Retrieve secrets from AWS Secrets Manager and override config variables in Laravel.
As an example, you could store your database password in AWS Secrets Manager instead of your .env file. This package does not modify your .env file or config files. Instead, the configuration values are set using Laravel's config() helper right after your application has started.
composer require audunru/config-secrets
Publish the configuration file by running:
php artisan vendor:publish --tag=config-secrets-config
This package supports two config providers: aws retrieves secrets from AWS Secrets Manager, and the array provider simply retrieves them from config-secrets.php.
- Create a new secret.
- Set the secret value to any number of key/value pairs. You can prefix the secret value with base64: followed by a base64 encoded string. This is useful for private and public keys, for instance.
In your Laravel application:
- Set AWS_DEFAULT_REGION in .env or set the region directly in config-secrets.php
- Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in .env or use any of the other options that AWS SDK offers
- Map Laravel configuration keys to secret keys under the aws provider's configuration section in config-secrets.php
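The mapping and base64: handling described above, as an added sketch in plain PHP. It is not the package's own code: the function name resolveSecrets, the secret key names, the jwt.public_key config key and the per-value treatment of the base64: prefix are assumptions made for illustration.

```php
<?php
// Added sketch, not the package's implementation. Requires PHP 8.
// Assumption: the "base64:" prefix is applied per value inside the secret.

/**
 * @param string $secretString JSON key/value document stored in the secret
 * @param array<string,string> $map Laravel config key => key inside the secret
 * @return array<string,string> Laravel config key => resolved value
 */
function resolveSecrets(string $secretString, array $map): array
{
    $pairs = json_decode($secretString, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($pairs)) {
        throw new UnexpectedValueException('Secret is not a set of key/value pairs');
    }
    $resolved = [];
    foreach ($map as $configKey => $secretKey) {
        $value = $pairs[$secretKey] ?? null;
        if (!is_string($value)) {
            // Fail closed: a missing key must not silently leave a default in place.
            throw new OutOfBoundsException("Secret key '{$secretKey}' is missing or not a string");
        }
        if (str_starts_with($value, 'base64:')) {
            // Strict mode rejects characters outside the base64 alphabet.
            $value = base64_decode(substr($value, 7), true);
            if ($value === false) {
                throw new UnexpectedValueException("Secret key '{$secretKey}' is not valid base64");
            }
        }
        $resolved[$configKey] = $value;
    }
    return $resolved;
}

// Constructed sample secret: one plain value, one base64-prefixed PEM block.
$pem = "-----BEGIN PUBLIC KEY-----\n(constructed sample)\n-----END PUBLIC KEY-----\n";
$secretString = json_encode([
    'DB_PASSWORD' => 'constructed-sample-password',
    'JWT_PUBLIC_KEY' => 'base64:' . base64_encode($pem),
]);
$map = [
    'database.connections.mysql.password' => 'DB_PASSWORD',
    'jwt.public_key' => 'JWT_PUBLIC_KEY', // hypothetical config key
];

foreach (resolveSecrets($secretString, $map) as $configKey => $value) {
    // In a Laravel app the value would be applied with config([$configKey => $value]).
    printf("%s => %d bytes\n", $configKey, strlen($value));
}
```

The loop prints value lengths rather than the values themselves so that resolved secrets do not end up in terminal history or logs.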
The array provider replaces configuration values with values from config-secrets.php. Look in config-secrets.php for an example. This allows you to keep environment-specific configuration values in source control. Because those values are committed to source control, do not use the array provider for values that should be kept secret.
Add the following lines to bootstrap/app.php (recommended but not required):
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Bootstrap\LoadConfiguration;
use audunru\ConfigSecrets\ConfigSecretsServiceProvider;
$app->afterBootstrapping(LoadConfiguration::class, fn (Application $app) => ConfigSecretsServiceProvider::registerAndUpdate($app));
Loading the secrets in bootstrap/app.php instead of in a service provider ensures that you can override (probably) any configuration value. For instance, Laravel's RedisServiceProvider uses the available configuration values when it is registered. Without the code above, you won't be able to override the Redis password.
It is very important that you cache your Laravel configuration with php artisan config:cache or php artisan optimize when you use this package. If not, secrets will be retrieved for every request. This process is slow and costly!
Run tests:
composer verify