Encryption of environment variables

Secret values can be passed to environment variables using SSM or Secret Manager.

SSM Parameter Store

First, register secret value in SSM parameter store.

• https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html

SSM parameter can be specified in environment of task definition.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: production/database/password/master

Secret values can also be referenced from the Parameter Store at build time.

clusters:
  - name: production
    services:
      backend:
        containers:
          - name: app
            build:
              secret_args:
                # Can be specified by ARN or parameter name.
                MYSQL_PASSWORD: arn:aws:ssm:***

Secrets Manager

First, register secret value in Secret Manager.

• https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/put-secret-value.html

Specify the ARN of the Secret Manager in the value_from field.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password"

Secrets Manager can also be used as a parameter during deployment.

clusters:
  - name: production
    services:
      backend:
        containers:
          - name: app
            build:
              secret_args:
                # Can be specified by ARN.
                MYSQL_PASSWORD: arn:aws:secretsmanager:***

KMS (Deprecated)

Embedding of KMS keys to encrypt secret values is deprecated. Use of SSM parameter store or System manager is strongly recommended.

First, create KMS alias key for encryption.

• https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
• https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html

Encrypt

docker-compose run --rm rails thor genova:utils encrypt --key-id={KMS KEY ID} --value={VALUE}
Encrypted value: ${...}

# Can also be encrypted using KMS aliases.
docker-compose run --rm rails thor genova:utils encrypt --alias={KMS ALIAS} --value={VALUE}
Encrypted value: ${...}

Decrypt

docker-compose run --rm rails thor genova:utils decrypt --value='${...}'
Decrypted value: xxx

Task definition

You can embed KMS-encrypted values in the environment parameter of the task definition file. Encrypted values are expanded as environment variables during deployment.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    environemnt:
      - name: MYSQL_PASSWORD
        value: ${...}