Chapters
25 Chapters
|
2:34:05
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!
Subscribe to download the code!
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=8.1",
"ext-ctype": "*",
"ext-iconv": "*",
"knplabs/knp-time-bundle": "^1.18", // v1.19.0
"symfony/asset": "6.1.*", // v6.1.0-RC1
"symfony/console": "6.1.*", // v6.1.0-RC1
"symfony/dotenv": "6.1.*", // v6.1.0-RC1
"symfony/flex": "^2", // v2.4.5
"symfony/framework-bundle": "6.1.*", // v6.1.0-RC1
"symfony/http-client": "6.1.*", // v6.1.0-RC1
"symfony/monolog-bundle": "^3.0", // v3.8.0
"symfony/runtime": "6.4.3", // v6.4.3
"symfony/twig-bundle": "6.1.*", // v6.1.0-RC1
"symfony/ux-turbo": "^2.0", // v2.1.1
"symfony/webpack-encore-bundle": "^1.13", // v1.14.1
"symfony/yaml": "6.1.*", // v6.1.0-RC1
"twig/extra-bundle": "^2.12|^3.0", // v3.4.0
"twig/twig": "^2.12|^3.0" // v3.4.0
},
"require-dev": {
"symfony/debug-bundle": "6.1.*", // v6.1.0-RC1
"symfony/maker-bundle": "^1.41", // v1.42.0
"symfony/stopwatch": "6.1.*", // v6.1.0-RC1
"symfony/web-profiler-bundle": "6.1.*" // v6.1.0-RC1
}
}
22 Comments
@Brontie 1) do we need to git commit dev.decrypt.private.php in production, and development environment and why ?
No — you should not commit
dev.decrypt.private.phpto production for sensitive secrets. In this chapter’s setup, the dev vault is intentionally committed because it only contains shared, non-sensitive values likeCHANGEME, so teammates can run the app locally and Symfony can decrypt those values automatically. The private decrypt key is safe there only because the data it unlocks is meant to be readable by everyone on the team.For production, you keep secrets truly private and do not commit the production decrypt key. Instead, use real environment variables from the hosting platform when possible, or store prod secrets in the platform’s own secret system / vault so only the production environment can read them.
A common gotcha: committing the dev decrypt key is only okay because the dev vault is not storing actual secrets.
@Brontie so in production prod.decrypt.private.php should be stored where, and do we neet it when why try to deploy using gitlab runner and capistrano ?
Hey @ahmedbhs,
Take a look at https://symfony.com/doc/current/configuration/secrets.html#deploy-secrets-to-production for the recommended way. I typically use option 2 (the decrypt key as an env var).
Don't forget to run
secrets:decrypt-to-localas part of your deployment process.Hope this helps,
Kevin
prod.decrypt.private.phpshould not live in your Git repo. In production, it belongs only on the server that needs to decrypt theprodvault, and even then you should only use it if your deployment flow actually relies on Symfony secrets instead of real environment variables. If you're deploying with GitLab Runner + Capistrano, the usual approach is to have Capistrano put the release code on the server, install dependencies, and provide the needed env values through the server/platform rather than checking in a private decrypt key.If your production secrets are handled by the host or injected as real environment variables, you do not need
prod.decrypt.private.phpat all. You only need it when the production server itself must decrypt Symfony’sconfig/secrets/prod/*files.Common gotcha: don’t copy the dev decrypt key into prod just because it “works” locally — dev secrets are intentionally shareable, while prod secrets must stay private.
the production server itself does it need to decrypt them ?@Brontie
Only if you’re using Symfony’s secrets vault in production. In that setup, the production app needs access to the matching
prod.decrypt.private.phpfile on the server so Symfony can decryptconfig/secrets/prod/*and expose those values as environment variables during boot.If your deployment instead sets real environment variables on the server or platform, then the production server does not need to decrypt anything, so
prod.decrypt.private.phpis unnecessary.@Brontie prod.decrypt.private.php is used one to init .env.prod.local files or many times per the symfony app
It’s used by the Symfony app many times, not just once. When the app boots in
prod, Symfony reads theprodsecrets vault on demand and decrypts the needed values usingprod.decrypt.private.php, so those secrets can be exposed as environment variables whenever the container is built or the app starts. It’s not an initializer for a.env.prod.localfile — that file isn’t part of the secrets vault flow.Tip: if you’re using real production environment variables from your host, you can skip the vault entirely and
prod.decrypt.private.phpnever comes into play.Hi all,
I've been trying to use the base64 encrypted version of my private key for the secrets vault and I must be missing something. I have encrypted the password according to the docs
php -r 'echo base64_encode(require "config/secrets/prod/prod.decrypt.private.php");'and set that value on the server as an environment variable SYMFONY_DECRYPTION_SECRET but the app still doesn't find the variables in the vault.
Am I missing something obvious?
Thanks!
Seems it was obvious. For anybody as thick as me that ends up with the same quandary, the SYMFONY_DECRYPTION_SECRET needs to be in the .env file and not a server environment variable.
Hey @phpbutcher
I'd need to double-check but as far as I know, you should be able to set it as a server env var. Is it possible that you were overriding its value in the
.envor.env.localfile?Cheers!
So I know I must be missing something simple but I've read the docs and I either missed it or I'm just not getting it. I was under the impression that once I added a variable to the secrets vault it would be available in my controller as $_ENV['MY_SECRET_VARIABLE'] but that doesn't seem to be the case. The only references I've seen in the doc were to use them in config files with '%env(MY_SECRET_VARIABLE)%'.
I'm hoping someone can explain either what I'm missing in the docs or what I need to do to use the secret variables directly in my controllers.
Thanks for any help
Hey @phpbutcher!
Yea, this is a good question. The secrets become "environment variables in Symfony", but I'm pretty sure that they're not written back to
$_ENV(and your experience confirms that). But to answer your question, to use a value directly in your controller, I would:That should do it :). The
Autowireattribute is relatively new (theenvargument is even newer), but this can be used for controller args or the__construct()method in any service.Let me know if that helps!
Cheers!
Thanks for the reply Ryan!
That would be an awesome suggestion except I lied a little in my OP. Some of the secret variables I am indeed trying to use in a controller that extends AbstractController but some are not. I did manage to solve my problem in those cases this morning by binding them in /config/services.yaml. I originally thought that wasn't working because I put the bind in like so ( for the future benefit of others like me) and it threw an error because it seems as soon as you put a bind variable in services.yaml it has to be used somewhere and I hadn't done that yet.
And then in my LoginFormAuthenticator class:
If there's a better/easier way to do it I'd love to hear it.
Thanks again Ryan! I will make use of the Autowire(env: thing in my Controllers. It makes it much more obvious to others where that value is coming from.
Ryan,
It seems I didn't read your reply close enough. Your Autowire suggestion does work in both the Controller and LoginFormAuthenticator.
Thanks for taking the time to Respond. It makes the Symfony Casts so much more valuable.
Sweeet! Super happy it worked!
A tutorial on deployment might be an interesting idea :)
Hey Rufnex,
We do have a tutorial about deployment already! :) Take a look at Ansistrano tool: https://symfonycasts.com/screencast/ansistrano - it's based on Ansible automation language, but you're not required to know it to start this deployment course as its syntax is pretty descriptive. Moreover we explain it during the course well I think. But in case you're interested in Ansible to learn its syntax deeper - we also have a separate tutorial about it here: https://symfonycasts.com/screencast/ansible
Cheers!
Thank you Victor. I will check it out.
Hey Rufnex,
You're welcome! If you have any use cases that are not covered with that Ansistrano deploy tutorial - please, let us know in the comments! It would definitely help us to plan a new deploy tutorial in the future :)
Cheers!
Hey,
Thanks for the feedback, I'll put your idea in our list =)
Cheers!
"Houston: no signs of life"
Start the conversation!