Symfony 4.4 secrets management system #12958
Conversation
dcd7c45 to
75e5ae6
Compare
| Use Secret for Sensitive Information | ||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
|
|
||
| When your application has sensitive configuration - like an API key - you should |
There was a problem hiding this comment.
I would use a database password instead of an api key for the example
99% of project have a db :)
Wdyt?
There was a problem hiding this comment.
I see your point. But on some systems (Heroku, SymfonyCloud), the database credentials are provided to you by your platform and are not something you need to store in a vault.
|
|
||
| .. code-block:: bash | ||
|
|
||
| # .env | ||
| DATABASE_URL="mysql://db_user:db_password@127.0.0.1:3306/db_name" | ||
|
|
||
| This file should be committed to your repository and (due to that fact) should | ||
| only contain "default" values that are good for local development. This file | ||
| should not contain production values. |
There was a problem hiding this comment.
I would use sensitives values
As on a preproduction, there are also such values
There was a problem hiding this comment.
sensitive value should not be committed and therefore should not be stored in .env file which contains default public values.
I'd rather use secrets to store "pre-prodction" sensitive value and change the secret location (see section configuration) according to an env variable that define the stage.
ie.
framework:
secrets:
vault_directory: '%kernel.project_dir%/config/secrets/%kernel.environment%/%app_stage'
parameters:
app_stage: '%env(STAGE)%'$ STAGE=PRE-PRODCTION APP_ENV=PROD bin/console secrets:set DATABASE_PASSWORDThere was a problem hiding this comment.
This might be a nice example to add to the config section after this PR is merged :)
| The Secrets management was introduced in Symfony 4.4. | ||
|
|
||
| :ref:`Environment variables <config-env-vars>` are the best way to store configuration | ||
| that depends on where the application is run - for example, some API key that |
| Beware that dumping the contents of the ``$_SERVER`` and ``$_ENV`` variables | ||
| or outputting the ``phpinfo()`` contents will display the values of the | ||
| environment variables, exposing sensitive information such as the database | ||
| credentials. |
There was a problem hiding this comment.
Even more, they are exposed in the system (for instance, when requesting details about PHP-fpm processes or services). I think we maybe should be more explicit that plaintext sensitive information should not be in an env var
There was a problem hiding this comment.
That's true... but only true when users are setting "real" env vars (not using .env), right? In general, I hope we can now (with secrets) really push people to use that system. This warning already is starting to look misplaced to me: we should (in the document in general) be telling people to instantly use the secrets management for sensitive stuff.
|
This should be ready now! |
| # config/packages/doctrine.yaml | ||
| doctrine: | ||
| dbal: | ||
| password: '%env(DATABASE_PASSWORD)%' |
There was a problem hiding this comment.
Shouldn't this be %env(secret:DATABASE_PASSWORD) ?
There was a problem hiding this comment.
there is no secret env processor, the documentation is right here, to access secret, you should use %env(DATABASE_PASSWORD)%. this is explain in the paragraph above (line 104).
|
Thanks to @jderusse for helping with this great feature and writing most of the docs. Sorry for the delay - but I wanted to get the first draft right :) |
…rryan) This PR was merged into the 4.4 branch. Discussion ---------- Symfony 4.4 secrets management system Hi! This completes #11396 I also made some changes to the section in `configuration.rst` about environment variables to make sure that it read well with the secrets stuff. Thanks to @jderusse for doing the vast majority of the work. Cheers! Commits ------- cd066cc tweaks thanks to review 75e5ae6 finishing the secrets documentation 82d2058 Add the secret documentation
Hi!
This completes #11396
I also made some changes to the section in
configuration.rstabout environment variables to make sure that it read well with the secrets stuff.Thanks to @jderusse for doing the vast majority of the work.
Cheers!