How to specify sensitive environment variables at deploy time with Elastic Beanstalk

amazon-web-services amazon-elastic-beanstalk
Iulian picture Iulian · May 27, 2015 · Viewed 9.9k times · Source

I am deploying a Python Flask application with Elastic Beanstalk. I have a config file /.ebextensions/01.config where among other things I set some environment variables - some of which should be secret.

The file looks something like this: 

packages:
  yum:
    gcc: []
    git: []
    postgresql93-devel: []

option_settings:
  "aws:elasticbeanstalk:application:environment":
    SECRET_KEY: "sensitive"
    MAIL_USERNAME: "sensitive"
    MAIL_PASSWORD: "sensitive"
    SQLALCHEMY_DATABASE_URI: "sensitive"
  "aws:elasticbeanstalk:container:python:staticfiles":
    "/static/": "app/static/"

What are the best practices for keeping certain values secret? Currently the .ebextensions folder is under source control and I like this because it is shared with everyone, but at the same time I do not want to keep sensitive values under source control.

Is there a way to specify some environment variables through the EB CLI tool when deploying (e.g. eb deploy -config ...)? Or how is this use case covered by the AWS deployment tools?

Answer

Carl G picture Carl G · Nov 11, 2017

The AWS documentation recommends storing sensitive information in S3 because environment variables may be exposed in various ways:

Providing connection information to your application with environment properties is a good way to keep passwords out of your code, but it's not a perfect solution. Environment properties are discoverable in the Environment Management Console, and can be viewed by any user that has permission to describe configuration settings on your environment. Depending on the platform, environment properties may also appear in instance logs.

The example below is from the documentation, to which you should refer for full details. In short, you need to:

  1. Upload the file to S3 with minimal permissions, possibly encrypted.

  2. Grant read access to the role of the instance profile for your Elastic Beanstalk autoscaling group. The policy would be like:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "database",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::my-secret-bucket-123456789012/beanstalk-database.json"
            ]
        }
    ]
}

  3. Add a file with a name like s3-connection-info-file.config to /.ebextensions in your application bundle root with these contents:

    Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["my-secret-bucket-123456789012"]
          roleName: "aws-elasticbeanstalk-ec2-role"

files:
  "/tmp/beanstalk-database.json" :
    mode: "000644"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3-us-west-2.amazonaws.com/my-secret-bucket-123456789012/beanstalk-database.json

Then update your application code to extract the values from the file /tmp/beanstalk-database.json (or wherever you decide to put it in your actual config.)

Related questions

SSH to Elastic Beanstalk instance

I just signed up for Amazon's new Elastic Beanstalk offering. What I can't figure out is how to SSH to a Beanstalk instance. I don't have a private key because Beanstalk generated the instance on my behalf.

Read More
Difference between Amazon EC2 and AWS Elastic Beanstalk

Can someone please explain what is the difference between EC2 and Beanstalk. I want to know regarding SaaS, PaaS and IaaS. To deploy a web application in Wordpress I need a scalable hosting service. If there anything better than my …

Read More
How do you pass custom environment variable on Amazon Elastic Beanstalk (AWS EBS)?

The Amazon Elastic Beanstalk blurb says: Elastic Beanstalk lets you "open the hood" and retain full control ... even pass environment variables through the Elastic Beanstalk console. http://aws.amazon.com/elasticbeanstalk/ How to pass other environment variables besides the one …

Read More