Menu
My elastic beanstalk app has a number of environment variables that are confidential (e.g. API keys, hashing secrets etc.). I would like to setup AWS so that most developers can view and edit config etc, but can't see some of these environment variables. It would be a large overhead if we had to change all of these each time a developer leaves, for example.
From playing about with permissions, it seems (with Elastic Beanstalk at least) you can either have complete access to the config or can't see any of it - and removing access entirely would mean a developer can't even do basic things like see why a deployment failed.
I'm wondering if there's another approach to environment variables that might allow me to give devs access to this config, but obscure the highly confidential stuff. Could I put secret env vars in a file on the server?
Is there another way of doing this?
751
Elastic Beanstalk isn't great if you need a lot of environment variables. The simple reason is that Elastic Beanstalk has a hard limit of 4KB to store all key-value pairs. The environment had accumulated 74 environment variables — a few of them had exceedingly verbose names.
Environment properties are written to the /opt/python/current/env file, which is sourced into the virtualenv stack where the application runs. For more information, see Using the Elastic Beanstalk Python platform.
This is how I have used EB environemnt variables for setting RDS password
$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:eu-central-1:<aws-account-id>:secret:<secret-arn> --region eu-central-1 | jq --raw-output '.SecretString' | jq -r .password)
Password is stored in AWS Secrets Manager as json
{
"username": "<db-user>",
"engine": "mysql",
"dbname": "<db-name>",
"host": "<rds-host-name>.eu-central-1.rds.amazonaws.com",
"password": "<password>",
"port": 3306,
"dbInstanceIdentifier": "<db-identifier>"
}
RDS password set in Elastic Beanstalk as environment variable
69
One way of approaching this is using the IAM role of your Elastic Beanstalk EC2 instance. You could store information in a resource that is not accessible by your developers but can be accessed by the EC2 instance because it assumes a certain role.
Amazon has a blog post on how to do this using an S3 encrypted bucket and AWS KMS to store the encryption key. This is about using it for Docker containers in the EC2 Container Service but the principle is the same.
23
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
