3

I have the following setup:

  • PHP Laravel application
  • AWS Elastic Beanstalk -> EC2 webserver
  • AWS Secrets Manager to store the database password
  • Elastic Beanstalk environment variable to store the AWS_SECRET_KEY
  • TappNetwork/laravel-aws-secrets-manager to fetch the secrets

I used to store the database password (and other credentials) in the Beanstalk environment variables, but didn't want to store them in plain text anymore.

I now store them in AWS Secrets Manager, but in order for the application to be able to fetch the secrets, the AWS_ACCESS_KEY_ID and AWS_SECRET_KEY need to be available in Laravel, so that they can be used in the communication between the AWS SDK and our AWS setup.

This brings me back to square 1, because access to the access key and secret also allows access to the secret manager, if I'm not mistaken.

What am I missing here?

Sherlock
  • 7,525
  • 6
  • 38
  • 79

1 Answer

1

I now store them in AWS Secrets Manager, but in order for the application to be able to fetch the secrets,

You don't have to do this. Just like with a regular EC2 instance, in EB you give permissions to SM or other AWS resources using the EB instance profile.

This way your ENV is clean of any AWS keys, and the AWS SDK will automatically query the profile on the instance to get the temporary AWS credentials to access SM. You can also query the metadata yourself if you want to "manually" get these credentials.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • 3
    Ok I'll look into that, thanks. Ugh, if only Beanstalk env vars would just have Secrets Manager support. – Sherlock Jul 15 '21 at 10:39
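Concretely, the instance-profile approach from the answer above looks like this in PHP. This is an added example, not code from the original post or from the TappNetwork/laravel-aws-secrets-manager package. It assumes aws/aws-sdk-php is installed via Composer, that the instance profile attached to the Elastic Beanstalk environment carries an IAM policy allowing secretsmanager:GetSecretValue on the one secret the app needs, and that the secret name prod/laravel/db, the region, and the JSON keys inside the secret are hypothetical placeholders.

```php
<?php
// Added example (not from the original question, answer, or the
// TappNetwork package). Assumes aws/aws-sdk-php via Composer and an
// instance profile on the EB environment whose IAM policy allows
// secretsmanager:GetSecretValue on the secret below. The secret name,
// region, and JSON field names are hypothetical.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\SecretsManager\SecretsManagerClient;

/**
 * Fetch a JSON-formatted secret from Secrets Manager.
 *
 * No 'credentials' array is passed to the client. The SDK then walks its
 * default provider chain (environment variables, shared credentials file,
 * then the EC2 instance metadata service) and ends up using the temporary,
 * auto-rotated credentials of the instance profile. Nothing secret has to
 * live in the Beanstalk environment variables.
 */
function fetchDatabaseSecret(string $secretId, string $region): array
{
    $client = new SecretsManagerClient([
        'version' => '2017-10-17',
        'region'  => $region,
        // Deliberately no 'credentials' => [...] entry here.
    ]);

    try {
        $result = $client->getSecretValue(['SecretId' => $secretId]);
    } catch (AwsException $e) {
        // AccessDeniedException means the instance profile's policy does
        // not cover this secret. The fix is in IAM, not in the code, and
        // certainly not in pasting an access key back into the ENV.
        throw new RuntimeException(
            'Secrets Manager lookup failed: ' . ($e->getAwsErrorCode() ?? 'unknown'),
            0,
            $e
        );
    }

    $payload = $result['SecretString'] ?? null;
    if (!is_string($payload)) {
        // Binary secrets (SecretBinary) are out of scope for a DB password.
        throw new RuntimeException('Secret has no SecretString');
    }

    // Secrets Manager stores whatever string you gave it; the usual
    // convention for DB credentials is a small JSON object.
    return json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
}

// Usage inside a Laravel service provider or bootstrap step: feed the
// fetched values into the database config at runtime instead of reading
// DB_PASSWORD from the environment.
$db = fetchDatabaseSecret('prod/laravel/db', 'eu-west-1');
config([
    'database.connections.mysql.username' => $db['username'],
    'database.connections.mysql.password' => $db['password'],
]);
```

Two practitioner notes. First, keep the instance-profile policy scoped to the specific secret ARN(s) rather than `secretsmanager:*` on `*`; the whole point of the move is that a leaked environment dump no longer hands out long-lived keys, and a broad role would reintroduce a comparable blast radius. Second, the SDK obtains the role credentials from the instance metadata service (IMDS), so anything on the box that can reach 169.254.169.254, including an SSRF in the web application, can read them too; requiring IMDSv2 (token-based requests) on the Beanstalk instances makes that considerably harder to abuse from a plain GET-based SSRF.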