Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a way of hiding environment variables in AWS Elastic Beanstalk?

My elastic beanstalk app has a number of environment variables that are confidential (e.g. API keys, hashing secrets etc.). I would like to setup AWS so that most developers can view and edit config etc, but can't see some of these environment variables. It would be a large overhead if we had to change all of these each time a developer leaves, for example.

From playing about with permissions, it seems (with Elastic Beanstalk at least) you can either have complete access to the config or can't see any of it - and removing access entirely would mean a developer can't even do basic things like see why a deployment failed.

I'm wondering if there's another approach to environment variables that might allow me to give devs access to this config, but obscure the highly confidential stuff. Could I put secret env vars in a file on the server?

Is there another way of doing this?

like image 751
MDalt Avatar asked Dec 22 '16 12:12

MDalt


People also ask

When should you not use Elastic Beanstalk?

Elastic Beanstalk isn't great if you need a lot of environment variables. The simple reason is that Elastic Beanstalk has a hard limit of 4KB to store all key-value pairs. The environment had accumulated 74 environment variables — a few of them had exceedingly verbose names.

Where are Elastic Beanstalk environment variables stored?

Environment properties are written to the /opt/python/current/env file, which is sourced into the virtualenv stack where the application runs. For more information, see Using the Elastic Beanstalk Python platform.


2 Answers

This is how I have used EB environemnt variables for setting RDS password

$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:eu-central-1:<aws-account-id>:secret:<secret-arn> --region eu-central-1 | jq --raw-output '.SecretString' | jq -r .password)

Password is stored in AWS Secrets Manager as json

{
  "username": "<db-user>",
  "engine": "mysql",
  "dbname": "<db-name>",
  "host": "<rds-host-name>.eu-central-1.rds.amazonaws.com",
  "password": "<password>",
  "port": 3306,
  "dbInstanceIdentifier": "<db-identifier>"
}

RDS password set in Elastic Beanstalk as environment variable

like image 69
Adriano Avatar answered Sep 29 '22 20:09

Adriano


One way of approaching this is using the IAM role of your Elastic Beanstalk EC2 instance. You could store information in a resource that is not accessible by your developers but can be accessed by the EC2 instance because it assumes a certain role.

Amazon has a blog post on how to do this using an S3 encrypted bucket and AWS KMS to store the encryption key. This is about using it for Docker containers in the EC2 Container Service but the principle is the same.

like image 23
Bram Avatar answered Sep 29 '22 19:09

Bram