在弹性beantalk部署之间维护OAuth密钥 [英] Mantaining OAuth keys between elastic beanstalk deployment
问题描述
我有一个在AWS Elastic Beanstalk环境中运行的laravel应用程序.我使用Laravel Passport进行身份验证.
I have a laravel application run in AWS Elastic Beanstalk environment. I use Laravel Passport to handle the authentication.
每次运行 eb deploy
时,键都将被删除,因为它不是版本控制文件的一部分(包含在.gitignore中).因此,我必须在EC2实例中手动运行 php artisan Passport:keys
来生成密钥.但这将使所有用户都需要再次登录,因为旧令牌现在是无效的,因为它是一个新的密钥对.
Every time I run eb deploy
the keys will be deleted, since it is not part of the version control files (included in .gitignore). Thus, I have to manually run php artisan passport:keys
in the EC2 instance to generate the keys. But this will make all users need to login again because the old token is now invalid, since it's a new key pair.
为我的配置提供一致的oauth-public和oauth-private密钥的最佳实践是什么?
What is the best practice to provide a consistent oauth-public and oauth-private key for my configuration?
我正在考虑将密钥包含在存储库中,但是我认为不建议这样做.
I am thinking of including the key into the repository, but I believe this is not recommended.
另一种方法是我生成一次密钥,然后将其上传到S3.然后使用部署后脚本来检索S3.
Another way is that I generate the key once, then upload it to S3. Then have a post-deployment script to retrieve the S3.
还有什么更好的方法吗?
Is there any better way?
推荐答案
昨天我用S3设法解决了这个问题.
I managed to solve this yesterday, with S3.
- 创建一个私有的S3存储库,您可以在其中存储敏感文件(oauth-private.key等)
- 您必须在.ebextensions目录中创建一个.config文件,在其中定义一个
Resource
(请参阅
- Create a private S3 Repository, where you store your sensitive files (oauth-private.key, etc.)
- In your .ebextensions directory, you have to create a .config file where you define a
Resource
(see https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-files -authentication
section) - looking like this:
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["<BUCKET-NAME>"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
- 假设A)您的S3存储桶称为
< BUCKET-NAME>
,而B)ElasticBeanstalk环境中的IAM实例配置文件称为aws-elasticbeanstalk-ec2-role
- 现在,您必须将文件添加到实例上可以访问它的位置,您也可以自由选择位置.在您的
.config
文件中,插入以下内容: - Assuming A) Your S3 Bucket is called
<BUCKET-NAME>
and B) The IAM instance profile in your ElasticBeanstalk environment is calledaws-elasticbeanstalk-ec2-role
- Now you have to add the files to a location on the instance, where you can access it, you're free too choose where. In your
.config
file insert following:
files:
"/etc/keys/oauth-private.key":
mode: "000755"
owner: webapp
group: webapp
authentication: "S3Auth" # Notice, this is the same as specified in the Resources section
source: "https://<BUCKET-NAME>.s3-<REGION>.amazonaws.com/<PATH-TO-THE-FILE-IN-THE-BUCKET>"
- 现在要执行此操作,您仍然需要授予对IAM实例配置文件(aws-elasticbeanstalk-ec2-role)的访问权限,因此,您需要编辑存储桶的ACL,如下所示:
{
"Version": "2012-10-17",
"Id": "BeanstalkS3Copy",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ID>:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<BUCKET-NAME>/*"
]
}
]
}
-
您可以通过转到 IAM仪表板>角色> aws-elasticbeanstalk-ec2-role 并复制角色ARN 来找到IAM实例配置文件的ARN strong>
You can find the ARN of the IAM instance profile by going to the IAM Dashboard > Roles > aws-elasticbeanstalk-ec2-role and the copy the Role ARN
在Laravel应用程序中,您必须使用
Passport :: loadKeysFrom('/etc/keys')
In your Laravel application you have to use
Passport::loadKeysFrom('/etc/keys')
这篇关于在弹性beantalk部署之间维护OAuth密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!