Store app secrets on ENV vars using AWS Secrets Manager and Terraform.

Store app secrets on ENV vars using AWS Secrets Manager and Terraform.

Environment variables are used to avoid storage of app secrets in code or in local configuration files. Environment variables override configuration values for all previously specified configuration sources.

AWS Secrets Manager is an AWS service that helps you protect secrets needed to access your applications, services, and IT resources. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.

By combining AWS Secret manager and environment variables, we can find an easy and secure way to manage application secrets. In this article, we are going to see how to do this and manage all the code using Terraform.

Create secrets and parameters on AWS Secrets Manager using Terraform

AWS Secrets Manager pricing is $0.40 per secret and $0.05 per 10,000 API calls. If you store one value per secret, and your application has multiple secrets, this can have a big impact on your billing. However, in one secret you can store multiple key/value pairs using JSON, and this is what we are going to do to store our application secrets.

So, the first thing we need to do is creating the secrets on AWS Secrets Manager. To do this, we are going to use Terraform, although we will manage the values outside of Terraform (using AWS Console).

resource "aws_secretsmanager_secret" "app_secrets" {
  name       = "app-secrets"
  kms_key_id = "${var.kms_arn}" # If not specified, it will use the default `aws/secretsmanager` KMS key
}

This is all we need, then, we need to use AWS Console to add key/value pairs containing our application secrets.

It's worth noting that if you only want to set a secret with a single value, you can pass it directly to the ECS task and it will be automatically set as an environment variable, but this doesn't work for multiple key/value pairs.

If we want to manage secret values using Terraform, we need to create also a secret_version and map the values from Terraform variables. This might be interesting for variables that depend on Terraform, such as other AWS services IDs.

locals {
  app_parameters = {
    VAR_1        = "${var.var1}"
    VAR_2        = "${var.var2}"
  }

}

# Secrets
resource "aws_secretsmanager_secret" "app_parameters" {
  name       = "app-parameters"
}

# Versions
resource "aws_secretsmanager_secret_version" "worker_parameters" {
  secret_id     = "${aws_secretsmanager_secret.app_parameters.id}"
  secret_string = "${jsonencode(local.app_parameters)}"
}

After secrets are created, we need to grant permissions to get these secrets to our application IAM Role.

  statement {
    actions = [
      "secretsmanager:GetSecretValue",
    ]

    resources = [
      "${aws_secretsmanager_secret.app_secrets.arn}"
    ]
  }

We are also going to pass an environment variable to our application (deployed on ECS) containing the secret ID of the secret we created above (we will use this variable later). So, on the container definitions file, we add the following statement.

    "environment": [
      {
        "name": "AWS_SECRET_ID",
        "value": "${aws_secretsmanager_secret.app_secrets.name}"
      }
    ]

Retrieve secrets from AWS Secrets Manager and set them as environment variables on your application

Now that we have application secrets on AWS Secrets Manager, we need to retrieve them on the application and set them as environment variables.

To do this, we are going to use awscli and jq.

So, the first thing we need is to install those tools on our application Docker image.

Once they're installed, we are going to modify the Docker entrypoint of the application and add the following lines.

#!/bin/sh

if [ -n "$AWS_SECRET_ID" ]
then
    aws secretsmanager get-secret-value --secret-id ${AWS_SECRET_ID} --query SecretString --output text | jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' > /tmp/secrets.env
    eval $(cat /tmp/secrets.env | sed 's/^/export /')
    rm -f /tmp/secrets.env
fi

The above code uses awscli to get the secret values, then it uses jq to parse them and create a file with the format <KEY>=<VALUE>. Then, using eval and sed commands we use that file to set up environment variables.

And that's it! We have environment variables configured for our application secrets, and we can use them to set up application variables accordingly.

Jose López
Jose López
2020-02-12 | 4 min read
Share article

More articles