8

I have a Laravel application running in an AWS Elastic Beanstalk environment. I use Laravel Passport to handle the authentication.

Every time I run eb deploy the keys will be deleted, since they are not part of the version-controlled files (they are listed in .gitignore). Thus, I have to manually run php artisan passport:keys on the EC2 instance to generate the keys. But this will make all users need to log in again, because the old tokens are now invalid since it's a new key pair.

What is the best practice to provide a consistent oauth-public and oauth-private key for my configuration?

I am thinking of including the key into the repository, but I believe this is not recommended.

Another way is that I generate the key once, then upload it to S3, and have a post-deployment script retrieve it from S3.

Is there any better way?

Fadli
  • 976
  • 9
  • 24
  • I think the deployment through S3 is a good idea, but better yet would be to retrieve the credentials through secrets manager. Do you have figured out a way by now? – eneskaya Feb 03 '19 at 18:42
  • 1
    @eneskaya No, this (side) project got abandoned due to prioritization over my other projects. But if I were to improve things, I'd do the S3 way. Could you explain more about the secret manager? – Fadli Feb 04 '19 at 04:39
  • I was able to load the oauth keys using secret manager: https://stackoverflow.com/questions/65815958/safe-location-to-write-oauth-key-files-in-laravel – otaku Jan 21 '21 at 09:13

1 Answer

13

I managed to solve this yesterday, with S3.

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["<BUCKET-NAME>"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
  • Assuming A) Your S3 Bucket is called <BUCKET-NAME> and B) The IAM instance profile in your ElasticBeanstalk environment is called aws-elasticbeanstalk-ec2-role
  • Now you have to add the files to a location on the instance where you can access them; you're free to choose where. In your .config file insert the following:
files:
    "/etc/keys/oauth-private.key":
        mode: "000600" # private key: owner-only access; 000755 would leave it readable by every local user
        owner: webapp
        group: webapp
        authentication: "S3Auth" # Notice, this is the same as specified in the Resources section
        source: "https://<BUCKET-NAME>.s3-<REGION>.amazonaws.com/<PATH-TO-THE-FILE-IN-THE-BUCKET>"
  • Now for this to work, you still need to grant access to the IAM instance profile (aws-elasticbeanstalk-ec2-role), therefore you need to edit the ACL of your Bucket, like this:
{
    "Version": "2012-10-17",
    "Id": "BeanstalkS3Copy",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ID>:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": [
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET-NAME>",
                "arn:aws:s3:::<BUCKET-NAME>/*"
            ]
        }
    ]
}
  • You can find the ARN of the IAM instance profile by going to the IAM Dashboard > Roles > aws-elasticbeanstalk-ec2-role and then copying the Role ARN

  • In your Laravel application you have to use Passport::loadKeysFrom('/etc/keys')

Marius
  • 57,995
  • 32
  • 132
  • 151
eneskaya
  • 918
  • 1
  • 10
  • 17
  • Isn't this kinda unsecure and should we use secrets manager instead? https://stackoverflow.com/questions/61549058/aws-elastic-beanstalk-and-secret-manager – Francisco Trillo Sep 25 '22 at 15:22
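Whether the key files come from S3 as in the answer or from Secrets Manager as the comment suggests, the failure modes the question describes are the same: the files are missing after a deploy, they are world-readable, or a fresh key pair silently replaced the old one and every issued token died. The script below is an added example, not code from the answer, from Laravel Passport or from AWS; it assumes a hypothetical container_command runs it after the files are written to /etc/keys, and that an operator has pinned the expected SHA-256 fingerprints of the DER key bytes once (constructed values in the usage block).

```python
"""Post-deployment sanity check for Passport key files (added example).

Assumed layout: /etc/keys/oauth-private.key and /etc/keys/oauth-public.key,
fetched by .ebextensions. The pinned fingerprints are hypothetical.
"""
import base64
import hashlib
import re
import stat
import sys
from pathlib import Path

# One PEM block: group 1 is the label, group 2 the base64 body between the armour lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.+?)\s*-----END \1-----", re.S)


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 hex digest of the DER bytes inside the first PEM block.

    Hashing the decoded DER, not the file text, keeps the fingerprint stable
    across trailing-newline or line-wrapping differences between uploads.
    """
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(match.group(2).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def check_key_file(path, expected_fingerprint=None, private=True):
    """Return a list of findings for one key file; an empty list means it passed."""
    findings = []
    p = Path(path)
    if not p.is_file():
        return [f"{path}: missing"]
    mode = stat.S_IMODE(p.stat().st_mode)
    # A private key must not be group- or world-accessible (0600 is the target).
    if private and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is group/world accessible; expected 0600")
    try:
        fp = pem_fingerprint(p.read_text())
    except ValueError as exc:
        findings.append(f"{path}: {exc}")
        return findings
    # A changed fingerprint means a new key pair: every token signed so far is now invalid.
    if expected_fingerprint and fp != expected_fingerprint:
        findings.append(f"{path}: fingerprint {fp[:16]}... does not match the pinned value; "
                        "issued tokens would be invalidated")
    return findings


def check_key_dir(key_dir, pinned):
    """Check every pinned file in key_dir; `pinned` maps file name to expected fingerprint."""
    findings = []
    for name, fp in pinned.items():
        findings += check_key_file(Path(key_dir) / name, fp, private=name.endswith("private.key"))
    return findings


if __name__ == "__main__":
    # Constructed placeholder fingerprints; replace with the digests of your own key pair.
    PINNED = {
        "oauth-private.key": "<PINNED-SHA256-OF-PRIVATE-KEY-DER>",
        "oauth-public.key": "<PINNED-SHA256-OF-PUBLIC-KEY-DER>",
    }
    problems = check_key_dir(sys.argv[1] if len(sys.argv) > 1 else "/etc/keys", PINNED)
    for line in problems:
        print(line, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it with the key directory as the only argument; a non-zero exit from a container_command fails the deployment before the new instance starts serving traffic, which is the point: a key mismatch is caught at deploy time rather than by users being logged out.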