DEV Community

Cover image for How to store private keys securely in AWS S3 for use with Elastic Beanstalk
Ezequiel Esnaola
Ezequiel Esnaola

Posted on • Updated on

How to store private keys securely in AWS S3 for use with Elastic Beanstalk

The private keys that you use in a project should not be compromised with the source code. The best option is to configure Elastic Beanstalk to download the file from AWS S3 during the deploy of the application.

The following example shows an Elastic Beanstalk's configuration file getting a private key file from an S3 bucket.

# .ebextensions/serverkey.config
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-region-account-id"]
          roleName: 
            "Fn::GetOptionSetting": 
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key
Enter fullscreen mode Exit fullscreen mode

The instance profile "aws-elasticbeanstalk-ec2-role" must have permission to read the key object from the specified bucket. Look here to see how to do it.

You made set the url with an environment variable like this:

source: { "Fn::Join" : ["", ["https://s3.amazonaws.com/elasticbeanstalk-region-account-id/", {"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "APP_ENV"}}, ".key"]]}
Enter fullscreen mode Exit fullscreen mode

Hope you have a good day!

Top comments (0)