Our solution to encrypt and securely retrieve environment variables for use in Docker on the AWS EC2 Container Service has been enormously popular. We just made it easier.
Storing and distributing runtime secrets continues to be an area of focus for the DevOps community. AWS Key Management Service used in conjunction with S3 and IAM offers a lightweight option and eliminates the need for an additional deployment dependency. To make it easier for developers, we decided to wrap it up into a CLI so you can instantly get the benefits without having to understand the intricacies of AWS KMS and IAM. Check it out on GitHub.
How to Use
git clone -o github https://github.com/promptworks/aws-secrets
cd aws-secrets && make install

aws-secrets-init-resources my-app-name
echo "export SECRET_KEY=xyzzy" > my-app-env
aws-secrets-send my-app-name my-app-env
Adding to a Dockerfile
CMD ["aws-secrets-run-in-env", "my-app-name", "command_to_start_app"]
Complete instructions, including how to retrieve and use the secrets on any AWS instance, are in the project’s README.
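To show what the last step of the procedure above has to do once the secrets have been retrieved and decrypted, here is an added example (not the aws-secrets project’s own code) that turns an env file in the `export KEY=value` form used above into the environment of a child process without ever sourcing it through a shell. The function names and the sample file are constructed for this illustration.

```python
"""Illustration: load `export KEY=value` lines into a child process's environment."""
import os
import shlex
import subprocess
import sys

# Constructed sample: what a decrypted `my-app-env` might look like.
SAMPLE_ENV_FILE = """\
# comments and blank lines are ignored
export SECRET_KEY=xyzzy
export DATABASE_URL='postgres://app:s3cret@db.internal/app'
export FEATURE_FLAGS="beta gamma"
"""


def parse_env_file(text):
    """Parse `export KEY=value` lines into a dict, honouring shell quoting.

    Anything that is not a single KEY=value assignment is rejected instead of
    being evaluated, so a tampered file cannot smuggle in shell commands.
    """
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        if not sep or not key.isidentifier():
            raise ValueError(f"line {lineno}: not a KEY=value assignment")
        tokens = shlex.split(value)  # unquote; never expand or execute
        if len(tokens) != 1:
            raise ValueError(f"line {lineno}: value must be a single quoted token")
        env[key] = tokens[0]
    return env


def run_in_env(command, secrets, inherit=None):
    """Run `command` (an argv list) with `secrets` merged into the environment.

    Secrets travel only in the process environment, not on the command line
    where they would be visible to other users via the process table.
    """
    child_env = dict(os.environ if inherit is None else inherit)
    child_env.update(secrets)
    return subprocess.call(command, env=child_env)


def main():
    secrets = parse_env_file(SAMPLE_ENV_FILE)
    # Probe child just proves it received SECRET_KEY; a real deployment runs the app.
    probe = [sys.executable, "-c",
             "import os, sys; sys.exit(0 if os.environ.get('SECRET_KEY') == 'xyzzy' else 1)"]
    return run_in_env(probe, secrets)


if __name__ == "__main__":
    sys.exit(main())
```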
Amazon wrote their own version of our original post a few months ago: How to Manage Secrets for Amazon EC2 Container Service–Based Applications by Using Amazon S3 and Docker.
Amazon’s solution uses encrypted S3 buckets and CloudFormation templates to create the resources with appropriate subnets, routing tables, security groups, etc. It should be noted that their solution uses server-side encryption on the S3 buckets and doesn’t use KMS, which would provide an audit log. You also have to write an entrypoint script to retrieve the secrets and load them into the environment of the running process.
PromptWorks’ aws-secrets Advantages
As a commenter on the AWS blog post pointed out, their solution “still requires too many manual steps. AWS should invest in tools to automate more steps without being exposed to AWS internals.” Our AWS Secrets CLI provides that automation and abstraction. It also relies less on AWS plumbing like CloudFormation and encrypts your secrets client-side.