How to specify sensitive environment variables at deploy time with Elastic Beanstalk

Backend · Unresolved · 5 answers · 1072
既然无缘 2020-12-23 21:42

I am deploying a Python Flask application with Elastic Beanstalk. I have a config file /.ebextensions/01.config where among other things I set some environment

5 answers
  •  执念已碎
    2020-12-23 22:23

    The AWS documentation recommends storing sensitive information in S3 because environment variables may be exposed in various ways:

    Providing connection information to your application with environment properties is a good way to keep passwords out of your code, but it's not a perfect solution. Environment properties are discoverable in the Environment Management Console, and can be viewed by any user that has permission to describe configuration settings on your environment. Depending on the platform, environment properties may also appear in instance logs.

    The example below is from the documentation, to which you should refer for full details. In short, you need to:

    1. Upload the file to S3 with minimal permissions, possibly encrypted.
    2. Grant read access to the role of the instance profile for your Elastic Beanstalk autoscaling group. The policy would be like:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "database",
                  "Action": [
                      "s3:GetObject"
                  ],
                  "Effect": "Allow",
                  "Resource": [
                      "arn:aws:s3:::my-secret-bucket-123456789012/beanstalk-database.json"
                  ]
              }
          ]
      }
      
    3. Add a file with a name like s3-connection-info-file.config to /.ebextensions in your application bundle root with these contents:

      Resources:
        AWSEBAutoScalingGroup:
          Metadata:
            AWS::CloudFormation::Authentication:
              S3Auth:
                type: "s3"
                buckets: ["my-secret-bucket-123456789012"]
                roleName: "aws-elasticbeanstalk-ec2-role"
      
      files:
        "/tmp/beanstalk-database.json" :
          mode: "000644"
          owner: root
          group: root
          authentication: "S3Auth"
          source: https://s3-us-west-2.amazonaws.com/my-secret-bucket-123456789012/beanstalk-database.json
      

    Then update your application code to extract the values from the file /tmp/beanstalk-database.json (or wherever you decide to put it in your actual config.)
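
The answer stops at "update your application code to extract the values from the file". The loader below is an added example (my code, not part of the answer or of the AWS documentation) of that last step for a Flask app. It assumes the JSON object you uploaded has the keys host, port, dbname, username and password; the real layout is whatever you put in beanstalk-database.json. It fails at startup on a missing key rather than at the first query, percent-encodes the credentials when building a connection URL so a password containing `@`, `/` or `:` does not break it, and warns if the file on disk is readable by other local accounts, which is the case with the `mode: "000644"` in the config above.

```python
"""Load database secrets written to disk by the .ebextensions S3 step.

Added example, not code from the original answer. Assumes the JSON object
uploaded to S3 has the keys host, port, dbname, username and password.
"""
import json
import os
import stat
import warnings
from urllib.parse import quote_plus

# Constructed sample matching the assumed layout of beanstalk-database.json.
SAMPLE_JSON = """{
  "host": "mydb.cluster-abc.us-west-2.rds.amazonaws.com",
  "port": 5432,
  "dbname": "app",
  "username": "app_user",
  "password": "p@ss/w:rd"
}"""

REQUIRED_KEYS = ("host", "port", "dbname", "username", "password")


def missing_keys(cfg):
    """Return the required keys absent from cfg, in REQUIRED_KEYS order."""
    return [k for k in REQUIRED_KEYS if k not in cfg]


def parse_db_config(text):
    """Parse the JSON document; fail loudly on a malformed or incomplete file."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("database config must be a JSON object")
    absent = missing_keys(cfg)
    if absent:
        raise ValueError("database config missing keys: " + ", ".join(absent))
    cfg["port"] = int(cfg["port"])
    return cfg


def load_db_config(path="/tmp/beanstalk-database.json"):
    """Read the file placed by the .ebextensions 'files' entry.

    The posted config writes it with mode 000644, i.e. readable by every
    local account; warn so an operator notices if that is not intended.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.warn(f"{path} is readable by other local users (mode {mode:04o})")
    with open(path, "r", encoding="utf-8") as fh:
        return parse_db_config(fh.read())


def sqlalchemy_url(cfg, driver="postgresql+psycopg2"):
    """Build a connection URL, percent-encoding the credentials."""
    return (
        f"{driver}://{quote_plus(cfg['username'])}:{quote_plus(cfg['password'])}"
        f"@{cfg['host']}:{cfg['port']}/{cfg['dbname']}"
    )


def create_app(config_path="/tmp/beanstalk-database.json"):
    """Flask app factory: read the secret once at startup, not from the environment."""
    from flask import Flask  # imported here so the helpers above run without Flask installed
    app = Flask(__name__)
    app.config["SQLALCHEMY_DATABASE_URI"] = sqlalchemy_url(load_db_config(config_path))
    return app
```

Call `create_app()` from your WSGI entry point; the path argument only exists so the same factory can be pointed at a locally written file during development.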
