问题
I have a laravel application run in AWS Elastic Beanstalk environment. I use Laravel Passport to handle the authentication.
Every time I run eb deploy
the keys will be deleted, since it is not part of the version control files (included in .gitignore). Thus, I have to manually run php artisan passport:keys
in the EC2 instance to generate the keys. But this will make all users need to login again because the old token is now invalid, since it's a new key pair.
What is the best practice to provide a consistent oauth-public and oauth-private key for my configuration?
I am thinking of including the key into the repository, but I believe this is not recommended.
Another way is that I generate the key once, then upload it to S3. Then have a post-deployment script to retrieve the S3.
Is there any better way?
回答1:
I managed to solve this yesterday, with S3.
- Create a private S3 Repository, where you store your sensitive files (oauth-private.key, etc.)
- In your .ebextensions directory, you have to create a .config file where you define a
Resource
(see https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/customize-containers-ec2.html#linux-files -authentication
section) - looking like this:
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Auth:
type: "s3"
buckets: ["<BUCKET-NAME>"]
roleName:
"Fn::GetOptionSetting":
Namespace: "aws:autoscaling:launchconfiguration"
OptionName: "IamInstanceProfile"
DefaultValue: "aws-elasticbeanstalk-ec2-role"
- Assuming A) Your S3 Bucket is called
<BUCKET-NAME>
and B) The IAM instance profile in your ElasticBeanstalk environment is calledaws-elasticbeanstalk-ec2-role
- Now you have to add the files to a location on the instance, where you can access it, you're free too choose where. In your
.config
file insert following:
files:
"/etc/keys/oauth-private.key":
mode: "000755"
owner: webapp
group: webapp
authentication: "S3Auth" # Notice, this is the same as specified in the Resources section
source: "https://<BUCKET-NAME>.s3-<REGION>.amazonaws.com/<PATH-TO-THE-FILE-IN-THE-BUCKET>"
- Now for this to work, you still need to grant access to the IAM instance profile (aws-elasticbeanstalk-ec2-role), therefore you need to edit the ACL of your Bucket, like this:
{
"Version": "2012-10-17",
"Id": "BeanstalkS3Copy",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ID>:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucketVersions",
"s3:ListBucket",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<BUCKET-NAME>/*"
]
}
]
}
You can find the ARN of the IAM instance profile by going to the IAM Dashboard > Roles > aws-elasticbeanstalk-ec2-role and the copy the Role ARN
In your Laravel application you have to use
Passport::loadKeysFrom('/etc/keys')
来源:https://stackoverflow.com/questions/48106704/mantaining-oauth-keys-between-elastic-beanstalk-deployment