Local Development Usage
Developing locally presents some unique challenges once Pantheon Secrets are built into your workflow. These are some tips to help you get past struggling with trying to reproduced secret behavior while developing locally.
Local Environment Usage
The Pantheon Secrets SDK includes a CustomerSecretsFakeClient implementation that is used when the SDK runs outside of Pantheon infrastructure. This client uses a secrets JSON file to build the secrets information emulating what happens on the platform using the Secrets service.
To get this file, you should use the plugin secret:site:local-generate command and then set an environment variable into your local environment (or docker container if you are running a docker-ized environment) with name CUSTOMER_SECRETS_FAKE_FILE and use the absolute path to the file as the value.
To get generate this file, run
terminus secret:site:local-generatein your terminal in your project root:terminus secret:site:local-generate <site>Replace
<site>with your Pantheon site name. Thesecrets.jsonfile will be generated in your project root.Once you have the
secrets.json, add it to your.gitignoreso you do not accidentally commit it to your repository.# Ignore Pantheon local secrets file secrets.json
Lando configuration
Modify your
.lando.yml:services: appserver: overrides: environment: CUSTOMER_SECRETS_FAKE_FILE: /app/secrets.jsonRebuild your Lando application:
lando rebuild -y
DDEV configuration
CD to your DDEV root directory
Add to your
.ddev/config.yml:web_environment: - CUSTOMER_SECRETS_FAKE_FILE=/var/www/html/secrets.jsonRestart your DDEV environment:
ddev restart
Verifying Secrets Access
Local Development Function
The pantheon_get_secret() function only works on Pantheon's infrastructure, not in local development. For local development, you can create a helper function that mimics the pantheon_get_secret() function. To do this, you can use the Pantheon Customer Secrets SDK. This SDK mirrors the code that is already integrated into the platform. The easiest way to install the Customer Secrets SDK locally is via Composer:
composer require-dev pantheon-systems/customer-secrets-php-sdkOnce you have the SDK locally, you can create a local version of pantheon_get_secret using the SDK:
if ( ! function_exists( 'pantheon_get_secret' ) ) {
function pantheon_get_secret( $token = '' ) {
// Check if SDK class exists, if not try to load the Composer autoloader.
if ( ! class_exists( '\PantheonSystems\CustomerSecrets\CustomerSecrets' ) ) {
$autoloader = __DIR__ . '/vendor/autoload.php';
if ( file_exists( $autoloader ) ) {
require_once $autoloader;
} else {
// Autoloader not found - handle appropriately for your application.
return null;
}
}
// Create SDK client for local development
try {
$client = \PantheonSystems\CustomerSecrets\CustomerSecrets::create()->getClient();
$secret = $client->getSecret( $token );
return $secret ? $secret->getValue() : null;
} catch ( \Exception $e ) {
// Handle errors appropriately for your application
return null;
}
}
}This approach allows your code to work seamlessly both on Pantheon (where pantheon_get_secret() is natively available) and in local development (where you provide your own implementation).
Drupal-Specific
If using Drupal with the Key module and Pantheon Secrets module:
- Go to the Key module configuration
- Click the "Sync Pantheon Secrets" tab
- Click the "Sync Keys" button
- Your secrets from the JSON file should appear in the available list of keys
Restrictions
For secrets without "user" scope, the secret:site:local-generate command will set the value of the secret to "null". You must manually set test values in your local secrets.json file.