
Encryption of environment variables

Naomichi Yamakita edited this page May 21, 2024 · 43 revisions

Secret values can be passed to environment variables using SSM Parameter Store or Secrets Manager, so that the plaintext never appears in the task definition.

SSM Parameter Store

First, register the secret value in SSM Parameter Store.

The SSM parameter can then be referenced from the secrets section of the container definition; ECS resolves the parameter at task start and injects it as an environment variable.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: production/database/password/master

Secrets Manager

First, register the secret value in Secrets Manager.

Specify the ARN of the Secrets Manager secret in the value_from field.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password"
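Both settings above produce the same thing on the ECS side: a `secrets` entry whose `valueFrom` points at an SSM parameter (name or ARN) or a Secrets Manager ARN. The Ruby script below is an added example, not genova's own code. It loads a constructed deploy config, classifies each `value_from` reference, emits the ECS container definition shape, and flags credential-looking names that were left in plaintext `environment` instead of `secrets`. The sample config, the 12-digit placeholder account id, the parameter names and the name heuristic are all assumptions.

```ruby
require 'yaml'
require 'json'

# Constructed sample deploy config (config/deploy/xxx.yml style). The account
# id, region and parameter names are placeholders, not real resources.
SAMPLE_CONFIG = <<~YAML
  container_definitions:
    - name: app
      environment:
        - name: RAILS_ENV
          value: production
      secrets:
        - name: MYSQL_PASSWORD
          value_from: production/database/password/master
        - name: API_TOKEN
          value_from: "arn:aws:secretsmanager:ap-northeast-1:000000000000:secret:/api_token"
YAML

SECRETSMANAGER_ARN = %r{\Aarn:aws:secretsmanager:[\w-]+:\d{12}:secret:.+\z}
SSM_ARN            = %r{\Aarn:aws:ssm:[\w-]+:\d{12}:parameter/.+\z}
SSM_NAME           = %r{\A/?[\w./-]+\z}
# Heuristic (assumption) for the plaintext check: names that usually hold credentials.
SENSITIVE_NAME     = /PASSWORD|SECRET|TOKEN|KEY/i

def load_config(yaml_text)
  YAML.safe_load(yaml_text)
end

# Classify a value_from reference the way ECS accepts them: a Secrets Manager
# ARN, an SSM parameter ARN, or a bare SSM parameter name (the bare name works
# only when the parameter lives in the same region as the task).
def secret_source(value_from)
  return :secretsmanager if value_from.match?(SECRETSMANAGER_ARN)
  return :ssm            if value_from.match?(SSM_ARN)
  return :ssm_name       if value_from.match?(SSM_NAME)

  raise ArgumentError, "unrecognised value_from reference: #{value_from.inspect}"
end

# Convert the genova-style container_definitions block into the camelCase
# fragment ECS expects in register-task-definition. Each value_from is
# validated before it is emitted so a typo fails here, not at task start.
def to_ecs_container_definitions(config)
  config.fetch('container_definitions').map do |cd|
    {
      'name' => cd.fetch('name'),
      'environment' => (cd['environment'] || []).map do |e|
        { 'name' => e.fetch('name'), 'value' => e.fetch('value').to_s }
      end,
      'secrets' => (cd['secrets'] || []).map do |s|
        secret_source(s.fetch('value_from'))
        { 'name' => s.fetch('name'), 'valueFrom' => s.fetch('value_from') }
      end
    }
  end
end

# Defender-side lint: plaintext environment entries whose names suggest a
# credential. Such values end up visible in the task definition and should be
# moved to secrets/value_from.
def plaintext_secret_warnings(config)
  config.fetch('container_definitions').flat_map do |cd|
    (cd['environment'] || [])
      .select { |e| e['name'].to_s.match?(SENSITIVE_NAME) }
      .map { |e| "#{cd['name']}: #{e['name']} is set in plaintext environment; use secrets/value_from" }
  end
end

if $PROGRAM_NAME == __FILE__
  config = load_config(SAMPLE_CONFIG)
  puts JSON.pretty_generate(to_ecs_container_definitions(config))
  plaintext_secret_warnings(config).each { |w| warn "WARNING: #{w}" }
end
```

Run it as a pre-deploy check against the real config file instead of the embedded sample; a non-empty warning list is the signal that a credential is about to be baked into the task definition in the clear.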

KMS (Deprecated)

Embedding KMS-encrypted values in the task definition is deprecated. Using SSM Parameter Store or Secrets Manager is strongly recommended.

First, create a KMS key and alias for encryption.

Encrypt

$ docker-compose run --rm rails thor genova:utils encrypt --key-id={KMS KEY ID} --value={VALUE}
Encrypted value: ${...}

# Can also be encrypted using KMS aliases.
$ docker-compose run --rm rails thor genova:utils encrypt --alias={KMS ALIAS} --value={VALUE}
Encrypted value: ${...}

Decrypt

$ docker-compose run --rm rails thor genova:utils decrypt --value='${...}'
Decrypted value: xxx

Task definition

The encrypted value can be specified in the environment section of the task definition.

# config/deploy/xxx.yml
container_definitions:
  - name: app
    environment:
      - name: MYSQL_PASSWORD
        value: ${...}