1

I am deploying my laravel application to AWS Elastic Beanstalk and I'm encountering the problem of persisting the oauth keys for laravel passport.

I went through this and this. While the S3 option sounds reasonable, I still wanted a more secure way and wanted to checkout secret manager from AWS.

Since laravel passport provides the option to load keys from a custom folder, I figured I could use the AWS PHP SDK to retrieve a secret key and write it to storage/app/oauth-public.key and storage/app/oauth-private.key and have passport load it from there.

This approach is working fine after deployment to beanstalk but is the storage/app folder a safe location to generate the oauth.*.key files? or is there a better way/safer place?

The following is my boot function in Providers/AuthServiceProvider.php

public function boot()
{
    $this->registerPolicies();
    Passport::routes();
    Passport::tokensExpireIn(now()->addDays(5));

    // load keys from aws secret manager if they don't exist
    if(!file_exists(storage_path().'/app/oauth-public.key') && !file_exists(storage_path().'/app/oauth-private.key')) {
        $keys = json_decode($this->getPassportKeys());
        $public_key = implode("\n", explode('\n', $keys->PASSPORT_PUBLIC_KEY));
        Storage::put('oauth-public.key', $public_key);
        $private_key = implode("\n", explode('\n', $keys->PASSPORT_PRIVATE_KEY));
        Storage::put('oauth-private.key', $private_key);
    }
    Passport::loadKeysFrom(storage_path().'/app');
}
otaku
  • 849
  • 2
  • 13
  • 33

1 Answers1

1

Generally your applications on AWS should be stateless. This means that no data should be stored on the instances as they can be replaced at any time due to scaling in activities, AZ re-balancing or other activities.

Consequently, usually you would store application data outside of your instances. For secretes, such as your keys, good locations could be SSM Parameter Store or Secrets Manager (SM).

You are already using SM which is good in my view. If you store them locally in storage/app this folder will be deleted anytime you deploy new version of your application. So you have to make sure that you always get the keys from SM. Also you could consider them storing the files in memory, rather then on a hard drive. This would allow you to get them faster without reading them from the local storage.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • since I generate the files during boot of the authserviceprovider they would be generated everytime a new version is deployed through the codepipeline. I tried deploying this approach and it works fine. I looked into storing them in memory but wasn't able to figure out how? The `loadKeysFrom` function will expect a folder path that contains 2 files `oauth-*.keys`, can that be done in PHP memory? I assumed you're referring to `php://memory` https://www.php.net/manual/en/wrappers.php.php – otaku Jan 21 '21 at 07:51