EC2 and Secret Manager


Hi, I am carrying out a POC to store my docker-compose .env secrets in AWS Secrets Manager and retrieve them into my application running on an EC2 instance in an Auto Scaling group, and into another app running in Elastic Beanstalk. I have created an instance profile with an IAM policy that allows retrieving the secrets from Secrets Manager by secret ARN. But each time I deploy this application, docker-compose is not able to access the secrets. When I inspect the container I see that it was not able to get the secrets. How do I do this?

asked a year ago · 674 views
1 Answer
Accepted Answer

Please review the following link. To access the secrets stored in AWS Secrets Manager from your application running on EC2 instances, you can use AWS SDKs or CLI commands.

https://boto3.amazonaws.com/v1/documentation/api/latest/guide/secrets-manager.html

Update your docker-compose.yml file to use the .env file:

services:
  your-service:
    image: your-image
    env_file:
      - .env

Run python fetch_secrets.py to produce the .env file, then run docker-compose:

docker-compose up

For applications running on Elastic Beanstalk, create a .ebextensions directory in your application's root directory. Create a config file, for example 01_fetch_secrets.config, inside the .ebextensions directory with the following content:

container_commands:
  01_fetch_secrets:
    command: "python fetch_secrets.py"

Include the fetch_secrets.py script in your application's source code and deploy your application to Elastic Beanstalk. During deployment, Elastic Beanstalk will execute the fetch_secrets.py script and create the .env file. Your application should now be able to access the secrets stored in the .env file.

EXPERT
answered a year ago
  • Thanks for this. I will implement this and give feedback on the outcome.

  • Thanks a lot, this worked for me. Though what I did differently was use the AWS SDK for Node.js and wrote a function that gets the secret from Parameter Store and appends it as env for the application. I believe the same implementation should work for Secrets Manager. I went with the Parameter Store option. I saved the secret as JSON in Parameter Store and retrieved it via the function.
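The accepted answer refers to a fetch_secrets.py script but does not show one. The script below is an added example, not code from the answer or from AWS; it assumes the secret's SecretString is a JSON object of KEY: value pairs (the layout the second comment also describes) and that the .env is consumed by docker-compose's env_file, whose dotenv-style parser accepts double-quoted values with backslash escapes. The secret ID, region and output path are taken from the command line or the SECRET_ID / AWS_REGION environment variables; none of those names come from the original post. The boto3 call is the only part that needs AWS credentials, which on EC2 and Elastic Beanstalk come from the instance profile automatically.

```python
"""fetch_secrets.py: read a JSON secret from AWS Secrets Manager and write it as a .env file.

Assumed layout (not from the original post): the SecretString is a JSON object such as
{"DB_HOST": "...", "DB_PASSWORD": "..."}; each key becomes one KEY=value line.
"""
import argparse
import json
import os
import re
import stat
import sys
import tempfile

# Values made only of these characters are written bare; anything else is quoted.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9_./:@+=-]*")
_ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def format_env_value(value):
    """Render one value for docker-compose's env_file parser.

    Quoted values get backslash escapes for backslash, double quote, dollar (so a
    password containing $ is not treated as ${VAR} interpolation) and newline.
    This targets Compose v2's dotenv-style parser (assumption, not from the post).
    """
    if _SAFE_VALUE.fullmatch(value):
        return value
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("$", "\\$")
                    .replace("\n", "\\n"))
    return '"' + escaped + '"'


def secret_to_env_lines(secret_string):
    """Turn a JSON-object SecretString into sorted KEY=value lines."""
    data = json.loads(secret_string)
    if not isinstance(data, dict):
        raise ValueError("secret must be a JSON object of KEY: value pairs")
    lines = []
    for key in sorted(data):
        if not _ENV_NAME.fullmatch(key):
            raise ValueError(f"{key!r} is not a valid environment variable name")
        value = data[key]
        # Numbers, booleans and nested objects are kept as their JSON text.
        text = value if isinstance(value, str) else json.dumps(value)
        lines.append(f"{key}={format_env_value(text)}")
    return lines


def write_env_file(lines, path):
    """Write the .env atomically with owner-only (0600) permissions.

    mkstemp creates the temp file as 0600 and os.replace swaps it into place, so a
    crash mid-write never leaves a partial or world-readable secrets file behind.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".env.", dir=directory)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def env_file_is_private(path):
    """True when no group/other permission bits are set on the file."""
    return (os.stat(path).st_mode & 0o077) == 0


def read_env_lines(path):
    """Read back the non-empty lines of an env file (for verification)."""
    with open(path, encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def fetch_secret_string(secret_id, region_name=None):
    """Fetch the SecretString with whatever credentials boto3 finds (instance profile on EC2)."""
    import boto3  # imported here so the pure helpers above run without the SDK installed

    client = boto3.client("secretsmanager", region_name=region_name)
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        raise RuntimeError("secret holds SecretBinary; this script expects a JSON SecretString")
    return response["SecretString"]


def main(argv=None):
    parser = argparse.ArgumentParser(description="Write a Secrets Manager secret to a .env file")
    parser.add_argument("--secret-id", default=os.environ.get("SECRET_ID"),
                        help="secret name or ARN (default: $SECRET_ID)")
    parser.add_argument("--region", default=os.environ.get("AWS_REGION"))
    parser.add_argument("--out", default=".env")
    args = parser.parse_args(argv)
    if not args.secret_id:
        parser.error("--secret-id or SECRET_ID is required")
    lines = secret_to_env_lines(fetch_secret_string(args.secret_id, args.region))
    write_env_file(lines, args.out)
    print(f"wrote {len(lines)} variables to {args.out}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it as `python fetch_secrets.py --secret-id arn:aws:secretsmanager:...` (or `python3` where `python` is not on the PATH) before `docker-compose up`, and in the Elastic Beanstalk container_commands shown in the answer, which run in the application staging directory, so the .env lands next to docker-compose.yml. Two checks worth making when the container still cannot see the secrets: the instance profile needs secretsmanager:GetSecretValue on the secret ARN and, if the secret is encrypted with a customer managed KMS key, kms:Decrypt on that key; and a region must be available to the SDK (the --region flag, AWS_REGION, or ~/.aws/config), otherwise boto3 fails before it ever calls the API. The .env is now a plaintext copy of the secret on disk: keep it 0600 as the script does, list it in .gitignore and .dockerignore so it is neither committed nor baked into the image, and remember that anyone who can run docker inspect on the host can read the container's environment.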
