Reputation: 405
I have three AWS accounts. I have stored my SSL certificate files in S3 inside one of the AWS accounts (say AWS1). I have created an IAM role which grants 'GetObject' access to the S3 buckets in AWS1. I have then configured an ebextensions file for a single instance application I have running in another AWS account (say AWS2) to download the SSL certificates from the S3 bucket in AWS1 using the AccessKey and Secret of the IAM role I created in AWS1.
The following is part of my http-single-instance.config file in .ebextensions for the application I have in AWS2:

    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Auth:
              type: "s3"
              buckets: ["aws1-bucket"]
              accessKeyId: "AWS1IAMACCESSKEY"
              secretKey: "AWS1IAMSECRET"
But as you can see I have had to put the AWS1 IAM secret values in the source code of the application in AWS2 directly to get this working. Instead of putting the values for accessKeyId and secretKey in the actual source code, is it possible to load these values either from Environment Variables or from S3 somehow? So in the end, if I can get something like
    Resources:
      AWSEBAutoScalingGroup:
        Metadata:
          AWS::CloudFormation::Authentication:
            S3Auth:
              type: "s3"
              buckets: ["aws1-bucket"]
              accessKeyId: {AWS2ENVACCESSKEYID}
              secretKey: {AWS2ENVSECRETKEY}
For applications that are running in the same AWS account, I have followed the instructions provided in this documentation - https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html and that works perfectly. The solution I currently have is also working with the SSL certificates being downloaded as required, but I just want to know if there is a way to do this more securely.
Any assistance is much appreciated. Thanks!
Upvotes: 2
Views: 505
Reputation: 3322
Note that S3 can grant access to other accounts using the ACL, so it shouldn't be a problem that they are not under the same AWS account, as long as cross-account access is granted.
Using that in combination with IAM roles should still support your use case, without placing non-rotating keys in the code.
See here for how to grant cross account access: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
Upvotes: 1
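The keyless variant of the config from the question, as an added example that is not from either poster or from AWS documentation: the AWS2 instance authenticates to S3 with its own instance profile role, and AWS1 grants that role read access through a bucket policy (a bucket policy rather than an ACL is my choice here). Assumed values: the default Elastic Beanstalk role name `aws-elasticbeanstalk-ec2-role`, the placeholder AWS2 account id `111111111111`, and a `certs/` prefix in `aws1-bucket`.

```yaml
# Document 1: .ebextensions/http-single-instance.config in AWS2.
# No accessKeyId/secretKey: cfn-init signs S3 requests with the instance
# profile role, and the role name is read from the environment's option
# setting, so nothing secret lives in the repository or in env vars.
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["aws1-bucket"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"   # assumed role name
files:
  # Each download uses S3Auth above; the private key is root-only on disk.
  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/aws1-bucket/certs/server.crt   # assumed path
  /etc/pki/tls/certs/server.key:
    mode: "000400"
    owner: root
    group: root
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/aws1-bucket/certs/server.key   # assumed path
---
# Document 2: bucket policy to attach to aws1-bucket in AWS1 (shown in YAML;
# convert to JSON for `aws s3api put-bucket-policy`). Cross-account access
# needs both sides: this policy on the bucket, plus an IAM policy on the AWS2
# role that allows s3:GetObject on the same resource ARN. 111111111111 is a
# placeholder for the AWS2 account id. Only GetObject on the certs/ prefix is
# granted, not ListBucket or write actions.
Version: "2012-10-17"
Statement:
  - Sid: AllowAws2InstanceRoleToReadCerts
    Effect: Allow
    Principal:
      AWS: "arn:aws:iam::111111111111:role/aws-elasticbeanstalk-ec2-role"
    Action: "s3:GetObject"
    Resource: "arn:aws:s3:::aws1-bucket/certs/*"
```

The certificate objects must be owned by the AWS1 bucket owner for the bucket policy to apply to them, and if they are encrypted with SSE-KMS the KMS key policy in AWS1 must also allow the AWS2 role to call kms:Decrypt.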