Encryption of environment variables
Secret values can be passed to containers as environment variables through SSM Parameter Store or Secrets Manager, so the plaintext never has to appear in the deploy configuration.
First, register the secret value in SSM Parameter Store. The parameter can then be referenced from the `secrets` list of the task definition, and the container receives it as an environment variable.
```yaml
# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: production/database/password/master
```
Secret values can also be referenced from the Parameter Store at build time.
```yaml
clusters:
  - name: production
    services:
      backend:
        containers:
          - name: app
            build:
              secret_args:
                # Can be specified by ARN or parameter name.
                MYSQL_PASSWORD: arn:aws:ssm:***
```
Alternatively, register the secret value in Secrets Manager and specify the ARN of the Secrets Manager secret in the `value_from` field.
```yaml
# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password"
```
Secrets Manager secrets can also be passed as build secret arguments during deployment.
```yaml
clusters:
  - name: production
    services:
      backend:
        containers:
          - name: app
            build:
              secret_args:
                # Can be specified by ARN.
                MYSQL_PASSWORD: arn:aws:secretsmanager:***
```
Embedding KMS-encrypted secret values in the configuration is deprecated. Using SSM Parameter Store or Secrets Manager, as described above, is strongly recommended.
If you still need the legacy method, first create a KMS key and a key alias for encryption (see the AWS CLI references below), then encrypt the value with the genova utility:
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
```sh
docker-compose run --rm rails thor genova:utils encrypt --key-id={KMS KEY ID} --value={VALUE}
Encrypted value: ${...}

# Can also be encrypted using KMS aliases.
docker-compose run --rm rails thor genova:utils encrypt --alias={KMS ALIAS} --value={VALUE}
Encrypted value: ${...}

docker-compose run --rm rails thor genova:utils decrypt --value='${...}'
Decrypted value: xxx
```
KMS-encrypted values can be embedded in the `environment` parameter of the task definition file. Encrypted values are expanded into environment variables during deployment.
```yaml
# config/deploy/xxx.yml
container_definitions:
  - name: app
    environment:
      - name: MYSQL_PASSWORD
        value: ${...}
```
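As an added example (not genova's own code), the following lint checks a task definition of the shape shown on this page: every `secrets` entry must reference SSM Parameter Store or Secrets Manager, a `${...}` KMS-embedded value in `environment` is flagged as deprecated, and a secret-looking variable with a literal value is flagged as a plaintext secret. The configuration is represented as an already-parsed Python dict, the account id and the `${...}` value are constructed placeholders, and the secret-name patterns are a heuristic, not part of genova.

```python
import re

# Constructed sample mirroring the config/deploy/xxx.yml snippets on this page (already
# parsed into a dict; no YAML library). Account id and ${...} value are placeholders.
SAMPLE_TASK_DEF = {
    "container_definitions": [{
        "name": "app",
        "secrets": [
            {"name": "MYSQL_PASSWORD", "value_from": "production/database/password/master"},
            {"name": "API_KEY", "value_from":
             "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:/api_key"},
            {"name": "BAD", "value_from": "not a reference"},
        ],
        "environment": [
            {"name": "RAILS_ENV", "value": "production"},
            {"name": "MYSQL_PASSWORD", "value": "${AQICAHgEXAMPLE}"},  # deprecated KMS embed
            {"name": "SMTP_PASSWORD", "value": "hunter2"},            # plaintext secret
        ],
    }]
}

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)  # heuristic
SM_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:")
SSM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/")
SSM_NAME = re.compile(r"^/?[A-Za-z0-9_.\-/]+$")  # bare parameter name or path
KMS_EMBED = re.compile(r"^\$\{.+\}$")             # genova's legacy encrypted form

def valid_reference(ref):
    """True for a Secrets Manager ARN, an SSM parameter ARN or a bare SSM name; a bare
    name cannot be told from an arbitrary token, so only malformed strings are rejected."""
    return bool(SM_ARN.match(ref) or SSM_ARN.match(ref) or SSM_NAME.match(ref))

def lint_task_definition(task_def):
    """Return (severity, container, variable, message) tuples for secret-handling issues."""
    findings = []
    for c in task_def.get("container_definitions", []):
        for s in c.get("secrets", []):
            if not valid_reference(str(s.get("value_from", ""))):
                findings.append(("error", c["name"], s["name"],
                                 "secrets.value_from is not an SSM or Secrets Manager reference"))
        for e in c.get("environment", []):
            if KMS_EMBED.match(str(e.get("value", ""))):
                findings.append(("warn", c["name"], e["name"],
                                 "KMS-embedded ${...} value is deprecated; reference it via secrets"))
            elif SECRET_NAME.search(e["name"]):
                findings.append(("error", c["name"], e["name"],
                                 "secret-looking name with a plaintext value; move it to secrets"))
    return findings
```

Run it against a parsed `config/deploy/xxx.yml` in CI so that a plaintext password or a leftover `${...}` value fails the pipeline before deployment.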