Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/technicalguru/php-vault
A flexible, lightweight PHP-based vault to provide secrets dynamically
https://github.com/technicalguru/php-vault
hashicorp hashicorp-vault php php-framework php-library vault vault-client
Last synced: 3 months ago
JSON representation
A flexible, lightweight PHP-based vault to provide secrets dynamically
- Host: GitHub
- URL: https://github.com/technicalguru/php-vault
- Owner: technicalguru
- License: lgpl-3.0
- Created: 2020-05-22T13:47:47.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2022-10-30T10:02:30.000Z (about 2 years ago)
- Last Synced: 2024-10-07T05:46:44.489Z (4 months ago)
- Topics: hashicorp, hashicorp-vault, php, php-framework, php-library, vault, vault-client
- Language: PHP
- Homepage:
- Size: 55.7 KB
- Stars: 11
- Watchers: 4
- Forks: 5
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
Awesome Lists containing this project
README
# technicalguru/php-vault
A flexible PHP-based vault to provide secrets dynamically# License
This project is licensed under [GNU LGPL 3.0](LICENSE.md).# Installation
## By Composer
```sh
composer install technicalguru/vault
```## By Package Download
You can download the source code packages from [GitHub Release Page](https://github.com/technicalguru/php-vault/releases)# Hashicorp Setup
The procedure is best described at [Hashicorp Blog](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle). It describes
how to create an `approle`. Here is the essence of it:```sh
# Enable the auth method for approle
vault auth enable approle# Create a renewal policy
echo 'path "auth/token/*" { capabilities = [ "create", "read", "update", "delete", "list", "sudo" ] }' >renewal-policy.hcl
vault policy write renewal-policy renewal-policy.hcl# Create a file with your policy on the respective secret path:
cat 'path "secret/my-secret" { capabilities = ["read", "list"] }' >app-policy.hcl# Create the policy
vault policy write my-app-policy app-policy.hcl# Create the approle with renewal-policy and your application policy
vault write auth/approle/role/my-approle token_policies=renewal-policy,my-app-policy token_period=30m token_ttl=30m token_max_ttl=1h token_explicit_max_ttl=2h# Get the role ID printed
vault read auth/approle/role/my-approle/role-id# Create the secret ID and print it
vault write -f auth/approle/role/my-approle/secret-id
```Please notice that you need to recreate the secret ID whenever you change the application role or a policy.
# Examples
## Create a HashicorpVault
Please note that this vault is actually a client to an existing Hashicorp Vault.```php
// Create configuration
$config = array(
'type' => 'hashicorp',
'config' => array(
'uri' => 'https://127.0.0.1:8200/v1',
'roleId' => '123456-12345-12345-123456',
'secretId' => 'abcdef-abcde-abcde-abcdef'
)
);// Create the vault instance
try {
$vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
// Vault could not be created
}```
## Create a MemoryVault
```php
// Create configuration
$config = array(
'type' => 'memory',
'config' => array(
'secrets' => array(
'my/secret/number/1' => array(
'username' => 'my-username1',
'password' => 'my-password1',
),
'my/secret/number/2' => array(
'username' => 'my-username2',
'password' => 'my-password2',
),
)
)
);// Create the vault instance
try {
$vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
// Vault could not be created
}
```## Create a FileVault
```php
// Create configuration
$config = array(
'type' => 'file',
'config' => array(
'filename' => 'path-to-json-secret-file'
)
);// Create the vault instance
try {
$vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
// Vault could not be created
}
```The secrets file (JSON) shall look like this:
```json
{
"secrets": {
"my/secret/number/1" : {
"username" : "my-username1",
"password" : "my-password1"
},
"my/secret/number/2" : {
"username" : "my-username2",
"password" : "my-password2"
}
}
}
```## Retrieving a secret
```php
try {
$mySecret1 = $vault->getSecret('my/secret/number/1');
$mySecret2 = $vault->getSecret('my/secret/number/2');
} catch (\TgVault\VaultException $e) {
// secret was not found
}$username1 = $mySecret1->get('username');
$password1 = $mySecret1->get('password');
$username2 = $mySecret2->get('username');
$password2 = $mySecret2->get('password');
```A value in a secret is `NULL` when the key does not exists whereas an exception will be thrown when the secret itself cannot be found
or an error occurred while retrieval.## Using lazy callback credentials
You can use the `SecretProvider` or `CredentialsProvider` helper classes to pass them credentials without knowing where they come from
or how to use a vault.```php
$callback1 = new \TgVault\SecretProvider($vault, 'my/secret/number/1');
$callback2 = new \TgVault\CredentialsProvider($vault, 'my/secret/number/2');try {
$username1 = $callback1->get('username');
$password1 = $callback1->get('password');$username2 = $callback2->getUsername();
$password2 = $callback2->getPassword();
} catch (\TgVault\VaultException $e) {
// Secret cannot be retrieved or does not exist
}
```The `CredentialsProvider` takes additional constructor arguments that define, which keys in the secret provide username and password. The
defaults are as given above for the `SecretProvider`.# Contribution
Report a bug, request an enhancement or pull request at the [GitHub Issue Tracker](https://github.com/technicalguru/php-vault/issues).