-
Notifications
You must be signed in to change notification settings - Fork 12
Encryption of environment variables
Naomichi Yamakita edited this page Sep 22, 2021
·
43 revisions
Secret values can be passed to environment variables using SSM or KMS.
First, register string in SSM parameter store.
SSM parameter can be specified in environment of task definition.
container_definitions:
- name: web
secrets:
- name: MYSQL_PASSWORD
value_from: production/database/password/master
Embedding of KMS keys to encrypt secret values is deprecated. Use of SSM parameter store is recommended.
秘密の値を暗号化するためのKMS鍵の埋め込みは非推奨です。SSMパラメータストアの使用を推奨します。 First, create KMS alias key for encryption.
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
# Encrypt
$ docker-compose run --rm rails thor genova:env encrypt --master-key=[KMS ALIAS NAME] --value=[VALUE]
Encrypted value: ${...}
# Decrypt
$ docker-compose run --rm rails thor genova:env decrypt --value='${...}'
Decrypted value: xxx
Encrypted value can be specified in environment of task definition.
container_definitions:
- name: web
environemnt:
- name: MYSQL_PASSWORD
value: ${...}