paeire/laravel-secrets-manager
Composer 安装命令:
composer require paeire/laravel-secrets-manager
包简介
Load AWS Secrets Manager secrets into Laravel's configuration at boot, with optional RDS rotation support and configurable caching.
README 文档
README
Load secrets from AWS Secrets Manager into Laravel's configuration at boot before the database (or anything else) is used. It supports two modes (a general "full config" secret and an RDS rotation secret), configurable caching, and a command to refresh the cache.
Requirements
- PHP 8.2+
- Laravel 10, 11 or 12
- AWS credentials available through the standard
AWS credential provider chain
(IAM role,
AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, etc.) - The IAM principal needs
secretsmanager:GetSecretValueon the secret(s) you load.
Installation
composer require paeire/laravel-secrets-manager
The service provider is auto-discovered. Optionally publish the config:
php artisan vendor:publish --tag=secrets-config
How it works
Secrets are loaded in the provider's register() which runs after Laravel loads its
configuration but before any service (database, cache, mail, ...) is resolved. Values are
written with config()->set(), so they override whatever config/*.php produced from
.env, regardless of when the connection is first used.
Configuration
All settings are driven by environment variables (see config/secrets.php):
| Variable | Default | Description |
|---|---|---|
FULL_CONFIG |
false |
Enable the general secret loader. |
AWS_SECRET_ID |
laravel-prod-secrets |
Secret id for the general loader. |
AWS_DEFAULT_REGION |
us-east-1 |
AWS region. |
RDS_ROTATION |
false |
Enable the RDS rotation loader. |
AWS_SECRET_ID_RDS |
laravel-prod-secrets |
Secret id for the RDS loader. |
RDS_READ_WRITE |
false |
Mirror the resolved host onto the read/write connection. |
SECRETS_THROW_ON_FAILURE |
false |
Re-throw on load failure instead of only logging. |
SECRETS_CACHE |
false |
Cache the general secret. |
SECRETS_CACHE_STORE |
(default store) | Cache store for the general secret. |
SECRETS_CACHE_TTL |
300 |
General secret cache TTL (seconds). |
SECRETS_RDS_CACHE |
false |
Cache the RDS secret (off by default). |
SECRETS_RDS_CACHE_STORE |
(default store) | Cache store for the RDS secret. |
SECRETS_RDS_CACHE_TTL |
60 |
RDS secret cache TTL (seconds). |
Mode 1 Full config
Set FULL_CONFIG=true. Each key in the secret's JSON is applied to the config
repository and exported to the process environment, so it works whether your code
reads it via config() or via env():
- Keys that are Laravel config paths (e.g.
database.connections.mysql.host) override that config value directly. - Keys that are flat variable names (e.g.
RECAPTCHA_SECRET_KEY) are reachable throughenv('RECAPTCHA_SECRET_KEY')as well asconfig('RECAPTCHA_SECRET_KEY').
{
"database.connections.mysql.host": "10.0.0.5",
"database.connections.mysql.password": "s3cr3t",
"RECAPTCHA_SECRET_KEY": "6Lfz...",
"services.stripe.key": "sk_live_..."
}
Only scalar values are exported to
env(); structured (array) values are applied toconfig()only, since environment variables can't hold them.
Mode 2 RDS rotation
Set RDS_ROTATION=true. The secret uses the standard AWS RDS rotation shape; only the
keys below are mapped onto database.connections.mysql, and any extra keys (engine,
dbname, dbClusterIdentifier, ...) are ignored:
{
"username": "admin",
"password": "rotated-password",
"host": "my-cluster.rds.amazonaws.com",
"port": 3306
}
With RDS_READ_WRITE=true, the resolved host is also written to
database.connections.mysql.read.host and ...write.host.
Caching
General secrets change rarely, so caching avoids an AWS call on every boot. RDS rotation secrets are not cached by default on purpose: a cached, rotated password would break authentication.
Caveat: if your cache store itself depends on a secret this package loads (for example a Redis password loaded via
FULL_CONFIG), pointSECRETS_CACHE_STOREat a self-contained store such asfile, or leave caching disabled otherwise the cache can't be read before the secret it needs is loaded.
Refreshing the cache
After rotating or changing a cached secret, clear the cache so it is re-fetched on the next boot:
php artisan secrets:refresh # clear both caches php artisan secrets:refresh --general # only the general secret php artisan secrets:refresh --rds # only the RDS secret
The command runs in its own process, so it invalidates the cache; the fresh values are loaded on the next request/boot.
Failure handling
By default, a failure to load secrets is logged (without leaking values) and the app
continues to boot. Set SECRETS_THROW_ON_FAILURE=true to fail fast when secrets are
mandatory.
Testing
composer install
composer test
License
MIT
paeire/laravel-secrets-manager 适用场景与选型建议
paeire/laravel-secrets-manager 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 684 次下载、GitHub Stars 达 0, 最近一次更新时间为 2025 年 06 月 05 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「aws」 「laravel」 「secrets」 「rds」 「rotation」 「secrets-manager」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 paeire/laravel-secrets-manager 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 paeire/laravel-secrets-manager 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 paeire/laravel-secrets-manager 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Secrets Manager for PHP
PSR-6 Cache Adapter for Secretary
A PHP library to encrypt/decrypt secrets using OpenSSL.
This package includes a script and fail2ban configuration that allows you to use fail2ban when utilizing AWS elastic load balancer (ELB) and an apache webserver.
Elastic Driver for Laravel Scout
simple api library.
统计信息
- 总下载量: 684
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 0
- 点击次数: 4
- 依赖项目数: 0
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2025-06-05