I'm working on a Laravel application hosted behind a load balancer with multiple instances. Instead of relying solely on the .env file, I'm pulling sensitive configuration values (API keys, DB credentials, etc.) from a cloud secret manager (e.g., AWS Secrets Manager or Google Secret Manager) before the Laravel application fully boots.
What I've done:
I created a custom helper that fetches secrets from the secret manager and stores them in a JSON file under Laravel's storage_path('app/cache/secrets.json').
This helper runs very early in the application lifecycle (before config is loaded) by being included in public/index.php.
Laravel then loads environment values using putenv() and $_ENV from the JSON cache file.
My problem:
If the secret manager updates (e.g., a key is rotated), the JSON file is not automatically updated on each application instance behind the load balancer. This means outdated secrets could persist until a manual deploy or cache clear.
What I'm looking for:
What’s the best way to sync updated secrets across all Laravel instances automatically? (E.g., a mechanism to invalidate or refresh the cache file across the nodes.)
Is there a more Laravel-native or efficient way to load secrets before bootstrapping without using .env files directly on each node?
Would it be better to use Laravel’s config caching and merge in secrets dynamically? Or would that defeat the purpose of immutable secrets?
Notes:
I'm open to solutions that involve Laravel events, queues, cron jobs, or system-level sync strategies.
I'm currently using Laravel 10.
Any insights or best practices for handling this securely and efficiently would be greatly appreciated!
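One way to bound the staleness described in the question, as an added example that is not code from the question or from Laravel itself: a small loader for public/index.php that re-fetches the JSON cache once a per-node TTL has expired, keeps the last known good copy when the secret manager is unreachable, and writes the file atomically with owner-only permissions. The `$fetch` callable, the cache path and the TTL are assumptions to replace with your own SDK call and values.

```php
// Added example, not the asker's code. Assumptions: $fetch is a hypothetical
// callable wrapping your secret manager SDK and returning ['KEY' => 'value', ...];
// the TTL decides how long a node trusts its local copy before re-checking.
final class SecretsCache
{
    public function __construct(
        private string $path,       // e.g. storage_path('app/cache/secrets.json')
        private int $ttlSeconds,    // refresh interval per node
        private \Closure $fetch,    // () => array<string,string> from the secret manager
    ) {}
    /** Export secrets to the environment, refreshing the local file when stale. */
    public function load(): array
    {
        $cached = $this->readCache();
        $stale  = $cached === null || time() - $cached['fetched_at'] > $this->ttlSeconds;
        if ($stale) {
            try {
                $secrets = ($this->fetch)();
                $this->writeCache($secrets);
            } catch (\Throwable $e) {
                // Manager unreachable: keep the last known good copy rather than
                // booting without credentials, but log it so rotation lag is visible.
                error_log('secrets refresh failed: ' . $e->getMessage());
                $secrets = $cached['secrets'] ?? [];
            }
        } else {
            $secrets = $cached['secrets'];
        }
        foreach ($secrets as $key => $value) {
            putenv("$key=$value");
            $_ENV[$key] = $_SERVER[$key] = $value;
        }
        return $secrets;
    }
    private function readCache(): ?array
    {
        $data = is_file($this->path) ? json_decode((string) file_get_contents($this->path), true) : null;
        return is_array($data) && isset($data['fetched_at'], $data['secrets']) ? $data : null;
    }
    private function writeCache(array $secrets): void
    {
        // Write to a temp file, restrict it, then rename: readers on the same node
        // never see a half-written JSON and the file is never world-readable.
        $tmp = $this->path . '.' . bin2hex(random_bytes(4)) . '.tmp';
        file_put_contents($tmp, json_encode(['fetched_at' => time(), 'secrets' => $secrets]), LOCK_EX);
        chmod($tmp, 0600);
        rename($tmp, $this->path);
    }
}
```

The TTL bounds rotation lag on every node without any cross-node coordination, and a deploy hook that deletes the cache file forces an immediate refetch. Once `config:cache` is in use, `env()` calls inside the config files are no longer evaluated at runtime, so a refreshed value only reaches the application if the loader runs before the config cache is built or the value is read through something other than a cached config entry.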