[FrameworkBundle][Secret] Leverage vault to store APP_SECRET env var #1005

Closed
7 changes: 4 additions & 3 deletions README.rst
Expand Up @@ -351,11 +351,12 @@ one used by ``symfony/framework-bundle``:
},
"composer-scripts": {
"cache:clear": "symfony-cmd",
"assets:install --symlink --relative %PUBLIC_DIR%": "symfony-cmd"
"assets:install --symlink --relative %PUBLIC_DIR%": "symfony-cmd",
"secrets:generate-keys": "symfony-cmd",
"secrets:set APP_SECRET --random": "symfony-cmd"
},
"env": {
"APP_ENV": "dev",
"APP_SECRET": "%generate(secret)%"
"APP_ENV": "dev"
},
"gitignore": [
".env",
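
Review bot: the README example gives no explanation of the dependency between the two new "composer-scripts" entries or of where APP_SECRET now lives. "secrets:set APP_SECRET --random" needs the keys created by "secrets:generate-keys" on the line before it, and with "APP_SECRET": "%generate(secret)%" gone from "env" a reader of this example can no longer see how the secret reaches the application. A sentence next to the example stating that the value is stored in the secrets vault instead of the env file, and that the script order matters, would cover both.
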
7 changes: 4 additions & 3 deletions symfony/framework-bundle/5.4/manifest.json
Expand Up @@ -9,11 +9,12 @@
},
"composer-scripts": {
"cache:clear": "symfony-cmd",
"assets:install %PUBLIC_DIR%": "symfony-cmd"
"assets:install %PUBLIC_DIR%": "symfony-cmd",
"secrets:generate-keys": "symfony-cmd",
Contributor

the composer scripts run on each install/update. you don't want to regenerate keys every time

Contributor Author

@noniagriconomie Sep 23, 2021

according to the command doc:

  If encryption keys already exist, the command must be called with
  the --rotate option in order to override those keys and re-encrypt
  existing secrets.
  
      bin/console secrets:generate-keys --rotate

@Tobion iiuc it is ok like this; after the first install, other updates will change nothing related to those keys

"secrets:set APP_SECRET --random": "symfony-cmd"
Contributor Author

I do not know if I should use the --local option here

Contributor

doesn't this generate a new APP_SECRET every time?

Contributor Author

@noniagriconomie Sep 23, 2021

indeed it does :s

2 options:

Contributor Author

@nicolas-grekas friendly ping :)
related to symfony/symfony#38021 (comment) and the creation of the secret logic, do you have an idea here?
many thanks!

},
"env": {
"APP_ENV": "dev",
"APP_SECRET": "%generate(secret)%"
"APP_ENV": "dev"
},
"gitignore": [
"/.env.local",
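
Review bot: "secrets:set APP_SECRET --random" under "composer-scripts" has no guard for an existing value, so unlike the removed "APP_SECRET": "%generate(secret)%" entry in "env" it would write a new random APP_SECRET each time the scripts run on install or update, as the thread on that line confirms. Anything the application has derived from the previous secret stops validating after each run. Suggest setting the secret only when it is not already present in the vault, or keeping a one-time generation step for it, and settling the open question about --local before merging, since that decides which vault the value is written to.
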