-
Notifications
You must be signed in to change notification settings - Fork 12
Encryption of environment variables
Naomichi Yamakita edited this page Dec 21, 2020
·
43 revisions
Secret values can be passed to environment variables using SSM or KMS.
First, register string in SSM parameter store.
SSM parameter can be specified in environment of task definition.
container_definitions:
- name: web
secrets:
- name: MYSQL_PASSWORD
value_from: production/database/password/master
First, create KMS alias key for encryption.
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-key.html
- https://docs.aws.amazon.com/cli/latest/reference/kms/create-alias.html
# Encrypt
$ docker-compose run --rm rails thor genova:env encrypt --master-key=[KMS ALIAS NAME] --value=[VALUE]
Encrypted value: ${...}
# Decrypt
$ docker-compose run --rm rails thor genova:env decrypt --value='${...}'
Decrypted value: xxx
Encrypted value can be specified in environment of task definition.
container_definitions:
- name: web
environemnt:
- name: MYSQL_PASSWORD
value: ${...}