Chapters
29 Chapters
|
3:14:24
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3
Subscribe to download the code!Compatible PHP versions: ^7.1.3
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
25.
Prod Vault Optimization & Vault for Tests
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.3.0",
"ext-iconv": "*",
"antishov/doctrine-extensions-bundle": "^1.4", // v1.4.2
"aws/aws-sdk-php": "^3.87", // 3.110.11
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.10.1
"doctrine/doctrine-bundle": "^2.0", // 2.0.6
"doctrine/doctrine-migrations-bundle": "^1.3|^2.0", // 2.1.2
"doctrine/orm": "^2.5.11", // v2.7.2
"doctrine/persistence": "^1.3.7", // 1.3.8
"easycorp/easy-log-handler": "^1.0", // v1.0.9
"http-interop/http-factory-guzzle": "^1.0", // 1.0.0
"knplabs/knp-markdown-bundle": "^1.7", // 1.8.1
"knplabs/knp-paginator-bundle": "^5.0", // v5.0.0
"knplabs/knp-snappy-bundle": "^1.6", // v1.7.0
"knplabs/knp-time-bundle": "^1.8", // v1.11.0
"league/flysystem-aws-s3-v3": "^1.0", // 1.0.23
"league/flysystem-cached-adapter": "^1.0", // 1.0.9
"league/html-to-markdown": "^4.8", // 4.8.2
"liip/imagine-bundle": "^2.1", // 2.3.0
"nexylan/slack-bundle": "^2.1", // v2.2.1
"oneup/flysystem-bundle": "^3.0", // 3.3.0
"php-http/guzzle6-adapter": "^2.0", // v2.0.1
"phpdocumentor/reflection-docblock": "^3.0|^4.0", // 4.3.4
"sensio/framework-extra-bundle": "^5.1", // v5.5.3
"symfony/asset": "5.0.*", // v5.0.2
"symfony/console": "5.0.*", // v5.0.2
"symfony/dotenv": "5.0.*", // v5.0.2
"symfony/flex": "^1.0", // v1.21.6
"symfony/form": "5.0.*", // v5.0.2
"symfony/framework-bundle": "5.0.*", // v5.0.2
"symfony/mailer": "5.0.*", // v5.0.2
"symfony/messenger": "5.0.*", // v5.0.2
"symfony/monolog-bundle": "^3.5", // v3.5.0
"symfony/property-access": "4.4.*|5.0.*", // v5.0.2
"symfony/property-info": "4.4.*|5.0.*", // v5.0.2
"symfony/security-bundle": "5.0.*", // v5.0.2
"symfony/sendgrid-mailer": "5.0.*", // v5.0.2
"symfony/serializer": "4.4.*|5.0.*", // v5.0.2
"symfony/twig-bundle": "5.0.*", // v5.0.2
"symfony/validator": "5.0.*", // v5.0.2
"symfony/webpack-encore-bundle": "^1.4", // v1.7.2
"symfony/yaml": "5.0.*", // v5.0.2
"twig/cssinliner-extra": "^2.12", // v2.12.0
"twig/extensions": "^1.5", // v1.5.4
"twig/extra-bundle": "^2.12|^3.0", // v3.0.1
"twig/inky-extra": "^2.12", // v2.12.0
"twig/twig": "^2.12|^3.0" // v2.14.4
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.0", // 3.3.0
"fzaninotto/faker": "^1.7", // v1.8.0
"symfony/browser-kit": "5.0.*", // v5.0.2
"symfony/debug-bundle": "5.0.*", // v5.0.2
"symfony/maker-bundle": "^1.0", // v1.14.3
"symfony/phpunit-bridge": "5.0.*", // v5.0.2
"symfony/stopwatch": "4.4.*|5.0.*", // v5.0.2
"symfony/var-dumper": "5.0.*", // v5.0.2
"symfony/web-profiler-bundle": "4.4.*|5.0.*" // v5.0.2
}
}
4 Comments
Hey,
i have another Question, hoping you can help me out here.
I am trying to understand the benefit of using secrets on a security level. (understood the logistic and organizational benefits).
Am i right:
-> So everytime a variable for example %env(DEFUSE_SECRET)% would be accessed, symfony would use the stored decryption key in ENV file to decrypt the secret in the vault?
-> As result of that there is a huge lack of performance in big projects - so the suggestion is: Changing the deployment pipeline to deploy the decryption key -> decrypt the secrets to a env file on the prod server -> deleting the decryption key.. Besides: What is the point of deleting the decryption key ?
So in general: What is the point of using secrets and vault if there is no solutions for storing secrets in a safe way?
-> is there a way to store secrets in a safe way? Like External Authentication methods or something like that?
Besides that: Has someone really had huge performance issues ?
Thanks for answering :) and thanks for the great content!!
Hey @Florian!
Sorry for the VERY VERY slow reply - super busy time of year! Let me do my best to reply :).
The tricky thing about secrets is that you can hide/encrypt all of them... but eventually, your application is going to need access to at least ONE key to "unlock" them. So using something like a vault allows you to minimize the number of secrets that you need to manually worry about from "many" (i.e. trying to handle all of your secret stuff individually) down to just one thing. But yea, it's still ONE thing you need to worry about. But yes, there may be some services that work around this on an infrastructure level - by deploying your decrypted secrets to your server for you in a way where only your server can access them. For example, in platform.sh, you can store secrets directly in their system (e.g. you could literally go to their web gui and "add a new secret"). These are then made available to you unencrypted in your final, deployed environment.
Yup!
Right again
I'm not sure about huge. But yes, since there's some overhead to decrypting, Symfony gives you a performance "escape hatch" so you have the option to avoid that penalty. However, I'd modify tour statement a little bit to this:
This ultimately gives you a situation very much like platform.sh: when you get up to production, boom! Your secrets are waiting for you in a decrypted format.
The decryption key isn't needed at this point, so no purpose of having it on production. And since it's highly sensitive, better to not include it (if someone gets root access to your server, you have problems no matter what - but the less you have there the better).
Cheers!
How does `composer dump-env prod` ( https://symfony.com/blog/ne... ) work with `bin/console secrets:decrypt-to-local --force --env=prod`? When deploying, should I run `bin/console secrets:decrypt-to-local --force --env=prod` then `composer dump-env prod`?
Yo Kevin B.!
Oh man, nice question. I shouldn't be surprised ;). Honestly, this hadn't occurred to me. BUT, it probably occurred to Nicolas Grekas, because it appears to work correctly in this order:
I just tested this - and the final .env.prod.local will contain the plain-text secrets as expected. If you do it in the "wrong" order, .env.local.php simply won't contain the secret... and since the other .env files aren't loaded when .env.local.php is present, the env var won't exist and it will try to load your secrets from the "vault"... which will only work if the decrypt key is present.
So, it looks like all works as expected. But if you see anything different, let me know!
Cheers!
"Houston: no signs of life"
Start the conversation!