Schedule a chat

Elastic Beanstalk Secrets as a Service

May 3, 2018

Elastic Beanstalk

Elastic Beanstalk is Amazon’s answer to the easy management of container-based applications. EB trades functionality like service discovery, cross-node communication, and advanced scheduling for simplicity and ease-of-use.

One often overlooked convenience provided by EB is its support for environment variables. Instead of breaking 12-factor app rules by encouraging the storage of environment variables in the repository (dev.yaml, staging.yaml, etc.) or creating workflow problems with a env.yaml per branch, EB does something better: an easily configurable key-value store for each environment you create.

Centrally Managed Secrets

While EB’s key-value store is very convenient, once you begin to manage the same set of variables across developer machines, CI/CD platforms, and EB environments, a central authority for managing these variables makes things much easier. On top of that, it’s relatively easy to accidentally change a variable that breaks your application – having safeguards against that is desirable.

A centrally managed secret store like Environr takes the place of the environment variables in EB and injects them into the environment at run-time. With one central location to manage configuration maps, maintaining synchronized configurations across your different environments becomes much less of a challenge.

After copying EB-managed variables to Environr, a few steps are needed:

  • Replace EB-managed variables with an ENVIRONR_API_KEY and ENVIRONR_API_SECRET
  • Create a / script and add it to the container at build time

The run script can be as simple as:

#!/usr/bin/env bash

env $(environr-cli env --env-output oneline [config set name]) /path/to/application

This fetches the configuration, sets the environment variables being returned, and runs the application.

Now, when it’s time to inject environment configurations into CI/CD platforms or developers’ machines, just create a new Environr API key for each and setup the configuration maps. No more wrestling with environment out-of-sync secrets and environment variables!

comments powered by Disqus