AWS Secrets Manager is a simple and powerful way to handle secrets (such as database username/password credentials). It provides support for storing, retrieving, managing, and rotating credentials at an affordable cost (currently $0.40 per secret per month). However, it's not terribly easy to use with WordPress. I have not been able to find any documentation or samples for how to set up WordPress to use AWS Secrets Manager for its database access credentials, so I figured out how to do that and I'm sharing my findings here.

In the process, I encountered a few challenges:

- There is no (currently?) AWS Secrets Manager caching library for PHP. It's important to cache secrets to reduce costs, reduce latency, and improve availability.
- Using the AWS SDK for PHP with WordPress would require a Composer-based build process to namespace the SDK (to avoid conflicts with other plugins) and ideally strip out the unnecessary parts.
- There are no WordPress hooks for database access.
- Zero-downtime credential rotation is a requirement. I did not want the WordPress container/VM to have to be restarted when the credentials changed.

To get around these challenges, I decided not to use the AWS SDK for PHP and instead have PHP call the AWS CLI via exec. For caching, the secret is written to a file in the system temp directory. When accessing the database, the credentials are read from that file. If login fails, the credentials are retrieved from AWS Secrets Manager again, the file is updated, and the connection is retried. This approach is similar to that used by the AWS Secrets Manager JDBC Library, except that the JDBC library keeps the information in memory instead of in a file. And finally, to get around WordPress's lack of database access hooks, the wpdb global is overridden by placing a drop-in db.php file in the wp-content directory.

WP-CLI, however, always uses the DB_USER and DB_PASSWORD constants defined in wp-config.php; it will not use the wp-content/db.php drop-in. Therefore, a WP-CLI specific file is necessary, wp-cli-secrets-manager.php. Unlike the WordPress db.php approach, this WP-CLI implementation always gets the secret and cannot cache it.
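The following db.php drop-in is an illustrative example written for this article to show the approach described above (fetch via the AWS CLI with exec, cache in a temp file, re-fetch and retry when the login fails, override the wpdb global); it is not the author's original file. It assumes two things the post does not state: a DB_SECRET_ID constant in wp-config.php naming the secret, and a secret whose JSON contains "username" and "password" keys (the shape the RDS rotation functions write).

```php
<?php
// wp-content/db.php drop-in (example added to this article, not the author's file).
// WordPress loads this file from require_wp_db() after wp-config.php and
// class-wpdb.php, so DB_NAME/DB_HOST and the wpdb class are already available.
// ASSUMED (not from the post): DB_SECRET_ID is defined in wp-config.php and the
// secret's SecretString is a JSON document with "username" and "password" keys.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

final class Secrets_Manager_Credentials {
    /** Cache file in the system temp directory; the name is derived from the secret id. */
    private static function cache_path() : string {
        return sys_get_temp_dir() . '/wp-db-secret-' . md5( DB_SECRET_ID ) . '.json';
    }

    /** Fetch the current secret by shelling out to the AWS CLI (no SDK needed). */
    public static function fetch_from_aws() : array {
        // escapeshellarg() keeps the secret id from being interpreted by the shell.
        $cmd = 'aws secretsmanager get-secret-value --output text --query SecretString'
             . ' --secret-id ' . escapeshellarg( DB_SECRET_ID ) . ' 2>&1';
        exec( $cmd, $out, $status );
        if ( 0 !== $status ) {
            throw new RuntimeException( 'aws cli failed: ' . implode( "\n", $out ) );
        }
        $secret = json_decode( implode( "\n", $out ), true );
        if ( ! is_array( $secret ) || empty( $secret['username'] ) || ! isset( $secret['password'] ) ) {
            throw new RuntimeException( 'secret is not a {"username","password"} JSON document' );
        }
        return $secret;
    }

    /** Re-fetch the secret and rewrite the cache atomically, readable only by this user. */
    public static function refresh() : array {
        $secret = self::fetch_from_aws();
        $tmp    = self::cache_path() . '.' . getmypid();
        if ( false === file_put_contents( $tmp, json_encode( $secret ), LOCK_EX ) ) {
            throw new RuntimeException( 'cannot write secret cache ' . $tmp );
        }
        chmod( $tmp, 0600 );             // the temp dir is shared; keep the file private
        rename( $tmp, self::cache_path() ); // atomic replace, so readers never see a partial file
        return $secret;
    }

    /** Return the cached credentials, fetching them from AWS only when no valid cache exists. */
    public static function get() : array {
        $raw    = @file_get_contents( self::cache_path() );
        $secret = $raw ? json_decode( $raw, true ) : null;
        return is_array( $secret ) ? $secret : self::refresh();
    }
}

final class Secrets_Manager_DB extends wpdb {
    /** Connect with cached credentials; on a failed login refresh once from AWS and retry. */
    public function db_connect( $allow_bail = true ) {
        $creds            = Secrets_Manager_Credentials::get();
        $this->dbuser     = $creds['username'];
        $this->dbpassword = $creds['password'];
        if ( parent::db_connect( false ) ) {
            return true;
        }
        // Login failed, most likely because the secret was rotated: update the cache and retry.
        $creds            = Secrets_Manager_Credentials::refresh();
        $this->dbuser     = $creds['username'];
        $this->dbpassword = $creds['password'];
        return parent::db_connect( $allow_bail );
    }
}

// Replacing the global here makes require_wp_db() skip its own `new wpdb(...)`.
$wpdb = new Secrets_Manager_DB( '', '', DB_NAME, DB_HOST );
```

Because wpdb::check_connection() also goes through db_connect(), a rotation that happens in the middle of a request triggers the same refresh-and-retry path. The AWS CLI must be on the web server's PATH, exec() must not be disabled in php.ini, and the instance profile or task role needs secretsmanager:GetSecretValue on the secret; the 0600 mode and atomic rename matter because the system temp directory is shared with every other process on the host.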