Chapters

25 Chapters | 2:34:05 |

01

Bundles!

4:31
02

New Bundle, New Service: KnpTimeBundle

5:09
03

Finding & Using the Services from a Bundle

6:38
04

The HTTP Client Service

6:23
05

The Cache Service

8:05
06

Bundle Config (to Control Bundle Services)

6:03
07

Configuring the Cache Service

5:39
08

debug:container & How Autowiring Works

7:41
09

Environments

8:55
10

The "prod" Environment

6:06
11

Creating a Service

5:55
12

Dependency Injection

9:34
13

Parameters

6:45
14

Manual Service Config in services.yaml

4:24
15

All About services.yaml

10:27
16

Bind Arguments Globally

3:40
17

Named Autowiring & Scoped HTTP Clients

4:43
18

Non-Autowireable Services

6:41
19

Controllers are Services Too!

2:49
20

Environment Variables

7:53
21

The Secrets Vault

5:46
22

Reading Secrets vs Env Vars

6:53
23

MakerBundle & Autoconfiguration

4:27
24

Customizing a Command

4:20
25

Command: Autowiring & Interactive Questions

4:38

> Symfony 6 > Symfony 6 Fundamentals: Services, Config & Environments

Buy Access to Course

22.

Reading Secrets vs Env Vars

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

We just created a secrets vault for our dev environment... which will contain a default "safe" version of any sensitive environment variables. For example, we set the GITHUB_TOKEN value to CHANGEME.

Now let's create the prod environment vault. Do that by saying:

./bin/console secrets:set GITHUB_TOKEN --env=prod

This time, grab the real secret value from .env.local and paste it here. Just like before, since there wasn't a prod vault already, Symfony created it. And it's got the same four files as before. Though, there is one subtle, but important difference.

Add that new directory to git:

git add config/secrets/prod

Then run:

git status

Woh! Only three of the four files were added. The fourth file - the decrypt key - is ignored by Git. We already have a line inside in .gitignore for that. We do not want to commit the prod decrypt key to the repository... because anyone that has this key will be able to read all of our secrets.

So, if another developer pulls down the project now, they will have the dev decrypt key, so they'll have no problems reading values from the dev vault. They won't have the prod decrypt key... but no big deal! The only place where you need the prod decrypt key is on production!

So with this setup, when you deploy, instead of needing to create an entire .env.local file containing all of your secrets, you just need to worry about getting this one prod.decrypt.private.php file up into your code. Or, alternatively, you can read this key and set it on an environment variable: you can check the docs for details on how.

Using The Secrets Vault

But... wait a second. I haven't really explained how the vault is used! We know that the dev environment will use the dev vault... and prod will use prod... but how do we read secrets out of the vault?

The answer is... we already are! Secrets become environment variables. It's as simple as that! So in config/packages/framework.yaml, by using this env syntax, this GITHUB_TOKEN could be a real environment variable, or it could be a secret in our vault.

To see if this is working, head to MixRepository and dd($this->githubContentClient):

            Copy Code

                            Show All Lines

                        42 lines
            |
            src/Service/MixRepository.php
        
                Show Lines

                                                    // ... lines 1 - 13
                            
            class MixRepository
        
            {
        
                Show Lines

                                                    // ... lines 16 - 24
                            
                public function findAll(): array
        
                {
        
                Show Lines

                                                    // ... lines 27 - 31
                            
                    dd($this->githubContentClient);
        
                Show Lines

                                                    // ... lines 33 - 39
                            
                }
        
            }

Move over, refresh, and... let's see if we can find the Authorization header in this. Actually, there's a really cool trick with dump. Click on this area and hold "command" or "control" + "F" to search inside of it. Search for the word "token" and... oh, that's not right! That's our real token. But... since we're in the dev environment, shouldn't it be reading our dev vault where we set the fake CHANGEME value? What's going on?

Secrets Must Fully Be Converted Away from Env Vars

As I mentioned, secrets become environment variables. But environment variables take precedence over secrets: even environment variables defined in the .env files. Yup, because we have a GITHUB_TOKEN env var set in .env and .env.local, that is taking precedence over the value in the vault!

Here's the point. As soon as you choose to convert a value from an environment variable into a secret, you need to stop setting it as an environment variable completely. In other words, delete GITHUB_TOKEN in .env and also in .env.local.

Go refresh, click on this again, use "command" + "F", search for "token", and... got it! We see "CHANGEME"! If we were in the prod environment, it would read the value from the prod vault... assuming the prod decrypt key was available.

The secrets:list Command

Ok, remove that dd() and refresh to discover that... locally, everything is broken! Dang! But... of course! It's now using that fake token from the dev vault. It would work ok on production... but how can I fix my local setup so I can keep working?

We could temporarily override the GITHUB_TOKEN secret value in the dev vault by running the secrets:set command. But... that's lame! We would need to be extra careful to not commit the modified, encrypted file.

Before we fix this, I want to show you a really handy command for the vault:

php bin/console secrets:list

Yup, this shows you all of the secrets in our vault. Pretty cool! And you can even pass --reveal to reveal the value... as long as you have the decrypt key.

You may have noticed that it gives us the value right here... but then says "Local Value" with a blank space. Hmm...

Re-run the command, but this time add --env=prod.

php bin/console secrets:list --reveal --env=prod

And... same thing! This shows us the real prod value... but there's still this "Local Value" spot with nothing.

This "Local Value" is the key to fixing our broken dev setup: it's a way to override a secret, but only locally on our one machine.

How do you set this local override value? Copy the real GITHUB_TOKEN value, then move over, find .env.local - the same file we've been working in - and say GITHUB_TOKEN= and paste the value we just copied.

Yup! Locally, we're going to take advantage of the fact that environment variables "win" over secrets! Back at your terminal, run

php bin/console secrets:list --reveal

again. Yes! The official value in the vault is "CHANGEME"... but the local value is our real token which, as we know, will override the secret and be used. If we try the page again... it works!

Okay, team! We're... well... basically done! So as a reward for your hard work on these super important topics, let's celebrate by using Symfony's code generator library: MakerBundle.

6 Comments

Sort By

Francois 9 months ago

Can you clarify something to me? Assume that the project is on private or enterprise repo on GitHub. If I understand well, collaborators would not be able to access the functionality that is provided by the secret value. Is this right?

If this is right, what is the point of creating a dev secret vault?

TIA
François

| Reply |

MolloKhan SFCASTS Francois 9 months ago edited

Hey @Francois

Anyone with access to the project will have access to the dev secret vault because the "dev private" file is committed to the repository, but they won't be able to see the production values (because the prod private file is missing). I hope it's more clear now

Cheers!

| Reply |

Frederic_H-F 1 year ago

Hi, i wonder what is the advantage? Anyone with minium skill could download prod decrypt key on production server and use it in local to get theses infos.

Is that a real security plus to use that or just use .env file with real value not encrypt?

| Reply |

sadikoff SFCASTS Frederic_H-F 1 year ago edited

Hey @Frederic_H-F

yeah, that might be a problem, but how do they download it? As a minimum, they should know FTP/SSH access, but then I'd like to say that you may have more security issues than that.

Cheers!

| Reply |

Frederic_H-F sadikoff 1 year ago

We are all senior, so yes we can handle scp or anything else in SSH. The server has double auth with montly password change so the server is really secure. I think we will continue using .env file, thanks!

| Reply |

sadikoff SFCASTS Frederic_H-F 1 year ago

Yeah, of course, and once again, this storage is not about security, it's more about convenience, so you have some easy work tools to store and work with env variables.

Cheers!

| Reply |

Symfony 6.1

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "knplabs/knp-time-bundle": "^1.18", // v1.19.0
        "symfony/asset": "6.1.*", // v6.1.0-RC1
        "symfony/console": "6.1.*", // v6.1.0-RC1
        "symfony/dotenv": "6.1.*", // v6.1.0-RC1
        "symfony/flex": "^2", // v2.4.5
        "symfony/framework-bundle": "6.1.*", // v6.1.0-RC1
        "symfony/http-client": "6.1.*", // v6.1.0-RC1
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/runtime": "6.4.3", // v6.4.3
        "symfony/twig-bundle": "6.1.*", // v6.1.0-RC1
        "symfony/ux-turbo": "^2.0", // v2.1.1
        "symfony/webpack-encore-bundle": "^1.13", // v1.14.1
        "symfony/yaml": "6.1.*", // v6.1.0-RC1
        "twig/extra-bundle": "^2.12|^3.0", // v3.4.0
        "twig/twig": "^2.12|^3.0" // v3.4.0
    },
    "require-dev": {
        "symfony/debug-bundle": "6.1.*", // v6.1.0-RC1
        "symfony/maker-bundle": "^1.41", // v1.42.0
        "symfony/stopwatch": "6.1.*", // v6.1.0-RC1
        "symfony/web-profiler-bundle": "6.1.*" // v6.1.0-RC1
    }
}

Previous Chapter

Next Chapter

Reading Secrets vs Env Vars

Share this awesome video!

Keep on Learning!

Using The Secrets Vault

Secrets Must Fully Be Converted Away from Env Vars

The secrets:list Command

6 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 13
	class MixRepository
	{
Show Lines	// ... lines 16 - 24
	public function findAll(): array
	{
Show Lines	// ... lines 27 - 31
	dd($this->githubContentClient);
Show Lines	// ... lines 33 - 39
	}
	}