I'm currently running a Node server deployed on a Docker application on AWS Elastic Beanstalk, and I have several env variables that should be kept hidden, like the database URL and the JWT secret. Passing them through the Elastic Beanstalk application config would be optimal, but it doesn't work because I'm trying to access them within a Docker container, which doesn't receive those env variables.
I've seen a lot of answers to this, but it seems to me that they all involve putting the actual variable values in places like the Dockerrun.aws.json or the Dockerfile, which would both add the secret values to the repo, exposing them in the public GitHub repo that I deploy from through CodePipeline. So, how should I pass these secret environment variables to the Docker container? Is there a way to reference the variables in my Dockerfile or docker-compose.yml files and pass them down? Is there some other Elastic Beanstalk config I can use? Any suggestions would be greatly appreciated.
CodePudding user response:
Is there some other Elastic Beanstalk config I can use?
Yes. Generally, you would set up your secrets in AWS Secrets Manager or SSM Parameter Store. Then your application, regardless of whether it is Docker, EB or anything else, would use the AWS SDK to get the secret directly from these secret vaults.
This is not only a good practice, but you also don't have to expose your secrets before they are actually needed. You only access them just before they are really used, which reduces the chances of a leak.
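The pattern the answer describes, as an added example that is not code from the question or the answer: the image and the repo carry no secret values at all; the Node process fetches them at startup through the AWS SDK, authenticated by the Elastic Beanstalk instance profile, and caches them in memory. The secret names (myapp/prod/DATABASE_URL, myapp/prod/JWT_SECRET), the SDK v3 packages @aws-sdk/client-secrets-manager and @aws-sdk/client-ssm, and the SECRET_BACKEND switch are assumptions for this example, not something the page specifies.

```javascript
'use strict';
// Added example (not from the question or answer). The container receives no secret
// values; the app reads them from AWS Secrets Manager or SSM Parameter Store with the
// AWS SDK, using the credentials of the Elastic Beanstalk instance profile.
// Assumed, not from the page: SDK v3 packages @aws-sdk/client-secrets-manager and
// @aws-sdk/client-ssm, and the secret/parameter names below.

const SECRET_NAMES = {
  DATABASE_URL: 'myapp/prod/DATABASE_URL', // assumed names
  JWT_SECRET: 'myapp/prod/JWT_SECRET',
};

// Backend for AWS Secrets Manager. The SDK is required lazily so the cache logic below
// can be exercised with a stub backend on a machine where the SDK is not installed.
function secretsManagerBackend(region = process.env.AWS_REGION) {
  const { SecretsManagerClient, GetSecretValueCommand } = require('@aws-sdk/client-secrets-manager');
  const client = new SecretsManagerClient({ region });
  return {
    async fetch(id) {
      const out = await client.send(new GetSecretValueCommand({ SecretId: id }));
      if (out.SecretString !== undefined) return out.SecretString;
      return Buffer.from(out.SecretBinary).toString('utf8'); // binary secrets arrive as Uint8Array
    },
  };
}

// Backend for SSM Parameter Store (SecureString parameters, decrypted server-side with the
// caller's KMS permissions).
function parameterStoreBackend(region = process.env.AWS_REGION) {
  const { SSMClient, GetParameterCommand } = require('@aws-sdk/client-ssm');
  const client = new SSMClient({ region });
  return {
    async fetch(id) {
      const out = await client.send(new GetParameterCommand({ Name: id, WithDecryption: true }));
      return out.Parameter.Value;
    },
  };
}

// In-process cache with a TTL: each secret is fetched only when first needed and then
// picked up again after rotation without a redeploy. Values live in a Map held by this
// object rather than on process.env, which is inherited by child processes and shows up
// in anything that dumps the environment.
class SecretStore {
  constructor(backend, ttlMs = 5 * 60 * 1000) {
    this.backend = backend;
    this.ttlMs = ttlMs;
    this.cache = new Map(); // id -> { value, expiresAt }
  }

  async get(id) {
    const hit = this.cache.get(id);
    if (hit && hit.expiresAt > Date.now()) return hit.value;
    const value = await this.backend.fetch(id);
    if (typeof value !== 'string' || value.length === 0) {
      // Fail closed: never start the server with an undefined JWT secret or DB URL.
      throw new Error(`secret ${id} is empty or missing`);
    }
    this.cache.set(id, { value, expiresAt: Date.now() + this.ttlMs });
    return value;
  }

  // Resolve every configured secret up front so a misconfigured instance role fails at
  // boot rather than on the first request. Returns an object keyed by the logical names.
  async loadAll(names = SECRET_NAMES) {
    const entries = await Promise.all(
      Object.entries(names).map(async ([key, id]) => [key, await this.get(id)])
    );
    return Object.fromEntries(entries);
  }
}

// Keep secret values out of logs: print the config shape with every value masked.
function redact(config) {
  return Object.fromEntries(Object.keys(config).map((k) => [k, '[redacted]']));
}

// Startup wiring; call main() from the server entrypoint.
async function main() {
  const backend = process.env.SECRET_BACKEND === 'ssm' ? parameterStoreBackend() : secretsManagerBackend();
  const store = new SecretStore(backend);
  const config = await store.loadAll();
  console.log('loaded config', redact(config));
  // From here: open the DB connection with config.DATABASE_URL and sign tokens with config.JWT_SECRET.
}
```

For this to work in Elastic Beanstalk the environment's EC2 instance profile needs an IAM policy allowing secretsmanager:GetSecretValue (or ssm:GetParameter plus kms:Decrypt for SecureString parameters) on exactly those resource ARNs; nothing about the secrets then has to appear in Dockerrun.aws.json, the Dockerfile, or the repository.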