How to set a DynamoDB environment variable in AWS? - amazon-web-services

I have a Golang application which connects to a DynamoDB.
The name of the db table was hard-coded and now it is set to read from an environment variable using os.LookupEnv().
I unit tested locally with the variable being read from a secrets.env file, but I wonder how to proceed to make it work when deployed in production?
I suppose that I need to set this on AWS config somehow?

No, you would not store it in the AWS config; that is for configuring access keys, which I also recommend not doing. Using an IAM role attached to whichever service you are using is best practice.
As for the DynamoDB table name as an env variable, it's totally up to how you wish to do it. You can store it as an env variable on the OS in EC2, for example. Or if using Lambda you can use its Environment Variables.
You can also use Parameter Store to store environment variables, which is common practice.
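The lookup described in the question and answer above, as an added example that is not code from the original posts: the table name is read with os.LookupEnv(), falls back to a Parameter Store style read, and is validated against DynamoDB's table-name rules before use. The variable name `DYNAMODB_TABLE_NAME`, the `Lookup` hook and the parameter path are hypothetical; the hook stands in for a real Parameter Store client so the code runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
)

// EnvKey is a hypothetical variable name; the question does not give one.
const EnvKey = "DYNAMODB_TABLE_NAME"

// DynamoDB table names: 3-255 characters from a-z, A-Z, 0-9, '_', '-', '.'.
var tableNameRE = regexp.MustCompile(`^[A-Za-z0-9_.-]{3,255}$`)

// Lookup is a hypothetical hook for a Parameter Store read, so the example
// runs offline; back it with the AWS SDK in a real deployment.
type Lookup func(name string) (string, error)

// TableName prefers the environment variable, then the fallback lookup, and
// fails closed instead of silently using a hard-coded table.
func TableName(fallback Lookup, path string) (string, error) {
	v, ok := os.LookupEnv(EnvKey)
	if !ok || v == "" {
		if fallback == nil {
			return "", errors.New(EnvKey + " is unset and no fallback is configured")
		}
		var err error
		if v, err = fallback(path); err != nil {
			return "", fmt.Errorf("reading %s: %w", path, err)
		}
	}
	if !tableNameRE.MatchString(v) {
		return "", fmt.Errorf("invalid DynamoDB table name %q", v)
	}
	return v, nil
}

func main() {
	// Constructed fallback that always returns a sample staging table name.
	store := func(string) (string, error) { return "orders-staging", nil }
	name, err := TableName(store, "/myapp/dynamodb/table")
	fmt.Println(name, err)
}
```
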

Related

how to set up AWS Secrets with static credentials using terraform

I have a requirement.
I am deploying an application into AWS using terraform.
A part of this contains creating of a secrets resource "aws_secretsmanager_secret", for this secret I have to add userid/password of an external system which will be static and will never change.
Now while deploying this I have to declare the values for the userid/password. Since this terraform code will also get stored in the git repository, this storing of credentials in plain text form is not allowed.
How to solve this problem?
Thanks,
Abhi
I have stored the credential in variables.tf that will eventually create the secrets with the variables, but this is not allowed
Instead of storing your credentials in your variables.tf file, you can store them into environment variables, and have your tf code read those variables.
This way, when you commit your tf files to git, the variables will not be pushed in plain text.
Medium article explaining how to do it
Official documentation

Retrieve AWS SM secrets and export to container environment variable

Can anyone suggest what's the best way to retrieve AWS secrets-manager secrets from a Dockerfile and send the secret values to the Docker container as environment variables after Docker has run?
The reason I am asking this is that I am trying to remove all sensitive password information hard coded in different places of the git code repository and move the passwords to AWS secrets-manager.
https://github.com/s12v/secure-exec is a similar tool, which supports the Secrets Manager (including JSON).
As mentioned above, with ECS there's no need for such tools.
Take a look at ssm-env, which populates ENV vars from Parameter Store. There is an example of using it with Docker.
If you are using ECS, there is built-in support for this.

Passing EC2 parameter store variables to an ECS task as environment variables

Is there any way to pass parameters from EC2 parameter store as environment variables to an ECS task?
AWS provides us with
1) A way to store parameters, both secret and less secret
2) A way to set environment variables inside ECS tasks
but no way to connect the two - or am I missing something?
Here a solution is described where you wrap the docker image in your own image only to be able to load parameters. If this is the recommended way then I will have to wrap all images from Docker Hub that I could otherwise use as stock images and do nothing beside configure them via environment variables.
I feel like this forces me to take on an unnecessary amount of responsibility for coding, maintaining, storing, etc. of docker images where I would otherwise only have to set environment variables.
This was recently posted by AWS on how to access Parameter store in an ECS task. https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/

How to specify sensitive environment variables with ECS CLI and ECS tasks?

In the environment: section of docker-compose docs for AWS CLI (cmd-ecs-cli-compose), the following is stated:
Important: We do not recommend using plaintext environment variables for sensitive information, such as credential data.
What is the recommended way of storing sensitive information, like passwords, with docker-compose and ECS task definitions? Why is plain text not recommended?
Plain text is not recommended for environment variables because, well, Docker is not a security container and environment variables are readable to all processes that have access to the top level Docker namespace. So if someone has access to /proc on your EC2 instance, they can read the secrets by querying the process running inside the container.
I recommend either encrypting them with KMS or storing them in Parameter Store or DynamoDB and downloading on startup.
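To check a host for the exposure described above, the following added example (not part of the original answer) parses the NUL-separated layout of /proc/<pid>/environ and reports only the names of variables that look like secrets, never their values. The hint list and the sample bytes are constructed assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Substrings treated as secret-looking; an assumption, tune for your estate.
var sensitiveHints = []string{"PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY"}

// SensitiveNames parses a /proc/<pid>/environ blob (NUL-separated KEY=VALUE
// entries) and returns the sorted names that look like secrets. Values are
// never returned, so the audit output is safe to log.
func SensitiveNames(environ []byte) []string {
	var hits []string
	for _, entry := range bytes.Split(environ, []byte{0}) {
		name, value, ok := strings.Cut(string(entry), "=")
		if !ok || value == "" {
			continue // malformed entry or empty value: nothing exposed
		}
		upper := strings.ToUpper(name)
		for _, h := range sensitiveHints {
			if strings.Contains(upper, h) {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// AuditPID reads one process's environment on Linux; it needs the same
// access to /proc that the answer above warns about.
func AuditPID(pid int) ([]string, error) {
	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
	if err != nil {
		return nil, err
	}
	return SensitiveNames(b), nil
}

func main() {
	// Constructed sample in the /proc/<pid>/environ layout.
	sample := []byte("PATH=/usr/bin\x00DB_PASSWORD=example-only\x00TABLE=orders\x00API_TOKEN=example-only\x00")
	fmt.Println(SensitiveNames(sample))
}
```

Any name this reports for a container process is a candidate for moving out of the plaintext environment into KMS-encrypted storage or Parameter Store, as the answer recommends.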

Change which RDS database an AWS EB environment uses

How can I change which RDS database my EB environment uses? I.e. where are the settings that specify this?
I have cloned an environment and want to change the database it uses to an existing RDS database rather than the one that was created when the environment was cloned.
Is your environment using EB?
In that case you can set in the environment variables:
in case you are reading them.
Maybe that might be useful:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html?console_help=true
**Scroll down to see how to use an existing RDS instance after opening your specific language page