Secrets Loader Laravel Package

bref/secrets-loader

Load AWS SSM Parameter Store secrets into environment variables at runtime when using Bref on AWS Lambda. Any env var value starting with bref-ssm: is automatically replaced with the corresponding SSM parameter value. Install via composer require bref/secrets-loader.


Technical Evaluation

Architecture Fit

  • Serverless-Native: Built for Bref’s AWS Lambda runtime, so the function needs no custom secret-fetching code. It relies on Parameter Store’s own features (parameter versioning, KMS encryption of SecureString values, CloudTrail logging of reads) rather than reimplementing them.
  • Laravel Synergy: Complements Laravel’s environment-based configuration by enabling dynamic secrets at runtime, bridging the gap between Laravel’s .env paradigm and AWS serverless constraints.
  • Modular Design: Optional dependency (not bundled with Bref by default) reduces overhead for projects not using SSM, while providing a clear upgrade path for teams adopting secrets management.

Integration Feasibility

  • Minimal Code Changes: The bref-ssm: values declared in serverless.yml are deployed as literal Lambda environment variables; at initialization the loader fetches the referenced parameters and overwrites those variables in the process environment. Application code needs no hand-written SDK calls or middleware (confirm whether your Bref runtime version invokes the loader automatically or whether a single call at bootstrap is required).
  • Laravel Compatibility:
    • Environment Variables: Works with Laravel’s env() helper because the loader rewrites the process environment before the application boots; a value such as DB_PASSWORD=bref-ssm:/db/password is read back as the parameter’s value.
    • Caching Caveats: php artisan config:cache snapshots what env() returned at the time. If the cache is built in CI/CD, where the loader has not run, the placeholder string (or a null default) is baked into the cache and the secret is never read; if it is built inside the function, the snapshot stays valid for that execution environment but will not pick up a rotated parameter until the next cold start. Build the config cache only after the loader has run, or keep SSM-backed values out of it.
  • SSM Client: Uses the lightweight async-aws/ssm client rather than the full AWS SDK. The fetch still runs during initialization and must finish before the first request is served, so it adds to cold start time rather than avoiding it; what async-aws buys is a small dependency footprint.

Technical Risk

  • IAM Misconfiguration: The execution role must be allowed to read the referenced parameters. The loader reads them in batch, so grant ssm:GetParameters (the singular ssm:GetParameter does not cover that call), scoped to the application’s parameter path; for SecureString parameters encrypted with a customer-managed key add kms:Decrypt on that key. A wildcard resource lets the function read every parameter in the account, which turns any code-execution bug into an account-wide secret leak; a missing grant fails the function at initialization with AccessDenied.
  • Cold Start Latency: The SSM round trip runs once per execution environment, at initialization, and typically adds on the order of 100 to 300 ms (measure it in your region). Mitigate with:
    • Provisioned Concurrency for latency-sensitive functions, which keeps initialized environments warm.
    • Reuse of the initialized environment: warm invocations do not call SSM again. Do not copy secrets into a shared cache such as ElastiCache to save the call; that widens the set of components holding plaintext secrets and adds a VPC dependency for a few hundred milliseconds of cold start.
  • Secret Versioning: An unversioned name (/db/password) always resolves to the latest version, so rotating the parameter in place needs no configuration change, only a new cold start. Pinning a version or label (/db/password:3 or /db/password:current) gives reproducible deployments but must be updated deliberately on every rotation, or the function keeps the old value.
  • PHP Version Lock: Requires PHP 8.0+. Older Laravel apps may need upgrades or a forked package.

Key Questions

  1. Secrets Rotation Strategy:
    • How will SSM parameters be rotated? The loader resolves values once per execution environment, so a rotated value reaches a function only on its next cold start. Will consumers tolerate a window in which old and new values coexist, or will a redeploy be forced after each rotation (e.g., triggered via EventBridge)?
  2. Plaintext vs. SecureStrings:
    • Does the package request decryption of SecureString values (GetParameters with WithDecryption, which also needs kms:Decrypt on the key), or must secrets be stored as plain String parameters?
  3. Multi-Region Deployments:
    • How will cross-region secrets be managed (e.g., via Secrets Manager replication or custom logic)?
  4. Local Development:
    • How will bref-ssm: variables be resolved in non-Lambda environments (e.g., local Laravel dev)? Will a fallback to .env be needed?
  5. Audit Logging:
    • Are AWS CloudTrail logs sufficient for compliance, or will custom logging be required?

Integration Approach

Stack Fit

  • Bref + Laravel: Suited to Laravel apps on AWS Lambda. The package plugs into Laravel’s environment-variable configuration while keeping the secrets themselves in SSM.
  • Alternatives Considered:
    • AWS Secrets Manager: Richer (built-in rotation via rotation functions, cross-region replication) and priced per secret where standard SSM parameters are free; needs its own client code or a different loader.
    • Laravel Envoy: A task runner for SSH-based deployments, not a secrets tool; it does not apply to Lambda and has no SSM integration.
    • HashiCorp Vault: Dynamic, short-lived credentials and a richer policy model, but a service to operate; more than static SSM-style secrets require.

Migration Path

  1. Pilot Phase:
    • Deploy a single Lambda function using bref/secrets-loader with a non-secret parameter first (e.g., LOG_LEVEL=bref-ssm:/app/log-level).
    • Verify in CloudWatch that the variable resolved by logging its name and length, or a hash of the value, never the value itself; dumping $_ENV with print_r writes every secret into the log group.
  2. Gradual Rollout:
    • Replace hardcoded secrets in serverless.yml with bref-ssm: prefixes.
    • Move any secret that still lives in a shipped .env into SSM and reference it the same way (e.g., DB_PASSWORD=bref-ssm:/db/password); on Bref, environment variables are normally declared in serverless.yml rather than in a deployed .env.
  3. Full Adoption:
    • Migrate all sensitive configs to SSM.
    • Implement rotation. Parameter Store has no built-in rotation: script it (write a new parameter version, then force new cold starts), or keep credentials that need automatic rotation in AWS Secrets Manager.

Compatibility

  • Bref Version: Built for the Bref 2.x runtime; confirm the exact constraint in the package’s composer.json and that the PHP version of your Bref layer satisfies it.
  • Laravel Version: No direct dependency, but the PHP version must align (e.g., Laravel 10+ requires PHP 8.1+).
  • AWS Client: Depends on async-aws/ssm. The client needs no configuration of its own; what must be in place is the execution role’s IAM grant (ssm:GetParameters, plus kms:Decrypt for SecureString parameters under a customer-managed key).

Sequencing

  1. Infrastructure Setup:
    • Create the SSM parameters and attach a least-privilege statement to the execution role (add kms:Decrypt on the key for SecureString parameters under a customer-managed key):
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": "ssm:GetParameters",
          "Resource": "arn:aws:ssm:REGION:ACCOUNT_ID:parameter/my-app/*"
        }]
      }
      
  2. Configuration Update:
    • Modify serverless.yml to use bref-ssm: prefixes:
      environment:
        APP_KEY: bref-ssm:/laravel/app-key
        DB_PASSWORD: bref-ssm:/db/production-password
      
  3. Testing:
    • Deploy to staging and confirm each bref-ssm: variable resolved; log names and lengths only, never values.
    • Exercise a code path that uses the value (a database connection for DB_PASSWORD, an encrypted cookie for APP_KEY) rather than printing env() output.
  4. Monitoring:
    • Enable X-Ray active tracing to see initialization duration; the SSM calls themselves appear in CloudTrail as GetParameters events, which also serves as the audit trail for secret reads.
    • Alert on AccessDenied and on InvalidParameters/ParameterNotFound in the function’s logs; each means the function failed to initialize.
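A pre-deployment check that ties steps 1 and 2 together, added here as an example and not code from bref/secrets-loader or Bref: it cross-checks the bref-ssm: references in the serverless.yml environment block against the execution role’s policy and flags any reference the role cannot read (which would surface as AccessDenied at initialization), malformed references, and over-broad resource wildcards. The environment mapping, the policy, the region and the account id are constructed for the example; it assumes the loader reads parameters with the batch GetParameters API, so a statement granting only ssm:GetParameter is treated as insufficient.

```python
import fnmatch
import json
import re

REGION = "eu-west-1"          # assumption: deployment region of the function
ACCOUNT_ID = "123456789012"   # assumption: placeholder account id

PREFIX = "bref-ssm:"
# SSM name, optionally followed by a ":version" or ":label" selector.
REF_RE = re.compile(r"^(/?[A-Za-z0-9_.\-/]+?)(?::([A-Za-z0-9_.\-]+))?$")


def single_statement_policy(action, resource):
    """Build a one-statement IAM policy document (JSON string)."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]})


# Constructed: the `environment:` block of serverless.yml, as a dict.
SERVERLESS_ENV = {
    "APP_KEY": "bref-ssm:/laravel/app-key",
    "DB_PASSWORD": "bref-ssm:/db/production-password",
    "LOG_LEVEL": "bref-ssm:/laravel/log-level",
    "APP_ENV": "production",
}

# Constructed: the role statement from the Sequencing section, scoped to /laravel/*.
ROLE_POLICY = single_statement_policy(
    "ssm:GetParameters", f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/laravel/*")


def parse_refs(env):
    """Return ({VAR: parameter_name}, [errors]) for every bref-ssm: value in env."""
    refs, errors = {}, []
    for var, value in env.items():
        if not value.startswith(PREFIX):
            continue
        m = REF_RE.match(value[len(PREFIX):])
        if not m:
            errors.append(f"{var}: malformed reference {value!r}")
            continue
        refs[var] = m.group(1)          # selector (if any) is irrelevant to the ARN
    return refs, errors


def _as_list(x):
    return x if isinstance(x, list) else [x]


def allowed_resources(policy_json):
    """Resource patterns of Allow statements whose Action covers ssm:GetParameters."""
    patterns = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        # IAM action wildcards ("ssm:*", "ssm:Get*") use the same glob rules as fnmatch.
        if any(fnmatch.fnmatchcase("ssm:GetParameters", a) for a in actions):
            patterns.extend(_as_list(st.get("Resource", [])))
    return patterns


def lint(env, policy_json, region=REGION, account=ACCOUNT_ID):
    """Cross-check references against the role. Returns a list of findings; empty means clean."""
    refs, findings = parse_refs(env)
    patterns = allowed_resources(policy_json)
    for pat in patterns:
        if pat == "*" or pat.endswith(":parameter/*") or pat.endswith(":parameter*"):
            findings.append(f"policy: over-broad resource {pat!r} grants every parameter in scope")
    for var, name in refs.items():
        # Parameter ARNs look like arn:aws:ssm:REGION:ACCOUNT:parameter/path/to/name
        arn = f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"
        if not any(fnmatch.fnmatchcase(arn, pat) for pat in patterns):
            findings.append(f"{var}: role cannot read {name}; Lambda init would fail with AccessDenied")
    return findings


if __name__ == "__main__":
    for finding in lint(SERVERLESS_ENV, ROLE_POLICY) or ["clean"]:
        print(finding)
```

Run it in the pipeline before `serverless deploy`; with the constructed inputs it reports that DB_PASSWORD points outside the /laravel/ path the role can read, which is exactly the mismatch that otherwise shows up as AccessDenied on the first cold start.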

Operational Impact

Maintenance

  • Package Updates: Monitor bref/secrets-loader for breaking changes (e.g., support for new PHP versions, changes to the prefix syntax). Test updates in staging.
  • SSM Parameter Management:
    • Use AWS Systems Manager or Terraform to manage parameter versions and tags.
    • Implement change approval workflows for sensitive secrets.
  • Laravel Cache: If you use config:cache, build it only where the loader has already run; a cache built in CI captures the bref-ssm: placeholder instead of the secret. To drop a stale cache:
    php artisan config:clear
    

Support

  • Debugging:
    • Do not turn on any mode that dumps environment variables to CloudWatch: that writes the resolved secrets into a log group with its own retention and access rules. Log the names of the variables that were resolved and whether the loader succeeded.
    • Check CloudWatch for loader errors at initialization (e.g., AccessDenied from a missing IAM grant, InvalidParameters for a misspelled or absent parameter name).
  • Fallback Mechanism: For local development, resolve bref-ssm: references from a developer-only source (a .env that is never deployed, or a small script that substitutes the values) so application code stays identical across environments. Never let the fallback apply in Lambda, where an unresolved placeholder must be an error, not a default.

Scaling

  • Performance:
    • Cold Starts: Mitigate with Provisioned Concurrency. Lambda SnapStart does not apply: it is offered for managed runtimes such as Java and Python, not for Bref’s custom PHP runtime.
    • Throttling: Parameter Store’s standard throughput is shared across the account and region (40 transactions per second by default; higher throughput can be enabled at a cost). A burst of cold starts can hit that limit, so calls must retry with exponential backoff and jitter, and the retry budget has to fit inside the function’s initialization timeout.
  • Multi-Account/Region:
    • Use AWS Organizations SCPs to keep ssm:GetParameters and kms:Decrypt from being granted outside approved roles and parameter paths.
    • SSM parameters are regional. For multi-region deployments, create the parameters in every region from the same IaC definition (Terraform, CloudFormation), or use Secrets Manager replication if you move to that service; Lambda layers carry code, not secrets.

Failure Modes

Failure Scenario / Impact / Mitigation
  • SSM parameter missing: the loader fails and the function never finishes initializing. Mitigation: create every referenced parameter in each environment and region from IaC, and verify references in the deployment pipeline; treat an unresolved reference in Lambda as a deployment error rather than relying on a default.
  • IAM permission denied: AccessDenied at initialization. Mitigation: audit the execution role; grant ssm:GetParameters (plus kms:Decrypt for SecureString) on the application’s parameter path only.
  • SSM API throttling: timeouts on cold starts during bursts. Mitigation: retry with backoff and jitter, raise Parameter Store throughput if needed, and use Provisioned Concurrency to spread initialization.
  • Laravel cache stale: outdated or placeholder values in config(). Mitigation: build the config cache only after the loader has run, or clear it post-deployment.
  • Cross-region SSM access: latency or failures. Mitigation: keep parameters in the function’s own region; there is no global SSM endpoint. Replicate via IaC or Secrets Manager replication.
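The fallback mechanism described under Support and the first three failure modes in the table, as an added example written in Python rather than PHP (it is not the package’s code and not Laravel code): a resolver with the same bref-ssm: contract, a constructed in-memory SSM stand-in, and a developer-only local-file backend. It batches names ten at a time (the GetParameters limit), retries throttled calls with capped exponential backoff and jitter, and fails closed on a missing parameter. In a real Lambda the FakeSsm class would be replaced by a wrapper around boto3’s ssm.get_parameters(Names=..., WithDecryption=True); that wrapper, the file format and all sample values are assumptions.

```python
import os
import random
import time

PREFIX = "bref-ssm:"
BATCH = 10  # SSM GetParameters accepts at most 10 names per call


class Throttled(Exception):
    """Stand-in for SSM's ThrottlingException."""


class MissingParameter(KeyError):
    """A referenced parameter does not exist: fail closed, never substitute a default."""


class FakeSsm:
    """Constructed in-memory stand-in for Parameter Store; fail_first=n throttles the
    first n calls. A real backend would wrap boto3 ssm.get_parameters(..., WithDecryption=True)."""
    def __init__(self, params, fail_first=0):
        self.params, self.fail_first, self.calls = params, fail_first, 0

    def get_parameters(self, names):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise Throttled()
        found = {n: self.params[n] for n in names if n in self.params}
        invalid = [n for n in names if n not in self.params]
        return found, invalid  # mirrors the Parameters / InvalidParameters split of the API


class LocalFile:
    """Developer-only fallback: 'parameter-name=value' lines, kept out of the deploy artifact."""
    def __init__(self, text):
        self.params = dict(line.split("=", 1) for line in text.splitlines()
                           if line.strip() and not line.lstrip().startswith("#"))

    def get_parameters(self, names):
        return ({n: self.params[n] for n in names if n in self.params},
                [n for n in names if n not in self.params])


def fetch_with_backoff(backend, names, retries=4, sleep=time.sleep):
    """Fetch one batch, retrying throttled calls with capped exponential backoff plus
    jitter. The summed waits must stay inside the function's initialization timeout."""
    for attempt in range(retries + 1):
        try:
            return backend.get_parameters(names)
        except Throttled:
            if attempt == retries:
                raise
            sleep(min(2.0, 0.1 * 2 ** attempt) * (0.5 + random.random() / 2))


def resolve(env, backend, sleep=time.sleep):
    """Return a copy of env where every bref-ssm:NAME value is replaced by NAME's value.
    NAME may carry an SSM ':version' or ':label' selector; it is passed through unchanged."""
    refs = {var: value[len(PREFIX):] for var, value in env.items() if value.startswith(PREFIX)}
    names = sorted(set(refs.values()))
    values = {}
    for i in range(0, len(names), BATCH):
        found, invalid = fetch_with_backoff(backend, names[i:i + BATCH], sleep=sleep)
        if invalid:
            raise MissingParameter(f"SSM parameters not found: {invalid}")
        values.update(found)
    resolved = dict(env)
    for var, name in refs.items():
        resolved[var] = values[name]
    return resolved


def load_into_environ(env, backend, environ=os.environ):
    """Write resolved values into the process environment (what Laravel's env() reads)
    and return only the names of the replaced variables, which is all that is safe to log."""
    environ.update(resolve(env, backend))
    return sorted(var for var, value in env.items() if value.startswith(PREFIX))


if __name__ == "__main__":
    env = {"APP_KEY": "bref-ssm:/laravel/app-key",
           "DB_PASSWORD": "bref-ssm:/db/production-password",
           "APP_ENV": "local"}
    # Constructed dev file; on Lambda the SSM-backed client takes its place.
    dev = LocalFile("# local only\n/laravel/app-key=base64:devkey\n/db/production-password=devpw\n")
    print("resolved:", load_into_environ(env, dev))  # names only, never values
```

The backend is chosen by the environment that runs the code, not by the reference syntax, so a missing parameter in Lambda raises instead of quietly picking up a developer value; the LocalFile source must never ship in the deployment package.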