
PHP – How to cache database credentials retrieved from AWS KMS Parameter Store

I’m running a PHP application that connects to an RDS database using a username and password to serve data to clients. The username and password are retrieved from AWS KMS as an encrypted string using the AWS SSM client. I do this for every single request to the PHP app to open up a connection to the database.

So the flow looks something like this

Incoming request -> Retrieve DB credentials from AWS -> Open DB connection -> Query -> return data

Within this flow, every single request goes out to AWS to fetch DB credentials, secure string gets decrypted using KMS, and the end result is high usage of KMS resulting in higher bills. It also introduces latency to every API request.

I was wondering if there are some PHP caching libraries I can use to somewhat securely store credentials locally on the EC2 instance so I don’t need to fetch them all the time.

I read a lot of forums, and I see some people say to store them in a file living outside of the web root, or that a .env file outside of the web root is fine as well; some others say to use memcache, but most people say caching credentials is simply a no-go pattern.

I know there’s no such thing as 100% secure, but any advice to caching credentials + what are the popular tools that are being used for PHP out there will be appreciated.


Answer

Maybe you could store your credentials in a fast-access Redis instance, in such a way that you would not continually hit the KMS and SSM Parameter Store service, but in that case I would recommend that you put a very low TTL in Redis so that these credentials die in a short time to avoid any security incident. With this solution, you could implement a Singleton pattern that always requests the credentials from Redis and, if you don’t have them, requests them from SSM and temporarily stores them for later use.

** The Redis instance should have a direct trust relationship with the server / application to mitigate security incidents.
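The cache-aside Singleton the answer describes, as an added example (not code from the question or the answer). It assumes the AWS SDK for PHP (`Aws\Ssm\SsmClient`) and the phpredis extension; the parameter names, Redis address and region are placeholders. The TTL bounds how long a decrypted copy lives outside SSM, and binding Redis to localhost keeps that copy off the network.

```php
<?php
// Added example: cache a decrypted SSM SecureString in Redis with a short TTL,
// calling SSM (and therefore KMS) only on a cache miss.
declare(strict_types=1);

require 'vendor/autoload.php';          // AWS SDK for PHP via Composer (assumed)

use Aws\Ssm\SsmClient;

final class CachedCredentialStore
{
    private static ?self $instance = null;

    private function __construct(
        private SsmClient $ssm,
        private \Redis $redis,
        private int $ttlSeconds
    ) {}

    // Singleton: one store per PHP process, shared by every lookup in a request.
    public static function instance(SsmClient $ssm, \Redis $redis, int $ttlSeconds = 60): self
    {
        return self::$instance ??= new self($ssm, $redis, $ttlSeconds);
    }

    public function get(string $parameterName): string
    {
        $cacheKey = 'ssm:' . $parameterName;
        $cached = $this->redis->get($cacheKey);    // phpredis returns false on a miss
        if (is_string($cached)) {
            return $cached;                        // hit: no SSM round trip, no KMS decrypt
        }
        // Miss: one SSM call; WithDecryption makes SSM decrypt the SecureString via KMS.
        $result = $this->ssm->getParameter([
            'Name'           => $parameterName,
            'WithDecryption' => true,
        ]);
        $value = $result['Parameter']['Value'];
        // SETEX sets the key with an expiry, so the cached copy dies after ttlSeconds.
        $this->redis->setex($cacheKey, $this->ttlSeconds, $value);
        return $value;
    }
}

// Usage (placeholder values): Redis bound to localhost, credentials cached for 5 minutes.
$redis = new \Redis();
$redis->connect('127.0.0.1', 6379);
$ssm   = new SsmClient(['region' => 'us-east-1', 'version' => 'latest']);
$store = CachedCredentialStore::instance($ssm, $redis, 300);
$pdo   = new PDO('mysql:host=' . getenv('DB_HOST') . ';dbname=app',
    $store->get('/app/db/username'), $store->get('/app/db/password'));
```

If Redis is not already deployed, the same get/setex pair maps onto APCu (`apcu_fetch` / `apcu_store` with a ttl), which keeps the copy in the PHP process memory on the instance itself.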

User contributions licensed under: CC BY-SA