πŸ‡ΊπŸ‡Έ Ed Grosvenor πŸ‡¨πŸ‡­

@ed Follows you

American PHP developer living in Basel, Switzerland. I run a global team of developers building the technology that powers EXACT Sports in Chicago.

Basel, CH Director of Application Development @ EXACT Sports https://gros.co
πŸ‡ΊπŸ‡Έ Ed Grosvenor πŸ‡¨πŸ‡­ @ed · 1yr

Laracon EU got lots of people fired up about sharing knowledge and there are a couple big CFPs open right now. My solution for sharing api keys and other sensitive data with my team might just make for an interesting conference talk.

Here's my problem. I have a widely distributed team of developers and everyone dips into and out of features across a very large app all the time. This results in frequent slack "Hey! Can I get an API key for XXXX service?" messages. It's a pain for everyone and it's easy to lose track of who has what keys and let the right people know when those keys are rotated.

Laravel recently introduced encrypted environment files, so the obvious choice would be to just encrypt the .env file and share it with everyone. But then that locks everyone into using the same database name, password, cache driver, etc. I use HELO for local mail. Other people use the log driver. So I don't want to overwrite everyone's entire .env file any time something changes.

So what I've done is create an encrypted .env.shared file that gets decrypted when the developer runs php artisan fresh (I'll write up a post about that little command later). Then I load the values from that .env.shared file before the user's local .env file is read into the environment.

This means that I can rotate keys, add new keys to new services, and provide any other shared configuration data with my team seamlessly. They can just set up their own .env file to whatever specifications they need for their own local development environments.

I've also set up an API endpoint on the site that receives a signed request from the user when they run php artisan fresh. That endpoint sends the decrypt key down inside a JSON payload. That means that when staff changes, I can simply rotate my keys, change the encryption key, and send a Slack message to my entire team that they need to run the fresh command to get all the new keys.

Maybe it's time to organize all my thoughts on this and submit.

0
0
0