Comments (19)

hatskier commented on August 22, 2024 10

Hey @RichiCoder1 , do you know the estimated date of this feature? I would love to use AWS App Runner, but can't find a secure way to pass secrets (e.g. DB credentials) to the App Runner instances

from apprunner-roadmap.

hariohmprasath commented on August 22, 2024 6

Hi @kichik,
PR for the CDK integration is merged now, so you should be all set :) - aws/aws-cdk#23692

Here are some usage patterns:

environmentSecrets: {
  SECRET: apprunner.Secret.fromSecretsManager(secret),
  PARAMETER: apprunner.Secret.fromSsmParameter(parameter),
  SECRET_ID: apprunner.Secret.fromSecretsManagerVersion(secret, { versionId: 'version-id' }),
  SECRET_STAGE: apprunner.Secret.fromSecretsManagerVersion(secret, { versionStage: 'version-stage' }),
},

Here are the service methods that you can use to directly add this integration:

...
service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
service.addEnvironmentVariable('SECOND_ENVIRONEMENT_VARIABLE', 'second test value');
...

Let me know if you have any questions. Thanks

hariohmprasath commented on August 22, 2024 3

> Thank you! CDK support now pretty please :)

Yes, the team will work on it next and we will keep you posted on the updates.

hariohmprasath commented on August 22, 2024 2

Hi @atali,
Thanks for reaching out. The team is actively working on this feature, we will keep you updated about the progress in the upcoming weeks.

adonig commented on August 22, 2024 2

@atali Not sure whether this is a working workaround because I didn't try it, but isn't it possible to pass the secret ARN as an environment variable to the container and there use the awscli to get the secret value and do something with it, for example put it in the container command execution environment in docker-entrypoint.sh like this:

#!/bin/bash
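# -x is left out: tracing would write the expanded secret value to the container logs.
set -euo pipefail
MY_SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$MY_SECRET_ARN" --query SecretString --output text)
# Quote the value so whitespace or glob characters in the secret are passed through intact.
exec env MY_VARIABLE="$MY_SECRET_VALUE" "$@"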

I believe it should work as long as you have a VPC connector to a VPC with a Secrets Manager VPC endpoint and your task role allows the containers to access Secrets Manager.

EDIT: If you have jq installed, you can extract secret values by piping the secret string into jq like this: | jq -r .username

hariohmprasath commented on August 22, 2024 1

Hi @atali,
Yes, since we have added support for CFN, L1 constructs should be available in the upcoming release of aws-cdk. Please watch the https://github.com/aws/aws-cdk repo for upcoming releases and change logs. Thanks

RichiCoder1 commented on August 22, 2024

> Hey @RichiCoder1 , do you know the estimated date of this feature? I would love to use AWS App Runner, but can't find a secure way to pass secrets (e.g. DB credentials) to the App Runner instances

I'm afraid I'm not affiliated with AWS at all, so I have about as much of an answer as you do 😅. However, the ticket is marked as We are working on it, and it at least partially references a feature that already exists with the underlying engine (ECS) so I'm hoping personally it'll land sometime this FY.

atali commented on August 22, 2024

Hi,
any news about that feature? It's really blocking our team from using AppRunner.
I am expecting something similar to ECS:

ecs.Secret.fromSecretsManager(secret, field?)
Please keep us updated.
In the meantime, do you have any workaround?
Thx

atali commented on August 22, 2024

Thank you @adonig, I will give it a try. Hopefully the new feature will be available soon.
Keep up the good work!

jvisker commented on August 22, 2024

https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/

kichik commented on August 22, 2024

Thank you! CDK support now pretty please :)

snnles commented on August 22, 2024

This feature is now supported in App Runner. Please visit the What's New announcement that also has links to a deep dive blogpost and developer guide. Thank you all for your feedback and support.

https://aws.amazon.com/about-aws/whats-new/2023/01/aws-app-runner-secrets-configuration-aws-secrets-systems-manager/

atali commented on August 22, 2024

Will the CDK L1 construct support it in a short time, because it's automatically generated?

vimalprasathr commented on August 22, 2024

Can we update bulk secret values in App Runner?

msumithr commented on August 22, 2024

Yes, once the customer updates all the secrets via AWS Secrets Manager and then triggers a single deployment on App Runner, we will be refreshing all the secrets.

BuraChuhadar commented on August 22, 2024

Hello,

Do you have example code that shows how to add an SSM parameter ARN (not SSM secrets) with source "SSM Parameter Store" as an environment variable under AWS CDK?

moltar commented on August 22, 2024

> Yes, once the customer updates all the secrets via AWS Secrets Manager and then triggers a single deployment on App Runner, we will be refreshing all the secrets.

Is there a way to trigger auto-reload upon secret updates via CDK?

Perhaps we could watch for an event, and then somehow call an API to force-reload?

hariohmprasath commented on August 22, 2024

Hi @moltar, you can listen to the AWS EventBridge events and invoke the aws apprunner start-deployment API to force a new deployment.

moltar commented on August 22, 2024

> Hi @moltar, you can listen to the AWS EventBridge events and invoke the aws apprunner start-deployment API to force a new deployment.

Hey, yeah, tried that. But EB events only fire if there is CloudTrail on the account, which is a whole other can of worms 😁
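The redeploy-on-secret-change approach discussed in the last few comments, sketched as handler logic. This is an added example, not code from the thread or from AWS: the ARNs, the secret-to-service map and the injected `startDeployment` function are assumptions, and the event fields are those of a Secrets Manager API call delivered to EventBridge through CloudTrail.

```typescript
interface SecretsManagerEvent {
  source: string;
  "detail-type": string;
  detail: { eventSource: string; eventName: string; errorCode?: string;
            requestParameters?: { secretId?: string } };
}

// Constructed ARNs; which services read which secret is operator-maintained (assumption).
const SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf";
const SERVICE_ARN = "arn:aws:apprunner:us-east-1:111122223333:service/api/0123456789abcdef0123456789abcdef";
const SERVICES_BY_SECRET: { [secretArn: string]: string[] } = { [SECRET_ARN]: [SERVICE_ARN] };
// Secrets Manager API calls that change what a new deployment would read.
const CHANGE_EVENTS = ["PutSecretValue", "UpdateSecret", "UpdateSecretVersionStage"];

// Callers may pass a name or an ARN as secretId; reduce both to the secret name.
// A full ARN ends in "-" plus six random characters, which is stripped here.
function secretName(id: string): string {
  const m = /^arn:aws[\w-]*:secretsmanager:[^:]*:\d{12}:secret:(.+)$/.exec(id);
  return m ? m[1].replace(/-[A-Za-z0-9]{6}$/, "") : id;
}

function servicesToRedeploy(event: SecretsManagerEvent): string[] {
  const d = event.detail;
  if (event.source !== "aws.secretsmanager" || d.eventSource !== "secretsmanager.amazonaws.com") return [];
  // Ignore reads (GetSecretValue) and failed calls, which carry an errorCode.
  if (CHANGE_EVENTS.indexOf(d.eventName) < 0 || d.errorCode) return [];
  const id = d.requestParameters && d.requestParameters.secretId;
  if (!id) return [];
  const hits: string[] = [];
  for (const arn of Object.keys(SERVICES_BY_SECRET)) {
    if (secretName(arn) !== secretName(id)) continue;
    for (const svc of SERVICES_BY_SECRET[arn]) if (hits.indexOf(svc) < 0) hits.push(svc);
  }
  return hits;
}

// startDeployment stands in for the App Runner StartDeployment call and is
// injected so the routing logic can be exercised without AWS access.
function handle(event: SecretsManagerEvent, startDeployment: (serviceArn: string) => void): string[] {
  const targets = servicesToRedeploy(event);
  for (const t of targets) startDeployment(t);
  return targets;
}

// Constructed sample of a CloudTrail-delivered event where the caller used the secret name.
const SAMPLE_EVENT: SecretsManagerEvent = {
  source: "aws.secretsmanager",
  "detail-type": "AWS API Call via CloudTrail",
  detail: { eventSource: "secretsmanager.amazonaws.com", eventName: "PutSecretValue",
            requestParameters: { secretId: "prod/db" } },
};
```

Matching on the secret name rather than the raw `secretId` matters because the same secret can appear in events as a bare name or as a full ARN, depending on how the caller addressed it.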
