The private keys that you use in a project should not be committed together with the source code. The best option is to configure Elastic Beanstalk to download the key file from AWS S3 during deployment of the application.
The following example shows an Elastic Beanstalk configuration file that fetches a private key file from an S3 bucket (the bucket name `elasticbeanstalk-region-account-id` is a placeholder for your own region and account id).
```yaml
# .ebextensions/serverkey.config
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-region-account-id"]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

files:
  # Private key: readable only by its owner (mode 0400)
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key
```
The instance profile "aws-elasticbeanstalk-ec2-role" must have permission to read the key object from the specified bucket. Look here to see how to do it.
You can also build the URL from an environment variable, so that each environment fetches its own key, like this:

```yaml
source: { "Fn::Join" : ["", ["https://s3.amazonaws.com/elasticbeanstalk-region-account-id/", {"Fn::GetOptionSetting": {"Namespace": "aws:elasticbeanstalk:application:environment", "OptionName": "APP_ENV"}}, ".key"]]}
```
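As an added example (not from the original post), this is a least-privilege IAM policy you can attach to the `aws-elasticbeanstalk-ec2-role` instance profile so it can read only the key object named in the configuration above; the bucket name is the same placeholder, the `Sid` values are arbitrary, and the second statement is only needed (and its KMS key ARN is a placeholder you must replace) if the object is encrypted with a customer-managed KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadServerKeyObjectOnly",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::elasticbeanstalk-region-account-id/server.key"
    },
    {
      "Sid": "DecryptServerKeyIfSseKms",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:REGION:ACCOUNT-ID:key/KEY-ID-PLACEHOLDER"
    }
  ]
}
```

Granting `s3:GetObject` on the single object rather than on the whole bucket means a compromised instance cannot enumerate or read other deployment artifacts. If you use the `APP_ENV` variant, widen the `Resource` only to the matching objects (for example `.../*.key`), not to the bucket.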
Hope you have a good day!