common utility methods
monolog/monolog             2.1.1     Sends your logs to files, sockets, inboxes, databases and various web services
psr/cache                   1.0.1     Common interface for caching libraries
psr/http-client             1.0.1     Common interface for HTTP clients
psr/http-message            1.0.1     Common interface for HTTP messages
psr/log                     1.1.3     Common interface for logging libraries
ralouphie/getallheaders     3.0.3     A polyfill for getallheaders.
react/promise               v2.8.0    A lightweight implementation of CommonJS Promises/A for PHP
rize/uri-template           0.3.2     PHP URI Template (RFC 6570) supports both expansion & extraction
spatie/macroable            1.0.1     A trait to dynamically add methods to a class
spatie/url                  1.3.5     Parse, build and manipulate URL's
spomky-labs/base64url       v2.0.4    Base 64 URL Safe Encoding/Decoding PHP Library
wapacro/az-keyvault-php     v2.0.0    PHP Library to work with Azure KeyVault using managed identity
web-token/jwt-core          v2.2.5    Core component of the JWT Framework.

Do you have any suggestions?

jgb-ibsa · Answer 1 · Wed Nov 18 2020 20:22:45 GMT+0800 (China Standard Time)

This is not documented but you can solve by adding the following ENV

IDENTITY_ENDPOINT=https://your-vault-url.vault.azure.net

Josef Hölzl · Answer 2 · Fri Nov 20 2020 21:01:32 GMT+0800 (China Standard Time)

Unfortunately this does not help.
It is confusing since from the same Host (Azure VM) it works with Python, but not with PHP.

From another Azure Webapp (PHP) it works with your library.

Maybe there are some differences in the PHP versions or settings.

Li Tan · Answer 3 · Tue Nov 24 2020 03:31:37 GMT+0800 (China Standard Time)

@jhoelzl you need to extend the Client if you are not using managed identity.

for example, you would override the the Client's getAccessToken to authenticate via the service principal credentials. Then create Secret with the Client. (more detail on the official docs.)

new Secret("https://your-vault-name.vault.azure.net", new Client());

class Client extends AzKeyVaultClient
{
    public function __construct()
    {
        parent::__construct();
        $this->client = $this->getClient();
        $this->accessToken = $this->getAccessToken();
    }

    protected function getAccessToken(): string
    {
        $resource = 'https://vault.azure.net';

        [$tenantId, $clientId, $clientSecret] = $this->getAzureConfig();

        $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/token";

Roman Ackermann · Answer 4 · Tue Nov 24 2020 07:36:14 GMT+0800 (China Standard Time)

Hi @jhoelzl
The newest release adds support for running this package in Azure VM's. But as @litan1106 correctly pointed out this only works with managed identity. If you have user-assigned identities you'd need to override the getAccessToken method in the client.

Josef Hölzl · Answer 5 · Tue Nov 24 2020 16:36:00 GMT+0800 (China Standard Time)

Okay, thank you guys for the support. As the lib works from the webapp but not in my VM (although the VM has access to the keyvault through managed identity), i think it is another problem, therefore i close this issue.

Li Tan · Answer 6 · Tue Nov 24 2020 23:26:02 GMT+0800 (China Standard Time)

Okay, thank you guys for the support. As the lib works from the webapp but not in my VM (although the VM has access to the keyvault through managed identity), i think it is another problem, therefore i close this issue.

NP. I always use the Service Principal's credential to authenticate. (This lib is super flex with custom extended Client.)