1

Hello: I do have Django based application deployed in AWS EC2 instance. The application accesses a hospital database hosted on the premises for query and update through as set of APIs written in Django application. However, we cant have production IP, database UserID, database Pwd in our EC2 application due to security reasons. What are the options available for this problem. One option that is thought is set-up a reverse proxy server on a different machine at on-premise environment and access the prod database through it. I wanted to know,

  1. If there are other better practiced solutions available
  2. A pointer to an example configuration of ReverseProxy maintaining database UserID, databasePwd etc in the proxy and running the API through it. We are still trying setting-up an UBUNTU based Ngnx server. However, still not sure where to maintain the DBUserID, DBPwd etc. Any help or guiding pointer will be greatly appreciated. Thanks
Raja Devarakonda
  • 11
  • 1
  • you can store the credentials in the Systens manager parameter store secrets. The django application write some code inside your django index.php file to read the credential from the parameter store and update the configuration file that has the db credential. But in this approach the , anyone who can get to the ec2, can see the plain passwords in the configuration file. – Arun Kamalanathan Jul 31 '20 at 06:03
  • check this. in this example, when django receives a request, they are making an sdk call to aws systems manager and getting the secrets. the password will not be stored into the file. but it will be querying the systems manager for each http request. https://engineering.instawork.com/django-settings-in-the-cloud-aa3fc547a2b4 – Arun Kamalanathan Jul 31 '20 at 06:09
  • posted an answer, basically you read the credentials once when the ec2 boot up using a boot script, then you can store the values as system environment variables. django can then read the credential from the environment variables. – Arun Kamalanathan Jul 31 '20 at 06:27

1 Answers1

0

I haven't tried this in django, here is what I consider as a neat solution:

  • Assign an IAM role to the EC2 instance. Assign permission to the role so that it can read from the Systems manager parameter store
  • Store the credentials (Username, Password, Host, etc) in the aws System manager (SSM) parameter store
  • Add a boot script to the ec2 and query the systems manager for the parameter. The script will run once when the ec2 instance boots, read the values from SSM and set the values as environment variables
  • In the django setting file where the db credentials are set, i would read the credential from the environment variables for e.g os.environ['DATABASE_PASSWORD']

References:

EC2 Boot Script

Systems manager parameter store

How to set environment variables in python

Arun Kamalanathan
  • 8,107
  • 4
  • 23
  • 39