I'm looking to securely replace the use of a local .env file in my PHP script with HashiCorp Vault Secrets. Here’s how my current code loads environment variables from .env:

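```php
// Load KEY=value pairs from the .env file one directory above this script.
$envFile = __DIR__ . '/../.env';
if (file_exists($envFile)) {
    $envVariables = parse_ini_file($envFile);
    // parse_ini_file() returns false on a parse error; skip the loop in that case.
    if ($envVariables !== false) {
        foreach ($envVariables as $key => $value) {
            putenv("$key=$value");
        }
    }
}

// Read the database settings back from the environment.
$servername = getenv('DB_HOST');
$username = getenv('DB_USERNAME');
$password = getenv('DB_PASSWORD');
$dbname = getenv('DB_NAME');
```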

I installed the HCP CLI on my Ubuntu 24.04 machine following this HashiCorp tutorial. I successfully authenticated and retrieved secrets from HashiCorp Vault Secrets using the command `hcp vault-secrets secrets list`. I'm running nginx as the web server.

I want to securely retrieve these secrets from HashiCorp Secrets for use in my PHP script, without exposing or leaking them.

The PHP script is part of a live website, so I need a solution that can either inject secrets into the environment when nginx starts or have the PHP script dynamically retrieve the secrets in a secure and efficient way on each request, I guess. I want to avoid exposing the secrets as environment variables in phpinfo.

What can I do?

0 Answers
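On the phpinfo concern raised in the question, here is an added example (not part of the original post and not HashiCorp's code) that loads the values into a PHP array instead of calling `putenv()`. It assumes a deploy step has already written the secrets to an INI-style file outside the web root with mode 0600; the function name `loadSecrets`, the temporary file and every value in it are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: load secrets into an array without touching the environment.
function loadSecrets(string $path, array $required): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('secrets file not found');
    }
    // Refuse files that group or other can read or write (expect 0600 or 0400).
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('secrets file mode %04o is too permissive', $mode));
    }
    // INI_SCANNER_RAW keeps values as literal strings instead of interpreting
    // words such as yes/no/on/off/null, which matters for passwords.
    $secrets = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($secrets === false) {
        throw new RuntimeException('secrets file could not be parsed');
    }
    // Fail closed if any expected key is absent.
    $missing = array_diff($required, array_keys($secrets));
    if ($missing !== []) {
        throw new RuntimeException('missing keys: ' . implode(', ', $missing));
    }
    return $secrets;
}

// Constructed sample input standing in for the file a deploy step would write.
$path = tempnam(sys_get_temp_dir(), 'secrets_');
file_put_contents(
    $path,
    "DB_HOST=127.0.0.1\nDB_USERNAME=app\nDB_PASSWORD=constructed-value-123\nDB_NAME=appdb\n"
);
chmod($path, 0600);

$secrets = loadSecrets($path, ['DB_HOST', 'DB_USERNAME', 'DB_PASSWORD', 'DB_NAME']);
unlink($path);

// Nothing above calls putenv(), so this lookup reflects only what the
// process environment already held before the script ran.
var_dump(getenv('DB_PASSWORD'));

// The values are available to the script through the returned array.
echo 'DB_HOST from array: ', $secrets['DB_HOST'], "\n";
```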