Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
383 views
in Technique [Technology] by (71.8m points)

amazon web services - Secret info & EC2 CodeDeploy?

With secret code such as MongoDB password, Firebase admin password in my NodeJS server code, I am wondering how I should go about deploying this to EC2 (and multiple EC2 instances with CodeDeploy / AutoScaling, in the future).

Is there a common way to go about this - keeping your credentials secure? You could argue that the security layer is at the instance: make sure that there is no unwanted access to your instance(s) and you should be good. But is this really the way to go?

question from: https://stackoverflow.com/questions/65864896/secret-info-ec2-codedeploy


1 Answer

0 votes
by (71.8m points)

Given a service that has a secret password in its config file called config.json, create a software config file called config-development.json:

password=[PASSWORD]

During CodeDeploy, there are scripts, or hooks, that run during the deployment cycle, e.g. BeforeInstall, Install, AfterInstall. During the AfterInstall script execution, get the secret from the parameter store via the CLI, store it in a variable, and then replace the [PASSWORD] value in the JSON file, using sed or any search-and-replace command-line tool.

Rename the resulting file to config.json, and restart the service.

This approach will allow you to keep secrets out of your repo, and use only the value from the parameter store.

See https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file-structure-hooks.html#reference-appspec-file-structure-hooks-list
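
One way to write the AfterInstall hook described in the answer above, as an added example that is not part of the original answer or AWS's own code: it swaps sed for an in-shell literal replacement so the secret never shows up in a process argument list, and it writes config.json with owner-only permissions. The install directory, parameter name and service name are assumptions.

```shell
#!/bin/sh
# AfterInstall hook sketch (added example; paths and names are assumptions).
set -eu

APP_DIR=${APP_DIR:-/opt/myapp}                  # hypothetical install directory
PARAM_NAME=${PARAM_NAME:-/myapp/prod/password}  # hypothetical SecureString parameter
PLACEHOLDER='[PASSWORD]'                        # placeholder used in the answer

# Read the decrypted value from SSM Parameter Store using the instance role.
fetch_secret() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query 'Parameter.Value' --output text
}

# Literal substitution done inside the shell: the secret is never passed as
# an argument to another process, and characters such as / & \ that are
# special to sed are copied unchanged.
fill_placeholder() {   # $1 = template text, $2 = placeholder, $3 = value
    rest=$1 out=
    while :; do
        case $rest in
            *"$2"*) out=$out${rest%%"$2"*}$3; rest=${rest#*"$2"} ;;
            *)      break ;;
        esac
    done
    printf '%s\n' "$out$rest"
}

# Render template $1 to $2 with owner-only permissions, replacing atomically.
render_config() {      # $1 = template, $2 = destination, $3 = secret
    [ -n "$3" ] || { echo "empty secret, refusing to write $2" >&2; return 1; }
    case $3 in *'"'*|*'\'*) echo "secret needs JSON escaping" >&2; return 1 ;; esac
    ( umask 077
      tmp=$(mktemp "$2.XXXXXX")
      fill_placeholder "$(cat "$1")" "$PLACEHOLDER" "$3" > "$tmp"
      mv -f "$tmp" "$2" )
}

# CodeDeploy exports LIFECYCLE_EVENT to hook scripts; sourcing this file
# anywhere else only defines the functions.
if [ "${LIFECYCLE_EVENT:-}" = "AfterInstall" ]; then
    secret=$(fetch_secret "$PARAM_NAME")
    render_config "$APP_DIR/config-development.json" "$APP_DIR/config.json" "$secret"
    systemctl restart myapp   # hypothetical service name
fi
```

The instance profile needs `ssm:GetParameter` on that parameter (plus `kms:Decrypt` if it uses a customer-managed key), and config.json must end up owned by the account the service runs as.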

