
api-accounts.md


API credential manager

Allows API user credentials to be specified in environment variables.

This can be used to:

Managing local API accounts

This is used to ensure that local API accounts retain their credentials. Any missing accounts are created, and the password is reset to whatever is defined in the configuration.

Configuration

Define an array of accounts, each with a username, a password, and optional roles and mail values:

$config['helfi_api_base.api_accounts']['accounts'][] = [
  'username' => 'account1',
  'password' => 'password1',
  'roles' => ['role1', 'role2'],
  'mail' => '[email protected]',
];

If no mail is provided, an autogenerated email address like [email protected] is used. For example: [email protected].

Configuring API accounts on OpenShift

Add a new secret to your project's KeyVault on Azure Portal.

For example, add a new secret called YOUR-API-ACCOUNT. This will be automatically mapped to an env variable called YOUR_API_ACCOUNT.

The value should be a JSON encoded string, something like:

{
  "username": "account1",
  "password": "password1",
  "roles": ["role1"],
  "mail": "[email protected]"
}

Add a mapping to your project's all.settings.php:

# public/sites/all.settings.php

if ($your_api_account = getenv('YOUR_API_ACCOUNT')) {
  $config['helfi_api_base.api_accounts']['accounts'][] = json_decode($your_api_account, TRUE);
}
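
A stricter form of the mapping above, as an added example that is not part of the module's own code or documentation: it skips the account when the secret is not valid JSON or lacks a non-empty username and password, drops an invalid mail so the autogenerated address applies, and never writes the secret itself to the log. The `$parse_api_account` closure, the log messages and the sample strings are assumptions made for illustration.

```php
<?php
// Added example, not helfi_api_base code. $parse_api_account is hypothetical;
// a closure avoids redeclaration if the settings file is included twice.
$parse_api_account = static function (string $json): ?array {
  try {
    $account = json_decode($json, TRUE, 8, JSON_THROW_ON_ERROR);
  }
  catch (\JsonException $e) {
    // Log the parser message only: $json itself contains the password.
    error_log('YOUR_API_ACCOUNT: invalid JSON (' . $e->getMessage() . ')');
    return NULL;
  }
  if (!is_array($account)) {
    return NULL;
  }
  foreach (['username', 'password'] as $key) {
    if (!is_string($account[$key] ?? NULL) || $account[$key] === '') {
      error_log("YOUR_API_ACCOUNT: missing or empty '$key'");
      return NULL;
    }
  }
  $roles = $account['roles'] ?? [];
  if (!is_array($roles) || array_filter($roles, 'is_string') !== $roles) {
    error_log("YOUR_API_ACCOUNT: 'roles' must be a list of strings");
    return NULL;
  }
  // Copy only the documented keys so stray fields never reach configuration.
  $clean = [
    'username' => $account['username'],
    'password' => $account['password'],
    'roles' => array_values($roles),
  ];
  if (is_string($account['mail'] ?? NULL) && filter_var($account['mail'], FILTER_VALIDATE_EMAIL)) {
    $clean['mail'] = $account['mail'];
  }
  return $clean;
};

// Constructed values standing in for getenv('YOUR_API_ACCOUNT').
$samples = [
  '{"username": "account1", "password": "password1", "roles": ["role1"]}',
  '{"username": "account1", "password": ""}',
  '{"username": "account1", "password": "password1"',
];
foreach ($samples as $sample) {
  if ($account = $parse_api_account($sample)) {
    $config['helfi_api_base.api_accounts']['accounts'][] = $account;
  }
}
```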

Usage

We hook into the helfi_api_base.post_deploy event (src/EventSubscriber/EnsureApiAccountsSubscriber.php), which is triggered by the drush helfi:post-deploy command executed as part of the deployment tasks: https://github.com/City-of-Helsinki/drupal-helfi-platform/blob/main/docker/openshift/entrypoints/20-deploy.sh

You can test this locally by running drush helfi:post-deploy.

Managing external API credentials

This is used to store external API credentials.

Configuration

Define an array of items, each with an id, a plugin, and a data value:

$vault_accounts = [
  [
    'id' => 'pubsub',
    'plugin' => 'json',
    'data' => '{"endpoint": "xxx.docker.so", "hub": "local", "group": "invalidate_cache", "access_key": "<access-key>"}',
  ],
  [
    'id' => 'global_navigation',
    'plugin' => 'authorization_token',
    'data' => 'aGVsZmktYWRtaW46MTIz',
  ],
];
$config['helfi_api_base.api_accounts']['vault'] = $vault_accounts;

The value of the data field depends on the plugin used:

  • Authorization token (authorization_token): A simple string. For example aGVsZmktYWRtaW46MTIz.
  • JSON (json): A JSON string. For example {"endpoint": "xxxx.docker.so", "key": "value"}.

Configuring Vault accounts on OpenShift

Add a new secret to your project's KeyVault on Azure Portal.

For example, add a new secret called YOUR-VAULT-ACCOUNT. This will be automatically mapped to an env variable called YOUR_VAULT_ACCOUNT.

Add mapping to your project's all.settings.php file, or settings.php if the feature should be enabled everywhere by default:

if ($your_vault_account = getenv('YOUR_VAULT_ACCOUNT')) {
  $config['helfi_api_base.api_accounts']['vault'][] = [
    'id' => 'your_vault_account',
    'plugin' => 'authorization_token',
    'data' => $your_vault_account,
  ];
}

Usage

/** @var \Drupal\helfi_api_base\Vault\VaultManager $service */
$service = \Drupal::service('helfi_api_base.vault_manager');
/** @var \Drupal\helfi_api_base\Vault\VaultItemInterface $item */
$item = $service->get('your_vault_account'); // 'your_vault_account' is the ID previously defined in YOUR_VAULT_ACCOUNT.
$id = $item->id(); // $id = 'your_vault_account'.
$data = $item->data(); // $data = 'aGVsZmktYWRtaW46MTIz'. This is a base64 encoded basic auth token (helfi-admin:123).

Testing locally

Add something like this to your local.settings.php:

# local.settings.php
$vault_accounts = [
  [
    'id' => 'your_vault_account',
    'plugin' => 'authorization_token',
    'data' => base64_encode('helfi-debug-data:123'),
  ],
];
$config['helfi_api_base.api_accounts']['vault'] = $vault_accounts;