I have three AWS accounts. I have stored my SSL certificate files in S3 inside one of the AWS accounts (say AWS1). I have created an IAM role which grants 'GetObject' access to the S3 buckets in AWS1. I have then configured an ebextensions file for a single instance application I have running in another AWS account (say AWS2) to download the SSL certificates from the S3 bucket in AWS1 using the AccessKey and Secret of the IAM role I created in AWS1.
The following is a part of my http-single-instance.config file in .ebextensions for the application I have in AWS2:

```yaml
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["aws1-bucket"]
          accessKeyId: "AWS1IAMACCESSKEY"
          secretKey: "AWS1IAMSECRET"
```
But as you can see I have had to put the AWS1 IAM secret values in the source code of the application in AWS2 directly to get this working. Instead of putting the values for accessKeyId and secretKey in the actual source code, is it possible to load these values either from Environment Variables or from S3 somehow? So in the end, if I can get something like
```yaml
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["aws1-bucket"]
          accessKeyId: {AWS2ENVACCESSKEYID}
          secretKey: {AWS2ENVSECRETKEY}
```
For applications that are running in the same AWS account, I have followed the instructions provided in this documentation - https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html and that works perfectly. The solution I currently have is also working with the SSL certificates being downloaded as required, but I just want to know if there is a way to do this more securely.
Any assistance is much appreciated. Thanks!