
Sharing Secrets Between Environments

Open dereksdev opened this issue 4 years ago • 10 comments

Is there a way to share secrets between environments? The requirement to tag each secret with copilot-environment leads me to believe this is not possible, but it would be useful for shared application secrets. I would like to be able to do the following:

  1. set up an SSM parameter with only the tag copilot-application set to my application name
  2. reference the secret in the global secrets in manifest.yml:

```yaml
secrets:
  SECRET_NAME: /copilot/app_name/secrets/SECRET_NAME
```

This process currently results in an error: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm

dereksdev avatar Oct 21 '21 21:10 dereksdev

Hello @dereksdev. Yes, you are correct: it is not possible to define application-level secrets in Copilot right now. This would be a feature request for us. Thank you for bringing up this feature and your use case for it!

iamhopaul123 avatar Oct 21 '21 22:10 iamhopaul123

Just want to say I'd like to see this feature too. It would be useful for creating a single secret with credentials to a private Docker registry.

bpottier avatar Mar 08 '22 12:03 bpottier

I'll add on that it would also be useful to share secrets across applications, as well. This is handy for multiple applications that might share the same database or for connections to a shared cache. Beyond the challenge of setting up duplicate secrets, this increases the burden of rotating secrets when necessary.

mnitchie avatar Apr 05 '22 14:04 mnitchie

Thanks @mnitchie! As a side tangent, how do you deal with secrets rotation today for ECS tasks? Do you force a new deployment when a rotation occurs, or do you use another mechanism?

efekarakus avatar Apr 05 '22 16:04 efekarakus

It's a little ad hoc at the moment. Sometimes I do what you suggested, if I'm confident that won't break things with the already-deployed tasks, or if I'm planning to re-deploy right away. Once, I created a second secret and changed the manifest to point to that instead of the old one, then re-deployed.

mnitchie avatar Apr 05 '22 18:04 mnitchie

+1 to this. Would love it 🙌 It would nicely clean up our secret store and manifest files 😄

GearoidCollins avatar Apr 14 '22 16:04 GearoidCollins

+1 to this for me as well :). This would be a really handy feature and would make creating new environments super seamless! Has work on this feature request been started?

jakequalia avatar Jun 06 '22 17:06 jakequalia

Any update on this?

jakequalia avatar Mar 13 '24 00:03 jakequalia

This would be really useful. We are adding Elasticsearch to several apps and just have one large cluster with a bunch of indices. We could just store the Elastic Cloud ID and password once each, but now it looks like I'll have to define multiple variables per application and per environment. And if I rotate those creds, I will have to change them all individually... Could add some logic to the value parsing to split on commas or another delimiter? `copilot-environment=dev,prod`, and the same for the apps?

ColeDCrawford avatar Apr 04 '24 21:04 ColeDCrawford

@ColeDCrawford Makes sense to me! Another workaround I can think of is to tag a secret with something like "shared", and then give each of your apps' EnvManagerRole access to secrets with that tag, using a YAML patch.

Lou1415926 avatar Apr 05 '24 23:04 Lou1415926
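One concrete shape the tag-based workaround above could take, as an added example that is not code from the Copilot project or from anyone in this thread. The patch file location, the `EnvironmentManagerRole` logical ID, the policy index and the `AppName` template parameter are assumptions to confirm against the rendered environment template (`copilot env package`) before applying; the `shared=true` tag is a constructed convention.

```yaml
# copilot/environments/overrides/cfn.patches.yml   (path is an assumption)
#
# Appends one statement to the role's first inline policy so that parameters
# tagged shared=true can be read from every environment of the app, instead
# of requiring a copy tagged with each copilot-environment value.
# "EnvironmentManagerRole", "Policies/0" and the "AppName" parameter are
# assumptions: check them in the output of `copilot env package`.
- op: add
  path: /Resources/EnvironmentManagerRole/Properties/Policies/0/PolicyDocument/Statement/-
  value:
    Sid: ReadSharedAppSecrets
    Effect: Allow
    Action:
      - ssm:GetParameter
      - ssm:GetParameters
    # Scope the grant to the app's own secret prefix (the same path layout
    # the issue uses) rather than "*", so a mis-tagged parameter elsewhere
    # in the account is not reachable through this statement.
    Resource:
      Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/copilot/${AppName}/secrets/*
    Condition:
      StringEquals:
        # Both tags must be present: the app tag keeps one app's "shared"
        # parameters from being readable by another app's roles.
        ssm:ResourceTag/shared: "true"
        ssm:ResourceTag/copilot-application:
          Ref: AppName
```

Whatever role actually pulls the secret at task start (the error in the first post comes from the ECS execution role, not the env manager role) needs the equivalent statement, so the same patch shape can be applied in a service's `overrides/cfn.patches.yml` against that role's logical ID.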