
AWS Keystore – option to read data encryption key from an env var (instead of file) #148

Open
wants to merge 1 commit into
base: master
Conversation

@ram-nadella ram-nadella commented Feb 13, 2021

Issue # (if available)

#149

Description of changes

AWS Keystore uses KMS for the key encryption key, and the data encryption key is local to the code / runtime. This change adds the option to provide the data encryption key using an environment variable, with the existing file option as a fallback. This would allow for use cases where you don't want to put the keys on the filesystem.

NOTE: this is still a work in progress; I pushed a commit early to show a potential approach. The data needed to build the env key is not available in the read method; I'm thinking adding a config key might be the way to go here. Also need to add tests.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

AWS Keystore uses KMS for the key encryption key and the data encryption key
is local to the code / runtime. This change adds the option to provide
the data encryption key using environment variables (in addition to files) to
allow for use cases where you don't want to put the keys on the
filesystem
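The env-var-with-file-fallback resolution described in the PR, written out as an added standalone example (not the gem's own keystore code). `DekSource.read`, the `env_name:`/`file_path:` parameters and the base64 encoding of the variable are assumptions for illustration: the value read is the key material the AWS keystore would hand to KMS, sourced from the variable when set and from the file otherwise, with strict decoding so a malformed variable fails loudly instead of silently falling back.

```ruby
require "base64"

# Hypothetical helper, constructed for this example (not part of symmetric-encryption).
module DekSource
  class MissingKeyError < StandardError; end

  # env_name:  name of the environment variable holding the base64-encoded key material
  # file_path: key file the keystore would otherwise read (may be nil)
  # env:       hash-like source of variables; defaults to ENV, injectable for tests
  # Returns the raw key bytes. The variable wins over the file when both are present.
  def self.read(env_name:, file_path:, env: ENV)
    encoded = env[env_name]
    if encoded && !encoded.strip.empty?
      # strict_decode64 rejects whitespace/garbage rather than decoding a truncated key
      Base64.strict_decode64(encoded.strip)
    elsif file_path && File.file?(file_path)
      # File contents are read verbatim, exactly as the keystore wrote them
      File.binread(file_path)
    else
      raise MissingKeyError, "no key material in #{env_name} and no file at #{file_path.inspect}"
    end
  rescue ArgumentError => e
    # Do not fall back to the file on a malformed variable: that would mask a misconfiguration
    raise MissingKeyError, "#{env_name} is not valid base64: #{e.message}"
  end
end
```

Note that a variable set on the process is inherited by every child process it spawns, which is the trade-off against a file restricted by permissions.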
@reidmorrison
Owner

reidmorrison commented Aug 15, 2021

We have switched to using Secret Config instead of using a config file at all.
The data encryption keys are stored in the AWS Parameter Store and are encrypted using KMS.

The following code was added to config/application.rb to support local testing vs deployed code:

    unless Rails.env.development? || Rails.env.test?
      config.secret_config.use :ssm, key_alias: "customer-kms", path: "/#{ENV['STACK_NAME']}/web"
    end

@reidmorrison
Owner

@ram-nadella have you had a chance to see if the Secret Config approach above better suits your needs in the AWS environment? We are happy we made the switch since it is much easier to manage now, and we now retrieve all application settings from Secret Config at startup. If using Docker Images, Secret Config is a must have for externalizing configuration.

@ram-nadella
Author

@reidmorrison thanks for following up on this.

We're using SecretsManager on AWS (provides a few nice things like access audit logs, secret rotation etc.). Ideally, we'd init symmetric-encryption on load with a key from Secrets Manager; I was thinking of an ENV var as a more generalized way for others to reuse this method.
