20

I am deploying a Ruby on Rails application to AWS using Elastic Beanstalk and have to set a private key as an environment variable

E.g.

-----BEGIN RSA PRIVATE KEY-----
SpvpksXQIBA65ICOgQxV2TvMIICAiMeV9prhdJSKjjsk2
tYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk
tYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk
tYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk
tYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk
-----END RSA PRIVATE KEY-----

However this doesn't seem to work when deploying the app as it always fails with a

OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error

I think it's because the RSA Key is malformed.

However unlike in Heroku, AWS EB does not accept multiline input (see below) so I have to use \n to create new lines.


I tried a few different styles but none of them seem to interpolate the \n properly and I always keep getting the same error.

I've tried with \n at the end of each line, then \\n, and also tried double quotes \" to wrap the key, but I still keep getting the same error.

How do I properly set a multiline environment variable in AWS Elastic Beanstalk?

nelsonic
Ranhiru Jude Cooray

4 Answers

12

You can transform your private key into base64, then store that base64 as an environment variable. When needed, you decode this variable.

In Unix:

$ base64 path/to/your/private_key_file

In your application:

require 'base64'

# Decode the base64 value stored in the environment back into the PEM text
def private_key
  Base64.decode64(ENV['PRIVATE_KEY'])
end
Helio Albano
6

You could set it in EB using \n and then convert the '\n' to newlines before you pass it to config.key - something like this (note the single and double quotes in the call to gsub):

single_line_key = ENV.fetch('CLOUDFRONT_KEY')
multi_line_key = single_line_key.gsub('\n', "\n")
config.key = multi_line_key
Brian
  • 1
    Hi! Is there a Node solution to this. I've been pulling my hair out with trial+error. Does the key need to have "\n" chars in it? – user2402616 Jun 24 '21 at 14:51
  • I haven’t used EB in a few years, but a similar solution should work for Node. You’ll want to put the two non-escaped characters (\n) in your single-line string and then convert them at runtime to newlines, which will give you the multi-line string that is expected. – Brian Jun 25 '21 at 16:09
  • 1
    For some reason, my `replace` did not work on Beanstalk, but it did work locally. I spent several hours on this and just gave up. Quick soln I ended up using was just to encode the key as Base64 String and then decode in Code. Ideal soln would probably be to use Secrets Manager, but that could be overkill too – user2402616 Jun 25 '21 at 16:18
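An added example, not code from any of the answers: a Ruby loader that accepts either the escaped `\n` form or the Base64 form described above, validates the result with OpenSSL, and keeps key material out of the error message. The helper names `load_rsa_key` and `loadable?` are hypothetical, and the key is a throwaway generated inline as constructed sample data.

```ruby
require 'openssl'
require 'base64'

# Hypothetical helper (not from the answers): build an RSA key from a
# single-line environment value in either encoding suggested above.
def load_rsa_key(raw)
  raise ArgumentError, 'value is empty' if raw.nil? || raw.strip.empty?

  pem =
    if raw.include?('-----BEGIN')
      # Escaped form: backslash + n (two characters) stands in for a newline.
      raw.gsub('\n', "\n")
    else
      # Base64 form: strict_decode64 raises on truncated or mangled input,
      # where decode64 would quietly return partial bytes.
      Base64.strict_decode64(raw.strip)
    end
  OpenSSL::PKey::RSA.new(pem)
rescue OpenSSL::PKey::PKeyError, ArgumentError => e
  # Report the error class and input length only, never the key material.
  raise ArgumentError, "cannot load RSA key (#{e.class}, #{raw.to_s.length} chars)"
end

# True when the value yields a usable private key, false otherwise.
def loadable?(raw)
  load_rsa_key(raw).private?
rescue ArgumentError
  false
end

# Constructed sample data: a throwaway key generated on the spot.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_PEM = SAMPLE_KEY.to_pem
ESCAPED    = SAMPLE_PEM.gsub("\n", '\n')          # value to paste with literal \n
ENCODED    = Base64.strict_encode64(SAMPLE_PEM)   # single line, no wrapping
FLATTENED  = SAMPLE_PEM.tr("\n", ' ')             # the broken form from the question

if __FILE__ == $PROGRAM_NAME
  { escaped: ESCAPED, base64: ENCODED, flattened: FLATTENED,
    truncated: ENCODED[0..-2] }.each do |name, value|
    puts format('%-10s loadable=%s', name, loadable?(value))
  end
end
```

With GNU coreutils, `base64 -w 0` produces the unwrapped single line that the strict decoder expects; the default output wraps at 76 columns.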
4

I had the same problem with Golang and Elastic Beanstalk. I went to the AWS console and set the value like this:

-----BEGIN RSA PRIVATE KEY-----\nSpvpksXQIBA65ICOgQxV2TvMIICAiMeV9prhdJSKjjsk2\ntYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk\ntYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk\ntYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk\ntYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkk\n-----END RSA PRIVATE KEY-----  

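Inside my code:

// needs the "os" and "strings" imports
key := os.Getenv("PUSH_AUTH_KEY")
// -1 converts every literal \n; the value above has six, so a count of 5 would leave the last one
key = strings.Replace(key, `\n`, "\n", -1)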
1

You need to 'export' your multiline string, e.g., your private or public key into the environment correctly.

Enclose in your shell export statement $'.....' where ...... is your multiline string, e.g., your private or public key.

Example: export KEY=$'-----BEGIN RSA PRIVATE KEY-----\nSpvpksXQIBA65ICOgQxV2TvMIICAiMeV9prhdJSKjjsk2tYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkktYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkktYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkkktYdz8lhn/ibROQW71utuHLAyHGMBxz3kIaaIq1kjdkk\n-----END RSA PRIVATE KEY-----'

nethsix