
How Do We Use AWS Secrets Manager in PHP Symfony

Serghei Pogor
5 min read · Apr 8, 2024


Imagine you have a secret, a very important secret, like the secret ingredient to the world’s best chocolate cake 🍰.

You wouldn’t want to just write it down on a piece of paper and leave it lying around, right?

In the world of web development, our secret ingredients are API keys, database passwords, and more.

We need to keep them safe, and AWS Secrets Manager helps us do just that.

Why AWS Secrets Manager?

Because it’s like having the most secure, digital safe. You can store all your secrets there, and only you have the key. It’s easy to use, super secure, and Symfony loves it.

Let’s get our hands dirty with some code. But remember, this is like learning to make that secret-ingredient chocolate cake.

Take it step by step. 🚀

First, we need to install the AWS SDK for PHP. If you’re using Composer (which is like a magic wand for adding stuff to your project), you can do this:

composer require aws/aws-sdk-php

Integrating AWS Secrets Manager with Symfony

Our goal is to securely fetch database credentials stored in AWS Secrets Manager and use them in our Symfony application. To simplify this task, we’ll utilize a helpful Symfony bundle.

Step 1: Install the AWS Secrets Bundle

First, we introduce the constup/aws-secrets-bundle, a Symfony bundle designed to make working with AWS Secrets Manager straightforward. Begin by installing the bundle via Composer:

composer require constup/aws-secrets-bundle

This command adds the necessary package to your Symfony project, facilitating easier access to your AWS secrets.

Step 2: Configuration

After installing the bundle, you need to configure it to communicate with AWS Secrets Manager. Open your config/packages/aws_secrets.yaml (you might need to create this file) and add your AWS region and the secret name:

aws_secrets:
    region: 'us-east-1' # Your AWS region
    version: 'latest'
    secret_name: 'my_database_credentials' # The name of your secret in AWS Secrets Manager

This configuration tells the bundle where to find your secrets and which secrets to fetch.

Step 3: Fetching and Using Your Secrets

Now that everything is set up, the bundle will automatically fetch your secrets from AWS Secrets Manager and make them available as environment variables in your Symfony application. To utilize these secrets, especially for configuring your database, you can reference them directly in your .env or .env.local files like so:

# .env.local
DATABASE_URL=mysql://${AWS_SECRETS_DB_USER}:${AWS_SECRETS_DB_PASSWORD}@${AWS_SECRETS_DB_HOST}/${AWS_SECRETS_DB_NAME}

Ensure you replace the placeholders with the actual keys used in your stored JSON secret. For instance, if your secret’s JSON structure is:

{
    "db_user": "user123",
    "db_password": "pass123",
    "db_name": "mydatabase",
    "db_host": "database-host.amazonaws.com"
}

You would access these in Symfony with AWS_SECRETS_DB_USER, AWS_SECRETS_DB_PASSWORD, etc., assuming the bundle prefixes the environment variables with AWS_SECRETS_.

Step 4: Leveraging Your Secrets

With your database credentials now securely integrated into your Symfony application via environment variables, you can proceed to use these credentials wherever needed. For example, configuring the Doctrine DBAL in config/packages/doctrine.yaml:

doctrine:
    dbal:
        url: '%env(resolve:DATABASE_URL)%'

This setup ensures that your database connection utilizes the credentials fetched from AWS Secrets Manager, enhancing your application’s security by avoiding hardcoded sensitive information.

Automating Secret Rotation

One of the paramount advantages of using AWS Secrets Manager is its ability to automate the rotation of secrets. Rotating secrets regularly is a critical security practice that helps minimize the risks associated with compromised credentials. However, implementing an effective rotation strategy requires thoughtful planning:

  1. Understand Rotation Needs: Determine which secrets need rotation and how frequently. Database credentials, for example, might need to be rotated more frequently than other types of secrets.
  2. Implement Rotation Logic: Use AWS Lambda functions to define the rotation logic for your secrets. AWS provides templates and guides to help you set up Lambda functions that can automatically update your secrets in AWS Secrets Manager.
  3. Update Your Application Configuration: Ensure your Symfony application dynamically fetches credentials, so it always uses the latest secrets without needing a restart. The constup/aws-secrets-bundle makes this easier, but always double-check to ensure your application handles the update gracefully.

Monitoring and Logging

Monitoring access to your secrets and logging usage patterns can provide insights into potential security threats and operational issues. AWS provides tools like CloudTrail and CloudWatch to monitor and log access to Secrets Manager:

  • AWS CloudTrail: Helps you log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. Ensure CloudTrail is enabled for your Secrets Manager to track every access or modification to your secrets.
  • Amazon CloudWatch: Use CloudWatch to set up alarms and notifications based on specific access patterns or events. For instance, an alarm for unauthorized access attempts to your secrets can be an early indicator of a security issue.

Best Practices for Secret Management

  • Principle of Least Privilege: Ensure that only necessary services and users have access to your secrets. Utilize IAM policies to tightly control access.
  • Audit Regularly: Regular audits of your secret usage, access patterns, and permissions help identify unnecessary access rights or potential vulnerabilities.
  • Encrypt Your Secrets: AWS Secrets Manager encrypts the secret data through encryption keys that you own and control. Always use this feature to add an additional layer of security.
  • Environment Segregation: Keep your development, testing, and production secrets separate. This minimizes the risk of accidentally exposing production secrets and allows for safer testing and development practices.

The use of AWS Secrets Manager and the constup/aws-secrets-bundle in your Symfony projects is a step toward building more secure and reliable applications.

And as always, in the grand adventure of coding, let your curiosity lead the way, and let the principles of security and efficiency illuminate your path. Happy coding, and may your secrets always be safe and your applications secure! 🚀🔒✨
