
Encryption of environment variables

Naomichi Yamakita edited this page Jun 22, 2022 · 43 revisions

Secret values can be passed to environment variables using SSM Parameter Store, AWS Secrets Manager or KMS. The KMS method embeds ciphertext in the task definition and is deprecated (see below); prefer SSM Parameter Store or Secrets Manager, which ECS resolves at container start so the secret never appears in the task definition itself.

Using SSM Parameter Store

First, register the value as a parameter in SSM Parameter Store (use the SecureString type for secrets).

The parameter name can then be referenced from the secrets section of the container definition. The ECS task execution role needs ssm:GetParameters on that parameter, plus kms:Decrypt if the SecureString is encrypted with a customer managed key.

container_definitions:
  - name: web
    secrets:
      - name: MYSQL_PASSWORD
        value_from: production/database/password/master

Using Secrets Manager

Specify the ARN of the Secrets Manager secret in the value_from field. The ECS task execution role needs secretsmanager:GetSecretValue on that secret, plus kms:Decrypt if the secret is encrypted with a customer managed key.

container_definitions:
  - name: web
    secrets:
      - name: MYSQL_PASSWORD
        value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password::"

Using KMS

Embedding KMS-encrypted values in the task definition is deprecated: the ciphertext is stored in every revision of the task definition and anyone with kms:Decrypt on the key can recover it. Use SSM Parameter Store or Secrets Manager instead.

First, create a KMS key and an alias for it to encrypt with.

# Encrypt
$ docker-compose run --rm rails thor genova:env encrypt --master-key=[KMS ALIAS NAME] --value=[VALUE]
Encrypted value: ${...}

# Decrypt
$ docker-compose run --rm rails thor genova:env decrypt --value='${...}'
Decrypted value: xxx

The encrypted value can then be specified in the environment section of the container definition.

container_definitions:
  - name: web
    environment:
      - name: MYSQL_PASSWORD
        value: ${...}
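Since the three methods above differ only in where the secret reference lands (secrets with an SSM parameter or Secrets Manager ARN versus a KMS ciphertext or, worse, a literal in environment), a pre-deploy check over the container_definitions section catches the two mistakes a reviewer most often sees: the deprecated KMS embedding and a plaintext credential in environment. The following Ruby script is an added example for this page, not genova's own code. The sample config is constructed here; the assumption that any environment value wrapped in ${...} is a legacy KMS embedding follows the placeholder form shown above, and the credential-name heuristic (PASSWORD, TOKEN, SECRET, ...) is a hypothetical choice for the example.

```ruby
require "yaml"

# Constructed sample of a genova-style container_definitions section (not
# copied from any real deploy): one SSM parameter and one Secrets Manager
# ARN referenced correctly, one value_from that is neither, one deprecated
# KMS-embedded value and one plaintext password in environment.
SAMPLE_CONFIG = <<~YAML
  container_definitions:
    - name: web
      secrets:
        - name: MYSQL_PASSWORD
          value_from: production/database/password/master
        - name: API_TOKEN
          value_from: "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:/api_token::"
        - name: S3_SECRET
          value_from: "arn:aws:s3:::my-bucket/secret.txt"
      environment:
        - name: LEGACY_SECRET
          value: "${AQICAHg...}"
        - name: SMTP_PASSWORD
          value: "hunter2"
        - name: RAILS_ENV
          value: production
YAML

# Accepted forms for value_from: an SSM parameter name or path, an SSM
# parameter ARN, or a Secrets Manager secret ARN.
SSM_NAME_RE   = %r{\A[A-Za-z0-9_.\-/]+\z}
SSM_ARN_RE    = %r{\Aarn:aws:ssm:[a-z0-9\-]+:\d{12}:parameter/.+\z}
SECRET_ARN_RE = %r{\Aarn:aws:secretsmanager:[a-z0-9\-]+:\d{12}:secret:.+\z}

# Assumption for this example: a value wrapped in ${...} in `environment`
# is a legacy KMS-encrypted embedding (the placeholder form the page shows).
KMS_EMBED_RE = /\A\$\{.*\}\z/

# Hypothetical heuristic: environment variable names that usually hold a
# credential. Any such name with a literal value is flagged as plaintext.
SECRET_NAME_RE = /(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/i

# Returns a list of human-readable findings; an empty list means the
# container definitions pass the check.
def audit_container_definitions(yaml_text)
  findings = []
  doc = YAML.safe_load(yaml_text)
  Array(doc["container_definitions"]).each do |container|
    cname = container["name"]

    Array(container["secrets"]).each do |s|
      ref = s["value_from"].to_s
      next if ref.match?(SSM_ARN_RE) || ref.match?(SECRET_ARN_RE) || ref.match?(SSM_NAME_RE)
      findings << "#{cname}/#{s["name"]}: value_from is neither an SSM parameter nor a Secrets Manager ARN"
    end

    Array(container["environment"]).each do |e|
      val = e["value"].to_s
      if val.match?(KMS_EMBED_RE)
        findings << "#{cname}/#{e["name"]}: deprecated KMS-encrypted value in environment; move it to secrets"
      elsif e["name"].to_s.match?(SECRET_NAME_RE)
        findings << "#{cname}/#{e["name"]}: plaintext credential in environment; move it to secrets"
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit_container_definitions(SAMPLE_CONFIG).each { |f| puts "FINDING: #{f}" }
end
```

Run it against the deploy config before genova builds the task definition; a non-empty result is a reason to block the deploy. The name-based heuristic will miss a credential under an innocuous name, so it complements rather than replaces a review of the environment section.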