
External Configuration/Secret Sources #6

Closed
RichiCoder1 opened this issue May 19, 2021 · 19 comments

Comments

@RichiCoder1

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
The ability to plug in App Configuration and Secrets from an external source (AWS SSM Parameter Store and AWS Secret Manager as MVP). Essentially the equivalent of ECS/Kubernetes, where you can name a provider, some parameters, and the ability to provide values as either environment variables or files.

Describe alternatives you've considered
Baking in config at build time and building multiple images.

Additional context
Good examples of great experiences today that should inspire (if not straight up use):

It'd be nice to also be able to eventually use Vault transparently, but that might be a stretch.

@hatskier

Hey @RichiCoder1 , do you know the estimated date of this feature? I would love to use AWS App Runner, but can't find a secure way to pass secrets (e.g. DB credentials) to the App Runner instances

@RichiCoder1
Author

> Hey @RichiCoder1 , do you know the estimated date of this feature? I would love to use AWS App Runner, but can't find a secure way to pass secrets (e.g. DB credentials) to the App Runner instances

I'm afraid I'm not affiliated with AWS at all, so I have about as much of an answer as you do 😅. However, the ticket is marked as We are working on it, and it at least partially references a feature that already exists with the underlying engine (ECS) so I'm hoping personally it'll land sometime this FY.

@atali

atali commented Dec 29, 2022

Hi,
Any news about that feature? It's really blocking our team from using AppRunner.
I am expecting something similar to ECS:

`ecs.Secret.fromSecretsManager(secret, field?)`
Please keep us updated.
In the meanwhile do you have any workaround?
Thx

@hariohmprasath

Hi @atali,
Thanks for reaching out. The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.

@adonig

adonig commented Dec 29, 2022

@atali Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container and there use the awscli to get the secret value and do something with it, for example put it in the container command execution environment in docker-entrypoint.sh like this:

```bash
#!/bin/bash
# -x is left out on purpose: command tracing would echo the secret value into the container log
set -euo pipefail
MY_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"
```

I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.

EDIT: If you have jq installed, you can extract secret values by piping the secret string into jq like this: `| jq -r .username`

@atali

atali commented Dec 29, 2022

Thank you @adonig , I will give it a try. Hopefully the new feature will be available soon.
Keep up the good work !

@kichik

kichik commented Jan 6, 2023

Thank you! CDK support now pretty please :)

@snnles

snnles commented Jan 6, 2023

This feature is now supported in App Runner. Please visit the What's New announcement that also has links to a deep dive blogpost and developer guide. Thank you all for your feedback and support.

https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/

snnles closed this as completed Jan 6, 2023

@hariohmprasath

> Thank you! CDK support now pretty please :)

Yes, the team will work on it next and we will keep you posted on the updates.

@atali

atali commented Jan 7, 2023

Will the CDK L1 construct support it in the short term, since it's automatically generated?

@hariohmprasath

Hi @atali,
Yes, since we have added support for CFN, L1 constructs should be available in the upcoming release of aws-cdk. Please watch the https://github.com/aws/aws-cdk repo for upcoming releases and change logs. Thanks

@hariohmprasath

Hi @kichik,
PR for the CDK integration is merged now, so you should be all set :) - aws/aws-cdk#23692

Here are some usage patterns:

```ts
environmentSecrets: {
  SECRET: apprunner.Secret.fromSecretsManager(secret),
  PARAMETER: apprunner.Secret.fromSsmParameter(parameter),
  SECRET_ID: apprunner.Secret.fromSecretsManagerVersion(secret, { versionId: 'version-id' }),
  SECRET_STAGE: apprunner.Secret.fromSecretsManagerVersion(secret, { versionStage: 'version-stage' }),
},
```

Here are the service methods that you can use to directly add this integration:

```ts
// ...
service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
service.addEnvironmentVariable('SECOND_ENVIRONMENT_VARIABLE', 'second test value');
// ...
```

Let me know if you have any questions. Thanks

@vimalprasathr

Can we bulk-update secret values in App Runner?

@msumithr

Yes, once the customer updates all the secrets via AWS Secrets Manager and then triggers a single deployment on App Runner, we will refresh all the secrets.

@BuraChuhadar

BuraChuhadar commented Aug 22, 2023

Hello,

Do you have an example code that shows to add ssm parameter arn (not ssm secrets) with source "SSM Parameter Store" as an environment variable under AWS CDK?

@moltar

moltar commented Oct 17, 2023

> Yes, once the customer updates all the secrets via AWS Secrets Manager and then triggers a single deployment on App Runner, we will refresh all the secrets.

Is there a way to trigger auto-reload upon secret updates via CDK?

Perhaps we could watch for an event, and then somehow call an API to force-reload?

@hariohmprasath

Hi @moltar, you can listen for the AWS EventBridge events and invoke the `aws apprunner start-deployment` API to force a new deployment

@moltar

moltar commented Oct 17, 2023

> Hi @moltar, you can listen for the AWS EventBridge events and invoke the `aws apprunner start-deployment` API to force a new deployment

Hey, yeah, tried that. But EB events only fire if there is CloudTrail on the account, which is a whole other can of worms 😁
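The redeploy-on-secret-change pattern discussed in the last few comments (App Runner only refreshes secrets on a new deployment, so a rotation has to trigger `StartDeployment`), written out as an added example. This is not code from the thread, from AWS, or from the CDK. It assumes, as moltar notes, that CloudTrail is enabled so Secrets Manager write calls reach EventBridge as "AWS API Call via CloudTrail" events, that an EventBridge rule forwards them to this Lambda handler, and that the handler's role is allowed only `apprunner:StartDeployment` on the one service (it never needs `secretsmanager:GetSecretValue`, because it only has to learn *that* a secret changed, not its value). The service ARN, secret ARN, event payload and `FakeAppRunner` client are constructed placeholders; the event names `PutSecretValue`, `UpdateSecret` and `RotationSucceeded` are the CloudTrail names I assume the rule matches on.

```python
"""Redeploy an App Runner service when one of its secrets is rewritten.

Added example; not code from this thread, from AWS, or from the CDK.
"""
from typing import Optional

# Secrets Manager CloudTrail event names that produce a new secret version.
# Assumption: RotationSucceeded is the service-event name CloudTrail records
# when a rotation finishes; PutSecretValue and UpdateSecret are explicit writes.
SECRET_WRITE_EVENTS = {"PutSecretValue", "UpdateSecret", "RotationSucceeded"}

# Constructed placeholders; a real function would read these from its
# environment variables, set by whatever deploys the Lambda.
SERVICE_ARN = "arn:aws:apprunner:us-east-1:123456789012:service/example-svc/0123456789abcdef"
DB_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example/db-creds-AbCdEf"
WATCHED_SECRET_ARNS = {DB_SECRET_ARN}


def secret_arn_from_event(event: dict) -> Optional[str]:
    """Return the ARN of the secret that a CloudTrail Secrets Manager write
    event touched, or None if the event is anything else."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventSource") != "secretsmanager.amazonaws.com":
        return None
    if detail.get("eventName") not in SECRET_WRITE_EVENTS:
        return None
    # PutSecretValue/UpdateSecret echo the secret's ARN in responseElements;
    # fall back to the request's secretId, which may be an ARN or a plain name.
    response = detail.get("responseElements") or {}
    request = detail.get("requestParameters") or {}
    return response.get("arn") or request.get("secretId")


def should_redeploy(event: dict, watched: set) -> bool:
    """Only secrets this service actually consumes trigger a deployment;
    reads and writes to unrelated secrets are ignored."""
    arn = secret_arn_from_event(event)
    return arn is not None and arn in watched


def handler(event: dict, context=None, client=None, watched=None) -> dict:
    """Lambda entry point. `client` is any object exposing
    start_deployment(ServiceArn=...); it defaults to a real boto3 client."""
    watched = WATCHED_SECRET_ARNS if watched is None else watched
    if not should_redeploy(event, watched):
        return {"redeployed": False}
    if client is None:
        import boto3  # imported lazily so the decision logic runs without boto3
        client = boto3.client("apprunner")
    resp = client.start_deployment(ServiceArn=SERVICE_ARN)
    return {"redeployed": True, "operationId": resp.get("OperationId")}


class FakeAppRunner:
    """Constructed stand-in for boto3's App Runner client, for offline runs."""

    def __init__(self):
        self.calls = []

    def start_deployment(self, ServiceArn):
        self.calls.append(ServiceArn)
        return {"OperationId": "op-constructed-0001"}


# Constructed sample event in the envelope EventBridge delivers for a CloudTrail
# record of PutSecretValue (only the fields the handler inspects are included).
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.secretsmanager",
    "detail": {
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "PutSecretValue",
        "requestParameters": {"secretId": "example/db-creds"},
        "responseElements": {"arn": DB_SECRET_ARN, "versionId": "constructed-version"},
    },
}

if __name__ == "__main__":
    fake = FakeAppRunner()
    print(handler(SAMPLE_EVENT, client=fake))              # a watched secret changed
    print(handler({"detail-type": "other"}, client=fake))  # unrelated event, ignored
    print(fake.calls)
```

Keeping the allow-list of watched secret ARNs on the handler side matters: a rule that matched every Secrets Manager write in the account would redeploy the service on each unrelated rotation, and a handler that could read secret values would be a second place those values could leak from. The deployment itself re-reads the new version, which is the behaviour msumithr describes above.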

Projects
Status: Just Shipped