I am deploying my laravel application to AWS Elastic Beanstalk and I’m encountering the problem of persisting the oauth keys for laravel passport.
I went through this and this. While the S3 option sounds reasonable, I still wanted a more secure way and wanted to check out Secrets Manager from AWS.
Since Laravel Passport provides the option to load keys from a custom folder, I figured I could use the AWS PHP SDK to retrieve a secret key, write it to storage/app/oauth-public.key and storage/app/oauth-private.key, and have Passport load it from there.
This approach is working fine after deployment to Beanstalk, but is the storage/app folder a safe location to generate the oauth.*.key files? Or is there a better way/safer place?
The following is my boot function in Providers/AuthServiceProvider.php (the use statements belong at the top of the file):

    use Illuminate\Support\Facades\Storage;
    use Laravel\Passport\Passport;

    public function boot()
    {
        $this->registerPolicies();

        Passport::routes();
        Passport::tokensExpireIn(now()->addDays(5));

        // Load keys from AWS Secrets Manager if either file is missing
        // (with && the keys would never be rewritten when only one file was lost).
        if (!file_exists(storage_path().'/app/oauth-public.key')
            || !file_exists(storage_path().'/app/oauth-private.key')) {
            $keys = json_decode($this->getPassportKeys());

            // The secret stores the PEM with literal "\n" sequences; turn them into real newlines.
            $public_key = implode("\n", explode('\n', $keys->PASSPORT_PUBLIC_KEY));
            Storage::put('oauth-public.key', $public_key);

            $private_key = implode("\n", explode('\n', $keys->PASSPORT_PRIVATE_KEY));
            Storage::put('oauth-private.key', $private_key);
        }

        Passport::loadKeysFrom(storage_path().'/app');
    }
Answer
Generally your applications on AWS should be stateless. This means that no data should be stored on the instances as they can be replaced at any time due to scaling in activities, AZ re-balancing or other activities.
Consequently, usually you would store application data outside of your instances. For secrets, such as your keys, good locations could be SSM Parameter Store or Secrets Manager (SM).
You are already using SM, which is good in my view. If you store them locally in storage/app, this folder will be deleted any time you deploy a new version of your application. So you have to make sure that you always get the keys from SM. Also, you could consider storing the files in memory rather than on a hard drive. This would allow you to get them faster without reading them from the local storage.