External Configuration/Secret Sources
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Tell us about your request
The ability to plug in App Configuration and Secrets from an external source (AWS SSM Parameter Store and AWS Secrets Manager as MVP). Essentially the equivalent of ECS/Kubernetes, where you can name a provider, some parameters, and the ability to provide values as either environment variables or files.
Describe alternatives you've considered
Baking in config at build time and building multiple images.
Additional context
Good examples of great experiences today that should inspire (if not straight up use):
- Kubernetes ConfigMap and Secret CSI
- ECS Functionality (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html)
It'd be nice to also be able to eventually use Vault transparently, but that might be a stretch.
Hey @RichiCoder1 , do you know the estimated date of this feature? I would love to use AWS App Runner, but can't find a secure way to pass secrets (e.g. DB credentials) to the App Runner instances
I'm afraid I'm not affiliated with AWS at all, so I have about as much of an answer as you do 😅. However, the ticket is marked as We are working on it, and it at least partially references a feature that already exists with the underlying engine (ECS) so I'm hoping personally it'll land sometime this FY.
Hi, any news about that feature? It's really blocking our team from using AppRunner. I am expecting something similar to ECS:
ecs.Secret.fromSecretsManager(secret, field?)
Please keep us updated. In the meanwhile, do you have any workaround? Thx
Hi @atali, Thanks for reaching out. The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.
@atali Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container and there use the awscli to get the secret value and do something with it, for example put it in the container command execution environment in docker-entrypoint.sh like this:
#!/bin/bash
# Fail fast on errors; -x is left out on purpose so the fetched secret value
# is not echoed into the container's stdout/log stream.
set -euo pipefail
# MY_SECRET_ARN is passed in as a plain environment variable; fetch the value at start-up.
MY_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
# Hand the value to the real process as an environment variable and replace this shell.
exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"
I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.
EDIT: If you have jq installed, you can extract secret values by piping the secret string into jq like this: | jq -r .username
Thank you @adonig , I will give a try. Hopefully the new feature will be available soon. Keep up the good work !
This feature is now supported in App Runner. Please visit the What's New announcement that also has links to a deep dive blogpost and developer guide. Thank you all for your feedback and support.
https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/
Thank you! CDK support now pretty please :)
Yes, the team will work on it next and we will keep you posted on the updates.
Will the CDK L1 construct support it in the short term, because it's automatically generated?
Hi @atali,
Yes, since we have added support for CFN, L1 constructs should be available in the upcoming release of aws-cdk. Please watch the https://github.com/aws/aws-cdk repo for upcoming releases and change logs. Thanks
Hi @kichik, PR for the CDK integration is merged now, so you should be all set :) - https://github.com/aws/aws-cdk/pull/23692
Here are some usage patterns:
environmentSecrets: {
SECRET: apprunner.Secret.fromSecretsManager(secret),
PARAMETER: apprunner.Secret.fromSsmParameter(parameter),
SECRET_ID: apprunner.Secret.fromSecretsManagerVersion(secret, { versionId: 'version-id' }),
SECRET_STAGE: apprunner.Secret.fromSecretsManagerVersion(secret, { versionStage: 'version-stage' }),
},
Here are the service methods that you can use to directly add this integration:
...
service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
service.addEnvironmentVariable('SECOND_ENVIRONMENT_VARIABLE', 'second test value');
...
Let me know if you have any questions. Thanks
Can we bulk-update secret values in App Runner?
Yes, once the customer updates all the secrets via AWS Secrets Manager and then triggers a single deployment on App Runner, we will refresh all the secrets.
Hello,
Do you have example code that shows how to add an SSM parameter ARN (not SSM secrets) with source "SSM Parameter Store" as an environment variable under AWS CDK?
Is there a way to trigger auto-reload upon secret updates via CDK?
Perhaps we could watch for an event, and then somehow call an API to force-reload?
Hi @moltar, You can listen to the AWS Eventbridge events and invoke aws apprunner start-deployment API to force a new deployment
Hey, yeah, tried that. But EB events only fire if there is CloudTrail on the account, which is a whole other can of worms 😁
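One way to wire up the redeploy-on-rotation idea discussed above, as an added example that is not from the thread or from AWS: a Lambda target for an EventBridge rule on the CloudTrail-backed "AWS API Call via CloudTrail" events from Secrets Manager, which maps the changed secret to the App Runner services that consume it and calls StartDeployment. The secret and service ARNs, the SECRET_TO_SERVICES mapping and the sample event are constructed placeholders; as noted in the thread, these events only exist when CloudTrail is enabled on the account.

```python
"""Redeploy App Runner services whose Secrets Manager secret was just changed."""

# Secrets Manager write calls that change the value App Runner cached at deploy time.
ROTATION_EVENTS = {"PutSecretValue", "UpdateSecret", "RotateSecret"}

# Which App Runner service(s) consume which secret. Constructed placeholder ARNs.
SECRET_TO_SERVICES = {
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf": [
        "arn:aws:apprunner:us-east-1:123456789012:service/api/0123456789abcdef",
    ],
}

# Constructed EventBridge event in the shape CloudTrail delivers for a secret write.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.secretsmanager",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "PutSecretValue",
        "requestParameters": {"secretId": "prod/db"},
    },
}


def services_to_redeploy(event, mapping=SECRET_TO_SERVICES):
    """Return the App Runner service ARNs affected by this CloudTrail event.

    Reads (GetSecretValue), failed calls (errorCode present) and secrets that
    are not in the mapping yield an empty list, so nothing is redeployed for them.
    """
    detail = event.get("detail", {})
    if detail.get("eventSource") != "secretsmanager.amazonaws.com":
        return []
    if detail.get("eventName") not in ROTATION_EVENTS or "errorCode" in detail:
        return []
    secret_id = detail.get("requestParameters", {}).get("secretId", "")
    # CloudTrail records secretId exactly as the caller passed it: full ARN or
    # friendly name. Accept both by deriving the name from the mapped ARN
    # (strip the ":secret:" prefix and the random "-XXXXXX" suffix).
    for secret_arn, services in mapping.items():
        name = secret_arn.rsplit(":", 1)[-1].rsplit("-", 1)[0]
        if secret_id in (secret_arn, name):
            return list(services)
    return []


def handler(event, context=None):
    """Lambda entry point: start one deployment per affected service."""
    import boto3  # imported lazily so services_to_redeploy() is testable offline
    client = boto3.client("apprunner")
    started = [client.start_deployment(ServiceArn=arn)["OperationId"]
               for arn in services_to_redeploy(event)]
    return {"started": started}
```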