rock-ms / azure-key-vault
Allow secrets to be easily fetched from an Azure Key Vault from within a Laravel application
Installs: 2 160
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 0
Forks: 12
pkg:composer/rock-ms/azure-key-vault
Requires
- php: ^7.4|^8.0|^8.1|^8.2
- illuminate/cache: ^8|^9|^10|^11
- illuminate/http: ^8|^9|^10|^11
- illuminate/support: ^8|^9|^10|^11
Requires (Dev)
- ext-json: *
- guzzlehttp/guzzle: ^7.4
- orchestra/testbench: ^6.9
- phpunit/phpunit: ^9.5
- squizlabs/php_codesniffer: ^3.5
This package is auto-updated.
Last update: 2025-10-15 19:24:20 UTC
README
Overview
This package allows secrets to be fetched from, or set in, an
Azure Key Vault,
with an interface similar to env() and config().
Installation
Require this package with composer:
composer require insites-consulting/azure-key-vault
The package should be discovered by Laravel on installation.
The following environment variables must be set, if the package's default configuration is used:
AZURE_AD_CLIENT_IDthe UUID of the service principal which will be used to access the vault. This service principal needs "Get Secret" permission on that vault.AZURE_AD_CLIENT_SECRETthe shared secret for that service principal.AZURE_AD_TENANT_IDthe UUID for the tenant under which that service principal exists.AZURE_KEY_VAULT_NAMEthe name of the key vault (used as a subdomain in its hostname; e.g.fredinfred.vault.azure.net).
This package publishes its configuration to vault.php. This can be done with:
php artisan vendor:publish --provider='InsitesConsulting\AzureKeyVault\ServiceProvider'
The configuration entries are as follows:
tenant_idthe tenant UUIDclient_idthe service principal UUIDclient_secretthe service principal shared secretvaultthe vault name
Usage
This package provides a facade called Vault, with three methods
Vault::secret(), Vault::setSecret() and Vault::setVault(), as well as a
global helper function secret().
To fetch a secret called 'apikey':
$secret = Vault::secret('apikey');
If the secret does not exist, null will be returned, unless a different
default value is specified, as here:
$other_secret = Vault::secret('otherkey', 'default-value');
If there is an error, an
InsitesConsulting\AzureKeyVault\AzureKeyVaultException will be thrown. Its
message will be set to the body of the error response from Azure, and its
code will be set to the HTTP status of that response.
The global helper function behaves identically to the facade method:
$secret = secret('apikey'); $other_secret = secret('otherkey', 'default-key');
To set a secret called 'apikey' to the value 'longsecretvalue':
Vault::setSecret('apikey', 'longsecretvalue');
This method is void, but will throw an
InsitesConsulting\AzureKeyVault\AzureKeyVaultException on error, in the same
manner as Vault::secret().
In order to work with multiple vaults, use Vault::setVault() to change the
vault name used:
$secret = secret('apikey'); Vault::setVault('other-vault'); $other_secret = secret('apikey');
This is persistent: the newly set vault will remain until Vault::setVault()
is called again.
Calling Vault::setVault() with no argument will reset the vault name to that
set in the config file:
$other_secret = secret('apikey'); Vault::setVault(); $secret = secret('apikey');