I have been using a .env file to run my app on my local machine. However, when deploying my app using an AWS EC2 instance, I am at a complete loss on how to set up the ENV vars, as I am a complete beginner at using AWS. Please help me to set up the environment variables.
Based on the comments.
Since .env is used successfully on the local workstation, it can also be used on the EC2 instance.
Just have to be careful about not storing any sensitive information in .env when using public repositories, as you may leak your passwords or access keys.
For storing secrets at AWS, the recommended way would be through Secrets Manager or SSM Parameter Store. Also, any permissions that your app may require to access these or other AWS services should be provided through an instance role, not by hard-coding AWS credentials into the app or instance.
Related
We have a Node application which is running as a Docker container in AWS Elastic Beanstalk. The application has access to PostgreSQL RDS. We want to use AWS Secrets Manager, so that our Container can access RDS without the credentials being exposed in code.
Once we create the Secrets in AWS Secrets Manager, sample code is generated, which may be in Java/JavaScript etc. So do we add that code to our source code and attach the Secrets Manager policy to both aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role?
Please advise how this can be done.
We have created the Secrets in Secrets Manager. We have not proceeded further, as the application is up and running and making any changes may affect it.
As this is our first time, we need help.
I am trying to set up the development environment for a project that uses an API hosted in GCP. We are using the Google Auth Library: Node.js Client, and it tries to pull an ID token automatically, and fails. This is the error:
Error: Cannot fetch ID token in this environment, use GCE or set the GOOGLE_APPLICATION_CREDENTIALS environment variable to a service account credentials JSON file.
So, I've solved this by manually downloading a service account key and pointing the GOOGLE_APPLICATION_CREDENTIALS environment variable to it. However, when more developers start to work on this project, it would be great to have a somewhat more automatic or streamlined solution.
I've been reading around, and was hoping that setting GOOGLE_APPLICATION_CREDENTIALS to the key file generated by gcloud auth application-default login would do the trick. But it seems like the library doesn't work with user credentials? At least it doesn't work when I try it.
It would be great to have a way where the developer setting up the project in development would either simply authenticate with Google in the terminal, or point GOOGLE_APPLICATION_CREDENTIALS to a file generated by a gcloud command, instead of having the person go into GCP to download a service account key.
Is this possible somehow? It's been a little tricky to find out. Thanks!
Some other questions I've seen:
Local development without using google service account key
Could not load the default credentials? (Node.js Google Compute Engine tutorial)
I need guidance regarding using AWS SDK credentials in a production Node.js app.
What is the possible way of doing this? I researched it, and the guidance says to always use shared credentials files for AWS credentials, per this link: "https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-node-credentials-shared.html"
So I'm confused about the way. Do I need to create that file in the Linux path specified in that link in the VM of EC2?
I made a new IAM role for S3 and allocated it to a specific EC2 instance, but how can I access S3 services through code? I deployed my app and it's still giving me an access denied error on accessing the S3 service.
Do I still need to include the credentials file as discussed in the link given above? And do I still need to initialize S3?
const aws = require('aws-sdk'); // aws-sdk v2
// Hard-coded credentials passed to the client. The v2 constructor option names
// are accessKeyId, secretAccessKey and region; secretKey and bucketRegion would be ignored.
const s3 = new aws.S3({
  accessKeyId,
  secretAccessKey: secretKey,
  region: bucketRegion,
});
Please guide me on how I can deploy a Node.js app without affecting AWS services.
Following the AWS Well-Architected Framework, the best solution would be to assign a role with your required permissions to the EC2 instance that you are going to use.
You should refrain from adding credentials to the application directly, as they are not needed in most cases.
Please take a look at IAM roles for Amazon EC2 for how AWS guides you to achieve that.
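The reason the role works without a credentials file is the SDK's default credential provider chain: when a client is constructed without credentials (for example `new AWS.S3({ region })`), the SDK looks in environment variables, then the shared credentials file, then the instance metadata service for the attached role's temporary credentials. The following is an added example, not the SDK's code, that models that chain in simplified form so the order and the instance-role step are visible; `fetchMetadata` is injected with a constructed fake so it runs offline, and the IMDSv2 session-token step the real SDK performs is omitted.

```javascript
// Added example (not the SDK's implementation): a simplified model of the default
// credential provider chain the AWS SDK for JavaScript walks when a client is
// created without explicit credentials.

// 1. Environment variables.
function fromEnv(env) {
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
    return {
      source: 'env',
      accessKeyId: env.AWS_ACCESS_KEY_ID,
      secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
      sessionToken: env.AWS_SESSION_TOKEN || null,
    };
  }
  return null;
}

// 2. Shared credentials file (~/.aws/credentials, INI format), one profile.
function fromSharedFile(text, profile) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#') || line.startsWith(';')) continue;
    const section = /^\[(.+)\]$/.exec(line);
    if (section) { current = section[1].trim(); profiles[current] = {}; continue; }
    const eq = line.indexOf('=');
    if (eq === -1 || current === null) continue;
    profiles[current][line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  const p = profiles[profile];
  if (!p || !p.aws_access_key_id || !p.aws_secret_access_key) return null;
  return {
    source: 'shared-file',
    accessKeyId: p.aws_access_key_id,
    secretAccessKey: p.aws_secret_access_key,
    sessionToken: p.aws_session_token || null,
  };
}

// 3. Instance role: ask the metadata service which role is attached, then fetch
// that role's temporary credentials. AWS rotates them; the app stores no long-term key.
// `fetchMetadata(path)` stands in for the HTTP call and returns a string or null.
function fromInstanceRole(fetchMetadata) {
  const base = '/latest/meta-data/iam/security-credentials/';
  const role = fetchMetadata(base);
  if (!role) return null;
  const body = fetchMetadata(base + role.trim());
  if (!body) return null;
  const c = JSON.parse(body);
  if (c.Code !== 'Success') return null;
  return {
    source: 'instance-role',
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.Token,
    expiration: c.Expiration,
  };
}

// The chain: first provider that yields credentials wins.
function resolveCredentials({ env = {}, sharedFileText = '', fetchMetadata = () => null } = {}) {
  return fromEnv(env)
    || fromSharedFile(sharedFileText, env.AWS_PROFILE || 'default')
    || fromInstanceRole(fetchMetadata);
}

// Constructed stand-in for the metadata service on an instance with role "app-s3-role".
const FAKE_METADATA = {
  '/latest/meta-data/iam/security-credentials/': 'app-s3-role',
  '/latest/meta-data/iam/security-credentials/app-s3-role': JSON.stringify({
    Code: 'Success',
    AccessKeyId: 'ASIAEXAMPLEEXAMPLE00',
    SecretAccessKey: 'constructed-secret-not-real',
    Token: 'constructed-session-token',
    Expiration: '2099-01-01T00:00:00Z',
  }),
};
const fakeFetchMetadata = (path) => (path in FAKE_METADATA ? FAKE_METADATA[path] : null);

// With no keys in the environment or a file, the chain ends at the instance role.
const creds = resolveCredentials({ fetchMetadata: fakeFetchMetadata });
console.log(`credentials source: ${creds ? creds.source : 'none'}`);
```

The practical consequence for the question's code is that the `accessKeyId`/`secretAccessKey` options are dropped entirely and only the region is passed; if the instance role is attached, the SDK finds it on its own. An "access denied" with the role attached then points at the role's policy (missing `s3:` actions or the wrong bucket ARN) rather than at credential loading.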
I'm currently running a Node server deployed as a Docker application on AWS Elastic Beanstalk, and I have several env variables that should be kept hidden, like the database URL and the JWT secret. Passing them through the Elastic Beanstalk application config would be optimal, but it doesn't work because I'm trying to access them within a Docker container, which doesn't receive those env variables.
I've seen a lot of answers to this, but it seems to me that they all involve putting the actual variable values in places like the Dockerrun.aws.json or the Dockerfile, which would both add the secret values to the repo, exposing them in the public GitHub repo that I deploy from through CodePipeline. So, how should I pass these secret environment variables to the Docker container? Is there a way to reference the variables in my Dockerfile or docker-compose.yml files and pass them down? Is there some other Elastic Beanstalk config I can use? Any suggestions would be greatly appreciated.
Is there some other Elastic Beanstalk config I can use?
Yes. Generally, you would set up your secrets in AWS Secrets Manager or SSM Parameter Store. Then your application, regardless of whether it is Docker, EB or anything else, would use the AWS SDK to get the secret directly from these secret vaults.
This is not only good practice, but you also don't have to expose your secrets before they are actually needed. You only access them just before they are really used, which reduces the chance of a leak.
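The following is an added example, not code from the original answer, showing the shape of "fetch just before use" in a Node.js service: a secret provider that reads a secret the first time it is needed, caches it for a short TTL so every request does not hit the API, and a redaction helper so the value never reaches logs. The `fetchSecretValue(name)` function is injected; in a real deployment it would wrap the Secrets Manager GetSecretValue or SSM GetParameter call and authenticate through the instance role, so the container needs no secret environment variables. Here a constructed fake store stands in so the demo runs offline.

```javascript
// Added example (not from the original answer): lazy, cached secret retrieval
// with an injected fetcher and log-safe redaction.

function createSecretProvider(fetchSecretValue, { ttlMs = 60000, now = Date.now } = {}) {
  const cache = new Map();   // name -> { value, expiresAt }
  let fetchCount = 0;

  // The secret enters the process only on the first call, not at startup.
  async function get(name) {
    const hit = cache.get(name);
    if (hit && hit.expiresAt > now()) return hit.value;
    const value = await fetchSecretValue(name);
    fetchCount += 1;
    cache.set(name, { value, expiresAt: now() + ttlMs });
    return value;
  }

  // Call after a rotation error (e.g. DB auth failure) to force a fresh read.
  function invalidate(name) { cache.delete(name); }

  return { get, invalidate, stats: () => ({ fetchCount, cached: cache.size }) };
}

// For log lines: a two-character fingerprint and the length, never the value.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length === 0) return '<empty>';
  return `${secret.slice(0, 2)}***(${secret.length} chars)`;
}

// Constructed fake secret store; a real fetcher would call the AWS SDK here.
const FAKE_STORE = {
  'prod/app/db-url': 'postgres://app:constructed-password@db.internal:5432/app',
  'prod/app/jwt-secret': 'constructed-jwt-secret-value',
};
async function fakeFetch(name) {
  if (!(name in FAKE_STORE)) throw new Error(`secret not found: ${name}`);
  return FAKE_STORE[name];
}

// Usage: secrets are fetched lazily, e.g. when the first DB connection is opened.
async function demo() {
  const secrets = createSecretProvider(fakeFetch, { ttlMs: 5 * 60000 });
  const dbUrl = await secrets.get('prod/app/db-url');
  await secrets.get('prod/app/db-url');        // second call is served from cache
  console.log(`db url: ${redact(dbUrl)}`);     // never log the raw value
  return secrets.stats();                      // { fetchCount: 1, cached: 1 }
}
demo();
```

The TTL keeps rotated secrets from being used forever, and `invalidate` gives the application a way to re-read immediately when a rotation is detected rather than waiting for expiry.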
I am trying to integrate KeyVault into my Azure App Service. I have a KeyVault client library embedded in my application. In order for this client library to connect to KeyVault and access stored secrets, some configuration must be available for the client to connect. There are 4 types of credential objects that the client attempts to use, in a specific order, during initialization for authentication/authorization. The first credential object it tries to use is an environment-based object. This object attempts to gather 4 environment variables from the hosting system to initialize the KeyVault client. One of these variables must contain the ClientSecret of the application trying to connect to KeyVault via the client lib.
The problem I am running into is this. In my Azure release pipeline I am trying to set the environment variables of the deployed host appropriately for the application to use. However, it appears that the release tasks all run on the same host, until you get to the actual deployment task of the App Service. Apparently this task runs on a different host? When running the hostname command in previous tasks they all returned one hostname, while the hostname command added to the deployment task returned another.
I am a little stuck and having trouble finding more clarity about setting environment variables for an App Service through documentation. Does anyone have any ideas? Am I going about integrating KeyVault correctly, or is there something I am missing? Please let me know if clarification is needed or more information is required to assist me. Thank you very much.
If you are using Azure App Services, this is way easier. You directly link application configuration to KeyVault using Managed Identities.
A sample config value will look like this:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
This way you:
- don't have to change anything in your application code. The app reads secrets from KeyVault just like any other configuration.
- do not need to manage any client-side credentials to access KeyVault.
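To make the reference mechanism concrete, the following is an added example, not Azure's implementation or code from the answer: a parser for the Key Vault reference syntax (both the SecretUri form shown above and the VaultName/SecretName/SecretVersion form) and a resolver that walks an app-settings object, passes plain values through and replaces references with the secret value. The `getSecret(vaultHost, name, version)` function is injected; it represents the lookup the platform performs with the app's managed identity, and a constructed fake vault stands in so the demo runs offline. The `allowedVaultHosts` allow-list is an extra check added here, not part of the platform, so a reference in app settings cannot silently point the app at an unexpected vault.

```javascript
// Added example (not Azure's implementation): parse and resolve App Service
// Key Vault references against an injected secret getter.

const REF = /^@Microsoft\.KeyVault\((.+)\)$/;

// Returns { vaultHost, secretName, version } or null if the value is not a
// well-formed reference. version is null when the reference means "latest".
function parseKeyVaultReference(value) {
  const m = REF.exec(String(value).trim());
  if (!m) return null;
  const params = {};
  for (const part of m[1].split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    params[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  if (params.SecretUri) {
    let url;
    try { url = new URL(params.SecretUri); } catch (e) { return null; }
    const segs = url.pathname.split('/').filter(Boolean); // ['secrets', name, version?]
    if (url.protocol !== 'https:' || segs[0] !== 'secrets' || !segs[1]) return null;
    return { vaultHost: url.host, secretName: segs[1], version: segs[2] || null };
  }
  if (params.VaultName && params.SecretName) {
    // Public-cloud DNS suffix assumed here.
    return {
      vaultHost: `${params.VaultName}.vault.azure.net`,
      secretName: params.SecretName,
      version: params.SecretVersion || null,
    };
  }
  return null;
}

// Walks a settings object: plain values pass through, references are resolved.
async function resolveConfig(settings, getSecret, { allowedVaultHosts = null } = {}) {
  const out = {};
  for (const [key, raw] of Object.entries(settings)) {
    const ref = parseKeyVaultReference(raw);
    if (!ref) { out[key] = raw; continue; }
    if (allowedVaultHosts && !allowedVaultHosts.includes(ref.vaultHost)) {
      throw new Error(`${key}: vault ${ref.vaultHost} is not in the allow-list`);
    }
    out[key] = await getSecret(ref.vaultHost, ref.secretName, ref.version);
  }
  return out;
}

// Constructed fake vault: host -> secret name -> version ('' means latest).
const FAKE_VAULT = {
  'myvault.vault.azure.net': {
    mysecret: {
      'ec96f02080254f109c51a1f14cdb1931': 'constructed-secret-v1',
      '': 'constructed-secret-latest',
    },
  },
};
async function fakeGetSecret(host, name, version) {
  const versions = FAKE_VAULT[host] && FAKE_VAULT[host][name];
  const key = version || '';
  if (!versions || !(key in versions)) throw new Error(`secret not found: ${host}/${name}`);
  return versions[key];
}

// Constructed app settings: one plain value, one pinned reference, one "latest".
const SAMPLE_SETTINGS = {
  PORT: '8080',
  DB_PASSWORD: '@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)',
  API_KEY: '@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)',
};
resolveConfig(SAMPLE_SETTINGS, fakeGetSecret, { allowedVaultHosts: ['myvault.vault.azure.net'] })
  .then((cfg) => console.log(`resolved settings: ${Object.keys(cfg).join(', ')}`));
```

Pinning a version (as the SecretUri above does) makes a rotation an explicit config change; omitting it tracks the latest version automatically. Either way the application code only ever sees a plain string under the setting's name.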
You need to create the variables in your pipeline and retrieve them (from Key Vault) during the release process.
PS: Your app will receive/read them as environment variables.
Azure DevOps Variable Group not applying in Azure Function Configuration