I'm creating an application using PHP and nginx. RDS passwords are managed through AWS's secret manager, but PHP does not have a caching package to manage secrets manager. (If you don't cache it, Secret Manager will be called every time the page is called, which is bad in terms of speed and cost.)
So, I would like to present a new idea, and I would appreciate your feedback on whether there are any security issues.
The idea is to use nginx's `fastcgi_param`. If you add a `fastcgi_param` in the nginx settings, you can use it like `$_SERVER['var']` in PHP code (example: `fastcgi_param VAR1 VALUE1;`).
The work details are as follows.

1. Run the following shell script.

```bash
#!/bin/bash
# Fetch the secret (a JSON object) and turn each key/value pair into a fastcgi_param directive.
# The pipeline as originally posted emitted "key=value" lines, which nginx cannot include;
# the include file has to consist of "fastcgi_param KEY VALUE;" lines.
aws secretsmanager get-secret-value --secret-id **SECRETID** --query SecretString --version-stage AWSCURRENT --region **REGION** --output text \
  | jq -r 'to_entries|map("fastcgi_param \(.key) \(.value|tostring);")|.[]' > /etc/nginx/fastcgi_params_custom
```

2. When you run the above script, a file called `fastcgi_params_custom` is created in the `/etc/nginx` directory.

3. Include the file created in step 2 in the `location ~ \.php$ { ... }` block of the nginx settings as shown below.

```nginx
include fastcgi_params_custom;
```

4. Read the values in the PHP code:

```php
<?php
echo $_SERVER['username']." ".$_SERVER['password'];
```
In the above work, the contents of the shell script, variable names, permission settings, etc. need to be improved a little, but it was written simply at the idea level. If there are any security issues, please let me know.
(I am thinking of not using automatic password replacement in the settings of the AWS console, but of modifying the shell script to create `fastcgi_params_custom` and then restarting nginx.)
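A hardened version of the generation step, added here as an example and not part of the poster's script: it assumes the SecretString JSON has already been fetched (the sample below is constructed), emits proper `fastcgi_param` directives, quotes values so that a secret containing `";` cannot terminate the directive and inject nginx configuration, rejects values nginx would mangle, and writes the include file with mode 0640 through an atomic rename. It uses Python's standard library in place of the bash/jq pipeline.

```python
import json
import os
import re
import tempfile

# Constructed sample of the SecretString JSON for an RDS secret; the values are made up
# and deliberately contain characters that would break a naive `fastcgi_param KEY VALUE;` line.
SAMPLE_SECRET = '{"username": "appuser", "password": "p@ss;\\"word\\\\x"}'

# fastcgi_param names must not carry spaces or punctuation that nginx would parse.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_fastcgi_params(secret_json: str) -> str:
    """Turn the secret JSON into `fastcgi_param KEY "value";` lines.

    Values are double-quoted with backslash and double quote escaped, so a secret
    containing `";` cannot end the directive early. A value containing `$` is
    rejected: nginx expands `$name` inside quoted strings and has no escape for it.
    """
    lines = []
    for key, value in json.loads(secret_json).items():
        if not KEY_RE.match(key):
            raise ValueError(f"unsafe fastcgi_param name: {key!r}")
        value = str(value)
        if "$" in value or any(ord(c) < 0x20 for c in value):
            raise ValueError(f"value of {key} cannot be written safely into nginx config")
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'fastcgi_param {key} "{escaped}";')
    return "\n".join(lines) + "\n"


def write_include_atomically(path: str, content: str, mode: int = 0o640) -> None:
    """Write the include file with a restricted mode and rename it into place,
    so a concurrent `nginx -s reload` never reads a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".fastcgi_params_", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fd, mode)  # readable by root and the nginx group only
            fh.write(content)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Demo against the constructed sample; in production the JSON would come from the AWS CLI call above.
    target = os.path.join(tempfile.mkdtemp(), "fastcgi_params_custom")
    write_include_atomically(target, render_fastcgi_params(SAMPLE_SECRET))
    print(open(target).read())
```

The file still sits on disk, so this only limits who can read it and what a hostile value can do to the configuration; it does not remove the persistence concern.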
The main reason for using secrets management is to avoid persisting secrets on non-ephemeral storage. Your approach subverts this. Further, nginx only reads its configuration files at startup, so changing a secret means restarting the service. While it is possible to restart the daemon without an interruption to the service, it still seems to be a crude solution.
You could....
(potentially there are other solutions too)