Download the PHP package anastosios/mi without Composer
Package mi
Short Description Azure Managed Identity authentication for Laravel Azure Blob Storage with automatic token caching and refresh
License MIT
Information about the package mi
MI: Azure Managed Identity for Laravel
This package enables Azure Managed Identity (MI) authentication for:
1) Azure Blob Storage (Laravel Storage disk: azure)
2) Azure Cache for Redis (Laravel Redis client: azure-mi)
3) Azure Database for PostgreSQL (Laravel DB connector: pgsql)
It fetches short-lived access tokens from the Azure Instance Metadata Service (IMDS), caches them (recommended: file cache), then injects them into each client connection so the application can authenticate without long-lived secrets.
Table of Contents
- High-Level Overview
- Token Service
- Configuration
- Config File
- .env Variables
- Azure Blob Storage
- How It Works
- Mermaid Flow Chart
- Test Command
- Azure Redis
- How It Works
- Mermaid Flow Chart
- Test Command
- Azure PostgreSQL (pgsql)
- How It Works
- Mermaid Flow Chart
- Notes About Read/Write Hosts
- Logging
- Security Notes
- Troubleshooting
High-Level Overview
All services follow the same MI pattern:
1) Determine if MI is enabled for that service/connection.
2) Fetch a token from IMDS:
   - Endpoint: http://169.254.169.254/metadata/identity/oauth2/token
   - Header: Metadata: true
   - Params: api-version=..., resource=..., optional client_id=... (User Assigned Managed Identity)
3) Cache the token in Laravel cache (recommended: file).
4) Inject the token into the relevant client:
   - Storage: Authorization: Bearer <token>
   - Redis: password=<token> (and username=<aad-user>)
   - PostgreSQL: password=<token>
5) Connect normally through Laravel APIs.
Token Service
Class
MI\AzureManagedIdentity\Services\AzureManagedIdentityTokenService
Responsibilities
- Read resource configuration from config('azure-managed-identity.resources.<key>')
- Fetch the token from IMDS with the correct resource, api-version and optional client_id
- Cache tokens by:
  - resource key (e.g. storage, redis, db)
  - client id (or system)
- Apply a buffer before expiry to reduce refresh failures.
Token caching key pattern
Why file cache is recommended
- Avoids any circular dependency (for example: if Redis needs MI, you must not depend on Redis to cache the MI token).
- Keeps startup reliable.
- Works well in containers as long as the filesystem is writable.
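As an added illustration of the token flow described in the two sections above (this is not the package's AzureManagedIdentityTokenService; the class, method and cache-key names are assumptions), the following PHP fetches a token from IMDS with the documented endpoint, header and parameters, caches it per resource key and client id, and refreshes it as soon as the cached token is inside the expiry buffer. The HTTP transport and clock are injected so the script runs offline against a constructed fake IMDS; in the package, Guzzle and the Laravel file cache fill those roles.

```php
<?php
declare(strict_types=1);

final class ImdsTokenService
{
    private const IMDS_URL = 'http://169.254.169.254/metadata/identity/oauth2/token';

    /** @var array<string, array{token: string, expires_on: int}> stand-in for the Laravel file cache */
    private array $cache = [];
    private array $resources;
    /** @var callable (url, query, headers) => raw JSON body; inject Guzzle in production */
    private $http;
    private int $bufferSeconds;
    private \Closure $clock;

    /**
     * @param array<string, array{resource: string, api_version: string}> $resources
     *        shaped like config('azure-managed-identity.resources') (assumed key names)
     * @param int $bufferSeconds refresh this long before expires_on so a nearly-expired token is never handed out
     */
    public function __construct(array $resources, callable $http, int $bufferSeconds = 300, ?\Closure $clock = null)
    {
        $this->resources = $resources;
        $this->http = $http;
        $this->bufferSeconds = $bufferSeconds;
        $this->clock = $clock ?? static fn (): int => time();
    }

    /** Cache key pattern: resource key plus client id (or "system" for a system-assigned identity). */
    public static function cacheKey(string $resourceKey, ?string $clientId): string
    {
        return 'azure-mi:token:' . $resourceKey . ':' . ($clientId ?? 'system');
    }

    public function getAccessToken(?string $clientId, string $resourceKey): string
    {
        $key = self::cacheKey($resourceKey, $clientId);
        $now = ($this->clock)();

        // Serve from cache only while the token stays valid beyond the buffer.
        $hit = $this->cache[$key] ?? null;
        if ($hit !== null && $hit['expires_on'] - $this->bufferSeconds > $now) {
            error_log("MI token [{$key}]: cache hit");
            return $hit['token'];
        }

        if (!isset($this->resources[$resourceKey])) {
            throw new \InvalidArgumentException("Unknown MI resource key: {$resourceKey}");
        }
        $cfg = $this->resources[$resourceKey];

        $query = ['api-version' => $cfg['api_version'], 'resource' => $cfg['resource']];
        if ($clientId !== null) {
            $query['client_id'] = $clientId; // user-assigned identity; omit for system-assigned
        }

        $raw = ($this->http)(self::IMDS_URL, $query, ['Metadata' => 'true']);
        $body = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        if (!isset($body['access_token'], $body['expires_on'])) {
            throw new \RuntimeException('IMDS response missing access_token/expires_on');
        }

        $token = (string) $body['access_token'];
        $expiresOn = (int) $body['expires_on']; // IMDS returns a Unix timestamp (as a string)
        $this->cache[$key] = ['token' => $token, 'expires_on' => $expiresOn];

        // Log metadata only: the token is a bearer credential and must never reach the logs.
        error_log(sprintf('MI token [%s]: fetched from IMDS, length=%d, ttl=%ds', $key, strlen($token), $expiresOn - $now));

        return $token;
    }
}

// --- offline demo with a constructed fake IMDS and a controllable clock ---
$fakeNow = 1_700_000_000;
$calls = 0;

$fakeImds = function (string $url, array $query, array $headers) use (&$calls, &$fakeNow): string {
    if (($headers['Metadata'] ?? null) !== 'true') {
        throw new \RuntimeException('400 Bad Request: Metadata header missing'); // IMDS rejects these
    }
    $calls++;
    return json_encode([
        'access_token' => 'eyJ.fake.' . md5($query['resource'] . ($query['client_id'] ?? 'system')),
        'expires_on'   => (string) ($fakeNow + 3600), // one-hour token
        'resource'     => $query['resource'],
        'token_type'   => 'Bearer',
    ], JSON_THROW_ON_ERROR);
};

$svc = new ImdsTokenService(
    [
        'storage' => ['resource' => 'https://storage.azure.com/', 'api_version' => '2018-02-01'],
        'db'      => ['resource' => 'https://ossrdbms-aad.database.windows.net', 'api_version' => '2018-02-01'],
    ],
    $fakeImds,
    300,
    function () use (&$fakeNow): int { return $fakeNow; },
);

$svc->getAccessToken(null, 'storage');                                   // IMDS call: new key
$svc->getAccessToken(null, 'storage');                                   // cache hit, no IMDS call
$svc->getAccessToken('11111111-2222-3333-4444-555555555555', 'storage'); // user-assigned identity: separate key
$svc->getAccessToken(null, 'db');                                        // separate resource: separate key
$fakeNow += 3600 - 300 + 1;                                              // now inside the 5-minute buffer
$svc->getAccessToken(null, 'storage');                                   // refreshed early, before expiry
echo "IMDS calls made: {$calls}\n";
```

The buffer is what makes the "refresh before expiry" claim hold: a token handed to a client with only seconds of life left can still fail mid-request, so the cache treats anything inside the buffer as already stale.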
Configuration
Config File
config/azure-managed-identity.php
.env Variables
Minimum recommended variables (based on the provided classes):
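An illustrative config/azure-managed-identity.php, added here as an example rather than the file shipped by the package. The resource keys (storage, redis, db), the resource URLs, the env names AZURE_MI_CACHE_STORE, AZURE_MI_STORAGE_RESOURCE, REDIS_CLIENT and DB_SSLMODE and the use_managed_identity flag are taken from this README; every other key and env name is an assumption.

```php
<?php
// config/azure-managed-identity.php (illustrative, not the package's shipped file)
//
// Matching .env lines (values illustrative; names REDIS_CLIENT and DB_SSLMODE
// belong to the Redis and pgsql connection config, not to this file):
//   AZURE_MI_CACHE_STORE=file
//   AZURE_MI_STORAGE_RESOURCE=https://storage.azure.com/
//   REDIS_CLIENT=azure-mi
//   DB_SSLMODE=require

return [
    // Cache store used for tokens. Keep it 'file': if Redis itself needs MI,
    // caching the MI token in Redis would require a Redis token to fetch a Redis token.
    'cache_store' => env('AZURE_MI_CACHE_STORE', 'file'),

    // Seconds before expires_on at which a cached token counts as stale (assumed name).
    'expiry_buffer' => (int) env('AZURE_MI_EXPIRY_BUFFER', 300),

    // Leave null for a system-assigned identity; set the client id of a
    // user-assigned identity to pass client_id to IMDS (assumed name).
    'client_id' => env('AZURE_MI_CLIENT_ID'),

    // One entry per service. 'resource' is the audience the token is minted for;
    // a token for the wrong audience is rejected by the target service.
    'resources' => [
        'storage' => [
            'resource'    => env('AZURE_MI_STORAGE_RESOURCE', 'https://storage.azure.com/'),
            'api_version' => '2018-02-01',
        ],
        'redis' => [
            'resource'    => env('AZURE_MI_REDIS_RESOURCE', 'https://redis.azure.com'),
            'api_version' => '2018-02-01',
        ],
        'db' => [
            'resource'    => env('AZURE_MI_DB_RESOURCE', 'https://ossrdbms-aad.database.windows.net'),
            'api_version' => '2018-02-01',
        ],
    ],
];
```

The per-connection switch (use_managed_identity=true on the azure disk, the Redis connection and the pgsql connection) lives in config/filesystems.php and config/database.php, not here.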
Azure Blob Storage
How Blob Works
Classes involved
- Service Provider:
MI\AzureManagedIdentity\Providers\AzureServiceProvider
- Disk adapter:
MI\AzureManagedIdentity\Filesystem\AzureAdapter
- Blob client wrapper:
MI\AzureManagedIdentity\Services\ManagedIdentityBlobRestProxy
- Token fetcher:
MI\AzureManagedIdentity\Services\AzureManagedIdentityTokenService
What happens when you call Storage::disk('azure')?
1) AzureServiceProvider::boot() registers a custom driver: Storage::extend('azure', ...)
2) When the disk is used, if use_managed_identity=true in the disk config, a token is fetched using TokenService->getAccessToken($clientId, 'storage')
3) The blob client is created: ManagedIdentityBlobRestProxy::createWithManagedIdentity(...)
4) A custom Guzzle middleware injects:
   - Authorization: Bearer <token>
   - x-ms-version: 2021-08-06
5) A Flysystem adapter is created and returned as a Laravel disk.
6) Your app uses it like normal: list, put, get and delete files, etc.
Why a custom HTTP client is injected
The microsoft/azure-storage-blob SDK is primarily designed for Shared Key / SAS authentication.
This package injects a Bearer-token aware HTTP client so requests are authenticated with the MI token instead.
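The header injection described above, rewritten as an added example in Guzzle's own middleware API (it is not the package's ManagedIdentityBlobRestProxy; the function name and the storage account are made up, and guzzlehttp/guzzle ^7, a dependency of this package, is assumed to be installed via Composer). A MockHandler lets it run offline and shows exactly what would reach the wire; drop the mock to use the real curl handler.

```php
<?php
declare(strict_types=1);

// Added example: Bearer-token injection for the Blob REST API as a Guzzle middleware.
// Assumes vendor/autoload.php from a Composer install that includes guzzlehttp/guzzle.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;
use Psr\Http\Message\RequestInterface;

/**
 * Builds a handler stack whose first middleware adds the two headers the Blob
 * service needs for Entra/AAD auth. The token provider is called per request,
 * so a token refreshed in the cache is picked up without rebuilding the client.
 */
function managedIdentityStack(callable $tokenProvider, ?callable $handler = null): HandlerStack
{
    $stack = HandlerStack::create($handler); // null => Guzzle's default curl handler
    $stack->push(Middleware::mapRequest(function (RequestInterface $request) use ($tokenProvider): RequestInterface {
        // Shared Key / SAS clients never set these; Bearer auth needs both.
        return $request
            ->withHeader('Authorization', 'Bearer ' . $tokenProvider())
            ->withHeader('x-ms-version', '2021-08-06');
    }), 'azure_mi');
    return $stack;
}

// --- offline demo ----------------------------------------------------------
$container = [];
$mock  = new MockHandler([new Response(200, ['Content-Type' => 'application/xml'], '<EnumerationResults/>')]);
$stack = managedIdentityStack(fn (): string => 'eyJ.fake.storage-token', $mock); // constructed token
$stack->push(Middleware::history($container)); // pushed after auth, so it records the final request

$client = new Client([
    'base_uri' => 'https://examplestorage.blob.core.windows.net/', // made-up account
    'handler'  => $stack,
]);

// The same "list container" request the azure:test command issues directly.
$client->get('mycontainer?restype=container&comp=list');

$sent = $container[0]['request'];
printf("%s %s\n", $sent->getMethod(), (string) $sent->getUri());
printf("Authorization: %s\n", $sent->getHeaderLine('Authorization'));
printf("x-ms-version: %s\n", $sent->getHeaderLine('x-ms-version'));
```

Because the token provider runs on every request rather than once at client construction, a long-lived client keeps working across token refreshes; that is the property the package's per-connection injection relies on.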
Blob Mermaid Flow Chart
Blob Test Command
Command: azure:test
What it does:
- If MI is enabled, it fetches a token and performs a direct container list request.
- Then it tries a normal Laravel Storage call (files()) to confirm end-to-end integration.
Azure Redis
How Redis Works
Classes involved
- Redis connector:
MI\AzureManagedIdentity\Redis\AzureManagedIdentityPhpRedisConnector
- Token fetcher:
MI\AzureManagedIdentity\Services\AzureManagedIdentityTokenService
- Service Provider registration:
MI\AzureManagedIdentity\Providers\AzureServiceProvider
What happens when you call Redis::connection('default')?
1) You set REDIS_CLIENT=azure-mi
2) AzureServiceProvider::boot() registers: Redis::extend('azure-mi', ...)
3) Laravel uses AzureManagedIdentityPhpRedisConnector when connecting.
4) Inside connect(), if use_managed_identity=true for that Redis connection:
   - Validate that username exists (required for Azure Redis AAD auth)
   - Fetch a token via TokenService->getAccessToken($clientId, 'redis')
   - Set config['password'] = <token> and config['username'] = <aad-username>
5) The parent connector connects normally.
6) Redis commands work normally (PING, SET, GET, etc.).
Required Redis config fields
When MI is enabled, the Redis connection config must provide:
- username (the AAD principal/object id used by Redis AAD auth)
- scheme=tls (strongly recommended: the token is sent as the Redis password)
- port=6380 (common for TLS)
Redis Mermaid Flow Chart
Redis Test Command
Command: azure:redis-test
What it does:
- Connects using Laravel Redis Manager
- Executes PING, then SET, then GET
Azure PostgreSQL (pgsql)
How DB Works
Classes involved
- Postgres connector:
MI\AzureManagedIdentity\Database\AzureManagedIdentityPostgresConnector
- Token fetcher:
MI\AzureManagedIdentity\Services\AzureManagedIdentityTokenService
- Service Provider binding:
MI\AzureManagedIdentity\Providers\AzureServiceProvider
What happens when Laravel connects to pgsql?
1) In AzureServiceProvider::register(), the package binds db.connector.pgsql → AzureManagedIdentityPostgresConnector
2) When Laravel creates a pgsql connection, it uses this connector.
3) Inside connect(array $config):
   - Determine if MI is enabled: use_managed_identity in the pgsql config
   - If enabled:
     - Fetch a token via TokenService->getAccessToken($clientId, 'db')
     - Set config['password'] = <token>
     - Ensure SSL: if sslmode is empty, set it to require
4) The connector calls parent::connect($config), which creates the real PDO connection.
5) From the application's point of view, DB queries work normally.
What the DB token represents
For Azure Database for PostgreSQL with Entra/AAD auth, the access token acts as a short-lived password for the configured DB user. A manual check outside Laravel (e.g. with psql) mirrors the same behavior:
- fetch a token from IMDS for the resource https://ossrdbms-aad.database.windows.net
- use it as PGPASSWORD
- connect using TLS (sslmode=require)
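The two config rewrites described in the Redis and pgsql "How It Works" sections, as one added example that is not the package's own connectors (class names are assumptions; the Redis TLS check is stricter than the README's "recommended", which is a deliberate choice here). The Laravel base classes PhpRedisConnector and PostgresConnector are real, from illuminate/redis and illuminate/database (dependencies of this package, assumed installed via Composer); a constructed fake token provider lets the rewriting run without IMDS or a live server.

```php
<?php
declare(strict_types=1);

// Added example: MI credential injection for Redis and pgsql connections.
// Assumes vendor/autoload.php from a Composer install that includes illuminate/redis and illuminate/database.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Connectors\PostgresConnector;
use Illuminate\Redis\Connectors\PhpRedisConnector;

interface TokenProvider
{
    /** Returns a short-lived Entra/AAD access token for the given resource key (storage|redis|db). */
    public function getAccessToken(?string $clientId, string $resourceKey): string;
}

/** Config rewriting kept separate from the connectors so it can be exercised without connecting. */
final class ManagedIdentityCredentials
{
    public function __construct(private TokenProvider $tokens) {}

    /** Azure Redis Entra auth: the token is the password, the identity's object id is the username. */
    public function forRedis(array $config): array
    {
        if (!($config['use_managed_identity'] ?? false)) {
            return $config;
        }
        if (empty($config['username'])) {
            throw new \InvalidArgumentException('Redis MI auth requires "username" (the AAD principal/object id).');
        }
        if (($config['scheme'] ?? 'tcp') !== 'tls') {
            // The token travels as the AUTH password; refuse to send it in cleartext.
            throw new \InvalidArgumentException('Redis MI auth requires scheme=tls (port 6380 on Azure).');
        }
        $config['password'] = $this->tokens->getAccessToken($config['client_id'] ?? null, 'redis');
        return $config;
    }

    /** Azure Database for PostgreSQL: the token replaces the password; default sslmode to require. */
    public function forPgsql(array $config): array
    {
        if (!($config['use_managed_identity'] ?? false)) {
            return $config;
        }
        $config['password'] = $this->tokens->getAccessToken($config['client_id'] ?? null, 'db');
        if (empty($config['sslmode'])) {
            $config['sslmode'] = 'require';
        }
        return $config;
    }
}

final class MiPhpRedisConnector extends PhpRedisConnector
{
    public function __construct(private ManagedIdentityCredentials $creds) {}

    public function connect(array $config, array $options)
    {
        return parent::connect($this->creds->forRedis($config), $options);
    }
}

final class MiPostgresConnector extends PostgresConnector
{
    public function __construct(private ManagedIdentityCredentials $creds) {}

    public function connect(array $config)
    {
        // Laravel calls connect() once per PDO it opens, so read and write hosts each get a token.
        return parent::connect($this->creds->forPgsql($config));
    }
}

// --- offline check of the rewriting with a constructed fake token provider ---
$fake = new class implements TokenProvider {
    public function getAccessToken(?string $clientId, string $resourceKey): string
    {
        return "eyJ.fake.{$resourceKey}";
    }
};
$creds = new ManagedIdentityCredentials($fake);

$redis = $creds->forRedis([
    'use_managed_identity' => true,
    'host' => 'examplecache.redis.cache.windows.net', 'port' => 6380, 'scheme' => 'tls', // made-up host
    'username' => '00000000-0000-0000-0000-000000000000', // object id of the managed identity (placeholder)
]);
$pg = $creds->forPgsql([
    'use_managed_identity' => true,
    'host' => 'exampleserver.postgres.database.azure.com', 'database' => 'app', // made-up host
    'username' => 'mi-principal-name', // must match the Entra principal created in Postgres
]);
echo 'redis password is a token: ' . (str_starts_with($redis['password'], 'eyJ.') ? 'yes' : 'no') . "\n";
echo "pgsql sslmode: {$pg['sslmode']}\n";
```

Wiring follows the README: register the Redis connector with Redis::extend('azure-mi', ...) and bind the pgsql one to db.connector.pgsql in a service provider. Keeping the rewrite in its own class means the username and TLS checks can be unit-tested with plain arrays, without a Redis or Postgres endpoint.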
DB Mermaid Flow Chart
Notes About Read/Write Hosts
If your database.php configures read replicas, Laravel may connect to:
- the write host for write operations
- the read host for read operations (depending on query patterns and runtime)
Managed Identity still works because:
- The connector injects the token as the password for every pgsql connection attempt, read or write.
- SSL mode should be require for Azure PostgreSQL on both hosts.
If you experience authentication issues only on read replicas, that usually means the replica is not configured to accept the same Entra/AAD principal, or network/security rules differ between the hosts.
Logging
The package logs:
- service start (storage/redis/db)
- cached token usage vs IMDS call
- token caching TTL (without printing the token)
- connection success
Recommended:
- Keep LOG_LEVEL=debug in non-prod environments while validating.
- Never log the raw token; only log the token length if needed.
Security Notes
- Use AZURE_MI_CACHE_STORE=file to avoid circular dependencies (Redis itself might require MI).
- Tokens are short-lived and automatically refreshed before expiry by the cache buffer strategy.
- Use TLS for:
  - Azure Redis (commonly scheme=tls and port=6380)
  - Azure PostgreSQL (sslmode=require)
- Ensure the filesystem used by the file cache is writable by the application user and not world-readable: a cached token is a bearer credential, so anyone who can read the cache file can act as the managed identity until the token expires.
Troubleshooting
Storage fails (403/401)
- Ensure the managed identity has the correct RBAC role on the Storage Account: typically Storage Blob Data Contributor (or as required)
- Validate that AZURE_MI_STORAGE_RESOURCE is https://storage.azure.com/
Redis fails
Common causes:
- Missing username in the redis connection config
- Not using TLS or using the wrong port
- Wrong resource: must be https://redis.azure.com
- AAD not enabled/configured for the Redis instance
DB fails (password authentication failed)
Common causes:
- DB_USERNAME does not match the Entra/AAD configured DB user/principal
- Wrong DB token resource: must be https://ossrdbms-aad.database.windows.net
- SSL not required: set DB_SSLMODE=require
- Read replicas not configured the same as the primary
All versions of mi with dependencies
- illuminate/support ^8.0|^10.0|^11.0
- illuminate/filesystem ^8.0|^10.0|^11.0
- illuminate/redis ^8.0|^10.0|^11.0
- illuminate/database ^8.0|^10.0|^11.0
- illuminate/console ^8.0|^10.0|^11.0
- guzzlehttp/guzzle ^7.0
- microsoft/azure-storage-blob ^1.0|^1.5
- league/flysystem-azure-blob-storage ^1.0|^3.0