Extending Laravel Vapor to remove secret size limits

April 25, 2022

We're using Laravel Vapor for a few of our services currently, and it's awesome. It's well worth the cost, and almost everything is seamless, from deployment to scaling.

After a couple of months, we started to run into the dreaded secret size limit error as our projects .env grew

==> Uploading Environment File...
Whoops! There were some problems with your request.
- The variables may not be greater than 2000 characters.

An easy fix

Laravel Vapor supports uploading secret files alongside the standard .env file upload. These files can be up to 10kb in size, and you can have an unlimited number of secrets. Why not store our additional .env variables in a secret, and load them like the standard laravel .env?

I forked the laravel/vapor-core library, and added a simple function that will parse any secret starting with DOT_ENV_ as a .env file. It parses the text content of the secret and injects them into the environment in the same way as the standard environment variables.

protected static function setEnvironmentVariables(array $variables)
    foreach ($variables as $key => $value) {
        if (Str::startsWith($key, 'DOT_ENV_')) {
            try {
                $parsedDotEnv = Dotenv::parse($value);


            } catch (InvalidFileException $e) {
                echo "Failed to parse dot env secret [{$key}] into runtime." . PHP_EOL;


        echo "Injecting secret [{$key}] into runtime." . PHP_EOL;

        $_ENV[$key] = $value;
        $_SERVER[$key] = $value;

Using the fork in your project

Unfortunately, the Laravel team is not interested in integrating this into the core, so I've created a fork that tracks the official package.
Using the fork in your own project is very easy!

  • Update your composer.json to point your installation to the fork, using the repositories option.
"repositories": [
        "type": "github",
        "url": "https://github.com/atymic/vapor-core"
  • Update your version to the latest tag (first release being 2.21.3), which will have the secrets code in it. Make sure to lock it to the specific version (otherwise, when laravel updates the mainline package you'll be upgraded and won't have the secret code). Subscribe to release notifications on the repo so you can update once we have released the new version.
  • Create an additional .env file, for example, .env.extended (make sure to gitignore). This file can be up to 10kb
  • Update your production deployment script to push the extended env file to a secret (i.e. vapor secret --name DOT_ENV_EXTENDED --file .env.extended production)

    • Any secret with a name prefixed with DOT_ENV will be loaded by laravel as a env file
  • Your app will load the additional secret file at runtime!

Wrapping up

Hopefully the Laravel Vapor team reconsiders and brings this solution or a similar one into the core soon, but for the moment this should alleviate those pesky secret size limit issues.

Feel free to comment or reach out with any questions :)