
How to store private keys securely in AWS S3 for use with Elastic Beanstalk

Ezequiel Esnaola

The private keys a project uses should never be committed alongside its source code. The best option is to configure Elastic Beanstalk to download the key file from AWS S3 while the application is being deployed.

The following example shows an Elastic Beanstalk configuration file that fetches a private key file from an S3 bucket.

```yaml
# .ebextensions/serverkey.config
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-region-account-id"]
          # Credentials come from the environment's instance profile, not from keys in the config
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key, downloaded at deploy time using the S3Auth block above
  "/etc/pki/tls/certs/server.key":
    mode: "000400"            # read-only for the owner, nothing for group or others
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key
```

The instance profile "aws-elasticbeanstalk-ec2-role" must have permission to read the key object from the specified bucket. Look here to see how to do it.

You can also build the URL from an environment variable, here selecting the key file by the APP_ENV setting:

```yaml
source: { "Fn::Join" : ["", ["https://s3.amazonaws.com/elasticbeanstalk-region-account-id/", {"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "APP_ENV"}}, ".key"]]}
```
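As an added example (not part of the original post), a small lint that takes an `.ebextensions` config already loaded with `yaml.safe_load` and flags key files that drift from the properties shown above: owner-only mode, an `authentication` entry that points at a defined S3 block, and an HTTPS S3 `source` inside one of that block's buckets. The sample config is the post's own, constructed inline as a dict so the check runs offline; the `.key`/`.pem` suffix rule is an assumption of this example.

```python
from urllib.parse import urlparse
# Constructed sample: the post's .ebextensions config as yaml.safe_load would return it.
SAMPLE_CONFIG = {
    "Resources": {"AWSEBAutoScalingGroup": {"Metadata": {
        "AWS::CloudFormation::Authentication": {"S3Auth": {
            "type": "s3", "buckets": ["elasticbeanstalk-region-account-id"]}}}}},
    "files": {"/etc/pki/tls/certs/server.key": {
        "mode": "000400", "owner": "webapp", "group": "webapp", "authentication": "S3Auth",
        "source": "https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key"}},
}

def s3_auth_buckets(config):
    """Map each S3-type authentication block name to the bucket names it covers."""
    out = {}
    for res in config.get("Resources", {}).values():
        auths = res.get("Metadata", {}).get("AWS::CloudFormation::Authentication", {})
        for name, auth in auths.items():
            if auth.get("type") == "s3":
                out[name] = set(auth.get("buckets", []))
    return out

def bucket_from_s3_url(url):
    """Bucket name from a path-style or virtual-hosted HTTPS S3 URL, else None."""
    u = urlparse(url if isinstance(url, str) else "")  # intrinsics such as Fn::Join -> None
    if u.scheme != "https" or not u.netloc.endswith(".amazonaws.com"):
        return None
    if u.netloc.startswith(("s3.", "s3-")):  # path style: s3.amazonaws.com/<bucket>/<key>
        return u.path.lstrip("/").split("/", 1)[0] or None
    return u.netloc.split(".s3")[0] if ".s3" in u.netloc else None  # <bucket>.s3...

def lint_private_keys(config, key_suffixes=(".key", ".pem")):
    """Flag key files that are inlined, readable beyond the owner, unauthenticated, or from an unlisted bucket."""
    findings, auths = [], s3_auth_buckets(config)
    for path, spec in config.get("files", {}).items():
        if not path.endswith(key_suffixes):
            continue
        if "content" in spec:
            findings.append(f"{path}: key material is inlined in the config")
        mode = spec.get("mode")  # a string when quoted as on the page; an int if PyYAML saw it bare
        if mode is None or (mode if isinstance(mode, int) else int(mode, 8)) & 0o077:
            findings.append(f"{path}: mode {mode!r} leaves the key readable beyond its owner")
        auth, src = spec.get("authentication"), spec.get("source")
        if auth not in auths:
            findings.append(f"{path}: authentication {auth!r} is not a defined S3 block")
        bucket = bucket_from_s3_url(src)
        if isinstance(src, str) and bucket is None:
            findings.append(f"{path}: source is not an HTTPS S3 URL")
        elif bucket and auth in auths and bucket not in auths[auth]:
            findings.append(f"{path}: bucket {bucket} is not covered by {auth}")
    return findings
```

A `Fn::Join` source like the one above cannot be resolved statically, so the lint leaves it alone and only checks its mode and authentication.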

Hope you have a good day!
