tapp / laravel-aws-secrets-manager
Use AWS Secrets manager to load environment variables for configuration.
Installs: 131 415
Dependents: 0
Suggesters: 0
Security: 0
Stars: 36
Watchers: 10
Forks: 20
Open Issues: 2
Requires
- php: ^7.1 || ^7.3 || ^7.4 || ^8.0 || ^8.1 || ^8.3
- aws/aws-sdk-php: ^3.145 || ^3.219 || ^3.263
- illuminate/support: ^6.0 || ^7.0 || ^8.0 || ^9.8 || ^10.6 || ^11.0
Requires (Dev)
- orchestra/testbench: ^3.8 || ^5.0 || ^6.0 || ^7.4 || ^8.2
- phpunit/phpunit: ^7.0 || ^8.4 || ^9.3.3 || ^11.0.1
README
Manage environment secrets using AWS Secrets Manager.
Installation
You can install the package via composer:
composer require tapp/laravel-aws-secrets-manager
Publish Config:
php artisan vendor:publish --provider="Tapp\LaravelAwsSecretsManager\LaravelAwsSecretsManagerServiceProvider"
Usage
This package will try and load in secrets from AWS Secrets manager in any environment that is in the enabled-environments config array. It is recommended that caching is enabled to reduce round trips to AWS Secrets Manager.
Available env values:
AWS_DEFAULT_REGION AWS_SECRETS_TAG_NAME=stage AWS_SECRETS_TAG_VALUE=production
AWS_SECRETS_TAG_NAME and AWS_SECRETS_TAG_VALUE are used to pull down all the secrets that match the tag key/value.
Other Environment-based Configuration
Enabled environments
Specify which environments should have AWS Secrets enabled:
AWS_SECRETS_ENABLED_ENV=production,staging
Default: production
Overwritable Variables Config
Specify which variables should be able to overwrite the config using the AWS_SECRETS_VARIABLES_CONFIGS key in the .env file. The format is a comma-separated list of ENV_VARIABLE_NAME:CONFIG_KEY pairs.
For example:
VARIABLES_CONFIG_KEYS=APP_KEY:app.key,OTHER_KEY:app.other_key
This setup allows APP_KEY to overwrite app.key in the config, and OTHER_KEY to overwrite app.other_key.
Default Behavior: If AWS_SECRETS_VARIABLES_CONFIGS is not set or is empty, no variables will be set for config overwriting.
Cache Settings
For example:
AWS_SECRETS_CACHE_ENABLED=true
AWS_SECRETS_CACHE_EXPIRY=60
AWS_SECRETS_CACHE_STORE=file
Setting up AWS Secrets
- Store New Secret.
- Select type of secret, one of AWS managed or other.
- Enter Key/Value, the KEY should match a env variable.
- Give it a secret name and description
- Add a tag key/value (stage => production) is an example if you want to pull down all production secrets.
Cache the config
php artisan config:cache
AWS Credentials
Since this package utilizes the PHP AWS SDK the following .env values are used or credentials set ~/.aws/credentials.
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html
Key Rotation
If key rotation is enabled, the most recent next rotation date is cached and if it's in the past we force getting the secrets.
Testing
composer test
Changelog
Please see CHANGELOG for more information what has changed recently.
Contributing
Please see CONTRIBUTING for details.
Security
If you discover any security related issues, please email security@tappnetwork.com instead of using the issue tracker.
Credits
License
The MIT License (MIT). Please see License File for more information.
Laravel Package Boilerplate
This package was generated using the Laravel Package Boilerplate.
Laravel Google App Engine (GAE) Datastore Secret Manager
This package was heavily based off of the GAE package. laravel-GAE-secret-manager.