
I am trying to deploy a Django application using Elastic Beanstalk. The app connects to the database using environment variables.

DATABASES = {
  'default': {
    'ENGINE': 'django.db.backends.mysql',
    'NAME': os.environ['RDS_DB_NAME'],
    'USER': os.environ['RDS_USERNAME'],
    'PASSWORD': os.environ['RDS_PASSWORD'],
    'HOST': os.environ['RDS_HOSTNAME'],
    'PORT': os.environ['RDS_PORT'],
  }
}

I don't want to set these variables explicitly in EB console or option_settings, as they would appear in EB console in plain text.

The RDS credentials are stored in AWS Secrets Manager. As EB doesn't support AWS Secrets Manager yet, I wrote a platform hook to fetch the secrets and export the credentials as environment variables.

django_app/.platform/hooks/prebuild/set_db_credentials.sh

#!/bin/sh

# fetch secrets from secrets manager and store in db_credentials.json
aws secretsmanager get-secret-value --secret-id="$RDS_SECRETS_ID" --region="$RDS_SECRETS_REGION" --query=SecretString --output text > db_credentials.json

# export as environment variables
export RDS_HOSTNAME="$(jq -r '.host' db_credentials.json)"
export RDS_PORT="$(jq -r '.port' db_credentials.json)"
export RDS_USERNAME="$(jq -r '.username' db_credentials.json)"
export RDS_PASSWORD="$(jq -r '.password' db_credentials.json)"
export RDS_DB_NAME="$(jq -r '.dbname' db_credentials.json)"

rm db_credentials.json

The hook is running fine, but the environment variables are not available to the app. Does anyone know how to do this?

gowthz

2 Answers


You could probably use an EB hook to dynamically create an aws:elasticbeanstalk:application:environment .ebextensions config file.

So the idea is to create proper .ebextensions file for env variables using one of the EB hooks, before EB is going to read and execute your .ebextensions files.

Marcin
  • Wow! That never crossed my mind, thank you. But setting it this way will make the credentials visible in the EB console... Is there any other approach to this? – gowthz Sep 29 '21 at 11:22
  • @GowthamBhat Not sure. Haven't tried that myself. At the moment I can't think of another way. Usually it would be your app that uses the AWS SDK to get the credentials. Can you modify your app to do that? – Marcin Sep 29 '21 at 11:24
  • Yeah, I can try that. I was reluctant to change that part as it was the standard code when using an EB-attached RDS instance. – gowthz Sep 29 '21 at 11:31
  • @GowthamBhat If you try, please let me know how it went. – Marcin Sep 29 '21 at 11:32
  • @GowthamBhat How did it go? Did you manage to make it work? – Marcin Oct 01 '21 at 09:09
  • I created the environment variables directly in the EB console for now. Will let you know when I test this. – gowthz Oct 05 '21 at 11:53

A workaround is to save your secret in a config file inside your hook. Setting the variable in the bash scripts won't work since Elastic Beanstalk likely runs hooks in different shells (and provides no support for secret management so far).

For instance, if you are using Docker (or any platform that automatically reads env variables from a ".env" file), the solution described here will work. Saving it into an .ebextensions file might also be a solution, but it doesn't seem to work with the Docker platform.

lmX2015
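The approach suggested in the comments above (the app itself reads the secret through the AWS SDK, so the credentials never appear in the EB console or in a hook's shell) could look like the sketch below. It is an added example, not code from any poster: `load_db_settings` and `FakeSecretsClient` are hypothetical names, the secret's JSON keys are the ones the question's `jq` filters read, and the instance profile is assumed to be allowed `secretsmanager:GetSecretValue`.

```python
import json
import os


def load_db_settings(secret_id, region, client=None):
    """Build Django's DATABASES['default'] from a Secrets Manager JSON secret."""
    if client is None:
        import boto3  # lazy import: only needed when talking to AWS for real
        client = boto3.client("secretsmanager", region_name=region)
    response = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in response:
        raise RuntimeError(f"secret {secret_id!r} has no SecretString")
    secret = json.loads(response["SecretString"])
    # Same keys the question's hook extracts with jq.
    required = ("host", "port", "username", "password", "dbname")
    missing = [key for key in required if key not in secret]
    if missing:
        # Report key names only, never secret values.
        raise RuntimeError(f"secret {secret_id!r} is missing: {', '.join(missing)}")
    return {
        "ENGINE": "django.db.backends.mysql",
        "NAME": secret["dbname"],
        "USER": secret["username"],
        "PASSWORD": secret["password"],
        "HOST": secret["host"],
        "PORT": str(secret["port"]),
    }


class FakeSecretsClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self, secret_string):
        self._secret_string = secret_string

    def get_secret_value(self, SecretId):
        return {"Name": SecretId, "SecretString": self._secret_string}


# Assumed wiring in settings.py; only the secret's id and region are plain env vars:
# DATABASES = {"default": load_db_settings(os.environ["RDS_SECRETS_ID"],
#                                          os.environ["RDS_SECRETS_REGION"])}

if __name__ == "__main__":
    # Constructed sample secret, not real credentials.
    sample = json.dumps({"host": "db.example.internal", "port": 3306,
                         "username": "app", "password": "not-a-real-password",
                         "dbname": "appdb"})
    cfg = load_db_settings("example/rds", "us-east-1", FakeSecretsClient(sample))
    print({k: ("***" if k == "PASSWORD" else v) for k, v in cfg.items()})
```

With this in place, only `RDS_SECRETS_ID` and `RDS_SECRETS_REGION` need to be set as EB environment properties, and neither of them is sensitive.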