3

I'm having trouble setting up Laravel's Passport on AWS Elastic Beanstalk. The EB client is set up correctly and I can deploy code changes. No errors are shown.

However, making requests to Laravel results in error 500 afterwards, telling me I'm missing the Passport keys in "app/current/storage/oauth-public.key". Locally everything runs fine.

I guess I'm missing the artisan command "php artisan passport:install", so I added it in the composer file:

    "post-install-cmd": [
        "Illuminate\\Foundation\\ComposerScripts::postInstall",
        "@php artisan passport:install"
    ]

But apparently it does not create the keys.

Either the post-install hook is not executed after running eb deploy, or there is another error that does not let me create the key file (missing writing permission?)

How can I verify that the post-install hook is executed? Anyone had a similar issue?

I followed the suggestions in this issue but so far it did not help: https://github.com/laravel/passport/issues/418

UPDATE: I SSHed into the app and tried to run php artisan passport:install manually, which resulted in an error. I had to give permissions first to the folder (sudo chmod -R 777 storage), then it worked. Unfortunately the keys are deleted every time I run eb deploy, so I would have to redo these steps every time, which is pretty cumbersome. Has anyone found a good way to automate this?

Chris

4 Answers

3

Apparently this PR https://github.com/laravel/passport/pull/683 made it possible to pass the keys via env vars.

/*
|--------------------------------------------------------------------------
| Encryption Keys
|--------------------------------------------------------------------------
|
| Passport uses encryption keys while generating secure access tokens for
| your application. By default, the keys are stored as local files but
| can be set via environment variables when that is more convenient.
|
*/
'private_key' => env('PASSPORT_PRIVATE_KEY'),
'public_key' => env('PASSPORT_PUBLIC_KEY'),

I didn't test it yet but I will soon.

Update

We tried it and we hit the env vars size limit of 4K: https://forums.aws.amazon.com/thread.jspa?messageID=618423&#618423

In the end, we ended up using our CI instead.

Alexcode
1

Add a file or command within your .ebextensions folder (in the root of your project) which will create new keys when you deploy.

container_commands:
    01_passport_install:
        command: "php artisan passport:keys --force"

This has advantages and disadvantages:

  • CONS it will log all users out, or throw a 401 error, when you deploy a new version of your code to Beanstalk
  • PROS this is by far the quickest secure way to handle this problem
Leon
0

You can also automate command executions after deployment.

As explained in the Elastic Beanstalk deployment workflow, post-deploy hooks are the last executed in alphanumeric order.

In the root of your source code create the folders .platform/hooks/postdeploy/ and in the "postdeploy/" folder create a bash script with the commands you want to execute, e.g.:

#! /bin/bash
sudo php artisan passport:install

Then (as Markus Lechner answered to amesStreet in this forum) you must also create a config file with container_commands in order to give permission to execute the bash script (also explained in the first link: you must use chmod +x to set execute permission on your hook files).

Create a folder called .ebextensions/ in the root of your source code and a config file in that folder: ".ebextensions/some_name.config" and type:

container_commands:
    10_deploy_hook_permissions:
        command: |
            sudo find .platform/ -type f -iname "*.sh" -exec chmod -R 755 {} \;
            sudo find /var/app/staging/.platform/ -type f -iname "*.sh" -exec chmod -R 755 {} \;

which is equivalent to giving execute permission to every .sh file in the .platform folder, and the same in the staging/ folder (which is part of the deployment workflow at the prebuild and pre-deploy stages).

Nayana Chandran
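A postdeploy hook along the lines of the answer above, written as an added example that is not part of any answer on this page: it generates the key pair once per instance, keeps a copy outside the application directory that eb deploy replaces, and restores it on each deploy with mode 600 rather than opening storage to 777. The persistent directory /etc/passport-keys, the webapp user and the overridable KEYGEN command are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not from the answers above. PERSIST_DIR, APP_USER and KEYGEN
# are assumed defaults for illustration; adjust them to your platform.
PERSIST_DIR="${PERSIST_DIR:-/etc/passport-keys}"   # assumed: survives redeploys
APP_DIR="${APP_DIR:-/var/app/current}"
APP_USER="${APP_USER:-webapp}"                     # assumed PHP worker user
KEYGEN="${KEYGEN:-php $APP_DIR/artisan passport:keys --force}"
KEY_FILES="oauth-private.key oauth-public.key"

# The body is a subshell, so umask and exit do not leak into the caller.
sync_passport_keys() (
    persist="$1"; storage="$2"
    [ -d "$storage" ] || exit 1
    umask 077                                  # anything created is owner-only
    mkdir -p "$persist" && chmod 700 "$persist" || exit 1
    if [ -s "$persist/oauth-private.key" ] && [ -s "$persist/oauth-public.key" ]; then
        # Redeploy: restore the existing pair so issued tokens stay valid.
        for f in $KEY_FILES; do cp "$persist/$f" "$storage/$f" || exit 1; done
    else
        # First deploy on this instance: generate once and keep a copy.
        $KEYGEN >/dev/null || exit 1
        for f in $KEY_FILES; do
            [ -s "$storage/$f" ] || exit 1
            cp "$storage/$f" "$persist/$f" || exit 1
        done
    fi
    for f in $KEY_FILES; do
        chmod 600 "$storage/$f" "$persist/$f" || exit 1
        # Hooks run as root; hand only the deployed copy to the app user.
        if [ "$(id -u)" -eq 0 ]; then chown "$APP_USER" "$storage/$f" || exit 1; fi
    done
)

# Act only on an instance where the deployed application is present.
if [ -f "$APP_DIR/artisan" ]; then
    sync_passport_keys "$PERSIST_DIR" "$APP_DIR/storage"
fi
```

Each instance still generates its own pair, so an environment with more than one instance needs the same pair placed in the persistent directory on every instance, otherwise a token issued by one instance fails on another.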
-2

The trick is to use different .ebignore and .gitignore files.

  1. Generate the keys in local environment.
  2. Ignore it in .gitignore (/storage/*.keys)
  3. Allow it in .ebignore (#/storage/*.keys)

So the keys will not be tracked in git, but will still be uploaded to Elastic Beanstalk with the eb deploy command.

Svyat P.