定制 paeire/laravel-secrets-manager 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

paeire/laravel-secrets-manager

Composer 安装命令:

composer require paeire/laravel-secrets-manager

包简介

Load AWS Secrets Manager secrets into Laravel's configuration at boot, with optional RDS rotation support and configurable caching.

README 文档

README

Load secrets from AWS Secrets Manager into Laravel's configuration at boot before the database (or anything else) is used. It supports two modes (a general "full config" secret and an RDS rotation secret), configurable caching, and a command to refresh the cache.

Requirements

  • PHP 8.2+
  • Laravel 10, 11 or 12
  • AWS credentials available through the standard AWS credential provider chain (IAM role, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, etc.)
  • The IAM principal needs secretsmanager:GetSecretValue on the secret(s) you load.

Installation

composer require paeire/laravel-secrets-manager

The service provider is auto-discovered. Optionally publish the config:

php artisan vendor:publish --tag=secrets-config

How it works

Secrets are loaded in the provider's register() which runs after Laravel loads its configuration but before any service (database, cache, mail, ...) is resolved. Values are written with config()->set(), so they override whatever config/*.php produced from .env, regardless of when the connection is first used.

Configuration

All settings are driven by environment variables (see config/secrets.php):

Variable Default Description
FULL_CONFIG false Enable the general secret loader.
AWS_SECRET_ID laravel-prod-secrets Secret id for the general loader.
AWS_DEFAULT_REGION us-east-1 AWS region.
RDS_ROTATION false Enable the RDS rotation loader.
AWS_SECRET_ID_RDS laravel-prod-secrets Secret id for the RDS loader.
RDS_READ_WRITE false Mirror the resolved host onto the read/write connection.
SECRETS_THROW_ON_FAILURE false Re-throw on load failure instead of only logging.
SECRETS_CACHE false Cache the general secret.
SECRETS_CACHE_STORE (default store) Cache store for the general secret.
SECRETS_CACHE_TTL 300 General secret cache TTL (seconds).
SECRETS_RDS_CACHE false Cache the RDS secret (off by default).
SECRETS_RDS_CACHE_STORE (default store) Cache store for the RDS secret.
SECRETS_RDS_CACHE_TTL 60 RDS secret cache TTL (seconds).

Mode 1 Full config

Set FULL_CONFIG=true. Each key in the secret's JSON is applied to the config repository and exported to the process environment, so it works whether your code reads it via config() or via env():

  • Keys that are Laravel config paths (e.g. database.connections.mysql.host) override that config value directly.
  • Keys that are flat variable names (e.g. RECAPTCHA_SECRET_KEY) are reachable through env('RECAPTCHA_SECRET_KEY') as well as config('RECAPTCHA_SECRET_KEY').
{
    "database.connections.mysql.host": "10.0.0.5",
    "database.connections.mysql.password": "s3cr3t",
    "RECAPTCHA_SECRET_KEY": "6Lfz...",
    "services.stripe.key": "sk_live_..."
}

Only scalar values are exported to env(); structured (array) values are applied to config() only, since environment variables can't hold them.

Mode 2 RDS rotation

Set RDS_ROTATION=true. The secret uses the standard AWS RDS rotation shape; only the keys below are mapped onto database.connections.mysql, and any extra keys (engine, dbname, dbClusterIdentifier, ...) are ignored:

{
    "username": "admin",
    "password": "rotated-password",
    "host": "my-cluster.rds.amazonaws.com",
    "port": 3306
}

With RDS_READ_WRITE=true, the resolved host is also written to database.connections.mysql.read.host and ...write.host.

Caching

General secrets change rarely, so caching avoids an AWS call on every boot. RDS rotation secrets are not cached by default on purpose: a cached, rotated password would break authentication.

Caveat: if your cache store itself depends on a secret this package loads (for example a Redis password loaded via FULL_CONFIG), point SECRETS_CACHE_STORE at a self-contained store such as file, or leave caching disabled otherwise the cache can't be read before the secret it needs is loaded.

Refreshing the cache

After rotating or changing a cached secret, clear the cache so it is re-fetched on the next boot:

php artisan secrets:refresh            # clear both caches
php artisan secrets:refresh --general  # only the general secret
php artisan secrets:refresh --rds      # only the RDS secret

The command runs in its own process, so it invalidates the cache; the fresh values are loaded on the next request/boot.

Failure handling

By default, a failure to load secrets is logged (without leaking values) and the app continues to boot. Set SECRETS_THROW_ON_FAILURE=true to fail fast when secrets are mandatory.

Testing

composer install
composer test

License

MIT

paeire/laravel-secrets-manager 适用场景与选型建议

paeire/laravel-secrets-manager 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 684 次下载、GitHub Stars 达 0, 最近一次更新时间为 2025 年 06 月 05 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「aws」 「laravel」 「secrets」 「rds」 「rotation」 「secrets-manager」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 paeire/laravel-secrets-manager 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 paeire/laravel-secrets-manager 我们能提供哪些服务?
定制开发 / 二次开发

基于 paeire/laravel-secrets-manager 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 684
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 4
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2025-06-05