Encryption of environment variables
Naomichi Yamakita edited this page Jun 22, 2022 · 43 revisions
Secret values can be passed to environment variables using SSM or KMS.
First, register the string in the SSM Parameter Store. The SSM parameter can then be referenced from the `secrets` section of the task definition:

```yaml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: production/database/password/master
```
To use Secrets Manager instead, specify the ARN of the secret in the `value_from` field:

```yaml
container_definitions:
  - name: app
    secrets:
      - name: MYSQL_PASSWORD
        value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password::"
```
Embedding KMS-encrypted secret values in the task definition is deprecated. Use of the SSM Parameter Store or Secrets Manager is strongly recommended.

If you still need the KMS method, first create a KMS key and an alias for it:

- https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
```sh
# Encrypt
$ docker-compose run --rm rails thor genova:env encrypt --master-key=[KMS ALIAS NAME] --value=[VALUE]
Encrypted value: ${...}

# Decrypt
$ docker-compose run --rm rails thor genova:env decrypt --value='${...}'
Decrypted value: xxx
```
The encrypted value can then be specified in the `environment` section of the task definition:

```yaml
container_definitions:
  - name: app
    environment:
      - name: MYSQL_PASSWORD
        value: ${...}
```
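The three forms above (plaintext `environment` values, deprecated KMS-embedded `${...}` values, and `secrets`/`value_from` references) are easy to mix up in a task definition. The following audit script is an added example, not part of genova: it parses a constructed container_definitions YAML in the format shown on this page and reports sensitive-looking variables left in plaintext, values still using the deprecated KMS form, and `value_from` references that are neither an SSM parameter nor a Secrets Manager ARN. The name heuristic and the reference patterns are assumptions of this example.

```ruby
require 'yaml'

# Constructed sample in this page's task-definition format (not a real deployment).
SAMPLE = <<~YAML
  container_definitions:
    - name: app
      environment:
        - name: RAILS_ENV
          value: production
        - name: MYSQL_PASSWORD
          value: plaintext-hunter2
        - name: OLD_SECRET
          value: ${...}
      secrets:
        - name: DB_PASSWORD
          value_from: production/database/password/master
        - name: SM_SECRET
          value_from: "arn:aws:secretsmanager:{region}:***:secret:/mysql_password::"
        - name: BAD
          value_from: "arn:aws:s3:::bucket/key"
YAML

# Assumed reference shapes: a Secrets Manager ARN, or an SSM parameter name/ARN.
SECRETS_MANAGER_ARN = %r{\Aarn:aws:secretsmanager:[^:]+:[^:]+:secret:.+\z}
SSM_PARAM = %r{\A(?:arn:aws:ssm:[^:]+:[^:]+:parameter/)?[A-Za-z0-9_./-]+\z}
# Assumed heuristic for variable names that should never be plaintext.
SENSITIVE_NAME = /PASSWORD|SECRET|TOKEN|KEY/i
KMS_EMBEDDED = /\A\$\{.*\}\z/

# Returns an array of human-readable findings; empty means the definition is clean.
def audit_secrets(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  Array(doc['container_definitions']).each do |cd|
    Array(cd['environment']).each do |env|
      if env['value'].to_s.match?(KMS_EMBEDDED)
        findings << "#{cd['name']}: #{env['name']} uses the deprecated KMS-embedded value form; move it to secrets/value_from"
      elsif env['name'].to_s.match?(SENSITIVE_NAME)
        findings << "#{cd['name']}: #{env['name']} is a plaintext environment value; move it to secrets/value_from"
      end
    end
    Array(cd['secrets']).each do |s|
      ref = s['value_from'].to_s
      next if ref.match?(SECRETS_MANAGER_ARN) || ref.match?(SSM_PARAM)
      findings << "#{cd['name']}: secret #{s['name']} has value_from #{ref.inspect}, which is neither an SSM parameter nor a Secrets Manager ARN"
    end
  end
  findings
end

puts audit_secrets(SAMPLE)
```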